{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/actors/greyvibe/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":["GreyVibe"],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["google drive","zoom","lapas","cloudflare","telegram","whatsapp","phantomrelay","legionrelay","fallspy"],"_cs_severities":["high"],"_cs_tags":["greyvibe","ai-generated-lures","cyberespionage","ukraine","malware","phantomrelay","legionrelay","fallspy"],"_cs_type":"threat","_cs_vendors":["google","cloudflare","telegram","whatsapp","microsoft"],"content_html":"\u003cp\u003eThe GreyVibe threat group, believed to be Russian-aligned, has been actively targeting Ukrainian entities since at least August 2025. WithSecure discovered this campaign in January 2026, revealing that GreyVibe leverages AI tools like ChatGPT, Ideogram AI, and Google Gemini to generate realistic lures for their cyberespionage operations. The targets include organizations in the military, government, civilian, and business sectors within Ukraine and those related to Ukraine. GreyVibe utilizes diverse attack chains, including spear-phishing (PhantomMail), fake CAPTCHA pages (PhantomClick), and malicious websites (PrincessClub, DroneLink, Nebo) to deliver custom malware such as PhantomRelay, LegionRelay, and FallSpy. The threat actor also uses AI assistance in developing malware obfuscators and RATs.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Access (PhantomMail):\u003c/strong\u003e GreyVibe sends spear-phishing emails to Ukrainian targets using Google Drive and 4sync links, delivering malicious ZIP/RAR archives.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eDeception:\u003c/strong\u003e Victims are presented with decoy PDF documents or fake error messages to conceal the malicious payload.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eExecution (PhantomClick):\u003c/strong\u003e Victims are redirected to fake CAPTCHA or ClickFix pages disguised as Zoom or LAPAS sites.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCommand Execution:\u003c/strong\u003e Targets are tricked into executing self-infecting commands via fake Cloudflare verification prompts.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eMalware Installation (PrincessClub, DroneLink):\u003c/strong\u003e Victims visiting fake Ukrainian adult/dating websites or Ukrainian military charity websites are infected with FallSpy Android spyware and PhantomRelay/LegionRelay Windows malware.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eData Collection (FallSpy, LegionRelay):\u003c/strong\u003e FallSpy collects contact lists, call logs, device/network information, location data, media files, and SIM information. LegionRelay supports file theft, screenshot capturing, browser credential theft, Telegram/WhatsApp data exfiltration, and RDP access setup.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCommand and Control (PhantomRelay):\u003c/strong\u003e PhantomRelay establishes command and control, enabling system fingerprinting, dynamic script loading, and PowerShell and Windows command execution.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eExfiltration:\u003c/strong\u003e Stolen data is exfiltrated to attacker-controlled servers, supporting cyberespionage objectives.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eGreyVibe's cyberespionage campaign targets Ukrainian military, government, civilian, and business sectors to gather intelligence aligned with potential Russian interests. Successful attacks can lead to the compromise of sensitive data, including personal information, military communications, and business intelligence, potentially harming national security and economic stability. The use of AI-generated lures enhances the credibility of phishing campaigns, increasing the likelihood of successful breaches. While the precise number of victims is unknown, the ongoing nature of the campaign and the breadth of targeted sectors indicate a significant and persistent threat.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the following Sigma rule to detect the execution of self-infecting commands related to the PhantomClick campaign, triggered by fake Cloudflare verification prompts (\u003ccode\u003erules \u0026gt; Fake Cloudflare Verification Prompt\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eMonitor network connections for suspicious PowerShell commands indicative of PhantomRelay or LegionRelay activity (\u003ccode\u003erules \u0026gt; Suspicious PowerShell Network Connection\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eEnable endpoint detection and response (EDR) systems to detect and block the execution of PhantomRelay and LegionRelay, focusing on PowerShell scripts with data exfiltration capabilities.\u003c/li\u003e\n\u003cli\u003eEducate users about spear-phishing tactics, especially those using AI-generated lures that impersonate Ukrainian government, emergency, telecom, and energy entities (PhantomMail).\u003c/li\u003e\n\u003cli\u003eImplement multi-factor authentication (MFA) for all critical systems to mitigate the risk of credential theft via LegionRelay.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-28T22:25:55Z","date_published":"2026-05-28T22:25:55Z","id":"https://feed.craftedsignal.io/briefs/2026-05-greyvibe-ai-attacks/","summary":"The likely Russian-aligned GreyVibe group is targeting Ukrainian organizations with AI-generated lures delivered via spear-phishing and malicious websites, deploying custom malware such as PhantomRelay, LegionRelay, and FallSpy to exfiltrate sensitive data.","title":"GreyVibe Targets Ukraine with AI-Generated Lures and Custom Malware","url":"https://feed.craftedsignal.io/briefs/2026-05-greyvibe-ai-attacks/"}],"language":"en","title":"CraftedSignal Threat Feed - GreyVibe","version":"https://jsonfeed.org/version/1.1"}