Telegram

The likely Russian-aligned GreyVibe group is targeting Ukrainian organizations with AI-generated lures delivered via spear-phishing and malicious websites, deploying custom malware such as PhantomRelay, LegionRelay, and FallSpy to exfiltrate sensitive data.

The WantToCry ransomware exploits exposed SMB services via brute-force for initial access, then exfiltrates files for remote encryption, rewriting the encrypted files to the original locations, demanding ransom payments from $400 to $1,800.

This rule detects command and control (C2) communications that use common web services to hide malicious activity on Windows hosts by identifying network connections to commonly abused web services from processes outside of known legitimate program locations, indicating potential exfiltration or C2 activity blended with legitimate traffic.