GreyVibe, a likely Russian threat group, has been targeting Ukrainian and Ukraine-related organizations with AI-generated lures and custom malware since at least August 2025. Its campaigns use multiple attack chains and tools such as LegionRelay, PhantomRelay, and FallSpy, suggesting a hybrid operation that may blend state-aligned goals with cybercriminal tradecraft.

#GreyVibe #WithSecure #LegionRelay #PhantomRelay #FallSpy #PhantomMail #PhantomClick #PrincessClub #DroneLink #Nebo #UAC-0098

Key points
- GreyVibe has been active since at least August 2025.
- The group is targeting Ukrainian and Ukraine-related entities across multiple sectors.
- It uses AI-generated lures to make phishing and fake sites more convincing.
- The campaign includes custom tools such as LegionRelay, PhantomRelay, and FallSpy.
- Researchers believe the activity may combine state-aligned intent with cybercriminal involvement.