GREYVIBE: A Russia-nexus group leveraging AI across state-aligned operations

WithSecure identified GREYVIBE, a Russia-nexus threat group targeting Ukrainian entities using spear-phishing, ClickFix, and fraudulent websites. The group systematically leverages Generative AI to develop custom malware (PhantomRelay, LegionRelay, FallSpy) and obfuscators, blending state-aligned intelligence gathering with cybercrime ecosystem overlaps.

Confidence: high | Analyzed: 2026-05-28 | Google

Authors: Mohammad Kazem Hassan Nejad

Actors: GREYVIBE, UAC-0098, TrickBot, KongTuke, PhantomMail, PhantomClick, PrincessClub, DroneLink, Nebo

Source: WithSecure

IOCs (2)
  • domain: lapas[.]live
    Domain used for ClickFix-style fake CAPTCHA pages delivering PhantomRelay.
  • email: admin[@]lapas[.]live
    Email address listed on the fraudulent ClickFix CAPTCHA page for technical support.

Detection / Hunter: Google

What Happened

A cyber threat group known as GREYVIBE has been targeting Ukrainian military, government, and civilian organizations since August 2025. The attackers use fake emails, deceptive CAPTCHA pages, and fraudulent websites to trick victims into downloading malicious software. This activity is notable because the group heavily relies on Artificial Intelligence to write code and create convincing lures. Organizations should educate users on identifying fake verification pages and ensure robust endpoint protection is in place.

Key Takeaways

  • GREYVIBE is a Russia-nexus threat group targeting Ukrainian entities since at least August 2025.
  • The group systematically uses Generative AI (LLMs) for lure creation, malware development, and operational tasks.
  • Attack vectors include spear-phishing, ClickFix fake CAPTCHAs, and fraudulent websites (adult clubs, charities).
  • Custom malware deployed includes PhantomRelay and LegionRelay on Windows, and FallSpy on Android.
  • Activity overlaps with cybercrime ecosystems, potentially indicating involvement of former cybercriminals or UAC-0098 members.

Affected Systems

  • Windows
  • Android

Attack Chain

GREYVIBE initiates attacks via spear-phishing emails containing malicious archives, ClickFix fake CAPTCHA pages, or fraudulent websites. Upon victim interaction, custom loaders (such as TEASOUP or LOOKVALJS) execute and deploy obfuscated payloads. The primary payloads include PhantomRelay or LegionRelay on Windows, and FallSpy on Android, which establish command-and-control communication. Post-compromise activities involve extensive data exfiltration, including browser data, messaging app data, and potential audio/video capture via WebRTC.

Detection Availability

  • YARA Rules: Yes
  • Sigma Rules: No
  • Snort/Suricata Rules: No
  • KQL Queries: No
  • Splunk SPL Queries: No
  • EQL Queries: No
  • Other Detection Logic: No
  • Platforms: WithSecure GitHub

YARA rules for detecting the associated malware and loaders are available in the WithSecure GitHub repository.

Detection Engineering Assessment

  • EDR Visibility: High — EDR solutions should have high visibility into PowerShell execution, WebSocket communication, and unusual child processes spawned from browsers or document readers.
  • Network Visibility: Medium — C2 communication uses WebSockets and REST APIs, which may blend with legitimate traffic, but connections to unusual domains or high-volume data exfiltration can still be detected.
  • Detection Difficulty: Moderate — The heavy use of custom obfuscators (DAYLIGHT, TEASOUP) and LLM-generated code variations makes static signature detection difficult, so behavioral analysis is required.

Required Log Sources

  • Process Creation (Event ID 4688 / Sysmon Event ID 1)
  • PowerShell Operational Logs (Event ID 4104)
  • Network Connections (Sysmon Event ID 3)

Hunting Hypotheses

  • Hypothesis: Consider hunting for unusual PowerShell execution patterns involving WebSockets or REST API calls to unknown domains, which may indicate PhantomRelay or LegionRelay C2 communication.
    Telemetry: PowerShell Operational Logs, Network Connections
    ATT&CK Stage: Command and Control
    FP Risk: Medium
  • Hypothesis: If you have visibility into clipboard activity or browser events, look for users pasting suspicious commands (e.g., Win+R followed by PowerShell execution) indicative of ClickFix campaigns.
    Telemetry: Process Creation, EDR Telemetry
    ATT&CK Stage: Execution
    FP Risk: Low
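Both hypotheses above can be expressed as simple checks over process-creation and script-block events. The following is an added example written for this summary, not code from WithSecure or the original report; the event records, the allow-list and the `-enc` placeholder are constructed, and the field names are a simplified stand-in for Sysmon Event ID 1 and PowerShell 4104 records.

```python
import re

# Constructed sample events (not from the report). id 1 = process creation
# (Sysmon Event ID 1), id 4104 = PowerShell script block log.
SAMPLE_EVENTS = [
    {"id": 1, "parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": "powershell -w hidden -ep bypass -enc BASE64PLACEHOLDER"},
    {"id": 1, "parent": "cmd.exe", "image": "powershell.exe",
     "cmdline": "powershell -File C:\\scripts\\backup.ps1"},
    {"id": 4104, "script": "$ws = New-Object System.Net.WebSockets.ClientWebSocket; "
                           "$ws.ConnectAsync('wss://cdn-update.example/relay', $ct)"},
    {"id": 4104, "script": "Invoke-RestMethod -Uri https://intranet.corp.example/api/health"},
    {"id": 4104, "script": "Get-ChildItem C:\\logs | Measure-Object"},
]

KNOWN_GOOD_DOMAINS = {"intranet.corp.example"}  # assumed organisational allow-list

WEBSOCKET_RE = re.compile(r"ClientWebSocket|wss?://", re.I)
REST_RE = re.compile(r"Invoke-RestMethod|Invoke-WebRequest|\.DownloadString\(", re.I)
URL_RE = re.compile(r"(?:wss?|https?)://([A-Za-z0-9.-]+)", re.I)
# Flags commonly present in pasted one-liners: hidden window, bypassed policy, encoded body.
PASTED_FLAGS_RE = re.compile(r"-enc|-w(?:indowstyle)?\s+hidden|-ep\s+bypass", re.I)

def clickfix_hypothesis(ev):
    """Hypothesis 2: powershell.exe started by explorer.exe (the Run dialog is
    hosted by explorer) with flags typical of a pasted ClickFix command."""
    if ev.get("id") != 1 or ev.get("image", "").lower() != "powershell.exe":
        return None
    if ev.get("parent", "").lower() == "explorer.exe" and PASTED_FLAGS_RE.search(ev.get("cmdline", "")):
        return "clickfix-run-dialog"
    return None

def c2_hypothesis(ev):
    """Hypothesis 1: script blocks using WebSockets or REST calls whose target
    host is not on the allow-list (or cannot be recovered from the script)."""
    if ev.get("id") != 4104:
        return None
    script = ev.get("script", "")
    if not (WEBSOCKET_RE.search(script) or REST_RE.search(script)):
        return None
    hosts = {h.lower() for h in URL_RE.findall(script)}
    if not hosts:  # host built at runtime: cannot be vetted, so still surface it
        return "ps-net-unresolved-host"
    unknown = sorted(hosts - KNOWN_GOOD_DOMAINS)
    return f"ps-net-unknown-domain:{','.join(unknown)}" if unknown else None

def hunt(events):
    """Return (event index, finding tag) pairs for every event that matches a hypothesis."""
    return [(i, tag) for i, ev in enumerate(events)
            for tag in (clickfix_hypothesis(ev), c2_hypothesis(ev)) if tag]
```

Running `hunt(SAMPLE_EVENTS)` flags only the explorer-spawned hidden PowerShell and the WebSocket connection to the non-allow-listed host; the scheduled backup script and the REST call to the intranet host are left alone.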

Control Gaps

  • Static AV signatures may fail due to frequent LLM-assisted code refactoring and custom obfuscators.

Key Behavioral Indicators

  • PowerShell scripts utilizing WebSockets for C2
  • Execution of obfuscated JavaScript or PowerShell from unusual archive files (ZIP/RAR)
  • Unexpected WebRTC audio/video capture requests from unknown websites

False Positive Assessment

  • Low

Recommendations

Immediate Mitigation

  • Verify against your organization's incident response runbook and team escalation paths before acting.
  • Consider blocking access to known malicious domains associated with the ClickFix and fake charity campaigns.
  • Evaluate whether to restrict the execution of JavaScript and PowerShell from archive files downloaded from the internet.

Infrastructure Hardening

  • If applicable, enforce strict execution policies for PowerShell (e.g., Constrained Language Mode) to limit the capabilities of post-compromise scripts.
  • Consider implementing network segmentation to restrict outbound WebSockets and REST API traffic from critical endpoints to unknown destinations.

User Protection

  • Evaluate deploying EDR solutions with behavioral analytics to detect anomalous PowerShell and JavaScript execution.
  • If supported by your MDM, consider restricting the installation of unverified Android applications to mitigate FallSpy infections.

Security Awareness

  • Consider updating security awareness training to include the risks of ClickFix campaigns, specifically instructing users never to copy and paste commands from web pages into the Run dialog or terminal.
  • Evaluate educating personnel on the risks of interacting with unverified charity or adult-themed websites, especially those requesting unusual permissions like camera or microphone access.

MITRE ATT&CK Mapping

  • T1566.002 - Phishing: Spearphishing Link
  • T1204.001 - User Execution: Malicious Link
  • T1059.001 - Command and Scripting Interpreter: PowerShell
  • T1059.007 - Command and Scripting Interpreter: JavaScript
  • T1027 - Obfuscated Files or Information
  • T1113 - Screen Capture
  • T1125 - Video/Audio Capture
  • T1005 - Data from Local System