Particle.news

GREYVIBE: AI-Assisted Russian‑Language Hackers Target Ukraine, WithSecure Reports

WithSecure's late May 2026 analysis shows that generative AI models were used to produce convincing phishing lures and bespoke malware at scale.

Overview

  • WithSecure published a detailed report in late May 2026 that links a previously undocumented Russian‑language cluster called GREYVIBE to an espionage campaign active since at least August 2025 targeting Ukraine and Ukraine‑related organizations.
  • The group used five distinct attack chains — PhantomMail, PhantomClick, PrincessClub, DroneLink, and Nebo — to deliver Windows remote‑access trojans and the FallSpy Android spyware against military, government, civilian, and business targets.
  • Researchers found evidence the operators used ChatGPT, Google Gemini, and Ideogram to generate realistic email and web lures, create images for decoys, and assist in writing obfuscators, loaders, and malware such as LegionRelay and PhantomRelay.
  • Operational mistakes exposed GREYVIBE: developers uploaded test samples to VirusTotal, design flaws revealed backend functionality, an ISO builder with ties to former TrickBot actors appeared in artifacts, and an XMRig miner was found on some infected machines.
  • WithSecure published indicators of compromise and step‑by‑step guidance in its May 2026 report so organizations can detect the named malware, block the delivery chains, and protect personnel who handle sensitive Ukrainian communications.