GreyVibe custom malware activity with LegionRelay, PhantomRelay, and FallSpy
Malware Activity
Summary
Hide ▲
Show ▼
GREYVIBE is a Russian-speaking malware activity targeting Ukraine and Ukraine-related entities since at least August 2025. The group uses spear-phishing e-mails, fake CAPTCHA/ClickFix pages, and fraudulent websites to deliver custom tooling including PhantomMail, PhantomRelay, PhantomRelayV1, LegionRelay, FallSpy, and WireGuard. The activity spans Windows remote access, browser and file theft, and Android spyware, broadening the operation from delivery into sustained compromise and surveillance.
Related Happenings
Y2K Operators Millenium RAT social-engineering distribution campaign
Campaign
H score73
First: 29.06.2026 17:30
Last: 29.06.2026 17:30
Sources 1
About this happening:
The **Y2K Operators** are running a **social-engineering distribution campaign** that spreads **Millenium RAT** through **booby-trapped downloads**, exposing users to remote compr...
Y2K Operators Millenium RAT social-engineering distribution campaign
CampaignAbout this happening: The **Y2K Operators** are running a **social-engineering distribution campaign** that spreads **Millenium RAT** through **booby-trapped downloads**, exposing users to remote compr...
Hotel and hospitality photo-ZIP phishing campaign
Campaign
H score40
First: 26.06.2026 12:27
Last: 26.06.2026 12:27
Sources 1
About this happening:
An **active phishing campaign** is targeting **hotel and hospitality organizations** across **Europe and Asia**, increasing the risk of **front-desk machine compromise** and durab...
Hotel and hospitality photo-ZIP phishing campaign
CampaignAbout this happening: An **active phishing campaign** is targeting **hotel and hospitality organizations** across **Europe and Asia**, increasing the risk of **front-desk machine compromise** and durab...
KongTuke ClickFix and Teams access-seeking campaign
Campaign
H score33
First: 25.06.2026 11:54
Last: 25.06.2026 11:54
Sources 1
About this happening:
The **KongTuke** operation is using **ClickFix** lures and **Microsoft Teams** messages to widen access-seeking attacks against **multiple organizations**, increasing the risk of...
KongTuke ClickFix and Teams access-seeking campaign
CampaignAbout this happening: The **KongTuke** operation is using **ClickFix** lures and **Microsoft Teams** messages to widen access-seeking attacks against **multiple organizations**, increasing the risk of...
REF8372 malicious Google Ads CastleStealer delivery campaign
Campaign
H score27
First: 22.06.2026 16:20
Last: 22.06.2026 16:20
Sources 1
About this happening:
The **REF8372** campaign now uses **malicious Google Ads** and a fake **Node.js** download site to deliver **OXLOADER** and **CastleStealer**, putting search users at risk of malw...
REF8372 malicious Google Ads CastleStealer delivery campaign
CampaignAbout this happening: The **REF8372** campaign now uses **malicious Google Ads** and a fake **Node.js** download site to deliver **OXLOADER** and **CastleStealer**, putting search users at risk of malw...
SprySOCKS Windows backdoor activity against government organizations
Malware Activity
H score23
First: 16.06.2026 12:00
Last: 16.06.2026 12:00
Sources 1
About this happening:
**SprySOCKS** now has documented **Windows variants**, **WIN_DRV** and **WIN_PLUS**, expanding a toolset first known as a **Linux-only backdoor**. The activity is tied to **govern...
SprySOCKS Windows backdoor activity against government organizations
Malware ActivityAbout this happening: **SprySOCKS** now has documented **Windows variants**, **WIN_DRV** and **WIN_PLUS**, expanding a toolset first known as a **Linux-only backdoor**. The activity is tied to **govern...
Timeline
-
29.05.2026 01:24 3 articles · 1mo ago
Initial report: GreyVibe custom malware activity with LegionRelay, PhantomRelay, and FallSpy
Initial DisclosureGreyVibe introduced a custom malware stack that combined **Windows remote access**, **credential theft**, and **mobile spying**. The toolkit was used to deepen access after lure-based delivery into targeted environments.
Show sources
- GreyVibe hackers use ChatGPT, Gemini to power cyberattacks — www.bleepingcomputer.com — 29.05.2026 01:24
- GreyVibe hackers use ChatGPT, Gemini to power cyberattacks — www.bleepingcomputer.com — 29.05.2026 01:24
- New Russian-Linked GREYVIBE Targets Ukraine with AI-Powered Cyberattacks — thehackernews.com — 29.05.2026 14:31