GreyVibe custom malware activity with LegionRelay, PhantomRelay, and FallSpy
Malware Activity
Summary
GREYVIBE is Russian-speaking malware activity that has targeted Ukraine and Ukraine-related entities since at least August 2025. The group uses spear-phishing e-mails, fake CAPTCHA/ClickFix pages, and fraudulent websites to deliver custom tooling including PhantomMail, PhantomRelay, PhantomRelayV1, LegionRelay, FallSpy, and WireGuard. The activity spans Windows remote access, browser and file theft, and Android spyware, broadening the operation from delivery into sustained compromise and surveillance.
Related Happenings
GREYVIBE's Kremlin-aligned role in the Russian cybercrime ecosystem
Threat Actor Meta
First: 29.05.2026 14:31
Last: 29.05.2026 14:31
Sources 1
How related:
GREYVIBE, per WithSecure, is assessed to be a Russian-speaking group operating broadly in the Russian time zone, with the activities aligning with Kremlin state interests, specifically when it comes to intelligence gathering efforts aimed at Ukraine in the context of the ongoing Russo-Ukrainian war.
About this happening:
A newly characterized **GREYVIBE** actor sits in a **grey zone** between **Kremlin-aligned intelligence work** and the **Russian cybercrime ecosystem**, complicating attribution f...
GreyVibe AI-assisted cyberespionage campaign targeting Ukraine-linked organizations
Campaign
First: 29.05.2026 01:24
Last: 29.05.2026 01:24
Sources 1
How related:
A previously undocumented threat actor dubbed GREYVIBE has been attributed to ongoing and persistent attacks targeting Ukraine and Ukraine-related entities since at least August 2025.
About this happening:
**GreyVibe** is running an **AI-assisted cyberespionage campaign** against **Ukrainian and Ukraine-related organizations**, expanding the threat to military, government, civilian,...
SHub Reaper macOS infostealer variant
Malware Activity
First: 19.05.2026 00:42
Last: 19.05.2026 00:42
Sources 1
About this happening:
The **SHub Reaper** macOS infostealer now uses **AppleScript** and a fake **Apple security update** lure to infect Macs, raising the risk of credential theft and remote access. It...
Vidar infostealer market rise and distribution expansion
Malware Activity
First: 28.04.2026 22:07
Last: 28.04.2026 22:07
Sources 1
About this happening:
**Vidar** remains a long-running **infostealer** threat, and **Aryaka** reported a fresh campaign in **recent weeks** that adds **new obfuscation techniques** and stronger **steal...
Venom Stealer MaaS continuous credential theft and exfiltration
Malware Activity
First: 01.04.2026 16:30
Last: 01.04.2026 16:30
Sources 1
About this happening:
The **Venom Stealer** **malware-as-a-service** platform has been identified as a **credential-theft** threat that keeps exfiltrating data after infection, extending the window for...
Timeline
29.05.2026 01:24 · 3 articles
Initial report: GreyVibe custom malware activity with LegionRelay, PhantomRelay, and FallSpy
Initial Disclosure
GreyVibe introduced a custom malware stack that combined **Windows remote access**, **credential theft**, and **mobile spying**. The toolkit was used to deepen access after lure-based delivery into targeted environments.
Sources:
- GreyVibe hackers use ChatGPT, Gemini to power cyberattacks — www.bleepingcomputer.com — 29.05.2026 01:24
- New Russian-Linked GREYVIBE Targets Ukraine with AI-Powered Cyberattacks — thehackernews.com — 29.05.2026 14:31