Find notable cyber news and cases, enriched with sources, timelines, and signals.

GreyVibe custom malware activity with LegionRelay, PhantomRelay, and FallSpy

Malware Activity
First reported
Last updated
Happening score
H score 41
2 unique sources, 2 articles

Summary

Hide ▲

GREYVIBE is a Russian-speaking malware activity targeting Ukraine and Ukraine-related entities since at least August 2025. The group uses spear-phishing e-mails, fake CAPTCHA/ClickFix pages, and fraudulent websites to deliver custom tooling including PhantomMail, PhantomRelay, PhantomRelayV1, LegionRelay, FallSpy, and WireGuard. The activity spans Windows remote access, browser and file theft, and Android spyware, broadening the operation from delivery into sustained compromise and surveillance.

Related Happenings

Y2K Operators Millenium RAT social-engineering distribution campaign

Campaign
H score73 First: 29.06.2026 17:30 Last: 29.06.2026 17:30 Sources 1

About this happening: The **Y2K Operators** are running a **social-engineering distribution campaign** that spreads **Millenium RAT** through **booby-trapped downloads**, exposing users to remote compr...

Hotel and hospitality photo-ZIP phishing campaign

Campaign
H score40 First: 26.06.2026 12:27 Last: 26.06.2026 12:27 Sources 1

About this happening: An **active phishing campaign** is targeting **hotel and hospitality organizations** across **Europe and Asia**, increasing the risk of **front-desk machine compromise** and durab...

KongTuke ClickFix and Teams access-seeking campaign

Campaign
H score33 First: 25.06.2026 11:54 Last: 25.06.2026 11:54 Sources 1

About this happening: The **KongTuke** operation is using **ClickFix** lures and **Microsoft Teams** messages to widen access-seeking attacks against **multiple organizations**, increasing the risk of...

REF8372 malicious Google Ads CastleStealer delivery campaign

Campaign
H score27 First: 22.06.2026 16:20 Last: 22.06.2026 16:20 Sources 1

About this happening: The **REF8372** campaign now uses **malicious Google Ads** and a fake **Node.js** download site to deliver **OXLOADER** and **CastleStealer**, putting search users at risk of malw...

SprySOCKS Windows backdoor activity against government organizations

Malware Activity
H score23 First: 16.06.2026 12:00 Last: 16.06.2026 12:00 Sources 1

About this happening: **SprySOCKS** now has documented **Windows variants**, **WIN_DRV** and **WIN_PLUS**, expanding a toolset first known as a **Linux-only backdoor**. The activity is tied to **govern...

Timeline

  1. 29.05.2026 01:24 3 articles · 1mo ago

    Initial report: GreyVibe custom malware activity with LegionRelay, PhantomRelay, and FallSpy

    Initial Disclosure

    GreyVibe introduced a custom malware stack that combined **Windows remote access**, **credential theft**, and **mobile spying**. The toolkit was used to deepen access after lure-based delivery into targeted environments.

    Show sources