GREYVIBE's Kremlin-aligned role in the Russian cybercrime ecosystem
Threat Actor Meta
Summary
A newly characterized GREYVIBE actor sits in a grey zone between Kremlin-aligned intelligence work and the Russian cybercrime ecosystem, complicating attribution for Ukraine-focused operations. The assessment links the group to Russian-speaking operators and suggests the blend of state tasking and criminal talent is shaping how the actor is organized and deployed. That hybrid profile matters because it weakens traditional clustering based on stable tooling and relationships.
Related Happenings
GreyVibe AI-assisted cyberespionage campaign targeting Ukraine-linked organizations
Campaign
First: 29.05.2026 01:24
Last: 29.05.2026 01:24
Sources 1
How related:
A previously undocumented threat actor dubbed GREYVIBE has been attributed to ongoing and persistent attacks targeting Ukraine and Ukraine-related entities since at least August 2025.
About this happening:
**GreyVibe** is running an **AI-assisted cyberespionage campaign** against **Ukrainian and Ukraine-related organizations**, expanding the threat to military, government, civilian,...
GreyVibe custom malware activity with LegionRelay, PhantomRelay, and FallSpy
Malware Activity
First: 29.05.2026 01:24
Last: 29.05.2026 01:24
Sources 1
How related:
PrincessClub, which uses fake Ukrainian adult-club websites to deliver FallSpy on Android and PhantomRelayV1 or LegionRelay on Windows, with subsequent iterations of the lure sites introducing a WebRTC-based live call feature to capture victim audio and video.
About this happening:
**GREYVIBE** is a **Russian-speaking** malware activity targeting **Ukraine and Ukraine-related entities** since at least **August 2025**. The group uses **spear-phishing e-mails*...
Iranian MOIS Telegram malware campaign targeting opposition groups
Campaign
First: 23.03.2026 11:45
Last: 23.03.2026 11:45
Sources 1
About this happening:
The **FBI** warned that **Iranian MOIS-linked hackers** are using **Telegram C2** and **social engineering** to deliver **Windows malware** against journalists, dissidents, and ot...
Silver Dragon assessed within the APT41 umbrella
Threat Actor Meta
First: 04.03.2026 10:14
Last: 04.03.2026 10:14
Sources 1
About this happening:
**Silver Dragon** is now assessed to operate within the **APT41 umbrella**, sharpening attribution for a cluster active against **Europe**, **Southeast Asia**, and **government en...
UAC-0050 spear-phishing campaign targeting European financial institutions
Campaign
First: 24.02.2026 16:21
Last: 24.02.2026 16:21
Sources 1
About this happening:
The **UAC-0050** spear-phishing operation targeted a **European financial institution**, raising concern that the actor is extending its reach beyond **Ukraine** into **Western Eu...
Timeline
- 29.05.2026 14:31
GREYVIBE linked to Kremlin interests and the Russian cybercrime ecosystem
Initial Disclosure
WithSecure assessed GREYVIBE as a Russian-speaking group operating broadly in the Russian time zone and aligning with Kremlin state interests in intelligence gathering efforts aimed at Ukraine. The same assessment says GREYVIBE also shares ties to the broader Russian cybercrime ecosystem through members believed to be current or former cybercriminal actors, placing the group in a grey area between cybercrime and state-affiliated activity.
- New Russian-Linked GREYVIBE Targets Ukraine with AI-Powered Cyberattacks — thehackernews.com — 29.05.2026 14:31