GREYVIBE's Kremlin-aligned role in the Russian cybercrime ecosystem
Threat Actor Meta
Summary
Hide ▲
Show ▼
A newly characterized GREYVIBE actor sits in a grey zone between Kremlin-aligned intelligence work and the Russian cybercrime ecosystem, complicating attribution for Ukraine-focused operations. The assessment links the group to Russian-speaking operators and suggests the blend of state tasking and criminal talent is shaping how the actor is organized and deployed. That hybrid profile matters because it weakens traditional clustering based on stable tooling and relationships.
Related Happenings
Gamaredon Ukraine espionage campaign targeting government, military and critical infrastructure
Campaign
H score56
First: 01.06.2026 14:00
Last: 01.06.2026 14:00
Sources 1
About this happening:
The **Gamaredon** espionage campaign remained active in **January 2026**, targeting **Ukrainian government, military, and critical-infrastructure** networks to steal documents and...
Gamaredon Ukraine espionage campaign targeting government, military and critical infrastructure
CampaignAbout this happening: The **Gamaredon** espionage campaign remained active in **January 2026**, targeting **Ukrainian government, military, and critical-infrastructure** networks to steal documents and...
GreyVibe AI-assisted cyberespionage campaign targeting Ukraine-linked organizations
Campaign
H score39
First: 29.05.2026 01:24
Last: 29.05.2026 01:24
Sources 1
How related:
A previously undocumented threat actor dubbed GREYVIBE has been attributed to ongoing and persistent attacks targeting Ukraine and Ukraine-related entities since at least August 2025.
About this happening:
**GreyVibe** is running an **AI-assisted cyberespionage campaign** against **Ukrainian and Ukraine-related organizations**, expanding the threat to military, government, civilian,...
GreyVibe AI-assisted cyberespionage campaign targeting Ukraine-linked organizations
CampaignHow related: A previously undocumented threat actor dubbed GREYVIBE has been attributed to ongoing and persistent attacks targeting Ukraine and Ukraine-related entities since at least August 2025.
About this happening: **GreyVibe** is running an **AI-assisted cyberespionage campaign** against **Ukrainian and Ukraine-related organizations**, expanding the threat to military, government, civilian,...
GreyVibe custom malware activity with LegionRelay, PhantomRelay, and FallSpy
Malware Activity
H score41
First: 29.05.2026 01:24
Last: 29.05.2026 01:24
Sources 1
How related:
PrincessClub, which uses fake Ukrainian adult-club websites to deliver FallSpy on Android and PhantomRelayV1 or LegionRelay on Windows, with subsequent iterations of the lure sites introducing a WebRTC-based live call feature to capture victim audio and video.
About this happening:
**GREYVIBE** is a **Russian-speaking** malware activity targeting **Ukraine and Ukraine-related entities** since at least **August 2025**. The group uses **spear-phishing e-mails*...
GreyVibe custom malware activity with LegionRelay, PhantomRelay, and FallSpy
Malware ActivityHow related: PrincessClub, which uses fake Ukrainian adult-club websites to deliver FallSpy on Android and PhantomRelayV1 or LegionRelay on Windows, with subsequent iterations of the lure sites introducing a WebRTC-based live call feature to capture victim audio and video.
About this happening: **GREYVIBE** is a **Russian-speaking** malware activity targeting **Ukraine and Ukraine-related entities** since at least **August 2025**. The group uses **spear-phishing e-mails*...
Iranian MOIS Telegram malware campaign targeting opposition groups
Campaign
H score32
First: 23.03.2026 11:45
Last: 23.03.2026 11:45
Sources 1
About this happening:
The **FBI** warned that **Iranian MOIS-linked hackers** are using **Telegram C2** and **social engineering** to deliver **Windows malware** against journalists, dissidents, and ot...
Iranian MOIS Telegram malware campaign targeting opposition groups
CampaignAbout this happening: The **FBI** warned that **Iranian MOIS-linked hackers** are using **Telegram C2** and **social engineering** to deliver **Windows malware** against journalists, dissidents, and ot...
Silver Dragon assessed within the APT41 umbrella
Threat Actor Meta
H score25
First: 04.03.2026 10:14
Last: 04.03.2026 10:14
Sources 1
About this happening:
**Silver Dragon** is now assessed to operate within the **APT41 umbrella**, sharpening attribution for a cluster active against **Europe**, **Southeast Asia**, and **government en...
Silver Dragon assessed within the APT41 umbrella
Threat Actor MetaAbout this happening: **Silver Dragon** is now assessed to operate within the **APT41 umbrella**, sharpening attribution for a cluster active against **Europe**, **Southeast Asia**, and **government en...
Timeline
-
29.05.2026 14:31 2 articles · 1mo ago
GREYVIBE linked to Kremlin interests and the Russian cybercrime ecosystem
Initial DisclosureWithSecure assessed GREYVIBE as a Russian-speaking group operating broadly in the Russian time zone and aligning with Kremlin state interests in intelligence gathering efforts aimed at Ukraine. The same assessment says GREYVIBE also shares ties to the broader Russian cybercrime ecosystem through members believed to be current or former cybercriminal actors, placing the group in a grey area between cybercrime and state-affiliated activity.
Show sources
- New Russian-Linked GREYVIBE Targets Ukraine with AI-Powered Cyberattacks — thehackernews.com — 29.05.2026 14:31
- New Russian-Linked GREYVIBE Targets Ukraine with AI-Powered Cyberattacks — thehackernews.com — 29.05.2026 14:31