GreyVibe Espionage Campaign Analysis | Femto Security Threat Intelligence

Key Takeaways

GreyVibe utilizes advanced generative AI platforms such as ChatGPT and Google Gemini to generate highly realistic, multi-lingual social engineering lures.
The group uses custom-built, LLM-assisted PowerShell RATs named PhantomRelay and LegionRelay to exfiltrate session data and establish persistent access.
Evidence points to a hybrid operational model comprising cybercriminals co-opted or task-directed by state-affiliated entities.

Threat Actor Profile: GreyVibe

GreyVibe

aka UAC-0098 Overlap

Origin: Russia-nexus (UTC+3 / Moscow Time)
Motivation: Intelligence collection & cyberespionage
Targets: Ukraine (primary)MoldovaRomaniaBrazilVenezuelaGuinea
TTPs: Generative AI-assisted social engineering luresPowerShell-based RATs (PhantomRelay, LegionRelay)Fake CAPTCHAs & ClickFix redirectionsWebRTC-enabled dating site decoys

Campaign 2: PhantomClick Attack Chain

1Social Engineeringlow
Redirection to fake CAPTCHA / verification pages mimicking Zoom or LAPAS
low
2User Executionmedium
Victim is prompted to press Win+R, paste a malicious command with Ctrl+V, and hit Enter
medium
3Evasion & Loaderhigh
Obfuscated PowerShell loader fires, leveraging LOOKVALPS or DAYLIGHT
high
4Payload Deliverycritical
PhantomRelay RAT executes, establishing an interactive shell with the C2
critical

GreyVibe ATT&CK Matrix Mapping

Initial Access

T1566.002

Phishing: Malicious Link

Execution

T1204.001

User Execution: Malicious Link

T1059.001

Command and Scripting Interpreter: PowerShell

Persistence

T1547.001

Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

Defense Evasion

T1027

Obfuscated Files or Information

Credential Access

T1539

Steal Web Session Cookie

Collection

T1113

Screen Capture

Key Indicators of Compromise

domain
routinesyscheckup.com
C2 Domain
domain
routinesyscheckup.com
C2 Domain
domain
prosearium.net
C2 Domain
domain
prosearium.net
C2 Domain
hash
8682cec191aa676d696d5ccc6a1116285cb912ae9685e3060fae2e45277a1603
WUDFHost.ps1 USB Spreading Script (SHA-256)
hash
8682cec191aa676d696d5ccc6a1116285cb912ae9685e3060fae2e45277a1603
WUDFHost.ps1 USB Spreading Script (SHA-256)
hash
58a1c33d738dabe16e57934b33a7684fe1d0cea976ed599b5d2548de01546b60
SystemHealthSvc.ps1 Payload Loader (SHA-256)
hash
58a1c33d738dabe16e57934b33a7684fe1d0cea976ed599b5d2548de01546b60
SystemHealthSvc.ps1 Payload Loader (SHA-256)
hash
07d9deaace25d90fc91b31849dfc12b2fc3ac5ca90e317cfa165fe1d3553eead
princess.apk FallSpy Android Spyware (SHA-256)
hash
07d9deaace25d90fc91b31849dfc12b2fc3ac5ca90e317cfa165fe1d3553eead
princess.apk FallSpy Android Spyware (SHA-256)

Immediate Containment Actions

Progress0 / 4 (0%)

Enforce PowerShell Constrained Language Mode
Restricts dynamic API compilation on non-developer endpoints to stop execution of obfuscated memory payloads.
Disable Windows Script Host
Globally block wscript.exe and cscript.exe execution to break JavaScript double-extension loading chains.
Revoke Active User Sessions
Immediately terminate and rotate all active browser cookies, Telegram desktop tokens, and WhatsApp sessions on compromised hosts.
Set UAC to 'Always Notify'
Prevent actors from exploiting cmstp.exe alongside custom .INF files to bypass elevation prompts.

How to Defend Against Similar Threats

Audit endpoints for headless conhost execution and unexpected PowerShell history suppression commands.
Enforce PowerShell Constrained Language Mode globally across non-developer endpoints.
Implement strict limits on execution of double-extension scripting payloads and disable Windows Script Host where possible.

Threat Intel FAQ

What is the relationship between GreyVibe and generative AI?

GreyVibe relies heavily on generative AI models like ChatGPT, Google Gemini, and Ideogram AI to create highly customized social engineering lures, fake websites, and graphics. They also use LLM assistance to develop and optimize their custom malware, including obfuscators like DAYLIGHT and their primary PowerShell RATs.

How can organizations defend against GreyVibe's PowerShell payloads?

Organizations can defend against these payloads by enforcing PowerShell Constrained Language Mode, disabling Windows Script Host globally to block JavaScript loaders, and implementing endpoint monitoring queries to detect history-suppression commands and unauthorized headless shell executions.

Could a similar threat affect your organization?

If your team may be exposed to a similar threat, FemtoSec can help validate blast radius, prioritize remediation, and connect the issue to a practical security program.

GreyVibe Blends GenAI Lures with Custom RATs

Key Takeaways

How to Defend Against Similar Threats

Threat Intel FAQ

Could a similar threat affect your organization?