The Five-Pronged Attack Architecture
The threat group runs five concurrent campaigns, each tailored to specific vectors and operational objectives:
1. PhantomMail (Spear-phishing Lures)
The PhantomMail campaign targets key personnel through highly specific spear-phishing emails containing malicious ZIP or RAR archives hosted on public cloud repositories, including Google Drive and 4sync. When opened, these archives extract double-extension JavaScript loaders, such as .pdf.js or .rar.js, which are heavily obfuscated using the custom LOOKVALJS or TEASOUP engines. To deceive the user, a decoy PDF or fake system error is displayed on screen while a script launcher silently executes in the background to install the PhantomRelay remote access trojan (RAT).
2. PhantomClick (ClickFix Redirection)
Leveraging fake CAPTCHA and ClickFix verification pages, this campaign redirects users to domains designed to look like legitimate services, such as Zoom and LAPAS. The victim is greeted with a fake Cloudflare verification prompt instructing them to press the Windows key + R, paste an encoded command into the Run dialog box, and press Enter. This social engineering trick directly executes a custom PowerShell command, bypassing browser sandbox protections to deploy the PhantomRelay RAT.
3. PrincessClub (Social Engineering & WebRTC)
Primarily targeting military and defense personnel, this campaign uses fraudulent dating portals and fake female Telegram personas to build trust. Recent iterations have incorporated WebRTC-based live call features to increase credibility before delivering the payload. For Android devices, victims are directed to download a malicious application package (princess.apk) containing the FallSpy spyware. For Windows devices, the actors deliver JavaScript-based loaders that deploy the LegionRelay RAT.
4. DroneLink (Military Charity Decoys)
The DroneLink campaign leverages fake military charity sites, specifically focusing on FPV drone fundraising. The underlying infrastructure and custom tooling are shared with the PrincessClub campaign. Once a user is enticed to download a fake software update or connectivity tool on the decoy site, the compromised system is loaded with LegionRelay alongside legitimate administrative utilities like WireGuard and ZAPiXDESK, which the actors use for session hijacking.
5. Nebo (Tactical Communication Clone)
The Nebo campaign features clone login pages that mimic Russian tactical military communications portals like SPO Nebo. This campaign targets frontline personnel, acting as a direct credential harvester and a gateway for secondary execution. Depending on the victim platform, the infection chain deploys FallSpy on Android or LegionRelay on Windows endpoints.