SYMBOLCOMMON_NAMEaka. SYNONYMS

GreyVibe  (Back to overview)


GREYVIBE is a low-to-moderately sophisticated threat actor associated with Russian state interests, primarily targeting Ukrainian entities. The group employs custom malware like LegionRelay and PhantomRelay, utilizing techniques such as decoy-and-payload execution logic and systematic use of GenAI and LLMs throughout their operations. Their campaigns exhibit operational overlaps with other groups, including shared C2 infrastructure and post-compromise tooling. WithSecure has identified design flaws in their malware that have provided insights into their victimology and operational behavior.


Associated Families
ps1.phantom_relay ps1.legion_relay

References
2026-05-28Mohammad Kazem Hassan Nejad
GREYVIBE: A Russia-nexus group leveraging AI across state-aligned operations
LegionRelay PhantomRelay
2026-05-28WithSecureMohammad Kazem Hassan Nejad
GREYVIBE: A Russia-nexus group leveraging AI across state-aligned operations
GreyVibe

Credits: MISP Project