Symbol: ps1.phantom_relay

PhantomRelay

Actor(s): GreyVibe


According to WithSecure, PhantomRelay is a PowerShell-based RAT developed under the GREYVIBE activity cluster. It uses a two-stage execution chain (fingerprinting first, then the main RAT loaded in memory) with C2 communications over WebSockets, and its design is modular to enable additional post-compromise payloads. The family includes several variants, such as PhantomRelayLite and PhantomRelayV1/V2, which feature progressive obfuscation and persistence enhancements. The operators are Russian-speaking and Moscow-time aligned, with the tooling observed across GREYVIBE-related campaigns and related cybercrime activity.

References
2026-05-28, Mohammad Kazem Hassan Nejad
GREYVIBE: A Russia-nexus group leveraging AI across state-aligned operations
LegionRelay PhantomRelay

There is no Yara-Signature yet.