GREYVIBE Threat Actor: TTPs, Malware, and Infrastructure Analysis
WHITE PetrP.73 2026-05-30 Modified: 2026-05-30
165 IOCs (HIGH VOLUME)
GREYVIBE is a cyber threat actor identified by WithSecure that has primarily targeted Ukraine and Ukraine-related entities since August 2025. The group's activities show significant overlaps in attack infrastructure and operational methodology, which indicate a persistent campaign aligned with Russian state interests, especially in the context of the Russia-Ukraine war. GREYVIBE's operations use a variety of attack vectors, including spear-phishing emails, fake CAPTCHA pages, and fraudulent websites impersonating Ukrainian organizations. These vectors have been used to distribute malware, predominantly custom-developed variants such as PhantomRelay, FallSpy, and LegionRelay.
MITRE ATT&CK & Malware Families
MALWARE FAMILIES
LegionRelay, DroneLink, PrincessClub, PhantomRelayV1, LOOKVALJS, GREYVIBE
Indicators of Compromise (13 / 165 total)