
GreyVibe hackers use ChatGPT, Gemini to power cyberattacks

Why This Matters

The GreyVibe hacking group’s use of advanced AI tools like ChatGPT and Gemini to craft convincing cyberattack lures underscores the increasing sophistication of cyber threats targeting geopolitical and civilian sectors. This highlights the urgent need for enhanced cybersecurity measures and awareness among organizations and consumers alike to defend against AI-driven cyber espionage campaigns.

Key Takeaways

A likely Russian threat group tracked as GreyVibe has been using AI-generated lures and a rich set of custom malware tools to target entities in the military, government, civilian, and business sectors.

The cyberespionage campaign has been active since at least August 2025 and appears to align with Russian state interests, although researchers cannot confidently classify it as a nation-state operation.

Cybersecurity company WithSecure discovered the activity in January this year and determined that its focus is on Ukrainian or Ukraine-related organizations.

The link to a Russian-speaking threat actor is supported by the language used in the malware control panels, comments in code artifacts, and the command-and-control (C2) server time being configured to UTC+3 (Moscow time).

According to the researchers, GreyVibe has used several attack chains against its targets, including:

PhantomMail: Spear-phishing emails delivering malicious ZIP/RAR archives via Google Drive and 4sync links, using decoy PDFs or fake errors while deploying malware. The observed lures impersonated Ukrainian government, emergency, telecom, and energy entities.

PhantomClick: Fake CAPTCHA/ClickFix pages disguised as Zoom and LAPAS sites trick victims into running commands that infect their own machines, using fake Cloudflare verification prompts.

PrincessClub: Fake Ukrainian adult/dating websites delivering FallSpy Android spyware and PhantomRelay/LegionRelay Windows malware. The operators used fake female Telegram personas and later added WebRTC-based live calls that could capture the victim's audio/video.

DroneLink: Fake Ukrainian military charity websites themed around FPV drones and UAVs, which shared infrastructure and tooling with the PrincessClub campaigns.

Nebo: Fake “СПО НЕБО” Russian military communications login pages were likely designed to trick Ukrainian military personnel into believing they were accessing a Russian military terminal.
