The initial lures and approaches from GreyVibe are varied and heavily supported by AI. Spear-phishing emails (at least six distinct campaigns, though none involving deepfakes) directed victims to ZIP or RAR archives hosted on third-party file-sharing services such as Google Drive and 4sync. Opening the archive would launch a decoy file to hold the user’s attention while a PhantomRelay (Windows malware) infection chain started in the background.

A separate campaign, which the researchers call PrincessClub, used fake adult-club websites to deliver Fallspy (Android malware) and PhantomRelay or LegionRelay on Windows. Victims were steered to these sites by fake female personas operating on Telegram or dating sites.

This extensive use of AI not only compensates for capability gaps within GreyVibe but also reduces ‘historical backlinks to prior activity’. In short, we cannot be certain the group hasn’t previously been tracked under a different name by other researchers – but WithSecure has found no evidence of this.

What it has detected, however, is the use of a unique ISO builder potentially linked to the TrickBot ecosystem and UAC-0098 (an activity cluster likely involving former TrickBot members, previously also observed targeting Ukraine).

GreyVibe is still active, and its members are still unknown. Going forward, its AI expertise is likely to increase. “Given this extensive use, we expect the group’s tradecraft to continue evolving and diversifying, likely increasing the complexity of continuous detection, tracking, and attribution,” says WithSecure.

Whether this might tempt the group to spread its activity beyond its current focus on Ukraine remains to be seen. If it really is closely aligned with Russian state activities, this is more than possible given the current state of global geopolitics.
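The archive lure described above (a decoy document opened for the user while an infection chain starts in the background) is something a mail or download gateway can screen for before the archive reaches a desktop. What follows is an added example, not code from SecurityWeek or WithSecure and not derived from any GreyVibe sample: a Python triage heuristic that opens a ZIP archive in memory and flags a decoy document sitting beside an executable file type, or a double-extension name such as Report.pdf.exe. The file names, file contents and extension lists are constructed assumptions for the demonstration; RAR archives, which the article also mentions, would need a separate reader such as the third-party rarfile package.

```python
import io
import zipfile

# Extensions that commonly serve as the visible decoy document in a lure archive
# (assumed list for this example).
DECOY_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg", ".png"}
# Extensions that can start code execution when a user double-clicks them
# (assumed list for this example).
EXEC_EXTS = {".exe", ".scr", ".lnk", ".js", ".vbs", ".bat", ".cmd",
             ".hta", ".msi", ".dll", ".iso", ".img"}


def _split_ext(name: str):
    """Return (stem, lowercase extension) for the last path component of an archive entry."""
    base = name.rsplit("/", 1)[-1]
    dot = base.rfind(".")
    if dot <= 0:
        return base, ""
    return base[:dot], base[dot:].lower()


def triage_zip(data: bytes) -> dict:
    """Inspect a ZIP archive held in memory and return a triage record.

    Flags raised:
      decoy_plus_executable - a document or image sits beside an executable type
      double_extension      - an executable whose stem ends in a document extension,
                              e.g. Report.pdf.exe
    """
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = [info.filename for info in zf.infolist() if not info.is_dir()]

    decoys, executables, double_ext = [], [], []
    for name in names:
        stem, ext = _split_ext(name)
        if ext in DECOY_EXTS:
            decoys.append(name)
        elif ext in EXEC_EXTS:
            executables.append(name)
            # A second extension hidden in the stem marks a masquerade.
            _, inner = _split_ext(stem)
            if inner in DECOY_EXTS:
                double_ext.append(name)

    flags = []
    if decoys and executables:
        flags.append("decoy_plus_executable")
    if double_ext:
        flags.append("double_extension")

    return {
        "files": names,
        "decoys": decoys,
        "executables": executables,
        "double_extension": double_ext,
        "flags": flags,
        "suspicious": bool(flags),
    }


def build_lure_archive() -> bytes:
    """Constructed sample: a decoy PDF next to a double-extension executable."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Report.pdf", b"%PDF-1.4\n% constructed decoy, not a real document\n")
        zf.writestr("Report.pdf.exe", b"MZ placeholder bytes, not a real binary")
    return buf.getvalue()


def build_benign_archive() -> bytes:
    """Constructed sample: two ordinary documents and nothing executable."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("minutes.docx", b"constructed content")
        zf.writestr("agenda.pdf", b"%PDF-1.4 constructed content")
    return buf.getvalue()


if __name__ == "__main__":
    for label, archive in (("lure", build_lure_archive()),
                           ("benign", build_benign_archive())):
        result = triage_zip(archive)
        print(label, "suspicious:", result["suspicious"], "flags:", result["flags"])
```

The heuristic deliberately keys on structure rather than content, so it costs nothing to run at a gateway and does not depend on recognising a specific payload; a hit should route the archive to detonation or analyst review rather than block it outright, since some legitimate installers ship a README beside an executable.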
Related: UK Cyberspying Chief Calls AI ‘an Unstoppable Force’ and Warns About Russia
Related: Admins of Bulletproof Hosting Service Used by Russian Hackers Arrested in Netherlands
Related: Germany Suspects Russia Is Behind Signal Phishing That Targeted Top Officials
Related: Sweden Blames Pro-Russian Group for Cyberattack Last Year on Its Energy Infrastructure

Source: SecurityWeek