{"id":10930,"date":"2026-05-28T10:06:11","date_gmt":"2026-05-28T09:06:11","guid":{"rendered":"https:\/\/www.withsecure.com\/?post_type=lab_item&#038;p=10930"},"modified":"2026-05-28T10:17:34","modified_gmt":"2026-05-28T09:17:34","slug":"greyvibe","status":"publish","type":"lab_item","link":"https:\/\/www.withsecure.com\/en\/resources-hub\/w-labs\/greyvibe\/","title":{"rendered":"GREYVIBE: A Russia-nexus group leveraging AI across state-aligned operations"},"content":{"rendered":"<section\n    class=\"wp-block-one-column-block edwp-block js-wp-block-one-column-block wp-block-one-column-block--content-1 wp-block-one-column-block--meta-sharing layout--spacing-xxxxl-top layout--spacing-xl-bottom\"\n    >\n    <div class=\"wp-block-one-column-block__container\">\n                                                                                                                            <div class='wp-block-one-column-block__meta-sharing-grid'><div class=\"wp-component-content wp-component-content--default wp-block-one-column-block__content fade-in\">\n            <h1 class=\"wp-component-heading text--h2 wp-component-content__title\">\n    GREYVIBE: A Russia-nexus group leveraging <span class=\"blue-text\">AI across state-aligned operations<\/span><\/h1>                    <div class=\"wp-component-content__inner\">\n                                                    <div class=\"wp-component-content__meta\">\n                                                    <span class=\"wp-component-content__content-type\">\n                                Publications                            <\/span>\n                                                                            <span class=\"wp-component-content__meta-categories\">\n                                                                    <span class=\"wp-component-content__meta-category\">\n                                        AI Security                                    <\/span>\n                                 
                                   <span class=\"wp-component-content__meta-category\">\n                                        Software Protection                                    <\/span>\n                                                                    <span class=\"wp-component-content__meta-category\">\n                                        Threat Intelligence                                    <\/span>\n                                                            <\/span>\n                                                                                                    <span class=\"wp-component-content__meta-date\">\n                                28 May, 2026                            <\/span>\n                                                                            <span class=\"wp-component-content__meta-read\">\n                                15                            <\/span>\n                                            <\/div>\n                                            <\/div>\n                <\/div><section\n    class=\"wp-block-sharing-icons edwp-block wp-block-sharing-icons--disable-border wp-block-sharing-icons--content-1 wp-block-sharing-icons--disable-container wp-block-one-column-block__sharing fade-in wp-block-one-column-block__sharing fade-in\"\n    >\n    <div class=\"wp-block-sharing-icons__container\">\n        <div class=\"wp-block-sharing-icons__inner\">\n                            <p class=\"wp-block-sharing-icons__title fade-in\">\n                    Share this                <\/p>\n                        <div class=\"wp-component-socials wp-component-socials--dark-mode\">\n    \n            <a href=\"https:\/\/www.linkedin.com\/shareArticle?mini=true&#038;url=https:\/\/www.withsecure.com\/en\/resources-hub\/w-labs\/greyvibe\/&#038;title=GREYVIBE:%20A%20Russia-nexus%20group%20leveraging%20AI%20across%20state-aligned%20operations\" target=\"_blank\" rel=\"noreferer noopener\" class=\"wp-component-socials__link\" 
title=\"Share on Linkedin\">\n            <svg class='edwp-icon edwp-icon--xlg js-icon ' aria-hidden='true'>\n                <use xlink:href='#linkedin'><\/use>\n            <\/svg>        <\/a>\n    \n            <a href=\"http:\/\/x.com\/share?text=GREYVIBE: A Russia-nexus group leveraging AI across state-aligned operations&#038;url=https:\/\/www.withsecure.com\/en\/resources-hub\/w-labs\/greyvibe\/\" target=\"_blank\" rel=\"noreferer noopener\" class=\"wp-component-socials__link wp-component-socials__link--twitter\" title=\"Share on Twitter\">\n            <svg class='edwp-icon edwp-icon--xlg js-icon ' aria-hidden='true'>\n                <use xlink:href='#x'><\/use>\n            <\/svg>        <\/a>\n    \n    \n    <\/div>\n        <\/div>\n    <\/div>\n<\/section>\n<\/div>                                                                                <\/div>\n<\/section>\n\n\n<section\n    class=\"wp-block-one-column-block edwp-block js-wp-block-one-column-block wp-block-one-column-block--content-1 layout--spacing-xxxl-bottom\"\n    >\n    <div class=\"wp-block-one-column-block__container\">\n                                                                                                                                    <div class=\"wp-component-image__wrapper wp-block-one-column-block__image fade-in\">\n                    <figure class=\"wp-component-image__figure\">\n                                            <img loading=\"lazy\" decoding=\"async\" width=\"1200\" height=\"800\" src=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/ws_labs_research.jpg.webp\" class=\"wp-component-image\n                            wp-component-image--desktop\n                            wp-component-image--mobile\n                            wp-component-image--ratio-content-25-1 wp-component-image--fit-cover\" alt=\"\" srcset=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/ws_labs_research.jpg.webp 1200w, 
https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/ws_labs_research-300x200.jpg.webp 300w, https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/ws_labs_research-1024x683.jpg.webp 1024w, https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/ws_labs_research-768x512.jpg.webp 768w, https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/ws_labs_research-447x298.jpg.webp 447w, https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/ws_labs_research-219x146.jpg.webp 219w\" sizes=\"auto, (max-width: 1200px) 100vw, 1200px\" \/>                                                    <\/figure>\n                    <\/div>\n                                                                                <\/div>\n<\/section>\n\n\n<section\n    class=\"wp-block-two-column-block edwp-block js-wp-block-two-column-block wp-block-two-column-block--content-1 wp-block-two-column-block__left--align-y-top wp-block-two-column-block__right--align-y-top wp-block-two-column-block--split-sidebar layout--none-top layout--spacing-xxxl-bottom\"\n    data-block-id=\"block_8b5f323b4e8b1886b2e80d93ecddda3b\"\n    >\n    <div class=\"wp-block-two-column-block__container row-load\">\n                                                        <div class=\"wp-block-two-column-block__left\">\n                                    <div class=\"wp-component-authors-list wp-block-two-column-block__authors\">\n                    <p class=\"wp-component-authors-list__title\">\n                Authors            <\/p>\n        \n        <div class=\"wp-component-authors-list__items\">\n                                                <div class=\"wp-component-author-card \">\n    <div class=\"wp-component-author-card__media\">\n                    <img loading=\"lazy\" decoding=\"async\" width=\"1080\" height=\"1080\" src=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/Mohammad-Kazem-Hassan-Nejad_WithSecure_2.jpg.webp\" 
class=\"wp-component-author-card__photo\" alt=\"\" srcset=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/Mohammad-Kazem-Hassan-Nejad_WithSecure_2.jpg.webp 1080w, https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/Mohammad-Kazem-Hassan-Nejad_WithSecure_2-300x300.jpg.webp 300w, https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/Mohammad-Kazem-Hassan-Nejad_WithSecure_2-1024x1024.jpg.webp 1024w, https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/Mohammad-Kazem-Hassan-Nejad_WithSecure_2-150x150.jpg.webp 150w, https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/Mohammad-Kazem-Hassan-Nejad_WithSecure_2-768x768.jpg.webp 768w, https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/Mohammad-Kazem-Hassan-Nejad_WithSecure_2-447x447.jpg.webp 447w, https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/Mohammad-Kazem-Hassan-Nejad_WithSecure_2-700x700.jpg.webp 700w, https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/Mohammad-Kazem-Hassan-Nejad_WithSecure_2-146x146.jpg.webp 146w\" sizes=\"auto, (max-width: 1080px) 100vw, 1080px\" \/>            <\/div>\n    <div class=\"wp-component-author-card__content\">\n                    <h3 class=\"wp-component-author-card__name\">Mohammad Kazem Hassan Nejad<\/h3>\n        \n                    <p class=\"wp-component-author-card__meta\">\n                Senior Threat Intelligence Researcher, WithSecure            <\/p>\n                \n            <\/div>\n\n<\/div>\n\n                                    <\/div>\n\n            <\/div>\n<nav\n    class=\"wp-component-content-navigation wp-block-two-column-block__content-nav js-content-navigation\"\n    data-bem-base=\"wp-component-content-navigation\"\n    data-nav-column=\"left\"\n    data-nav-type=\"auto\"\n>\n            <p class=\"wp-component-content-navigation__title\">\n            Content        <\/p>\n    \n    <div class=\"wp-component-content-navigation__mobile\">\n        
<label class=\"wp-component-content-navigation__mobile-label\">\n            <span class=\"wp-component-content-navigation__mobile-label-text\">\n                Content navigation            <\/span>\n            <select class=\"wp-component-content-navigation__select js-content-navigation-select\">\n                <option value=\"\">\n                    Select a section                <\/option>\n                            <\/select>\n        <\/label>\n    <\/div>\n\n    <div class=\"wp-component-content-navigation__desktop\">\n        <div class=\"wp-component-content-navigation__list-wrapper\">\n            <span\n                class=\"wp-component-content-navigation__indicator js-content-navigation-indicator\"\n                aria-hidden=\"true\"\n            ><\/span>\n            <ul class=\"wp-component-content-navigation__list js-content-navigation-list\">\n                            <\/ul>\n        <\/div>\n    <\/div>\n<\/nav>\n<section\n    class=\"wp-block-sharing-icons edwp-block wp-block-sharing-icons--disable-border wp-block-sharing-icons--disable-container wp-block-two-column-block__share wp-block-two-column-block__hide-mobile wp-block-two-column-block__share wp-block-two-column-block__hide-mobile\"\n    >\n    <div class=\"wp-block-sharing-icons__container\">\n        <div class=\"wp-block-sharing-icons__inner\">\n                            <p class=\"wp-block-sharing-icons__title fade-in\">\n                    Share this story                <\/p>\n                        <div class=\"wp-component-socials wp-component-socials--dark-mode\">\n    \n            <a href=\"https:\/\/www.linkedin.com\/shareArticle?mini=true&#038;url=https:\/\/www.withsecure.com\/en\/resources-hub\/w-labs\/greyvibe\/&#038;title=GREYVIBE:%20A%20Russia-nexus%20group%20leveraging%20AI%20across%20state-aligned%20operations\" target=\"_blank\" rel=\"noreferer noopener\" class=\"wp-component-socials__link\" title=\"Share on Linkedin\">\n            <svg 
class='edwp-icon edwp-icon--xlg js-icon ' aria-hidden='true'>\n                <use xlink:href='#linkedin'><\/use>\n            <\/svg>        <\/a>\n    \n            <a href=\"http:\/\/x.com\/share?text=GREYVIBE: A Russia-nexus group leveraging AI across state-aligned operations&#038;url=https:\/\/www.withsecure.com\/en\/resources-hub\/w-labs\/greyvibe\/\" target=\"_blank\" rel=\"noreferer noopener\" class=\"wp-component-socials__link wp-component-socials__link--twitter\" title=\"Share on Twitter\">\n            <svg class='edwp-icon edwp-icon--xlg js-icon ' aria-hidden='true'>\n                <use xlink:href='#x'><\/use>\n            <\/svg>        <\/a>\n    \n    \n    <\/div>\n        <\/div>\n    <\/div>\n<\/section>\n                <\/div>\n                                                <div class=\"wp-block-two-column-block__right\">\n                                <div class=\"wp-component-paragraph wp-block-two-column-block__paragraph \">\n    <h2 class=\"text--h4\">Executive Summary<\/h2>\n<ul>\n<li>WithSecure identified an ongoing and persistent set of activity targeting Ukraine and Ukraine-related entities since at least August 2025.<\/li>\n<li>Based on significant overlaps observed across both development and operational phases of the associated campaigns, WithSecure associates the activities with a threat group tracked as GREYVIBE. At the time of writing, WithSecure has not identified definitive links between GREYVIBE and any previously tracked threat group.<\/li>\n<li>The group has leveraged multiple attack vectors, including spear-phishing e-mails, fake captcha pages and fraudulent Ukrainian adult club websites, to deliver malware to a diverse set of victims. The observed victimology includes military, government, civilian, and business-related entities. Across these campaigns, the group has relied on custom developed obfuscators, loaders, and malware. 
WithSecure additionally identified several associated activities and related campaigns that shared varying degrees of overlap with the group\u2019s tooling, infrastructure, and tradecraft.<\/li>\n<li>The lures, targeting, and observed actions on objectives of the activities align with Russian state interests, particularly in support of intelligence-gathering objectives related to Ukraine in the context of the ongoing Russia-Ukraine war. WithSecure also identified multiple indicators suggesting that the associated developers and operators are Russian-speaking and operate broadly in the Russian (Moscow) time zone.<\/li>\n<li>While the activities align with Russian state interests, several observed indicators suggest the group has ties to the broader cybercrime ecosystem, with the group potentially involving current or former cybercriminal actors.<\/li>\n<li>Moreover, WithSecure found strong evidence suggesting systematic use of generative AI (GenAI) and large language models (LLMs) by GREYVIBE throughout their operation.<\/li>\n<li>Taken together, WithSecure assesses GREYVIBE is a low-to-moderately sophisticated group, as reflected in repeated operational security failures, heavy reliance on LLMs, and overall observed tradecraft.<\/li>\n<li>Lastly, WithSecure identified design flaws in LegionRelay, a custom malware associated with GREYVIBE that WithSecure assesses was likely developed with LLM assistance. These flaws exposed a limited subset of LegionRelay\u2019s backend functionality, which provided WithSecure with research visibility into associated activity over an extended period. This visibility informed WithSecure\u2019s assessment of the group\u2019s victimology, actions on objectives, post-compromise tooling, and operational behaviour. 
Sensitive details pertaining to the observed victimology and actions on objectives as well as information that could aid the threat actor have been deliberately omitted from the report, but could be shared with relevant authorities where appropriate.<\/li>\n<\/ul>\n<p>This blog post summarises key topics from WithSecure\u2019s <a href=\"\/content\/dam\/labs\/docs\/WithSecure_GREYVIBE.pdf\">full report<\/a>, which covers our investigation and findings in substantially greater depth.<\/p>\n<p>&nbsp;<\/p>\n<h2 class=\"text--h4\">A multi-vector activity set<\/h2>\n<p>GREYVIBE has used several delivery approaches. We grouped GREYVIBE\u2019s observed activity into a set of distinct campaigns linked by shared malware, infrastructure, and operational behaviours. Across these campaigns, the group has consistently used appropriate lures for deception and implemented a decoy-and-payload execution logic to reinforce the credibility of the lure while covertly gaining access to the victim\u2019s machine.<\/p>\n<figure><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-large wp-image-10942 aligncenter\" src=\"https:\/\/www.withsecure.com\/wp-content\/uploads\/2026\/05\/figure-1-1024x262.webp\" alt=\"\" width=\"1024\" height=\"262\" srcset=\"https:\/\/www.withsecure.com\/wp-content\/uploads\/2026\/05\/figure-1-1024x262.webp 1024w, https:\/\/www.withsecure.com\/wp-content\/uploads\/2026\/05\/figure-1-300x77.webp 300w, https:\/\/www.withsecure.com\/wp-content\/uploads\/2026\/05\/figure-1-768x197.webp 768w, https:\/\/www.withsecure.com\/wp-content\/uploads\/2026\/05\/figure-1-1536x394.webp 1536w, https:\/\/www.withsecure.com\/wp-content\/uploads\/2026\/05\/figure-1-447x115.webp 447w, https:\/\/www.withsecure.com\/wp-content\/uploads\/2026\/05\/figure-1-570x146.webp 570w, https:\/\/www.withsecure.com\/wp-content\/uploads\/2026\/05\/figure-1.webp 1920w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption>Figure 1. 
Overview of GREYVIBE-associated campaigns, malware, loaders, and obfuscators<\/figcaption><\/figure>\n<p><b>PhantomMail &#8211; spear-phishing via email<\/b><\/p>\n<p>Since August 2025, the group has conducted at least six distinct spear-phishing campaigns. Spear-phishing e-mails sent to targeted victims typically contained links to malicious ZIP or RAR archives hosted on third-party file-sharing services such as Google Drive and 4sync. The archives contained PyInstaller- or JavaScript-based loaders that launched a decoy (e.g. a PDF document or an error pop-up) while initiating the PhantomRelay infection chain in the background. Lures impersonated a range of Ukrainian entities, including a Kyiv City Council official, a Ukrainian energy company, the Main Directorate of the State Emergency Service of Ukraine, and the State Service of Special Communications and Information Protection of Ukraine.<\/p>\n<figure><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-10943 aligncenter\" src=\"https:\/\/www.withsecure.com\/wp-content\/uploads\/2026\/05\/figure-2.webp\" alt=\"\" width=\"652\" height=\"630\" srcset=\"https:\/\/www.withsecure.com\/wp-content\/uploads\/2026\/05\/figure-2.webp 652w, https:\/\/www.withsecure.com\/wp-content\/uploads\/2026\/05\/figure-2-300x290.webp 300w, https:\/\/www.withsecure.com\/wp-content\/uploads\/2026\/05\/figure-2-447x432.webp 447w, https:\/\/www.withsecure.com\/wp-content\/uploads\/2026\/05\/figure-2-151x146.webp 151w\" sizes=\"auto, (max-width: 652px) 100vw, 652px\" \/><figcaption>Figure 2. Example of decoy PDF document dropped and launched<\/figcaption><\/figure>\n<p><b>PhantomClick &#8211; ClickFix via fake CAPTCHA pages<\/b><\/p>\n<p>In early October 2025, the group briefly experimented with ClickFix-style fake CAPTCHA pages for initial malware delivery. Associated domains masqueraded as Zoom conference and LAPAS (Latvian Platform for Development Cooperation) websites. 
Once landed on the site, victims were instructed, in Ukrainian, to run commands under the pretext of completing a Cloudflare-themed security verification process, while the executed command initiated a PhantomRelay infection chain in the background. The fake sites also implemented decoy redirection to legitimate destinations, likely to reinforce the appearance of a normal verification process.<\/p>\n<figure><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-large wp-image-10944 aligncenter\" src=\"https:\/\/www.withsecure.com\/wp-content\/uploads\/2026\/05\/figure-3-1024x526.webp\" alt=\"\" width=\"1024\" height=\"526\" srcset=\"https:\/\/www.withsecure.com\/wp-content\/uploads\/2026\/05\/figure-3-1024x526.webp 1024w, https:\/\/www.withsecure.com\/wp-content\/uploads\/2026\/05\/figure-3-300x154.webp 300w, https:\/\/www.withsecure.com\/wp-content\/uploads\/2026\/05\/figure-3-768x395.webp 768w, https:\/\/www.withsecure.com\/wp-content\/uploads\/2026\/05\/figure-3-447x230.webp 447w, https:\/\/www.withsecure.com\/wp-content\/uploads\/2026\/05\/figure-3-284x146.webp 284w, https:\/\/www.withsecure.com\/wp-content\/uploads\/2026\/05\/figure-3.webp 1518w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption>Figure 3. Example of fake captcha site and prompted instructions (Ukrainian)<\/figcaption><\/figure>\n<p><b>PrincessClub &#8211; fake Ukrainian adult-club websites<\/b><\/p>\n<p>A notable and persistent campaign, tracked as PrincessClub, used fake Ukrainian adult-club websites to deliver FallSpy on Android and PhantomRelayV1 or LegionRelay on Windows. Confirmed victimology included Ukrainian combatants, with many victims located in Kharkiv, Ukraine. The sites included victim-facing functionality intended to appear legitimate, while the infection chain executed in the background. 
The group has used fake female personas on Telegram, including via local dating channels, to build trust with victims before directing them to the lure sites or delivering malware directly. Later iterations of the lure sites introduced a WebRTC-based live call feature, accessible only post-infection, that could capture victim audio and video, turning the lure site from a static decoy into a potential human intelligence (HUMINT) collection mechanism.<\/p>\n<figure><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-large wp-image-10945 aligncenter\" src=\"https:\/\/www.withsecure.com\/wp-content\/uploads\/2026\/05\/figure-4-1024x768.webp\" alt=\"\" width=\"1024\" height=\"768\" srcset=\"https:\/\/www.withsecure.com\/wp-content\/uploads\/2026\/05\/figure-4-1024x768.webp 1024w, https:\/\/www.withsecure.com\/wp-content\/uploads\/2026\/05\/figure-4-300x225.webp 300w, https:\/\/www.withsecure.com\/wp-content\/uploads\/2026\/05\/figure-4-768x576.webp 768w, https:\/\/www.withsecure.com\/wp-content\/uploads\/2026\/05\/figure-4-1536x1152.webp 1536w, https:\/\/www.withsecure.com\/wp-content\/uploads\/2026\/05\/figure-4-447x335.webp 447w, https:\/\/www.withsecure.com\/wp-content\/uploads\/2026\/05\/figure-4-195x146.webp 195w, https:\/\/www.withsecure.com\/wp-content\/uploads\/2026\/05\/figure-4.webp 1600w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption>Figure 4. PrincessClub site offering Android and Windows client download<\/figcaption><\/figure>\n<p>&nbsp;<\/p>\n<h2 class=\"text--h4\">Other associated activity<\/h2>\n<p><b>DroneLink &#8211; drone-themed charity lures<\/b><\/p>\n<p>In March and April 2026, we observed an operational overlap between PrincessClub and a campaign leveraging websites masquerading as charitable foundations supporting the Armed Forces of Ukraine (FPV drones, UAVs, and related initiatives). 
Overlaps included shared C2 infrastructure, shared post-compromise tooling such as WireGuard and ZAPiXDESK, and DAYLIGHT-obfuscated LegionRelay scripts hosted on the charity sites. Although these overlaps strongly suggest the activity is closely associated with GREYVIBE, WithSecure continues to separately monitor and further investigate activity associated with DroneLink, its lineage, and its association with GREYVIBE.<\/p>\n<figure><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-large wp-image-10946 aligncenter\" src=\"https:\/\/www.withsecure.com\/wp-content\/uploads\/2026\/05\/figure-5-1024x768.webp\" alt=\"\" width=\"1024\" height=\"768\" srcset=\"https:\/\/www.withsecure.com\/wp-content\/uploads\/2026\/05\/figure-5-1024x768.webp 1024w, https:\/\/www.withsecure.com\/wp-content\/uploads\/2026\/05\/figure-5-300x225.webp 300w, https:\/\/www.withsecure.com\/wp-content\/uploads\/2026\/05\/figure-5-768x576.webp 768w, https:\/\/www.withsecure.com\/wp-content\/uploads\/2026\/05\/figure-5-1536x1152.webp 1536w, https:\/\/www.withsecure.com\/wp-content\/uploads\/2026\/05\/figure-5-447x335.webp 447w, https:\/\/www.withsecure.com\/wp-content\/uploads\/2026\/05\/figure-5-195x146.webp 195w, https:\/\/www.withsecure.com\/wp-content\/uploads\/2026\/05\/figure-5.webp 1600w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption>Figure 5. Frontpage of one of the fake charity domains used in the DroneLink campaign (frontforce[.]org)<\/figcaption><\/figure>\n<p><b>Nebo &#8211; a Russian-language lure<\/b><\/p>\n<p>A smaller cluster of artefacts highly likely associated with GREYVIBE were found masquerading as \u201c\u0421\u041f\u041e \u041d\u0415\u0411\u041e\u201d (transliterated as \u201cSPO NEBO\u201d). These include a FallSpy sample mimicking a Russian-language login screen and a similar fake login page hosted on PrincessClub infrastructure. 
Both referenced hard-coded telephone exchange (\u201cATC-P\u201d) numbers consistent with secure communications systems primarily used in Russian military and defence settings. The intended victimology of this activity remains unclear. However, the most plausible hypothesis is that the lure was designed to deceive Ukrainian military personnel by presenting the illusion of access to a Russian military terminal.<\/p>\n<figure><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-large wp-image-10947 aligncenter\" src=\"https:\/\/www.withsecure.com\/wp-content\/uploads\/2026\/05\/figure-6-1024x409.webp\" alt=\"\" width=\"1024\" height=\"409\" srcset=\"https:\/\/www.withsecure.com\/wp-content\/uploads\/2026\/05\/figure-6-1024x409.webp 1024w, https:\/\/www.withsecure.com\/wp-content\/uploads\/2026\/05\/figure-6-300x120.webp 300w, https:\/\/www.withsecure.com\/wp-content\/uploads\/2026\/05\/figure-6-768x307.webp 768w, https:\/\/www.withsecure.com\/wp-content\/uploads\/2026\/05\/figure-6-1536x614.webp 1536w, https:\/\/www.withsecure.com\/wp-content\/uploads\/2026\/05\/figure-6-447x179.webp 447w, https:\/\/www.withsecure.com\/wp-content\/uploads\/2026\/05\/figure-6-365x146.webp 365w, https:\/\/www.withsecure.com\/wp-content\/uploads\/2026\/05\/figure-6.webp 1920w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption>Figure 6. SPO NEBO fake login page and post-authentication \u201cupdate\u201d progress screens<\/figcaption><\/figure>\n<p>&nbsp;<\/p>\n<h2 class=\"text--h4\">AI as an operational enabler<\/h2>\n<p>One of the most notable aspects of GREYVIBE\u2019s activity is their apparent systematic use of generative AI and large language models across the attack lifecycle. 
We identified strong indicators suggesting the group has used several AI platforms including: Ideogram AI, ChatGPT, and Google Gemini.<\/p>\n<p>Observed indicators suggest AI-assisted activity across:<\/p>\n<ul>\n<li><b>Lure development<\/b>, including the generation of images used in the PrincessClub campaign and the development of lure sites associated with PrincessClub and PhantomClick.<\/li>\n<li><b>Resource development<\/b>, including the development of obfuscation and loader scripts (LOOKVALJS, DAYLIGHT, TEASOUP), full-stack development of LegionRelay, and backend infrastructure setup and configuration.<\/li>\n<li><b>Post-compromise activity<\/b>, including the generation of post-compromise commands, scripts, and tooling delivered through PhantomRelay and LegionRelay.<\/li>\n<\/ul>\n<figure><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-10948 aligncenter\" src=\"https:\/\/www.withsecure.com\/wp-content\/uploads\/2026\/05\/figure-7.webp\" alt=\"\" width=\"890\" height=\"548\" srcset=\"https:\/\/www.withsecure.com\/wp-content\/uploads\/2026\/05\/figure-7.webp 890w, https:\/\/www.withsecure.com\/wp-content\/uploads\/2026\/05\/figure-7-300x185.webp 300w, https:\/\/www.withsecure.com\/wp-content\/uploads\/2026\/05\/figure-7-768x473.webp 768w, https:\/\/www.withsecure.com\/wp-content\/uploads\/2026\/05\/figure-7-447x275.webp 447w, https:\/\/www.withsecure.com\/wp-content\/uploads\/2026\/05\/figure-7-237x146.webp 237w\" sizes=\"auto, (max-width: 890px) 100vw, 890px\" \/><figcaption>Figure 7. Examples of LLM markers present across images used by GREYVIBE<\/figcaption><\/figure>\n<p>WithSecure assesses that this usage is likely deliberate and operationally integrated rather than isolated or experimental. 
The group\u2019s use of AI may serve several purposes:<\/p>\n<ul>\n<li>Bridging technical capability gaps.<\/li>\n<li>Accelerating development and operational tempo.<\/li>\n<li>Reducing reliance on historically reused malware, code patterns, or tooling that could support attribution.<\/li>\n<\/ul>\n<p>This may also complicate continuous threat tracking and attribution. If an actor can frequently generate, refactor, or replace components of its operational footprint with AI assistance, traditional clustering methods based on stable technical artefacts may become less reliable over time.<\/p>\n<p>&nbsp;<\/p>\n<h2 class=\"text--h4\">Custom malware, loaders, and obfuscators<\/h2>\n<p>The group has relied on a small set of custom-developed malware and obfuscators across their campaigns.<\/p>\n<p><b>PhantomRelay<\/b><\/p>\n<p>PhantomRelay is a PowerShell-based RAT that uses a two-stage execution chain: a fingerprinting script, followed by the main RAT client. The RAT uses WebSockets to communicate with its C2 and supports execution of both PowerShell scripts and Windows commands. Despite its limited native functionality, the RAT is modular in design. Its capabilities are extended through additional PowerShell scripts delivered by the C2 and dynamically executed on the victim machine.<\/p>\n<p>We initially assessed that PhantomRelay was custom-developed and exclusively associated with GREYVIBE; however, subsequent analysis identified the same malware in use across additional, seemingly unrelated cybercrime activity clusters. 
To distinguish these uses we track three variants:<\/p>\n<ol>\n<li><b>PhantomRelayLite<\/b>, a base variant observed across both GREYVIBE\u2019s early development activity and the cybercrime clusters (including a Microsoft Teams voice-phishing intrusion set, and a KongTuke ClickFix delivery chain).<\/li>\n<li><b>PhantomRelayV1<\/b>, the first operational variant developed and weaponised by GREYVIBE, distinguished by a custom watchdog persistence mechanism, a shift from the SAWDUST and CRUDEDUST obfuscators to the group\u2019s own DAYLIGHT obfuscator, as well as distinct C2 infrastructure.<\/li>\n<li><b>PhantomRelayV2<\/b>, the second operational variant developed and weaponised by GREYVIBE, which reconstructs the malware while preserving its core functionality.<\/li>\n<\/ol>\n<p>We cannot at present ascertain the origin of PhantomRelayLite; nevertheless, its appearance across multiple cybercrime clusters places GREYVIBE in close proximity to the cybercrime ecosystem.<\/p>\n<figure><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-large wp-image-10949 aligncenter\" src=\"https:\/\/www.withsecure.com\/wp-content\/uploads\/2026\/05\/figure-8-1024x336.webp\" alt=\"\" width=\"1024\" height=\"336\" srcset=\"https:\/\/www.withsecure.com\/wp-content\/uploads\/2026\/05\/figure-8-1024x336.webp 1024w, https:\/\/www.withsecure.com\/wp-content\/uploads\/2026\/05\/figure-8-300x98.webp 300w, https:\/\/www.withsecure.com\/wp-content\/uploads\/2026\/05\/figure-8-768x252.webp 768w, https:\/\/www.withsecure.com\/wp-content\/uploads\/2026\/05\/figure-8-1536x504.webp 1536w, https:\/\/www.withsecure.com\/wp-content\/uploads\/2026\/05\/figure-8-447x147.webp 447w, https:\/\/www.withsecure.com\/wp-content\/uploads\/2026\/05\/figure-8-445x146.webp 445w, https:\/\/www.withsecure.com\/wp-content\/uploads\/2026\/05\/figure-8.webp 1920w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption>Figure 8. 
Perceived relationship between PhantomRelay variants and associated activity clusters<\/figcaption><\/figure>\n<p><b>FallSpy<\/b><\/p>\n<p>FallSpy is an Android spyware first observed in August 2025. It has been observed across several GREYVIBE-associated campaigns, including PrincessClub and Nebo.<\/p>\n<p>The malware presents decoy content to the victim while covertly collecting and exfiltrating information from the victim\u2019s device, including contacts, call logs, installed applications, SIM-linked phone numbers, device and network information, Wi-Fi SSID, last-known location, public IP, and media files. Based on its functionality and deployment context, FallSpy appears to be developed for surveillance and intelligence-gathering objectives.<\/p>\n<p><b>LegionRelay<\/b><\/p>\n<p>LegionRelay is a lightweight PowerShell-based RAT that communicates with its command-and-control server through REST API methods. Although the client-side implementation is limited to executing operator-issued PowerShell commands, the broader capability set is realised through operator-staged scripts deployed during post-compromise activity.<\/p>\n<p>WithSecure observed operators using LegionRelay for file enumeration, file exfiltration, screenshot capture, browser data theft, Telegram and WhatsApp data exfiltration, RDP access setup, among other actions.<\/p>\n<p><b>Custom obfuscators<\/b><\/p>\n<p>The group has developed and rotated through several custom obfuscators and loaders: LOOKVALPS (PowerShell), LOOKVALJS (JavaScript), DAYLIGHT (PowerShell), and TEASOUP (JavaScript).<\/p>\n<p>DAYLIGHT, in active use from October 2025, likely replaced LOOKVALPS and was routinely applied to both initial-stage and post-compromise payloads. 
TEASOUP, observed from March 2026, similarly succeeded LOOKVALJS.<\/p>\n<p>We assess with moderate-to-high confidence that all four were custom-developed by the group, and with moderate confidence that several were developed with LLM assistance.<\/p>\n<p>&nbsp;<\/p>\n<h2 class=\"text--h4\">The blurred lines of attribution<\/h2>\n<p>WithSecure found associated operators and developers are Russian-speaking and operate within the Russian (Moscow) time zone. This assessment is supported by converging indicators, including:<\/p>\n<ul>\n<li>The prevalence of Russian-language comments across development, backend, and code artefacts<\/li>\n<li>Russian-language administrative panels for FallSpy, LegionRelay, and PrincessClub.<\/li>\n<li>Operator- and developer-linked machines configured to the Russian locale and UTC+3 (Moscow time)<\/li>\n<li>C2 servers similarly configured to UTC+3<\/li>\n<li>Evidence of operators communicating in Russian and translating between Russian and Ukrainian.<\/li>\n<\/ul>\n<p>Analysis of operator post-compromise activity over several months further showed patterns consistent with Moscow working hours.<\/p>\n<figure><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-large wp-image-10950 aligncenter\" src=\"https:\/\/www.withsecure.com\/wp-content\/uploads\/2026\/05\/figure-9-1024x558.webp\" alt=\"\" width=\"1024\" height=\"558\" srcset=\"https:\/\/www.withsecure.com\/wp-content\/uploads\/2026\/05\/figure-9-1024x558.webp 1024w, https:\/\/www.withsecure.com\/wp-content\/uploads\/2026\/05\/figure-9-300x164.webp 300w, https:\/\/www.withsecure.com\/wp-content\/uploads\/2026\/05\/figure-9-768x419.webp 768w, https:\/\/www.withsecure.com\/wp-content\/uploads\/2026\/05\/figure-9-447x244.webp 447w, https:\/\/www.withsecure.com\/wp-content\/uploads\/2026\/05\/figure-9-268x146.webp 268w, https:\/\/www.withsecure.com\/wp-content\/uploads\/2026\/05\/figure-9.webp 1381w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption>Figure 9. 
Operator post-compromise activity grouped by hour of day (UTC+3)<\/figcaption><\/figure>\n<p>Moreover, we assess with high confidence that GREYVIBE\u2019s activities align with Russian state interests, particularly intelligence-gathering objectives in the context of the ongoing Russia-Ukraine war. This assessment is supported by the group\u2019s primary focus on Ukrainian targets, the nature of the lures and victimology observed, and the actions on objectives identified during post-compromise activity.<\/p>\n<p>At the same time, several indicators align more closely with cybercriminal actors than with traditional nation-state operations, including:<\/p>\n<ul>\n<li>Suspected access to and use of a unique ISO builder across early development samples, potentially linked to the <a href=\"https:\/\/www.ibm.com\/think\/x-force\/trickbot-group-systematically-attacking-ukraine\" target=\"_blank\" rel=\"noopener\">TrickBot ecosystem<\/a>\u00a0and <a href=\"https:\/\/cert.gov.ua\/article\/39934\" target=\"_blank\" rel=\"noopener\">UAC-0098<\/a>\u00a0 (an activity cluster likely involving former TrickBot members previously observed targeting Ukraine)<\/li>\n<li>The presence of PhantomRelay variants across seemingly unrelated cybercrime activity clusters<\/li>\n<li>Development and test samples being uploaded to public platforms such as VirusTotal<\/li>\n<li>The use of Internet slang-based naming conventions across early-stage development artefacts (for example, \u201cletsrollboyos,\u201d \u201ctotallyunsus,\u201d \u201ccuteuwu\u201d)<\/li>\n<li>The deployment of an XMRig miner payload on a small number of LegionRelay-infected machines.<\/li>\n<\/ul>\n<p>Taken together, we assess with moderate confidence that the group has ties to the broader cybercrime ecosystem, and with low-to-moderate confidence that it involves current or former cybercriminal members. 
The exact nature of their relationship to the Russian state remains unclear; it is not known whether such members have been absorbed into a state-backed group, operate independently under state-directed tasking, or have formed a hybrid team. There is established <a href=\"https:\/\/cloud.google.com\/blog\/topics\/threat-intelligence\/cybercrime-multifaceted-national-security-threat\" target=\"_blank\" rel=\"noopener\">precedent<\/a> for Russian intelligence services leveraging or co-opting cybercriminal groups in support of state objectives.<\/p>\n<p>While certain technical overlaps suggest proximity to UAC-0098, there is at present insufficient evidence to assess that GREYVIBE represents a direct continuation or reconstitution of that cluster. This hypothesis is therefore assessed as low likelihood, but it warrants further investigation.<\/p>\n<p>&nbsp;<\/p>\n<h2 class=\"text--h4\">Conclusion<\/h2>\n<p>GREYVIBE represents a persistent Russia-nexus threat operating primarily against Ukrainian targets, leveraging a broad range of delivery vectors and a small family of custom-developed malware, loaders, and obfuscators.<\/p>\n<p>The group\u2019s operations align with Russian state interests but do not consistently exhibit the operational maturity associated with more seasoned adversaries, and indicators also suggest ties to the broader cybercrime ecosystem. The group occupies a grey area between cybercrime and state-affiliated activity, complicating attribution efforts and blurring traditional distinctions between these categories.<\/p>\n<p>The group\u2019s extensive use of GenAI and LLMs is a notable aspect of its tradecraft. GREYVIBE appears to use AI not only for isolated development tasks, but across multiple operational phases. This likely enables the group to compensate for capability gaps, accelerate development cycles, and potentially reduce historical backlinks to prior activity. 
Given this extensive use, we expect the group\u2019s tradecraft to continue evolving and diversifying, likely increasing the complexity of continuous detection, tracking, and attribution.<\/p>\n<p>At the time of writing, WithSecure has not identified definitive links between GREYVIBE and any previously tracked threat group. WithSecure continues to monitor the group, its associated campaigns, and potential links to other activity clusters.<\/p>\n<p>A full list of Indicators of Compromise and associated YARA rules can be found in <a href=\"https:\/\/github.com\/WithSecureLabs\/iocs\/tree\/master\/GREYVIBE\/\" target=\"_blank\" rel=\"noopener\">WithSecure\u2019s GitHub<\/a><\/p>\n<\/div>\n<section\n    class=\"wp-block-sharing-icons edwp-block wp-block-sharing-icons--disable-border wp-block-sharing-icons--disable-container wp-block-two-column-block__share wp-block-two-column-block__mobile-after-right wp-block-two-column-block__share wp-block-two-column-block__mobile-after-right\"\n    >\n    <div class=\"wp-block-sharing-icons__container\">\n        <div class=\"wp-block-sharing-icons__inner\">\n                            <p class=\"wp-block-sharing-icons__title fade-in\">\n                    Share this story                <\/p>\n                        <div class=\"wp-component-socials wp-component-socials--dark-mode\">\n    \n            <a href=\"https:\/\/www.linkedin.com\/shareArticle?mini=true&#038;url=https:\/\/www.withsecure.com\/en\/resources-hub\/w-labs\/greyvibe\/&#038;title=GREYVIBE:%20A%20Russia-nexus%20group%20leveraging%20AI%20across%20state-aligned%20operations\" target=\"_blank\" rel=\"noreferer noopener\" class=\"wp-component-socials__link\" title=\"Share on Linkedin\">\n            <svg class='edwp-icon edwp-icon--xlg js-icon ' aria-hidden='true'>\n                <use xlink:href='#linkedin'><\/use>\n            <\/svg>        <\/a>\n    \n            <a href=\"http:\/\/x.com\/share?text=GREYVIBE: A Russia-nexus group leveraging AI across 
class=\"wp-component-card-insight__desc\">Source: https:\/\/labs.withsecure.com\/publications\/darkgate-rises<\/p>\n                            <div class=\"wp-component-card-insight__button-wrapper\">\n                <a class=\"wp-component-button btn btn--primary wp-component-card-insight__button btn--small\" href=\"https:\/\/www.withsecure.com\/en\/resources-hub\/w-labs\/darkgate-rises\/\">Read more<\/a>            <\/div>\n            <\/div>\n<\/div>                        <\/div>\n                                    <\/div>\n                <div class=\"wp-block-cards__nav fade-in\">\n                    <div class=\"wp-block-cards__pagination js-wp-block-cards-pagination\">\n                    <\/div>\n                    <div class=\"wp-block-cards__nav-arrow js-wp-block-cards-nav-prev\">\n                        <svg class='edwp-icon edwp-icon--reg js-icon ' aria-hidden='true'>\n                <use xlink:href='#chevron'><\/use>\n            <\/svg>                    <\/div>\n                    <div class=\"wp-block-cards__nav-arrow js-wp-block-cards-nav-next\">\n                        <svg class='edwp-icon edwp-icon--reg js-icon ' aria-hidden='true'>\n                <use xlink:href='#chevron'><\/use>\n            <\/svg>                    <\/div>\n                <\/div>\n            <\/div>\n                                    <\/div>\n<\/section>\n","protected":false},"excerpt":{"rendered":"","protected":false},"author":3,"featured_media":0,"template":"","categories":[273,231,269],"labs_content_type":[221],"class_list":["post-10930","lab_item","type-lab_item","status-publish","hentry","category-ai-security","category-software-protection","category-threat-intelligence"],"acf":[],"card":"<div class=\"wp-component-card-insight js-card-link wp-component-card-insight--highlighted\">\n    <div class=\"wp-component-card-insight__image-wrapper\">\n        <img width=\"618\" height=\"440\" 
src=\"https:\/\/www.withsecure.com\/wp-content\/uploads\/2026\/05\/placeholder.jpg\" class=\"wp-component-card-insight__image\" alt=\"\" decoding=\"async\" loading=\"lazy\" srcset=\"https:\/\/www.withsecure.com\/wp-content\/uploads\/2026\/05\/placeholder.jpg 618w, https:\/\/www.withsecure.com\/wp-content\/uploads\/2026\/05\/placeholder-300x214.jpg 300w, https:\/\/www.withsecure.com\/wp-content\/uploads\/2026\/05\/placeholder-447x318.jpg 447w, https:\/\/www.withsecure.com\/wp-content\/uploads\/2026\/05\/placeholder-205x146.jpg 205w\" sizes=\"auto, (max-width: 618px) 100vw, 618px\" \/>                    <p class=\"wp-component-card-insight__content-type\">Publications<\/p>\n            <\/div>\n    <div class=\"wp-component-card-insight__content\">\n                    <div class=\"wp-component-card-insight__meta\">\n                <div class=\"wp-component-card-insight__categories\">\n                                            <span class=\"wp-component-card-insight__category\">AI Security<\/span>\n                                            <span class=\"wp-component-card-insight__category\">Software Protection<\/span>\n                                            <span class=\"wp-component-card-insight__category\">Threat Intelligence<\/span>\n                                    <\/div>\n            <\/div>\n                            <h3 class=\"wp-component-card-insight__title\">GREYVIBE: A Russia-nexus group leveraging AI across state-aligned operations<\/h3>\n                                    <p class=\"wp-component-card-insight__read-time\">15<\/p>\n                                    <div class=\"wp-component-card-insight__button-wrapper\">\n                <a class=\"wp-component-button btn btn--primary btn--dark wp-component-card-insight__button btn--small\" href=\"https:\/\/www.withsecure.com\/en\/resources-hub\/w-labs\/greyvibe\/\">Read more<\/a>            <\/div>\n            
<\/div>\n<\/div>","_links":{"self":[{"href":"https:\/\/www.withsecure.com\/en\/wp-json\/wp\/v2\/lab_item\/10930","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.withsecure.com\/en\/wp-json\/wp\/v2\/lab_item"}],"about":[{"href":"https:\/\/www.withsecure.com\/en\/wp-json\/wp\/v2\/types\/lab_item"}],"author":[{"embeddable":true,"href":"https:\/\/www.withsecure.com\/en\/wp-json\/wp\/v2\/users\/3"}],"wp:attachment":[{"href":"https:\/\/www.withsecure.com\/en\/wp-json\/wp\/v2\/media?parent=10930"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.withsecure.com\/en\/wp-json\/wp\/v2\/categories?post=10930"},{"taxonomy":"labs_content_type","embeddable":true,"href":"https:\/\/www.withsecure.com\/en\/wp-json\/wp\/v2\/labs_content_type?post=10930"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}