Skip to main content
Meet us at Black Hat USA 2026— Las Vegas, August 1–6Book a Meeting
Mallory
Back to malware
MalwareUsed by 1 actor

LegionRelay

LegionRelay is a lightweight PowerShell-based remote access trojan (RAT) / REST client associated with the GREYVIBE threat actor. It communicates with command-and-control infrastructure via REST API methods and has been used in campaigns targeting Ukrainian and broader Eastern European entities since at least 2025. Reported capabilities include file enumeration and theft, file exfiltration, screenshot capture, browser data theft, Telegram and WhatsApp data exfiltration or messaging database enumeration, and setup of RDP access. GREYVIBE delivered LegionRelay through multiple social-engineering-driven intrusion chains, including fake Ukrainian adult-club websites in the PrincessClub campaign and charity-themed websites posing as foundations supporting the Armed Forces of Ukraine in the DroneLink campaign, where it was delivered alongside WireGuard VPN software. Victim sectors attributed to GREYVIBE activity include military, government, civilian, and business organizations, with confirmed Ukrainian combatants among targets in related campaigns. WithSecure reported design flaws in LegionRelay that exposed limited backend functionality and enabled extended monitoring of GREYVIBE activity, and assessed that the malware was likely developed with assistance from generative AI / LLM tools.

Share:
For your environment

Hunt this family in your stack

Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.

Start free trial
THREAT ACTORS

Groups observed using it

1 distinct threat actor attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.

View more details
GREYVIBE

Alternatively, the actors deploy a lightweight REST client called LegionRelay . This compact binary facilitates file theft, screenshot extraction, and messaging database enumeration .

via security online infosecurityonline.info
MITRE ATT&CK

Techniques & procedures

17 distinct techniques documented for this family, organized by ATT&CK tactic.

Reconnaissance

1 technique
T1598Phishing for InformationEvidence1

The group has used fake female personas on Telegram, including via local dating channels, to build trust with victims before directing them to the lure sites or delivering malware directly.

Resource Development

1 technique
T1587Develop CapabilitiesEvidence1

Observed indicators suggest AI-assisted activity across: Resource development, including the development of obfuscation and loader scripts (LOOKVALJS, DAYLIGHT, TEASOUP), full-stack development of LegionRelay, and backend infrastructure setup and configuration.

Initial Access

2 techniques
T1189Drive-by CompromiseEvidence2

A notable and persistent campaign, tracked as PrincessClub, used fake Ukrainian adult-club websites to deliver FallSpy on Android and PhantomRelayV1 or LegionRelay on Windows.

T1566.001Spearphishing AttachmentEvidence1

Initially, the threat actors initiated at least six unique email-based campaigns. These malicious messages deliver dangerous compression archives hosted on popular public storage services. Furthermore, the files contain automated script loaders that deploy localized documents.

Execution

2 techniques
T1059.001PowerShellEvidence2

PhantomRelay, a PowerShell-based remote access trojan (RAT) designed to profile the host and run PowerShell scripts and Windows commands.

T1204User ExecutionEvidence2

Subsequently, the interface instructs landing users to execute localized commands. These commands quietly spawn the primary backdoor client while redirecting users to safe destinations.

Stealth

2 techniques
T1027Obfuscated Files or InformationEvidence2

Across these campaigns, the group has relied on custom developed obfuscators, loaders, and malware... WithSecure found evidence of AI assistance across multiple parts of the operation... obfuscation scripts...

T1036MasqueradingEvidence2

PhantomClick uses fake CAPTCHA pages impersonating Zoom and LAPAS... DroneLink uses websites posing as charitable foundations supporting the Ukrainian military... Nebo uses a FallSpy sample designed to mimic a Russian military login screen...

Credential Access

2 techniques
T1539Steal Web Session CookieEvidence1

WithSecure observed operators using LegionRelay for file enumeration, file exfiltration, screenshot capture, browser data theft, Telegram and WhatsApp data exfiltration, RDP access setup, among other actions.

T1555.003Credentials from Web BrowsersEvidence1

LegionRelay is a lightweight PowerShell-based RAT that supports ... browser data theft...

Discovery

1 technique
T1083File and Directory DiscoveryEvidence2

WithSecure observed operators using LegionRelay for file enumeration, file exfiltration, screenshot capture, browser data theft, Telegram and WhatsApp data exfiltration, RDP access setup, among other actions.

Lateral Movement

1 technique
T1021.001Remote Desktop ProtocolEvidence2

LegionRelay is a lightweight PowerShell-based RAT that supports ... RDP access setup.

Collection

1 technique
T1113Screen CaptureEvidence3

This compact binary facilitates file theft, screenshot extraction, and messaging database enumeration.

Command and Control

2 techniques
T1071.001Web ProtocolsEvidence2

This client establishes secure websocket connections to interact with command servers. Alternatively, the actors deploy a lightweight REST client called LegionRelay.

T1105Ingress Tool TransferEvidence1

DroneLink uses websites posing as charitable foundations supporting the Ukrainian military to deliver WireGuard VPN software alongside a lightweight RAT called LegionRelay.

Exfiltration

1 technique
T1041Exfiltration Over C2 ChannelEvidence2

LegionRelay is a lightweight PowerShell-based RAT that supports ... file exfiltration, screenshot capture, browser data theft, Telegram and WhatsApp data exfiltration...

Impact

1 technique
T1496Resource HijackingEvidence1

The deployment of XMRig miner on a small number of LegionRelay-infected machines

INDICATORS OF COMPROMISE

IOCs tracked for this family

1 indicator attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.

View more in app
Network
1 tracked

IPs, domains, and DNS infrastructure linked to this family.

TypeValueLatest sighting
domain●●●●●●●●●●●●View more in app1 month ago
ACTIVITY FEED

Recent activity

5 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

5 SOURCESView more in app
security online infoNews
Jun 3, 2026
GREYVIBE Threat Actor Group: Russia Nexus Threat

A lightweight REST-based backdoor/client used for data theft, screenshot capture, and messaging database enumeration. The report also notes likely LLM-assisted development and obfuscation-related design flaws.

Read more
security affairsNews
May 29, 2026
Meet GREYVIBE, the Russian-Linked Hacking Group Using AI to Target Ukraine and Still Making Rookie Mistakes

A lightweight remote access trojan delivered alongside WireGuard through fake charity-themed websites; researchers noted design flaws that exposed backend functionality.

Read more
the hacker newsNews
May 29, 2026
New Russian-Linked GREYVIBE Targets Ukraine with AI-Powered Cyberattacks

A lightweight PowerShell RAT used by GREYVIBE that supports file enumeration and exfiltration, screenshot capture, browser credential/data theft, Telegram and WhatsApp data theft, and RDP access setup.

Read more
register securityNews
May 29, 2026
Russia-linked threat group put ChatGPT to work from lure to payload

Malware used by the GREYVIBE threat group in operations targeting Ukrainian entities; design flaws exposed parts of its backend infrastructure. The report suggests it may have been developed with LLM assistance.

Read more
+1 more in the timeline
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets match these IOCs, which detections are missing, which campaigns to expect next, and what to do in the next 30 minutes.
Start free trial
IOC matching1

Match every observed IP, domain, and hash against your live telemetry.

Threat actor attribution1

Named campaigns wielding this family, with evidence pinned to each claim.

Exploited vulnerabilities

CVEs this family uses for access and lateral movement.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

MITRE ATT&CK mapping17

Every documented technique, ranked by evidence weight.

Researcher chatter

Reddit, Mastodon, and CTI community discussion around this family.