{
  "iim_version": "1.1",
  "chain_id": "withsecure.2026.greyvibe-phantommail-teasoup-phantomrelayv2",
  "title": "GREYVIBE PhantomMail: Ukrainian spear-phishing RAR to TEASOUP JS loader and PhantomRelayV2 C2 pool",
  "description": "WithSecure-attributed GREYVIBE PhantomMail lane. April 2026 spear-phishing likely impersonated Ukraine’s State Service of Special Communications and Information Protection, delivered Google Drive-hosted RAR archives, ran TEASOUP-obfuscated JavaScript loaders, and initiated PhantomRelayV2. Confirmed PhantomRelayV2 artifacts and C2 domains are taken from the original WithSecureLabs IOC repository. Exact URL/hash/C2 pairings that are not published are marked likely.",
  "actor_id": "GREYVIBE",
  "observed_at": "2026-04-30T00:00:00Z",
  "confidence": "likely",
  "needs_review": false,
  "import_source": "manual-osint-report-to-iim-conversion",
  "x_attribution": {
    "actor": "GREYVIBE",
    "attribution_source": "WithSecure",
    "confidence": "WithSecure tracks this activity as GREYVIBE and assesses Russia-nexus/state-aligned Ukraine-focused objectives.",
    "caveat": "WithSecure has not identified definitive links between GREYVIBE and any previously tracked threat group."
  },
  "x_source": {
    "title": "GREYVIBE: A Russia-nexus group leveraging AI across state-aligned operations",
    "publisher": "WithSecure Labs",
    "author": "Mohammad Kazem Hassan Nejad",
    "url": "https://labs.withsecure.com/publications/greyvibe",
    "pdf_url": "https://labs.withsecure.com/content/dam/labs/docs/WithSecure_GREYVIBE.pdf",
    "ioc_url": "https://github.com/WithSecureLabs/iocs/tree/master/GREYVIBE/",
    "ioc_raw_url": "https://raw.githubusercontent.com/WithSecureLabs/iocs/refs/heads/master/GREYVIBE/greyvibe_iocs.csv",
    "published_at": "2026-05-28",
    "analysis_cutoff": "2026-04-30",
    "accessed_at": "2026-05-31T19:14:15.240001+00:00",
    "source_type": "original vendor research report + original IOC repository",
    "source_policy": "Only WithSecure Labs report/PDF and WithSecureLabs IOC repository were used."
  },
  "x_source_urls": [
    "https://labs.withsecure.com/publications/greyvibe",
    "https://labs.withsecure.com/content/dam/labs/docs/WithSecure_GREYVIBE.pdf",
    "https://github.com/WithSecureLabs/iocs/tree/master/GREYVIBE/",
    "https://raw.githubusercontent.com/WithSecureLabs/iocs/refs/heads/master/GREYVIBE/greyvibe_iocs.csv"
  ],
  "x_resource_links_verified": [
    {
      "url": "https://labs.withsecure.com/publications/greyvibe",
      "status": "opened via web retrieval",
      "verified_at": "2026-05-31T19:14:15.240001+00:00",
      "notes": "Verified GREYVIBE actor tracking, Ukraine targeting, attack vectors, Russian-nexus attribution caveat."
    },
    {
      "url": "https://labs.withsecure.com/content/dam/labs/docs/WithSecure_GREYVIBE.pdf",
      "status": "opened via web retrieval",
      "verified_at": "2026-05-31T19:14:15.240001+00:00",
      "notes": "Verified PhantomMail and April 2026 RAR/Google Drive/TEASOUP/PhantomRelayV2 flow."
    },
    {
      "url": "https://raw.githubusercontent.com/WithSecureLabs/iocs/refs/heads/master/GREYVIBE/greyvibe_iocs.csv",
      "status": "opened via web retrieval",
      "verified_at": "2026-05-31T19:14:15.240001+00:00",
      "notes": "Verified selected hashes, e-mail addresses, PhantomRelayV2 script names, staging path, scheduled task and C2 domains."
    }
  ],
  "x_iocs": {
    "emails": [
      "office.cip.ua.gov@gmail.com",
      "office.gov.cips@gmail.com"
    ],
    "sha256": [
      "bd3f35b91bf83427e953d4cf531a0ee4b5ec9fc76b91700274effe0eba22510f",
      "2abb318455960b446d034967c8403ec4339ba248b946f02cb1307ed7e6f4e327",
      "ee144c883784c635ef84e0ae6a12b03553c1fd65646621f22d08511bd3e6d42a",
      "03beb07ce116a2a69f360dd3fab8c3aa55bb42ce580d43f1924642874e388efe"
    ],
    "domains": [
      "nycpartnersenterprise.com",
      "chiselworksenterprise.com",
      "newrentalsenterprise.com",
      "bluelagoonaenterprise.com",
      "heltaskeltahenterprise.com",
      "newequipmentsolutions.com"
    ],
    "filenames": [
      "RzUpdateManager.ps1",
      "RzTelemetry.ps1",
      "razer_update.log",
      "форма акта перевірки.XLS.js",
      "форма акта перевірки територій.rar"
    ]
  },
  "x_limitations": [
    "WithSecure does not publish a complete one-to-one mapping of every Google Drive URL to archive hash or loader to C2 domain. Those edges are marked likely.",
    "Sensitive victimology/actions on objectives omitted by WithSecure were not reconstructed.",
    "DroneLink and PrincessClub overlaps are not merged into this PhantomMail-focused chain."
  ],
  "entities": [
    {
      "id": "e001",
      "type": "email",
      "value": "office.cip.ua.gov@gmail.com / office.gov.cips@gmail.com",
      "observed_at": "2026-04-30T00:00:00Z",
      "source": "WithSecure GREYVIBE report + WithSecureLabs IOC repository",
      "evidence": [
        "WithSecure describes an April 2026 PhantomMail campaign likely impersonating Ukraine’s State Service of Special Communications and Information Protection.",
        "WithSecureLabs IOC CSV lists office.cip.ua.gov@gmail.com and office.gov.cips@gmail.com as PhantomMail spearphishing e-mail addresses used in April 2026."
      ],
      "x_reference_url": "https://raw.githubusercontent.com/WithSecureLabs/iocs/refs/heads/master/GREYVIBE/greyvibe_iocs.csv",
      "x_chain_stage": "spearphishing_sender_set"
    },
    {
      "id": "e002",
      "type": "url",
      "value": "Google Drive-hosted malicious RAR archives used in April 2026 PhantomMail",
      "observed_at": "2026-04-30T00:00:00Z",
      "source": "WithSecure GREYVIBE report + WithSecureLabs IOC repository",
      "evidence": [
        "WithSecure states the April 2026 campaign used malicious RAR archives hosted on Google Drive.",
        "WithSecureLabs IOC CSV lists multiple Google Drive file URLs as PhantomMail initial-stage malware download links."
      ],
      "x_reference_url": "https://labs.withsecure.com/content/dam/labs/docs/WithSecure_GREYVIBE.pdf",
      "x_google_drive_urls": [
        "https://drive.google.com/file/d/1RDXHPZtCzOXn6GN7UidXPo4qqZOA_UGd",
        "https://drive.google.com/file/d/12ffiBTWHm6GW8chJNIXuOeALPI82VnNs",
        "https://drive.google.com/file/d/1wkgvtTw_g5CvK84rWiHCr6HPZZb_OeKd",
        "https://drive.google.com/file/d/1aSIXJgZUT7AQEp5B_D7gyHRq74EFUxoz"
      ],
      "x_chain_stage": "trusted_file_hosting"
    },
    {
      "id": "e003",
      "type": "hash",
      "value": "bd3f35b91bf83427e953d4cf531a0ee4b5ec9fc76b91700274effe0eba22510f",
      "observed_at": "2026-04-30T00:00:00Z",
      "source": "WithSecureLabs GREYVIBE IOC repository",
      "evidence": [
        "WithSecureLabs IOC CSV identifies this SHA256 as PhantomMail: RAR - April 2026."
      ],
      "x_reference_url": "https://raw.githubusercontent.com/WithSecureLabs/iocs/refs/heads/master/GREYVIBE/greyvibe_iocs.csv",
      "x_file_role": "malicious_rar_archive",
      "x_chain_stage": "archive_container"
    },
    {
      "id": "e004",
      "type": "hash",
      "value": "2abb318455960b446d034967c8403ec4339ba248b946f02cb1307ed7e6f4e327",
      "observed_at": "2026-04-30T00:00:00Z",
      "source": "WithSecureLabs GREYVIBE IOC repository",
      "evidence": [
        "WithSecureLabs IOC CSV identifies this SHA256 as PhantomMail: JS loader (TEASOUPJS) - April 2026.",
        "WithSecure states April 2026 archives contained JavaScript files obfuscated with TEASOUP that displayed an error popup and executed PhantomRelayV2."
      ],
      "x_reference_url": "https://raw.githubusercontent.com/WithSecureLabs/iocs/refs/heads/master/GREYVIBE/greyvibe_iocs.csv",
      "x_file_role": "TEASOUP_obfuscated_JS_loader",
      "x_chain_stage": "loader"
    },
    {
      "id": "e005",
      "type": "file",
      "value": "PhantomRelayV2 watchdog / RzUpdateManager.ps1 / ee144c883784c635ef84e0ae6a12b03553c1fd65646621f22d08511bd3e6d42a",
      "observed_at": "2026-04-30T00:00:00Z",
      "source": "WithSecureLabs GREYVIBE IOC repository",
      "evidence": [
        "WithSecureLabs IOC CSV identifies ee144c883784c635ef84e0ae6a12b03553c1fd65646621f22d08511bd3e6d42a as PhantomRelayV2 persistence script obfuscated with DAYLIGHT and lists RzUpdateManager.ps1 as the watchdog filename."
      ],
      "x_reference_url": "https://raw.githubusercontent.com/WithSecureLabs/iocs/refs/heads/master/GREYVIBE/greyvibe_iocs.csv",
      "x_sha256": "ee144c883784c635ef84e0ae6a12b03553c1fd65646621f22d08511bd3e6d42a",
      "x_chain_stage": "persistence_watchdog"
    },
    {
      "id": "e006",
      "type": "file",
      "value": "PhantomRelayV2 RAT client / RzTelemetry.ps1 / 03beb07ce116a2a69f360dd3fab8c3aa55bb42ce580d43f1924642874e388efe",
      "observed_at": "2026-04-30T00:00:00Z",
      "source": "WithSecureLabs GREYVIBE IOC repository",
      "evidence": [
        "WithSecureLabs IOC CSV identifies 03beb07ce116a2a69f360dd3fab8c3aa55bb42ce580d43f1924642874e388efe as PhantomRelayV2 RAT client script obfuscated with DAYLIGHT and lists RzTelemetry.ps1 as the RAT client filename.",
        "WithSecure describes PhantomRelay as a PowerShell RAT using WebSockets to communicate with C2 and execute PowerShell scripts and Windows commands."
      ],
      "x_reference_url": "https://raw.githubusercontent.com/WithSecureLabs/iocs/refs/heads/master/GREYVIBE/greyvibe_iocs.csv",
      "x_sha256": "03beb07ce116a2a69f360dd3fab8c3aa55bb42ce580d43f1924642874e388efe",
      "x_chain_stage": "rat_client"
    },
    {
      "id": "e007",
      "type": "file",
      "value": "%LOCALAPPDATA%\\Razer Update staging directory + Razer Synapse Service Helper scheduled task",
      "observed_at": "2026-04-30T00:00:00Z",
      "source": "WithSecureLabs GREYVIBE IOC repository",
      "evidence": [
        "WithSecureLabs IOC CSV lists %LOCALAPPDATA%\\Razer Update as the PhantomRelayV2 staging directory, razer_update.log as a log file, and Razer Synapse Service Helper as the PhantomRelayV2 scheduled task name."
      ],
      "x_reference_url": "https://raw.githubusercontent.com/WithSecureLabs/iocs/refs/heads/master/GREYVIBE/greyvibe_iocs.csv",
      "x_chain_stage": "local_staging_and_persistence"
    },
    {
      "id": "e008",
      "type": "domain",
      "value": "nycpartnersenterprise.com",
      "observed_at": "2026-04-30T00:00:00Z",
      "source": "WithSecureLabs GREYVIBE IOC repository",
      "evidence": [
        "WithSecureLabs IOC CSV identifies nycpartnersenterprise.com as PhantomRelayV2 C2."
      ],
      "x_reference_url": "https://raw.githubusercontent.com/WithSecureLabs/iocs/refs/heads/master/GREYVIBE/greyvibe_iocs.csv",
      "x_chain_stage": "c2_domain"
    },
    {
      "id": "e009",
      "type": "domain",
      "value": "chiselworksenterprise.com",
      "observed_at": "2026-04-30T00:00:00Z",
      "source": "WithSecureLabs GREYVIBE IOC repository",
      "evidence": [
        "WithSecureLabs IOC CSV identifies chiselworksenterprise.com as PhantomRelayV2 C2."
      ],
      "x_reference_url": "https://raw.githubusercontent.com/WithSecureLabs/iocs/refs/heads/master/GREYVIBE/greyvibe_iocs.csv",
      "x_chain_stage": "c2_domain"
    },
    {
      "id": "e010",
      "type": "domain",
      "value": "newrentalsenterprise.com",
      "observed_at": "2026-04-30T00:00:00Z",
      "source": "WithSecureLabs GREYVIBE IOC repository",
      "evidence": [
        "WithSecureLabs IOC CSV identifies newrentalsenterprise.com as PhantomRelayV2 C2."
      ],
      "x_reference_url": "https://raw.githubusercontent.com/WithSecureLabs/iocs/refs/heads/master/GREYVIBE/greyvibe_iocs.csv",
      "x_chain_stage": "c2_domain"
    },
    {
      "id": "e011",
      "type": "domain",
      "value": "bluelagoonaenterprise.com",
      "observed_at": "2026-04-30T00:00:00Z",
      "source": "WithSecureLabs GREYVIBE IOC repository",
      "evidence": [
        "WithSecureLabs IOC CSV identifies bluelagoonaenterprise.com as PhantomRelayV2 C2."
      ],
      "x_reference_url": "https://raw.githubusercontent.com/WithSecureLabs/iocs/refs/heads/master/GREYVIBE/greyvibe_iocs.csv",
      "x_chain_stage": "c2_domain"
    },
    {
      "id": "e012",
      "type": "domain",
      "value": "heltaskeltahenterprise.com",
      "observed_at": "2026-04-30T00:00:00Z",
      "source": "WithSecureLabs GREYVIBE IOC repository",
      "evidence": [
        "WithSecureLabs IOC CSV identifies heltaskeltahenterprise.com as PhantomRelayV2 C2."
      ],
      "x_reference_url": "https://raw.githubusercontent.com/WithSecureLabs/iocs/refs/heads/master/GREYVIBE/greyvibe_iocs.csv",
      "x_chain_stage": "c2_domain"
    },
    {
      "id": "e013",
      "type": "domain",
      "value": "newequipmentsolutions.com",
      "observed_at": "2026-04-30T00:00:00Z",
      "source": "WithSecureLabs GREYVIBE IOC repository",
      "evidence": [
        "WithSecureLabs IOC CSV identifies newequipmentsolutions.com as PhantomRelayV2 C2."
      ],
      "x_reference_url": "https://raw.githubusercontent.com/WithSecureLabs/iocs/refs/heads/master/GREYVIBE/greyvibe_iocs.csv",
      "x_chain_stage": "c2_domain"
    }
  ],
  "chain": [
    {
      "entity_id": "e001",
      "role": "entry",
      "techniques": [],
      "role_confidence": "likely",
      "technique_confidence": "confirmed",
      "needs_review": false
    },
    {
      "entity_id": "e002",
      "role": "redirector",
      "techniques": [
        "IIM-T006"
      ],
      "role_confidence": "confirmed",
      "technique_confidence": "confirmed",
      "needs_review": false
    },
    {
      "entity_id": "e003",
      "role": "staging",
      "techniques": [
        "IIM-T024"
      ],
      "role_confidence": "confirmed",
      "technique_confidence": "confirmed",
      "needs_review": false
    },
    {
      "entity_id": "e004",
      "role": "staging",
      "techniques": [],
      "role_confidence": "confirmed",
      "technique_confidence": "confirmed",
      "needs_review": false
    },
    {
      "entity_id": "e005",
      "role": "payload",
      "techniques": [],
      "role_confidence": "confirmed",
      "technique_confidence": "confirmed",
      "needs_review": false
    },
    {
      "entity_id": "e006",
      "role": "payload",
      "techniques": [],
      "role_confidence": "confirmed",
      "technique_confidence": "confirmed",
      "needs_review": false
    },
    {
      "entity_id": "e007",
      "role": "staging",
      "techniques": [],
      "role_confidence": "confirmed",
      "technique_confidence": "confirmed",
      "needs_review": false
    },
    {
      "entity_id": "e008",
      "role": "c2",
      "techniques": [
        "IIM-T011"
      ],
      "role_confidence": "confirmed",
      "technique_confidence": "confirmed",
      "needs_review": false
    },
    {
      "entity_id": "e009",
      "role": "c2",
      "techniques": [
        "IIM-T011"
      ],
      "role_confidence": "confirmed",
      "technique_confidence": "confirmed",
      "needs_review": false
    },
    {
      "entity_id": "e010",
      "role": "c2",
      "techniques": [
        "IIM-T011"
      ],
      "role_confidence": "confirmed",
      "technique_confidence": "confirmed",
      "needs_review": false
    },
    {
      "entity_id": "e011",
      "role": "c2",
      "techniques": [
        "IIM-T011"
      ],
      "role_confidence": "confirmed",
      "technique_confidence": "confirmed",
      "needs_review": false
    },
    {
      "entity_id": "e012",
      "role": "c2",
      "techniques": [
        "IIM-T011"
      ],
      "role_confidence": "confirmed",
      "technique_confidence": "confirmed",
      "needs_review": false
    },
    {
      "entity_id": "e013",
      "role": "c2",
      "techniques": [
        "IIM-T011"
      ],
      "role_confidence": "confirmed",
      "technique_confidence": "confirmed",
      "needs_review": false
    }
  ],
  "relations": [
    {
      "from": "e001",
      "to": "e002",
      "type": "references",
      "sequence_order": 1,
      "observed_at": "2026-04-30T00:00:00Z",
      "confidence": "likely",
      "x_evidence": [
        "WithSecure states April 2026 PhantomMail impersonated a Ukrainian state communications body and delivered Google Drive-hosted malicious RAR archives; IOC CSV lists April 2026 sender addresses and Google Drive URLs."
      ]
    },
    {
      "from": "e002",
      "to": "e003",
      "type": "download",
      "sequence_order": 2,
      "observed_at": "2026-04-30T00:00:00Z",
      "confidence": "likely",
      "x_evidence": [
        "IOC set identifies a PhantomMail RAR hash for April 2026 and the report says April RARs were hosted on Google Drive; exact URL-to-hash pairing is not published."
      ]
    },
    {
      "from": "e003",
      "to": "e004",
      "type": "drops",
      "sequence_order": 3,
      "observed_at": "2026-04-30T00:00:00Z",
      "confidence": "confirmed",
      "x_evidence": [
        "WithSecure states April 2026 RAR archives contained TEASOUP-obfuscated JavaScript."
      ]
    },
    {
      "from": "e004",
      "to": "e005",
      "type": "execute",
      "sequence_order": 4,
      "observed_at": "2026-04-30T00:00:00Z",
      "confidence": "likely",
      "x_evidence": [
        "WithSecure says the TEASOUP JS initiated PhantomRelayV2; watchdog artifact is identified as PhantomRelayV2 in the IOC set."
      ]
    },
    {
      "from": "e004",
      "to": "e006",
      "type": "execute",
      "sequence_order": 5,
      "observed_at": "2026-04-30T00:00:00Z",
      "confidence": "likely",
      "x_evidence": [
        "WithSecure says the TEASOUP JS initiated PhantomRelayV2; client artifact is identified as PhantomRelayV2 in the IOC set."
      ]
    },
    {
      "from": "e005",
      "to": "e007",
      "type": "references",
      "sequence_order": 6,
      "observed_at": "2026-04-30T00:00:00Z",
      "confidence": "confirmed",
      "x_evidence": [
        "WithSecureLabs IOC CSV links PhantomRelayV2 watchdog, staging directory and scheduled task names."
      ]
    },
    {
      "from": "e006",
      "to": "e007",
      "type": "references",
      "sequence_order": 7,
      "observed_at": "2026-04-30T00:00:00Z",
      "confidence": "confirmed",
      "x_evidence": [
        "WithSecureLabs IOC CSV links PhantomRelayV2 RAT client, staging directory and log file."
      ]
    },
    {
      "from": "e006",
      "to": "e008",
      "type": "connect",
      "sequence_order": 8,
      "observed_at": "2026-04-30T00:00:00Z",
      "confidence": "likely",
      "x_evidence": [
        "WithSecureLabs IOC CSV identifies nycpartnersenterprise.com as PhantomRelayV2 C2. Exact April 2026 loader-to-domain pairing is not published, so edge is likely."
      ]
    },
    {
      "from": "e006",
      "to": "e009",
      "type": "connect",
      "sequence_order": 9,
      "observed_at": "2026-04-30T00:00:00Z",
      "confidence": "likely",
      "x_evidence": [
        "WithSecureLabs IOC CSV identifies chiselworksenterprise.com as PhantomRelayV2 C2. Exact April 2026 loader-to-domain pairing is not published, so edge is likely."
      ]
    },
    {
      "from": "e006",
      "to": "e010",
      "type": "connect",
      "sequence_order": 10,
      "observed_at": "2026-04-30T00:00:00Z",
      "confidence": "likely",
      "x_evidence": [
        "WithSecureLabs IOC CSV identifies newrentalsenterprise.com as PhantomRelayV2 C2. Exact April 2026 loader-to-domain pairing is not published, so edge is likely."
      ]
    },
    {
      "from": "e006",
      "to": "e011",
      "type": "connect",
      "sequence_order": 11,
      "observed_at": "2026-04-30T00:00:00Z",
      "confidence": "likely",
      "x_evidence": [
        "WithSecureLabs IOC CSV identifies bluelagoonaenterprise.com as PhantomRelayV2 C2. Exact April 2026 loader-to-domain pairing is not published, so edge is likely."
      ]
    },
    {
      "from": "e006",
      "to": "e012",
      "type": "connect",
      "sequence_order": 12,
      "observed_at": "2026-04-30T00:00:00Z",
      "confidence": "likely",
      "x_evidence": [
        "WithSecureLabs IOC CSV identifies heltaskeltahenterprise.com as PhantomRelayV2 C2. Exact April 2026 loader-to-domain pairing is not published, so edge is likely."
      ]
    },
    {
      "from": "e006",
      "to": "e013",
      "type": "connect",
      "sequence_order": 13,
      "observed_at": "2026-04-30T00:00:00Z",
      "confidence": "likely",
      "x_evidence": [
        "WithSecureLabs IOC CSV identifies newequipmentsolutions.com as PhantomRelayV2 C2. Exact April 2026 loader-to-domain pairing is not published, so edge is likely."
      ]
    }
  ],
  "attack_annotations": [
    {
      "technique_id": "T1566.001",
      "name": "Phishing: Spearphishing Attachment",
      "tactic": "Initial Access",
      "comment": "Spear-phishing delivered malicious archives."
    },
    {
      "technique_id": "T1102",
      "name": "Web Service",
      "tactic": "Command and Control",
      "comment": "Google Drive used as third-party initial-stage hosting."
    },
    {
      "technique_id": "T1059.007",
      "name": "Command and Scripting Interpreter: JavaScript",
      "tactic": "Execution",
      "comment": "TEASOUP-obfuscated JavaScript loader."
    },
    {
      "technique_id": "T1059.001",
      "name": "Command and Scripting Interpreter: PowerShell",
      "tactic": "Execution",
      "comment": "PhantomRelay is PowerShell-based."
    }
  ]
}