withsecure.2026.greyvibe-phantommail-teasoup-phantomrelayv2
GREYVIBE PhantomMail: Ukrainian spear-phishing RAR to TEASOUP JS loader and PhantomRelayV2 C2 pool
WithSecure-attributed GREYVIBE PhantomMail lane. April 2026 spear-phishing likely impersonated Ukraine’s State Service of Special Communications and Information Protection, delivered Google Drive-hosted RAR archives, ran TEASOUP-obfuscated JavaScript loaders, and initiated PhantomRelayV2. Confirmed PhantomRelayV2 artifacts and C2 domains are taken from the original WithSecureLabs IOC repository. Exact URL/hash/C2 pairings that are not published are marked likely.
Infrastructure map
Role-based chain map
Chain storyline
ordered IIM positionsoffice.cip.ua.gov@gmail.com / office.gov.cips@gmail.com
url
Google Drive-hosted malicious RAR archives used in April 2026 PhantomMail
hash
bd3f35b91bf83427e953d4cf531a0ee4b5ec9fc76b91700274effe0eba22510f
hash
2abb318455960b446d034967c8403ec4339ba248b946f02cb1307ed7e6f4e327
file
PhantomRelayV2 watchdog / RzUpdateManager.ps1 / ee144c883784c635ef84e0ae6a12b03553c1fd65646621f22d08511bd3e6d42a
file
PhantomRelayV2 RAT client / RzTelemetry.ps1 / 03beb07ce116a2a69f360dd3fab8c3aa55bb42ce580d43f1924642874e388efe
file
%LOCALAPPDATA%\Razer Update staging directory + Razer Synapse Service Helper scheduled task
domain
nycpartnersenterprise.com
domain
chiselworksenterprise.com
domain
newrentalsenterprise.com
domain
bluelagoonaenterprise.com
domain
heltaskeltahenterprise.com
domain
newequipmentsolutions.com
Relations
directed infrastructure edgese001referencese002
likely
e002downloade003
likely
e003dropse004
confirmed
e004executee005
likely
e004executee006
likely
e005referencese007
confirmed
e006referencese007
confirmed
e006connecte008
likely
e006connecte009
likely
e006connecte010
likely
e006connecte011
likely
e006connecte012
likely
e006connecte013
likely
Entities & evidence
observable inventory| ID | Type | Value | Source / evidence |
|---|---|---|---|
e001 |
office.cip.ua.gov@gmail.com / office.gov.cips@gmail.com |
https://labs.withsecure.com/publications/greyvibe
https://labs.withsecure.com/content/dam/labs/docs/WithSecure_GREYVIBE.pdf
https://github.com/WithSecureLabs/iocs/tree/master/GREYVIBE/
WithSecure describes an April 2026 PhantomMail campaign likely impersonating Ukraine’s State Service of Special Communications and Information Protection. WithSecureLabs IOC CSV lists office.cip.ua.gov@gmail.com and office.gov.cips@gmail.com as PhantomMail spearphishing e-mail addresses used in April 2026. |
|
e002 |
url | Google Drive-hosted malicious RAR archives used in April 2026 PhantomMail |
https://labs.withsecure.com/publications/greyvibe
https://labs.withsecure.com/content/dam/labs/docs/WithSecure_GREYVIBE.pdf
https://github.com/WithSecureLabs/iocs/tree/master/GREYVIBE/
WithSecure states the April 2026 campaign used malicious RAR archives hosted on Google Drive. WithSecureLabs IOC CSV lists multiple Google Drive file URLs as PhantomMail initial-stage malware download links. |
e003 |
hash | bd3f35b91bf83427e953d4cf531a0ee4b5ec9fc76b91700274effe0eba22510f |
https://labs.withsecure.com/publications/greyvibe
https://github.com/WithSecureLabs/iocs/tree/master/GREYVIBE/
https://raw.githubusercontent.com/WithSecureLabs/iocs/refs/heads/master/GREYVIBE/greyvibe_iocs.csv
WithSecureLabs IOC CSV identifies this SHA256 as PhantomMail: RAR - April 2026. |
e004 |
hash | 2abb318455960b446d034967c8403ec4339ba248b946f02cb1307ed7e6f4e327 |
https://labs.withsecure.com/publications/greyvibe
https://github.com/WithSecureLabs/iocs/tree/master/GREYVIBE/
https://raw.githubusercontent.com/WithSecureLabs/iocs/refs/heads/master/GREYVIBE/greyvibe_iocs.csv
WithSecureLabs IOC CSV identifies this SHA256 as PhantomMail: JS loader (TEASOUPJS) - April 2026. WithSecure states April 2026 archives contained JavaScript files obfuscated with TEASOUP that displayed an error popup and executed PhantomRelayV2. |
e005 |
file | PhantomRelayV2 watchdog / RzUpdateManager.ps1 / ee144c883784c635ef84e0ae6a12b03553c1fd65646621f22d08511bd3e6d42a |
https://labs.withsecure.com/publications/greyvibe
https://github.com/WithSecureLabs/iocs/tree/master/GREYVIBE/
https://raw.githubusercontent.com/WithSecureLabs/iocs/refs/heads/master/GREYVIBE/greyvibe_iocs.csv
WithSecureLabs IOC CSV identifies ee144c883784c635ef84e0ae6a12b03553c1fd65646621f22d08511bd3e6d42a as PhantomRelayV2 persistence script obfuscated with DAYLIGHT and lists RzUpdateManager.ps1 as the watchdog filename. |
e006 |
file | PhantomRelayV2 RAT client / RzTelemetry.ps1 / 03beb07ce116a2a69f360dd3fab8c3aa55bb42ce580d43f1924642874e388efe |
https://labs.withsecure.com/publications/greyvibe
https://github.com/WithSecureLabs/iocs/tree/master/GREYVIBE/
https://raw.githubusercontent.com/WithSecureLabs/iocs/refs/heads/master/GREYVIBE/greyvibe_iocs.csv
WithSecureLabs IOC CSV identifies 03beb07ce116a2a69f360dd3fab8c3aa55bb42ce580d43f1924642874e388efe as PhantomRelayV2 RAT client script obfuscated with DAYLIGHT and lists RzTelemetry.ps1 as the RAT client filename. WithSecure describes PhantomRelay as a PowerShell RAT using WebSockets to communicate with C2 and execute PowerShell scripts and Windows commands. |
e007 |
file | %LOCALAPPDATA%\Razer Update staging directory + Razer Synapse Service Helper scheduled task |
https://labs.withsecure.com/publications/greyvibe
https://github.com/WithSecureLabs/iocs/tree/master/GREYVIBE/
https://raw.githubusercontent.com/WithSecureLabs/iocs/refs/heads/master/GREYVIBE/greyvibe_iocs.csv
WithSecureLabs IOC CSV lists %LOCALAPPDATA%\Razer Update as the PhantomRelayV2 staging directory, razer_update.log as a log file, and Razer Synapse Service Helper as the PhantomRelayV2 scheduled task name. |
e008 |
domain | nycpartnersenterprise.com |
https://labs.withsecure.com/publications/greyvibe
https://github.com/WithSecureLabs/iocs/tree/master/GREYVIBE/
https://raw.githubusercontent.com/WithSecureLabs/iocs/refs/heads/master/GREYVIBE/greyvibe_iocs.csv
WithSecureLabs IOC CSV identifies nycpartnersenterprise.com as PhantomRelayV2 C2. |
e009 |
domain | chiselworksenterprise.com |
https://labs.withsecure.com/publications/greyvibe
https://github.com/WithSecureLabs/iocs/tree/master/GREYVIBE/
https://raw.githubusercontent.com/WithSecureLabs/iocs/refs/heads/master/GREYVIBE/greyvibe_iocs.csv
WithSecureLabs IOC CSV identifies chiselworksenterprise.com as PhantomRelayV2 C2. |
e010 |
domain | newrentalsenterprise.com |
https://labs.withsecure.com/publications/greyvibe
https://github.com/WithSecureLabs/iocs/tree/master/GREYVIBE/
https://raw.githubusercontent.com/WithSecureLabs/iocs/refs/heads/master/GREYVIBE/greyvibe_iocs.csv
WithSecureLabs IOC CSV identifies newrentalsenterprise.com as PhantomRelayV2 C2. |
e011 |
domain | bluelagoonaenterprise.com |
https://labs.withsecure.com/publications/greyvibe
https://github.com/WithSecureLabs/iocs/tree/master/GREYVIBE/
https://raw.githubusercontent.com/WithSecureLabs/iocs/refs/heads/master/GREYVIBE/greyvibe_iocs.csv
WithSecureLabs IOC CSV identifies bluelagoonaenterprise.com as PhantomRelayV2 C2. |
e012 |
domain | heltaskeltahenterprise.com |
https://labs.withsecure.com/publications/greyvibe
https://github.com/WithSecureLabs/iocs/tree/master/GREYVIBE/
https://raw.githubusercontent.com/WithSecureLabs/iocs/refs/heads/master/GREYVIBE/greyvibe_iocs.csv
WithSecureLabs IOC CSV identifies heltaskeltahenterprise.com as PhantomRelayV2 C2. |
e013 |
domain | newequipmentsolutions.com |
https://labs.withsecure.com/publications/greyvibe
https://github.com/WithSecureLabs/iocs/tree/master/GREYVIBE/
https://raw.githubusercontent.com/WithSecureLabs/iocs/refs/heads/master/GREYVIBE/greyvibe_iocs.csv
WithSecureLabs IOC CSV identifies newequipmentsolutions.com as PhantomRelayV2 C2. |
ATT&CK annotations
optional complementary mappingSpear-phishing delivered malicious archives.
Google Drive used as third-party initial-stage hosting.
TEASOUP-obfuscated JavaScript loader.
PhantomRelay is PowerShell-based.
Raw IIM JSON canonical body from MANTIS expand
{
"iim_version": "1.1",
"chain_id": "withsecure.2026.greyvibe-phantommail-teasoup-phantomrelayv2",
"title": "GREYVIBE PhantomMail: Ukrainian spear-phishing RAR to TEASOUP JS loader and PhantomRelayV2 C2 pool",
"description": "WithSecure-attributed GREYVIBE PhantomMail lane. April 2026 spear-phishing likely impersonated Ukraine’s State Service of Special Communications and Information Protection, delivered Google Drive-hosted RAR archives, ran TEASOUP-obfuscated JavaScript loaders, and initiated PhantomRelayV2. Confirmed PhantomRelayV2 artifacts and C2 domains are taken from the original WithSecureLabs IOC repository. Exact URL/hash/C2 pairings that are not published are marked likely.",
"actor_id": "GREYVIBE",
"observed_at": "2026-04-30T00:00:00Z",
"confidence": "likely",
"needs_review": false,
"import_source": "manual-osint-report-to-iim-conversion",
"x_attribution": {
"actor": "GREYVIBE",
"attribution_source": "WithSecure",
"confidence": "WithSecure tracks this activity as GREYVIBE and assesses Russia-nexus/state-aligned Ukraine-focused objectives.",
"caveat": "WithSecure has not identified definitive links between GREYVIBE and any previously tracked threat group."
},
"x_source": {
"title": "GREYVIBE: A Russia-nexus group leveraging AI across state-aligned operations",
"publisher": "WithSecure Labs",
"author": "Mohammad Kazem Hassan Nejad",
"url": "https://labs.withsecure.com/publications/greyvibe",
"pdf_url": "https://labs.withsecure.com/content/dam/labs/docs/WithSecure_GREYVIBE.pdf",
"ioc_url": "https://github.com/WithSecureLabs/iocs/tree/master/GREYVIBE/",
"ioc_raw_url": "https://raw.githubusercontent.com/WithSecureLabs/iocs/refs/heads/master/GREYVIBE/greyvibe_iocs.csv",
"published_at": "2026-05-28",
"analysis_cutoff": "2026-04-30",
"accessed_at": "2026-05-31T19:14:15.240001+00:00",
"source_type": "original vendor research report + original IOC repository",
"source_policy": "Only WithSecure Labs report/PDF and WithSecureLabs IOC repository were used."
},
"x_source_urls": [
"https://labs.withsecure.com/publications/greyvibe",
"https://labs.withsecure.com/content/dam/labs/docs/WithSecure_GREYVIBE.pdf",
"https://github.com/WithSecureLabs/iocs/tree/master/GREYVIBE/",
"https://raw.githubusercontent.com/WithSecureLabs/iocs/refs/heads/master/GREYVIBE/greyvibe_iocs.csv"
],
"x_resource_links_verified": [
{
"url": "https://labs.withsecure.com/publications/greyvibe",
"status": "opened via web retrieval",
"verified_at": "2026-05-31T19:14:15.240001+00:00",
"notes": "Verified GREYVIBE actor tracking, Ukraine targeting, attack vectors, Russian-nexus attribution caveat."
},
{
"url": "https://labs.withsecure.com/content/dam/labs/docs/WithSecure_GREYVIBE.pdf",
"status": "opened via web retrieval",
"verified_at": "2026-05-31T19:14:15.240001+00:00",
"notes": "Verified PhantomMail and April 2026 RAR/Google Drive/TEASOUP/PhantomRelayV2 flow."
},
{
"url": "https://raw.githubusercontent.com/WithSecureLabs/iocs/refs/heads/master/GREYVIBE/greyvibe_iocs.csv",
"status": "opened via web retrieval",
"verified_at": "2026-05-31T19:14:15.240001+00:00",
"notes": "Verified selected hashes, e-mail addresses, PhantomRelayV2 script names, staging path, scheduled task and C2 domains."
}
],
"x_iocs": {
"emails": [
"office.cip.ua.gov@gmail.com",
"office.gov.cips@gmail.com"
],
"sha256": [
"bd3f35b91bf83427e953d4cf531a0ee4b5ec9fc76b91700274effe0eba22510f",
"2abb318455960b446d034967c8403ec4339ba248b946f02cb1307ed7e6f4e327",
"ee144c883784c635ef84e0ae6a12b03553c1fd65646621f22d08511bd3e6d42a",
"03beb07ce116a2a69f360dd3fab8c3aa55bb42ce580d43f1924642874e388efe"
],
"domains": [
"nycpartnersenterprise.com",
"chiselworksenterprise.com",
"newrentalsenterprise.com",
"bluelagoonaenterprise.com",
"heltaskeltahenterprise.com",
"newequipmentsolutions.com"
],
"filenames": [
"RzUpdateManager.ps1",
"RzTelemetry.ps1",
"razer_update.log",
"форма акта перевірки.XLS.js",
"форма акта перевірки територій.rar"
]
},
"x_limitations": [
"WithSecure does not publish a complete one-to-one mapping of every Google Drive URL to archive hash or loader to C2 domain. Those edges are marked likely.",
"Sensitive victimology/actions on objectives omitted by WithSecure were not reconstructed.",
"DroneLink and PrincessClub overlaps are not merged into this PhantomMail-focused chain."
],
"entities": [
{
"id": "e001",
"type": "email",
"value": "office.cip.ua.gov@gmail.com / office.gov.cips@gmail.com",
"observed_at": "2026-04-30T00:00:00Z",
"source": "WithSecure GREYVIBE report + WithSecureLabs IOC repository",
"evidence": [
"WithSecure describes an April 2026 PhantomMail campaign likely impersonating Ukraine’s State Service of Special Communications and Information Protection.",
"WithSecureLabs IOC CSV lists office.cip.ua.gov@gmail.com and office.gov.cips@gmail.com as PhantomMail spearphishing e-mail addresses used in April 2026."
],
"x_reference_url": "https://raw.githubusercontent.com/WithSecureLabs/iocs/refs/heads/master/GREYVIBE/greyvibe_iocs.csv",
"x_chain_stage": "spearphishing_sender_set"
},
{
"id": "e002",
"type": "url",
"value": "Google Drive-hosted malicious RAR archives used in April 2026 PhantomMail",
"observed_at": "2026-04-30T00:00:00Z",
"source": "WithSecure GREYVIBE report + WithSecureLabs IOC repository",
"evidence": [
"WithSecure states the April 2026 campaign used malicious RAR archives hosted on Google Drive.",
"WithSecureLabs IOC CSV lists multiple Google Drive file URLs as PhantomMail initial-stage malware download links."
],
"x_reference_url": "https://labs.withsecure.com/content/dam/labs/docs/WithSecure_GREYVIBE.pdf",
"x_google_drive_urls": [
"https://drive.google.com/file/d/1RDXHPZtCzOXn6GN7UidXPo4qqZOA_UGd",
"https://drive.google.com/file/d/12ffiBTWHm6GW8chJNIXuOeALPI82VnNs",
"https://drive.google.com/file/d/1wkgvtTw_g5CvK84rWiHCr6HPZZb_OeKd",
"https://drive.google.com/file/d/1aSIXJgZUT7AQEp5B_D7gyHRq74EFUxoz"
],
"x_chain_stage": "trusted_file_hosting"
},
{
"id": "e003",
"type": "hash",
"value": "bd3f35b91bf83427e953d4cf531a0ee4b5ec9fc76b91700274effe0eba22510f",
"observed_at": "2026-04-30T00:00:00Z",
"source": "WithSecureLabs GREYVIBE IOC repository",
"evidence": [
"WithSecureLabs IOC CSV identifies this SHA256 as PhantomMail: RAR - April 2026."
],
"x_reference_url": "https://raw.githubusercontent.com/WithSecureLabs/iocs/refs/heads/master/GREYVIBE/greyvibe_iocs.csv",
"x_file_role": "malicious_rar_archive",
"x_chain_stage": "archive_container"
},
{
"id": "e004",
"type": "hash",
"value": "2abb318455960b446d034967c8403ec4339ba248b946f02cb1307ed7e6f4e327",
"observed_at": "2026-04-30T00:00:00Z",
"source": "WithSecureLabs GREYVIBE IOC repository",
"evidence": [
"WithSecureLabs IOC CSV identifies this SHA256 as PhantomMail: JS loader (TEASOUPJS) - April 2026.",
"WithSecure states April 2026 archives contained JavaScript files obfuscated with TEASOUP that displayed an error popup and executed PhantomRelayV2."
],
"x_reference_url": "https://raw.githubusercontent.com/WithSecureLabs/iocs/refs/heads/master/GREYVIBE/greyvibe_iocs.csv",
"x_file_role": "TEASOUP_obfuscated_JS_loader",
"x_chain_stage": "loader"
},
{
"id": "e005",
"type": "file",
"value": "PhantomRelayV2 watchdog / RzUpdateManager.ps1 / ee144c883784c635ef84e0ae6a12b03553c1fd65646621f22d08511bd3e6d42a",
"observed_at": "2026-04-30T00:00:00Z",
"source": "WithSecureLabs GREYVIBE IOC repository",
"evidence": [
"WithSecureLabs IOC CSV identifies ee144c883784c635ef84e0ae6a12b03553c1fd65646621f22d08511bd3e6d42a as PhantomRelayV2 persistence script obfuscated with DAYLIGHT and lists RzUpdateManager.ps1 as the watchdog filename."
],
"x_reference_url": "https://raw.githubusercontent.com/WithSecureLabs/iocs/refs/heads/master/GREYVIBE/greyvibe_iocs.csv",
"x_sha256": "ee144c883784c635ef84e0ae6a12b03553c1fd65646621f22d08511bd3e6d42a",
"x_chain_stage": "persistence_watchdog"
},
{
"id": "e006",
"type": "file",
"value": "PhantomRelayV2 RAT client / RzTelemetry.ps1 / 03beb07ce116a2a69f360dd3fab8c3aa55bb42ce580d43f1924642874e388efe",
"observed_at": "2026-04-30T00:00:00Z",
"source": "WithSecureLabs GREYVIBE IOC repository",
"evidence": [
"WithSecureLabs IOC CSV identifies 03beb07ce116a2a69f360dd3fab8c3aa55bb42ce580d43f1924642874e388efe as PhantomRelayV2 RAT client script obfuscated with DAYLIGHT and lists RzTelemetry.ps1 as the RAT client filename.",
"WithSecure describes PhantomRelay as a PowerShell RAT using WebSockets to communicate with C2 and execute PowerShell scripts and Windows commands."
],
"x_reference_url": "https://raw.githubusercontent.com/WithSecureLabs/iocs/refs/heads/master/GREYVIBE/greyvibe_iocs.csv",
"x_sha256": "03beb07ce116a2a69f360dd3fab8c3aa55bb42ce580d43f1924642874e388efe",
"x_chain_stage": "rat_client"
},
{
"id": "e007",
"type": "file",
"value": "%LOCALAPPDATA%\\Razer Update staging directory + Razer Synapse Service Helper scheduled task",
"observed_at": "2026-04-30T00:00:00Z",
"source": "WithSecureLabs GREYVIBE IOC repository",
"evidence": [
"WithSecureLabs IOC CSV lists %LOCALAPPDATA%\\Razer Update as the PhantomRelayV2 staging directory, razer_update.log as a log file, and Razer Synapse Service Helper as the PhantomRelayV2 scheduled task name."
],
"x_reference_url": "https://raw.githubusercontent.com/WithSecureLabs/iocs/refs/heads/master/GREYVIBE/greyvibe_iocs.csv",
"x_chain_stage": "local_staging_and_persistence"
},
{
"id": "e008",
"type": "domain",
"value": "nycpartnersenterprise.com",
"observed_at": "2026-04-30T00:00:00Z",
"source": "WithSecureLabs GREYVIBE IOC repository",
"evidence": [
"WithSecureLabs IOC CSV identifies nycpartnersenterprise.com as PhantomRelayV2 C2."
],
"x_reference_url": "https://raw.githubusercontent.com/WithSecureLabs/iocs/refs/heads/master/GREYVIBE/greyvibe_iocs.csv",
"x_chain_stage": "c2_domain"
},
{
"id": "e009",
"type": "domain",
"value": "chiselworksenterprise.com",
"observed_at": "2026-04-30T00:00:00Z",
"source": "WithSecureLabs GREYVIBE IOC repository",
"evidence": [
"WithSecureLabs IOC CSV identifies chiselworksenterprise.com as PhantomRelayV2 C2."
],
"x_reference_url": "https://raw.githubusercontent.com/WithSecureLabs/iocs/refs/heads/master/GREYVIBE/greyvibe_iocs.csv",
"x_chain_stage": "c2_domain"
},
{
"id": "e010",
"type": "domain",
"value": "newrentalsenterprise.com",
"observed_at": "2026-04-30T00:00:00Z",
"source": "WithSecureLabs GREYVIBE IOC repository",
"evidence": [
"WithSecureLabs IOC CSV identifies newrentalsenterprise.com as PhantomRelayV2 C2."
],
"x_reference_url": "https://raw.githubusercontent.com/WithSecureLabs/iocs/refs/heads/master/GREYVIBE/greyvibe_iocs.csv",
"x_chain_stage": "c2_domain"
},
{
"id": "e011",
"type": "domain",
"value": "bluelagoonaenterprise.com",
"observed_at": "2026-04-30T00:00:00Z",
"source": "WithSecureLabs GREYVIBE IOC repository",
"evidence": [
"WithSecureLabs IOC CSV identifies bluelagoonaenterprise.com as PhantomRelayV2 C2."
],
"x_reference_url": "https://raw.githubusercontent.com/WithSecureLabs/iocs/refs/heads/master/GREYVIBE/greyvibe_iocs.csv",
"x_chain_stage": "c2_domain"
},
{
"id": "e012",
"type": "domain",
"value": "heltaskeltahenterprise.com",
"observed_at": "2026-04-30T00:00:00Z",
"source": "WithSecureLabs GREYVIBE IOC repository",
"evidence": [
"WithSecureLabs IOC CSV identifies heltaskeltahenterprise.com as PhantomRelayV2 C2."
],
"x_reference_url": "https://raw.githubusercontent.com/WithSecureLabs/iocs/refs/heads/master/GREYVIBE/greyvibe_iocs.csv",
"x_chain_stage": "c2_domain"
},
{
"id": "e013",
"type": "domain",
"value": "newequipmentsolutions.com",
"observed_at": "2026-04-30T00:00:00Z",
"source": "WithSecureLabs GREYVIBE IOC repository",
"evidence": [
"WithSecureLabs IOC CSV identifies newequipmentsolutions.com as PhantomRelayV2 C2."
],
"x_reference_url": "https://raw.githubusercontent.com/WithSecureLabs/iocs/refs/heads/master/GREYVIBE/greyvibe_iocs.csv",
"x_chain_stage": "c2_domain"
}
],
"chain": [
{
"entity_id": "e001",
"role": "entry",
"techniques": [],
"role_confidence": "likely",
"technique_confidence": "confirmed",
"needs_review": false
},
{
"entity_id": "e002",
"role": "redirector",
"techniques": [
"IIM-T006"
],
"role_confidence": "confirmed",
"technique_confidence": "confirmed",
"needs_review": false
},
{
"entity_id": "e003",
"role": "staging",
"techniques": [
"IIM-T024"
],
"role_confidence": "confirmed",
"technique_confidence": "confirmed",
"needs_review": false
},
{
"entity_id": "e004",
"role": "staging",
"techniques": [],
"role_confidence": "confirmed",
"technique_confidence": "confirmed",
"needs_review": false
},
{
"entity_id": "e005",
"role": "payload",
"techniques": [],
"role_confidence": "confirmed",
"technique_confidence": "confirmed",
"needs_review": false
},
{
"entity_id": "e006",
"role": "payload",
"techniques": [],
"role_confidence": "confirmed",
"technique_confidence": "confirmed",
"needs_review": false
},
{
"entity_id": "e007",
"role": "staging",
"techniques": [],
"role_confidence": "confirmed",
"technique_confidence": "confirmed",
"needs_review": false
},
{
"entity_id": "e008",
"role": "c2",
"techniques": [
"IIM-T011"
],
"role_confidence": "confirmed",
"technique_confidence": "confirmed",
"needs_review": false
},
{
"entity_id": "e009",
"role": "c2",
"techniques": [
"IIM-T011"
],
"role_confidence": "confirmed",
"technique_confidence": "confirmed",
"needs_review": false
},
{
"entity_id": "e010",
"role": "c2",
"techniques": [
"IIM-T011"
],
"role_confidence": "confirmed",
"technique_confidence": "confirmed",
"needs_review": false
},
{
"entity_id": "e011",
"role": "c2",
"techniques": [
"IIM-T011"
],
"role_confidence": "confirmed",
"technique_confidence": "confirmed",
"needs_review": false
},
{
"entity_id": "e012",
"role": "c2",
"techniques": [
"IIM-T011"
],
"role_confidence": "confirmed",
"technique_confidence": "confirmed",
"needs_review": false
},
{
"entity_id": "e013",
"role": "c2",
"techniques": [
"IIM-T011"
],
"role_confidence": "confirmed",
"technique_confidence": "confirmed",
"needs_review": false
}
],
"relations": [
{
"from": "e001",
"to": "e002",
"type": "references",
"sequence_order": 1,
"observed_at": "2026-04-30T00:00:00Z",
"confidence": "likely",
"x_evidence": [
"WithSecure states April 2026 PhantomMail impersonated a Ukrainian state communications body and delivered Google Drive-hosted malicious RAR archives; IOC CSV lists April 2026 sender addresses and Google Drive URLs."
]
},
{
"from": "e002",
"to": "e003",
"type": "download",
"sequence_order": 2,
"observed_at": "2026-04-30T00:00:00Z",
"confidence": "likely",
"x_evidence": [
"IOC set identifies a PhantomMail RAR hash for April 2026 and the report says April RARs were hosted on Google Drive; exact URL-to-hash pairing is not published."
]
},
{
"from": "e003",
"to": "e004",
"type": "drops",
"sequence_order": 3,
"observed_at": "2026-04-30T00:00:00Z",
"confidence": "confirmed",
"x_evidence": [
"WithSecure states April 2026 RAR archives contained TEASOUP-obfuscated JavaScript."
]
},
{
"from": "e004",
"to": "e005",
"type": "execute",
"sequence_order": 4,
"observed_at": "2026-04-30T00:00:00Z",
"confidence": "likely",
"x_evidence": [
"WithSecure says the TEASOUP JS initiated PhantomRelayV2; watchdog artifact is identified as PhantomRelayV2 in the IOC set."
]
},
{
"from": "e004",
"to": "e006",
"type": "execute",
"sequence_order": 5,
"observed_at": "2026-04-30T00:00:00Z",
"confidence": "likely",
"x_evidence": [
"WithSecure says the TEASOUP JS initiated PhantomRelayV2; client artifact is identified as PhantomRelayV2 in the IOC set."
]
},
{
"from": "e005",
"to": "e007",
"type": "references",
"sequence_order": 6,
"observed_at": "2026-04-30T00:00:00Z",
"confidence": "confirmed",
"x_evidence": [
"WithSecureLabs IOC CSV links PhantomRelayV2 watchdog, staging directory and scheduled task names."
]
},
{
"from": "e006",
"to": "e007",
"type": "references",
"sequence_order": 7,
"observed_at": "2026-04-30T00:00:00Z",
"confidence": "confirmed",
"x_evidence": [
"WithSecureLabs IOC CSV links PhantomRelayV2 RAT client, staging directory and log file."
]
},
{
"from": "e006",
"to": "e008",
"type": "connect",
"sequence_order": 8,
"observed_at": "2026-04-30T00:00:00Z",
"confidence": "likely",
"x_evidence": [
"WithSecureLabs IOC CSV identifies nycpartnersenterprise.com as PhantomRelayV2 C2. Exact April 2026 loader-to-domain pairing is not published, so edge is likely."
]
},
{
"from": "e006",
"to": "e009",
"type": "connect",
"sequence_order": 9,
"observed_at": "2026-04-30T00:00:00Z",
"confidence": "likely",
"x_evidence": [
"WithSecureLabs IOC CSV identifies chiselworksenterprise.com as PhantomRelayV2 C2. Exact April 2026 loader-to-domain pairing is not published, so edge is likely."
]
},
{
"from": "e006",
"to": "e010",
"type": "connect",
"sequence_order": 10,
"observed_at": "2026-04-30T00:00:00Z",
"confidence": "likely",
"x_evidence": [
"WithSecureLabs IOC CSV identifies newrentalsenterprise.com as PhantomRelayV2 C2. Exact April 2026 loader-to-domain pairing is not published, so edge is likely."
]
},
{
"from": "e006",
"to": "e011",
"type": "connect",
"sequence_order": 11,
"observed_at": "2026-04-30T00:00:00Z",
"confidence": "likely",
"x_evidence": [
"WithSecureLabs IOC CSV identifies bluelagoonaenterprise.com as PhantomRelayV2 C2. Exact April 2026 loader-to-domain pairing is not published, so edge is likely."
]
},
{
"from": "e006",
"to": "e012",
"type": "connect",
"sequence_order": 12,
"observed_at": "2026-04-30T00:00:00Z",
"confidence": "likely",
"x_evidence": [
"WithSecureLabs IOC CSV identifies heltaskeltahenterprise.com as PhantomRelayV2 C2. Exact April 2026 loader-to-domain pairing is not published, so edge is likely."
]
},
{
"from": "e006",
"to": "e013",
"type": "connect",
"sequence_order": 13,
"observed_at": "2026-04-30T00:00:00Z",
"confidence": "likely",
"x_evidence": [
"WithSecureLabs IOC CSV identifies newequipmentsolutions.com as PhantomRelayV2 C2. Exact April 2026 loader-to-domain pairing is not published, so edge is likely."
]
}
],
"attack_annotations": [
{
"technique_id": "T1566.001",
"name": "Phishing: Spearphishing Attachment",
"tactic": "Initial Access",
"comment": "Spear-phishing delivered malicious archives."
},
{
"technique_id": "T1102",
"name": "Web Service",
"tactic": "Command and Control",
"comment": "Google Drive used as third-party initial-stage hosting."
},
{
"technique_id": "T1059.007",
"name": "Command and Scripting Interpreter: JavaScript",
"tactic": "Execution",
"comment": "TEASOUP-obfuscated JavaScript loader."
},
{
"technique_id": "T1059.001",
"name": "Command and Scripting Interpreter: PowerShell",
"tactic": "Execution",
"comment": "PhantomRelay is PowerShell-based."
}
]
}