← feed

withsecure.2026.greyvibe-phantommail-teasoup-phantomrelayv2

GREYVIBE PhantomMail: Ukrainian spear-phishing RAR to TEASOUP JS loader and PhantomRelayV2 C2 pool

WithSecure-attributed GREYVIBE PhantomMail lane. April 2026 spear-phishing likely impersonated Ukraine’s State Service of Special Communications and Information Protection, delivered Google Drive-hosted RAR archives, ran TEASOUP-obfuscated JavaScript loaders, and initiated PhantomRelayV2. Confirmed PhantomRelayV2 artifacts and C2 domains are taken from the original WithSecureLabs IOC repository. Exact URL/hash/C2 pairings that are not published are marked likely.

likely IIM v1.1 GREYVIBE
Raw JSON
entities13
relations13
techniques3
published2026-05-31 19:17:43

Infrastructure map

Role-based chain map

click nodes or numbered relations to inspect the infrastructure path
entryredirectorstagingpayloadc2

Chain storyline

ordered IIM positions
1
entry

email

office.cip.ua.gov@gmail.com / office.gov.cips@gmail.com

2
redirector

url

Google Drive-hosted malicious RAR archives used in April 2026 PhantomMail

IIM-T006
3
staging

hash

bd3f35b91bf83427e953d4cf531a0ee4b5ec9fc76b91700274effe0eba22510f

IIM-T024
4
staging

hash

2abb318455960b446d034967c8403ec4339ba248b946f02cb1307ed7e6f4e327

5
payload

file

PhantomRelayV2 watchdog / RzUpdateManager.ps1 / ee144c883784c635ef84e0ae6a12b03553c1fd65646621f22d08511bd3e6d42a

6
payload

file

PhantomRelayV2 RAT client / RzTelemetry.ps1 / 03beb07ce116a2a69f360dd3fab8c3aa55bb42ce580d43f1924642874e388efe

7
staging

file

%LOCALAPPDATA%\Razer Update staging directory + Razer Synapse Service Helper scheduled task

8
c2

domain

nycpartnersenterprise.com

IIM-T011
9
c2

domain

chiselworksenterprise.com

IIM-T011
10
c2

domain

newrentalsenterprise.com

IIM-T011
11
c2

domain

bluelagoonaenterprise.com

IIM-T011
12
c2

domain

heltaskeltahenterprise.com

IIM-T011
13
c2

domain

newequipmentsolutions.com

IIM-T011

Relations

directed infrastructure edges
e001referencese002 likely
e002downloade003 likely
e003dropse004 confirmed
e004executee005 likely
e004executee006 likely
e005referencese007 confirmed
e006referencese007 confirmed
e006connecte008 likely
e006connecte009 likely
e006connecte010 likely
e006connecte011 likely
e006connecte012 likely
e006connecte013 likely

Entities & evidence

observable inventory
IDTypeValueSource / evidence
e001 office.cip.ua.gov@gmail.com / office.gov.cips@gmail.com
WithSecure describes an April 2026 PhantomMail campaign likely impersonating Ukraine’s State Service of Special Communications and Information Protection.
WithSecureLabs IOC CSV lists office.cip.ua.gov@gmail.com and office.gov.cips@gmail.com as PhantomMail spearphishing e-mail addresses used in April 2026.
e002 url Google Drive-hosted malicious RAR archives used in April 2026 PhantomMail
WithSecure states the April 2026 campaign used malicious RAR archives hosted on Google Drive.
WithSecureLabs IOC CSV lists multiple Google Drive file URLs as PhantomMail initial-stage malware download links.
e003 hash bd3f35b91bf83427e953d4cf531a0ee4b5ec9fc76b91700274effe0eba22510f
WithSecureLabs IOC CSV identifies this SHA256 as PhantomMail: RAR - April 2026.
e004 hash 2abb318455960b446d034967c8403ec4339ba248b946f02cb1307ed7e6f4e327
WithSecureLabs IOC CSV identifies this SHA256 as PhantomMail: JS loader (TEASOUPJS) - April 2026.
WithSecure states April 2026 archives contained JavaScript files obfuscated with TEASOUP that displayed an error popup and executed PhantomRelayV2.
e005 file PhantomRelayV2 watchdog / RzUpdateManager.ps1 / ee144c883784c635ef84e0ae6a12b03553c1fd65646621f22d08511bd3e6d42a
WithSecureLabs IOC CSV identifies ee144c883784c635ef84e0ae6a12b03553c1fd65646621f22d08511bd3e6d42a as PhantomRelayV2 persistence script obfuscated with DAYLIGHT and lists RzUpdateManager.ps1 as the watchdog filename.
e006 file PhantomRelayV2 RAT client / RzTelemetry.ps1 / 03beb07ce116a2a69f360dd3fab8c3aa55bb42ce580d43f1924642874e388efe
WithSecureLabs IOC CSV identifies 03beb07ce116a2a69f360dd3fab8c3aa55bb42ce580d43f1924642874e388efe as PhantomRelayV2 RAT client script obfuscated with DAYLIGHT and lists RzTelemetry.ps1 as the RAT client filename.
WithSecure describes PhantomRelay as a PowerShell RAT using WebSockets to communicate with C2 and execute PowerShell scripts and Windows commands.
e007 file %LOCALAPPDATA%\Razer Update staging directory + Razer Synapse Service Helper scheduled task
WithSecureLabs IOC CSV lists %LOCALAPPDATA%\Razer Update as the PhantomRelayV2 staging directory, razer_update.log as a log file, and Razer Synapse Service Helper as the PhantomRelayV2 scheduled task name.
e008 domain nycpartnersenterprise.com
WithSecureLabs IOC CSV identifies nycpartnersenterprise.com as PhantomRelayV2 C2.
e009 domain chiselworksenterprise.com
WithSecureLabs IOC CSV identifies chiselworksenterprise.com as PhantomRelayV2 C2.
e010 domain newrentalsenterprise.com
WithSecureLabs IOC CSV identifies newrentalsenterprise.com as PhantomRelayV2 C2.
e011 domain bluelagoonaenterprise.com
WithSecureLabs IOC CSV identifies bluelagoonaenterprise.com as PhantomRelayV2 C2.
e012 domain heltaskeltahenterprise.com
WithSecureLabs IOC CSV identifies heltaskeltahenterprise.com as PhantomRelayV2 C2.
e013 domain newequipmentsolutions.com
WithSecureLabs IOC CSV identifies newequipmentsolutions.com as PhantomRelayV2 C2.

ATT&CK annotations

optional complementary mapping
T1566.001Phishing: Spearphishing Attachment

Spear-phishing delivered malicious archives.

T1102Web Service

Google Drive used as third-party initial-stage hosting.

T1059.007Command and Scripting Interpreter: JavaScript

TEASOUP-obfuscated JavaScript loader.

T1059.001Command and Scripting Interpreter: PowerShell

PhantomRelay is PowerShell-based.

Raw IIM JSON canonical body from MANTIS expand
{
  "iim_version": "1.1",
  "chain_id": "withsecure.2026.greyvibe-phantommail-teasoup-phantomrelayv2",
  "title": "GREYVIBE PhantomMail: Ukrainian spear-phishing RAR to TEASOUP JS loader and PhantomRelayV2 C2 pool",
  "description": "WithSecure-attributed GREYVIBE PhantomMail lane. April 2026 spear-phishing likely impersonated Ukraine’s State Service of Special Communications and Information Protection, delivered Google Drive-hosted RAR archives, ran TEASOUP-obfuscated JavaScript loaders, and initiated PhantomRelayV2. Confirmed PhantomRelayV2 artifacts and C2 domains are taken from the original WithSecureLabs IOC repository. Exact URL/hash/C2 pairings that are not published are marked likely.",
  "actor_id": "GREYVIBE",
  "observed_at": "2026-04-30T00:00:00Z",
  "confidence": "likely",
  "needs_review": false,
  "import_source": "manual-osint-report-to-iim-conversion",
  "x_attribution": {
    "actor": "GREYVIBE",
    "attribution_source": "WithSecure",
    "confidence": "WithSecure tracks this activity as GREYVIBE and assesses Russia-nexus/state-aligned Ukraine-focused objectives.",
    "caveat": "WithSecure has not identified definitive links between GREYVIBE and any previously tracked threat group."
  },
  "x_source": {
    "title": "GREYVIBE: A Russia-nexus group leveraging AI across state-aligned operations",
    "publisher": "WithSecure Labs",
    "author": "Mohammad Kazem Hassan Nejad",
    "url": "https://labs.withsecure.com/publications/greyvibe",
    "pdf_url": "https://labs.withsecure.com/content/dam/labs/docs/WithSecure_GREYVIBE.pdf",
    "ioc_url": "https://github.com/WithSecureLabs/iocs/tree/master/GREYVIBE/",
    "ioc_raw_url": "https://raw.githubusercontent.com/WithSecureLabs/iocs/refs/heads/master/GREYVIBE/greyvibe_iocs.csv",
    "published_at": "2026-05-28",
    "analysis_cutoff": "2026-04-30",
    "accessed_at": "2026-05-31T19:14:15.240001+00:00",
    "source_type": "original vendor research report + original IOC repository",
    "source_policy": "Only WithSecure Labs report/PDF and WithSecureLabs IOC repository were used."
  },
  "x_source_urls": [
    "https://labs.withsecure.com/publications/greyvibe",
    "https://labs.withsecure.com/content/dam/labs/docs/WithSecure_GREYVIBE.pdf",
    "https://github.com/WithSecureLabs/iocs/tree/master/GREYVIBE/",
    "https://raw.githubusercontent.com/WithSecureLabs/iocs/refs/heads/master/GREYVIBE/greyvibe_iocs.csv"
  ],
  "x_resource_links_verified": [
    {
      "url": "https://labs.withsecure.com/publications/greyvibe",
      "status": "opened via web retrieval",
      "verified_at": "2026-05-31T19:14:15.240001+00:00",
      "notes": "Verified GREYVIBE actor tracking, Ukraine targeting, attack vectors, Russian-nexus attribution caveat."
    },
    {
      "url": "https://labs.withsecure.com/content/dam/labs/docs/WithSecure_GREYVIBE.pdf",
      "status": "opened via web retrieval",
      "verified_at": "2026-05-31T19:14:15.240001+00:00",
      "notes": "Verified PhantomMail and April 2026 RAR/Google Drive/TEASOUP/PhantomRelayV2 flow."
    },
    {
      "url": "https://raw.githubusercontent.com/WithSecureLabs/iocs/refs/heads/master/GREYVIBE/greyvibe_iocs.csv",
      "status": "opened via web retrieval",
      "verified_at": "2026-05-31T19:14:15.240001+00:00",
      "notes": "Verified selected hashes, e-mail addresses, PhantomRelayV2 script names, staging path, scheduled task and C2 domains."
    }
  ],
  "x_iocs": {
    "emails": [
      "office.cip.ua.gov@gmail.com",
      "office.gov.cips@gmail.com"
    ],
    "sha256": [
      "bd3f35b91bf83427e953d4cf531a0ee4b5ec9fc76b91700274effe0eba22510f",
      "2abb318455960b446d034967c8403ec4339ba248b946f02cb1307ed7e6f4e327",
      "ee144c883784c635ef84e0ae6a12b03553c1fd65646621f22d08511bd3e6d42a",
      "03beb07ce116a2a69f360dd3fab8c3aa55bb42ce580d43f1924642874e388efe"
    ],
    "domains": [
      "nycpartnersenterprise.com",
      "chiselworksenterprise.com",
      "newrentalsenterprise.com",
      "bluelagoonaenterprise.com",
      "heltaskeltahenterprise.com",
      "newequipmentsolutions.com"
    ],
    "filenames": [
      "RzUpdateManager.ps1",
      "RzTelemetry.ps1",
      "razer_update.log",
      "форма акта перевірки.XLS.js",
      "форма акта перевірки територій.rar"
    ]
  },
  "x_limitations": [
    "WithSecure does not publish a complete one-to-one mapping of every Google Drive URL to archive hash or loader to C2 domain. Those edges are marked likely.",
    "Sensitive victimology/actions on objectives omitted by WithSecure were not reconstructed.",
    "DroneLink and PrincessClub overlaps are not merged into this PhantomMail-focused chain."
  ],
  "entities": [
    {
      "id": "e001",
      "type": "email",
      "value": "office.cip.ua.gov@gmail.com / office.gov.cips@gmail.com",
      "observed_at": "2026-04-30T00:00:00Z",
      "source": "WithSecure GREYVIBE report + WithSecureLabs IOC repository",
      "evidence": [
        "WithSecure describes an April 2026 PhantomMail campaign likely impersonating Ukraine’s State Service of Special Communications and Information Protection.",
        "WithSecureLabs IOC CSV lists office.cip.ua.gov@gmail.com and office.gov.cips@gmail.com as PhantomMail spearphishing e-mail addresses used in April 2026."
      ],
      "x_reference_url": "https://raw.githubusercontent.com/WithSecureLabs/iocs/refs/heads/master/GREYVIBE/greyvibe_iocs.csv",
      "x_chain_stage": "spearphishing_sender_set"
    },
    {
      "id": "e002",
      "type": "url",
      "value": "Google Drive-hosted malicious RAR archives used in April 2026 PhantomMail",
      "observed_at": "2026-04-30T00:00:00Z",
      "source": "WithSecure GREYVIBE report + WithSecureLabs IOC repository",
      "evidence": [
        "WithSecure states the April 2026 campaign used malicious RAR archives hosted on Google Drive.",
        "WithSecureLabs IOC CSV lists multiple Google Drive file URLs as PhantomMail initial-stage malware download links."
      ],
      "x_reference_url": "https://labs.withsecure.com/content/dam/labs/docs/WithSecure_GREYVIBE.pdf",
      "x_google_drive_urls": [
        "https://drive.google.com/file/d/1RDXHPZtCzOXn6GN7UidXPo4qqZOA_UGd",
        "https://drive.google.com/file/d/12ffiBTWHm6GW8chJNIXuOeALPI82VnNs",
        "https://drive.google.com/file/d/1wkgvtTw_g5CvK84rWiHCr6HPZZb_OeKd",
        "https://drive.google.com/file/d/1aSIXJgZUT7AQEp5B_D7gyHRq74EFUxoz"
      ],
      "x_chain_stage": "trusted_file_hosting"
    },
    {
      "id": "e003",
      "type": "hash",
      "value": "bd3f35b91bf83427e953d4cf531a0ee4b5ec9fc76b91700274effe0eba22510f",
      "observed_at": "2026-04-30T00:00:00Z",
      "source": "WithSecureLabs GREYVIBE IOC repository",
      "evidence": [
        "WithSecureLabs IOC CSV identifies this SHA256 as PhantomMail: RAR - April 2026."
      ],
      "x_reference_url": "https://raw.githubusercontent.com/WithSecureLabs/iocs/refs/heads/master/GREYVIBE/greyvibe_iocs.csv",
      "x_file_role": "malicious_rar_archive",
      "x_chain_stage": "archive_container"
    },
    {
      "id": "e004",
      "type": "hash",
      "value": "2abb318455960b446d034967c8403ec4339ba248b946f02cb1307ed7e6f4e327",
      "observed_at": "2026-04-30T00:00:00Z",
      "source": "WithSecureLabs GREYVIBE IOC repository",
      "evidence": [
        "WithSecureLabs IOC CSV identifies this SHA256 as PhantomMail: JS loader (TEASOUPJS) - April 2026.",
        "WithSecure states April 2026 archives contained JavaScript files obfuscated with TEASOUP that displayed an error popup and executed PhantomRelayV2."
      ],
      "x_reference_url": "https://raw.githubusercontent.com/WithSecureLabs/iocs/refs/heads/master/GREYVIBE/greyvibe_iocs.csv",
      "x_file_role": "TEASOUP_obfuscated_JS_loader",
      "x_chain_stage": "loader"
    },
    {
      "id": "e005",
      "type": "file",
      "value": "PhantomRelayV2 watchdog / RzUpdateManager.ps1 / ee144c883784c635ef84e0ae6a12b03553c1fd65646621f22d08511bd3e6d42a",
      "observed_at": "2026-04-30T00:00:00Z",
      "source": "WithSecureLabs GREYVIBE IOC repository",
      "evidence": [
        "WithSecureLabs IOC CSV identifies ee144c883784c635ef84e0ae6a12b03553c1fd65646621f22d08511bd3e6d42a as PhantomRelayV2 persistence script obfuscated with DAYLIGHT and lists RzUpdateManager.ps1 as the watchdog filename."
      ],
      "x_reference_url": "https://raw.githubusercontent.com/WithSecureLabs/iocs/refs/heads/master/GREYVIBE/greyvibe_iocs.csv",
      "x_sha256": "ee144c883784c635ef84e0ae6a12b03553c1fd65646621f22d08511bd3e6d42a",
      "x_chain_stage": "persistence_watchdog"
    },
    {
      "id": "e006",
      "type": "file",
      "value": "PhantomRelayV2 RAT client / RzTelemetry.ps1 / 03beb07ce116a2a69f360dd3fab8c3aa55bb42ce580d43f1924642874e388efe",
      "observed_at": "2026-04-30T00:00:00Z",
      "source": "WithSecureLabs GREYVIBE IOC repository",
      "evidence": [
        "WithSecureLabs IOC CSV identifies 03beb07ce116a2a69f360dd3fab8c3aa55bb42ce580d43f1924642874e388efe as PhantomRelayV2 RAT client script obfuscated with DAYLIGHT and lists RzTelemetry.ps1 as the RAT client filename.",
        "WithSecure describes PhantomRelay as a PowerShell RAT using WebSockets to communicate with C2 and execute PowerShell scripts and Windows commands."
      ],
      "x_reference_url": "https://raw.githubusercontent.com/WithSecureLabs/iocs/refs/heads/master/GREYVIBE/greyvibe_iocs.csv",
      "x_sha256": "03beb07ce116a2a69f360dd3fab8c3aa55bb42ce580d43f1924642874e388efe",
      "x_chain_stage": "rat_client"
    },
    {
      "id": "e007",
      "type": "file",
      "value": "%LOCALAPPDATA%\\Razer Update staging directory + Razer Synapse Service Helper scheduled task",
      "observed_at": "2026-04-30T00:00:00Z",
      "source": "WithSecureLabs GREYVIBE IOC repository",
      "evidence": [
        "WithSecureLabs IOC CSV lists %LOCALAPPDATA%\\Razer Update as the PhantomRelayV2 staging directory, razer_update.log as a log file, and Razer Synapse Service Helper as the PhantomRelayV2 scheduled task name."
      ],
      "x_reference_url": "https://raw.githubusercontent.com/WithSecureLabs/iocs/refs/heads/master/GREYVIBE/greyvibe_iocs.csv",
      "x_chain_stage": "local_staging_and_persistence"
    },
    {
      "id": "e008",
      "type": "domain",
      "value": "nycpartnersenterprise.com",
      "observed_at": "2026-04-30T00:00:00Z",
      "source": "WithSecureLabs GREYVIBE IOC repository",
      "evidence": [
        "WithSecureLabs IOC CSV identifies nycpartnersenterprise.com as PhantomRelayV2 C2."
      ],
      "x_reference_url": "https://raw.githubusercontent.com/WithSecureLabs/iocs/refs/heads/master/GREYVIBE/greyvibe_iocs.csv",
      "x_chain_stage": "c2_domain"
    },
    {
      "id": "e009",
      "type": "domain",
      "value": "chiselworksenterprise.com",
      "observed_at": "2026-04-30T00:00:00Z",
      "source": "WithSecureLabs GREYVIBE IOC repository",
      "evidence": [
        "WithSecureLabs IOC CSV identifies chiselworksenterprise.com as PhantomRelayV2 C2."
      ],
      "x_reference_url": "https://raw.githubusercontent.com/WithSecureLabs/iocs/refs/heads/master/GREYVIBE/greyvibe_iocs.csv",
      "x_chain_stage": "c2_domain"
    },
    {
      "id": "e010",
      "type": "domain",
      "value": "newrentalsenterprise.com",
      "observed_at": "2026-04-30T00:00:00Z",
      "source": "WithSecureLabs GREYVIBE IOC repository",
      "evidence": [
        "WithSecureLabs IOC CSV identifies newrentalsenterprise.com as PhantomRelayV2 C2."
      ],
      "x_reference_url": "https://raw.githubusercontent.com/WithSecureLabs/iocs/refs/heads/master/GREYVIBE/greyvibe_iocs.csv",
      "x_chain_stage": "c2_domain"
    },
    {
      "id": "e011",
      "type": "domain",
      "value": "bluelagoonaenterprise.com",
      "observed_at": "2026-04-30T00:00:00Z",
      "source": "WithSecureLabs GREYVIBE IOC repository",
      "evidence": [
        "WithSecureLabs IOC CSV identifies bluelagoonaenterprise.com as PhantomRelayV2 C2."
      ],
      "x_reference_url": "https://raw.githubusercontent.com/WithSecureLabs/iocs/refs/heads/master/GREYVIBE/greyvibe_iocs.csv",
      "x_chain_stage": "c2_domain"
    },
    {
      "id": "e012",
      "type": "domain",
      "value": "heltaskeltahenterprise.com",
      "observed_at": "2026-04-30T00:00:00Z",
      "source": "WithSecureLabs GREYVIBE IOC repository",
      "evidence": [
        "WithSecureLabs IOC CSV identifies heltaskeltahenterprise.com as PhantomRelayV2 C2."
      ],
      "x_reference_url": "https://raw.githubusercontent.com/WithSecureLabs/iocs/refs/heads/master/GREYVIBE/greyvibe_iocs.csv",
      "x_chain_stage": "c2_domain"
    },
    {
      "id": "e013",
      "type": "domain",
      "value": "newequipmentsolutions.com",
      "observed_at": "2026-04-30T00:00:00Z",
      "source": "WithSecureLabs GREYVIBE IOC repository",
      "evidence": [
        "WithSecureLabs IOC CSV identifies newequipmentsolutions.com as PhantomRelayV2 C2."
      ],
      "x_reference_url": "https://raw.githubusercontent.com/WithSecureLabs/iocs/refs/heads/master/GREYVIBE/greyvibe_iocs.csv",
      "x_chain_stage": "c2_domain"
    }
  ],
  "chain": [
    {
      "entity_id": "e001",
      "role": "entry",
      "techniques": [],
      "role_confidence": "likely",
      "technique_confidence": "confirmed",
      "needs_review": false
    },
    {
      "entity_id": "e002",
      "role": "redirector",
      "techniques": [
        "IIM-T006"
      ],
      "role_confidence": "confirmed",
      "technique_confidence": "confirmed",
      "needs_review": false
    },
    {
      "entity_id": "e003",
      "role": "staging",
      "techniques": [
        "IIM-T024"
      ],
      "role_confidence": "confirmed",
      "technique_confidence": "confirmed",
      "needs_review": false
    },
    {
      "entity_id": "e004",
      "role": "staging",
      "techniques": [],
      "role_confidence": "confirmed",
      "technique_confidence": "confirmed",
      "needs_review": false
    },
    {
      "entity_id": "e005",
      "role": "payload",
      "techniques": [],
      "role_confidence": "confirmed",
      "technique_confidence": "confirmed",
      "needs_review": false
    },
    {
      "entity_id": "e006",
      "role": "payload",
      "techniques": [],
      "role_confidence": "confirmed",
      "technique_confidence": "confirmed",
      "needs_review": false
    },
    {
      "entity_id": "e007",
      "role": "staging",
      "techniques": [],
      "role_confidence": "confirmed",
      "technique_confidence": "confirmed",
      "needs_review": false
    },
    {
      "entity_id": "e008",
      "role": "c2",
      "techniques": [
        "IIM-T011"
      ],
      "role_confidence": "confirmed",
      "technique_confidence": "confirmed",
      "needs_review": false
    },
    {
      "entity_id": "e009",
      "role": "c2",
      "techniques": [
        "IIM-T011"
      ],
      "role_confidence": "confirmed",
      "technique_confidence": "confirmed",
      "needs_review": false
    },
    {
      "entity_id": "e010",
      "role": "c2",
      "techniques": [
        "IIM-T011"
      ],
      "role_confidence": "confirmed",
      "technique_confidence": "confirmed",
      "needs_review": false
    },
    {
      "entity_id": "e011",
      "role": "c2",
      "techniques": [
        "IIM-T011"
      ],
      "role_confidence": "confirmed",
      "technique_confidence": "confirmed",
      "needs_review": false
    },
    {
      "entity_id": "e012",
      "role": "c2",
      "techniques": [
        "IIM-T011"
      ],
      "role_confidence": "confirmed",
      "technique_confidence": "confirmed",
      "needs_review": false
    },
    {
      "entity_id": "e013",
      "role": "c2",
      "techniques": [
        "IIM-T011"
      ],
      "role_confidence": "confirmed",
      "technique_confidence": "confirmed",
      "needs_review": false
    }
  ],
  "relations": [
    {
      "from": "e001",
      "to": "e002",
      "type": "references",
      "sequence_order": 1,
      "observed_at": "2026-04-30T00:00:00Z",
      "confidence": "likely",
      "x_evidence": [
        "WithSecure states April 2026 PhantomMail impersonated a Ukrainian state communications body and delivered Google Drive-hosted malicious RAR archives; IOC CSV lists April 2026 sender addresses and Google Drive URLs."
      ]
    },
    {
      "from": "e002",
      "to": "e003",
      "type": "download",
      "sequence_order": 2,
      "observed_at": "2026-04-30T00:00:00Z",
      "confidence": "likely",
      "x_evidence": [
        "IOC set identifies a PhantomMail RAR hash for April 2026 and the report says April RARs were hosted on Google Drive; exact URL-to-hash pairing is not published."
      ]
    },
    {
      "from": "e003",
      "to": "e004",
      "type": "drops",
      "sequence_order": 3,
      "observed_at": "2026-04-30T00:00:00Z",
      "confidence": "confirmed",
      "x_evidence": [
        "WithSecure states April 2026 RAR archives contained TEASOUP-obfuscated JavaScript."
      ]
    },
    {
      "from": "e004",
      "to": "e005",
      "type": "execute",
      "sequence_order": 4,
      "observed_at": "2026-04-30T00:00:00Z",
      "confidence": "likely",
      "x_evidence": [
        "WithSecure says the TEASOUP JS initiated PhantomRelayV2; watchdog artifact is identified as PhantomRelayV2 in the IOC set."
      ]
    },
    {
      "from": "e004",
      "to": "e006",
      "type": "execute",
      "sequence_order": 5,
      "observed_at": "2026-04-30T00:00:00Z",
      "confidence": "likely",
      "x_evidence": [
        "WithSecure says the TEASOUP JS initiated PhantomRelayV2; client artifact is identified as PhantomRelayV2 in the IOC set."
      ]
    },
    {
      "from": "e005",
      "to": "e007",
      "type": "references",
      "sequence_order": 6,
      "observed_at": "2026-04-30T00:00:00Z",
      "confidence": "confirmed",
      "x_evidence": [
        "WithSecureLabs IOC CSV links PhantomRelayV2 watchdog, staging directory and scheduled task names."
      ]
    },
    {
      "from": "e006",
      "to": "e007",
      "type": "references",
      "sequence_order": 7,
      "observed_at": "2026-04-30T00:00:00Z",
      "confidence": "confirmed",
      "x_evidence": [
        "WithSecureLabs IOC CSV links PhantomRelayV2 RAT client, staging directory and log file."
      ]
    },
    {
      "from": "e006",
      "to": "e008",
      "type": "connect",
      "sequence_order": 8,
      "observed_at": "2026-04-30T00:00:00Z",
      "confidence": "likely",
      "x_evidence": [
        "WithSecureLabs IOC CSV identifies nycpartnersenterprise.com as PhantomRelayV2 C2. Exact April 2026 loader-to-domain pairing is not published, so edge is likely."
      ]
    },
    {
      "from": "e006",
      "to": "e009",
      "type": "connect",
      "sequence_order": 9,
      "observed_at": "2026-04-30T00:00:00Z",
      "confidence": "likely",
      "x_evidence": [
        "WithSecureLabs IOC CSV identifies chiselworksenterprise.com as PhantomRelayV2 C2. Exact April 2026 loader-to-domain pairing is not published, so edge is likely."
      ]
    },
    {
      "from": "e006",
      "to": "e010",
      "type": "connect",
      "sequence_order": 10,
      "observed_at": "2026-04-30T00:00:00Z",
      "confidence": "likely",
      "x_evidence": [
        "WithSecureLabs IOC CSV identifies newrentalsenterprise.com as PhantomRelayV2 C2. Exact April 2026 loader-to-domain pairing is not published, so edge is likely."
      ]
    },
    {
      "from": "e006",
      "to": "e011",
      "type": "connect",
      "sequence_order": 11,
      "observed_at": "2026-04-30T00:00:00Z",
      "confidence": "likely",
      "x_evidence": [
        "WithSecureLabs IOC CSV identifies bluelagoonaenterprise.com as PhantomRelayV2 C2. Exact April 2026 loader-to-domain pairing is not published, so edge is likely."
      ]
    },
    {
      "from": "e006",
      "to": "e012",
      "type": "connect",
      "sequence_order": 12,
      "observed_at": "2026-04-30T00:00:00Z",
      "confidence": "likely",
      "x_evidence": [
        "WithSecureLabs IOC CSV identifies heltaskeltahenterprise.com as PhantomRelayV2 C2. Exact April 2026 loader-to-domain pairing is not published, so edge is likely."
      ]
    },
    {
      "from": "e006",
      "to": "e013",
      "type": "connect",
      "sequence_order": 13,
      "observed_at": "2026-04-30T00:00:00Z",
      "confidence": "likely",
      "x_evidence": [
        "WithSecureLabs IOC CSV identifies newequipmentsolutions.com as PhantomRelayV2 C2. Exact April 2026 loader-to-domain pairing is not published, so edge is likely."
      ]
    }
  ],
  "attack_annotations": [
    {
      "technique_id": "T1566.001",
      "name": "Phishing: Spearphishing Attachment",
      "tactic": "Initial Access",
      "comment": "Spear-phishing delivered malicious archives."
    },
    {
      "technique_id": "T1102",
      "name": "Web Service",
      "tactic": "Command and Control",
      "comment": "Google Drive used as third-party initial-stage hosting."
    },
    {
      "technique_id": "T1059.007",
      "name": "Command and Scripting Interpreter: JavaScript",
      "tactic": "Execution",
      "comment": "TEASOUP-obfuscated JavaScript loader."
    },
    {
      "technique_id": "T1059.001",
      "name": "Command and Scripting Interpreter: PowerShell",
      "tactic": "Execution",
      "comment": "PhantomRelay is PowerShell-based."
    }
  ]
}