PhantomRelay
Intelligence Profile
According to WithSecure, PhantomRelay is a PowerShell-based RAT developed under the GREYVIBE activity cluster. It uses a two-stage execution chain (a fingerprinting stage first, then the main RAT loaded in memory), communicates with its C2 over WebSockets, and is designed modularly so that additional post-compromise payloads can be delivered. The family includes several variants, such as PhantomRelayLite and PhantomRelayV1/V2, which show progressively stronger obfuscation and persistence. The operators are Russian-speaking and aligned with Moscow time, and the tooling has been observed across GREYVIBE-related campaigns and related cybercrime activity.
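The traits listed above (a fingerprinting stage, a second stage decoded and executed in memory, and an outbound WebSocket channel) map naturally onto PowerShell Script Block Logging (Event ID 4104), which records the script text PowerShell actually runs. The script below is an added example written for this profile, not code from WithSecure or from the GREYVIBE tooling: it scores constructed script-block samples against a small weighted rule set so that a single WebSocket client or a lone Invoke-Expression is not enough to alert, but their combination is. The sample blocks, rule names, weights and threshold are all assumptions chosen for illustration; nothing in them is a real PhantomRelay artifact.

```python
import re

# Constructed samples of PowerShell script-block text (what Event ID 4104 would
# carry). None of these are real PhantomRelay samples; they are written for this
# example to show how the scoring behaves on benign vs. suspicious input.
SAMPLE_SCRIPT_BLOCKS = [
    # 1. routine admin activity: should score 0
    "Get-ChildItem -Path C:\\Users | Where-Object { $_.PSIsContainer }",
    # 2. inventory script: host fingerprinting alone is a weak signal
    "Get-WmiObject Win32_OperatingSystem | Select-Object Caption, Version",
    # 3. fragments resembling the described two-stage pattern (constructed)
    "$host_info = (Get-WmiObject Win32_ComputerSystem).Name + '|' + $env:USERNAME\n"
    "$ws = New-Object System.Net.WebSockets.ClientWebSocket\n"
    "$stage = [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($blob))\n"
    "IEX $stage",
]

# Weighted heuristics. Weights are assumptions for this example: the in-memory
# execution and WebSocket indicators carry the most weight because the profile
# describes exactly that combination; fingerprinting is common in benign
# scripts and is therefore only a supporting signal.
RULES = [
    ("websocket_client",
     re.compile(r"System\.Net\.WebSockets\.ClientWebSocket", re.I), 3),
    ("in_memory_exec",
     re.compile(r"\b(Invoke-Expression|IEX)\b|\[Reflection\.Assembly\]::Load\(", re.I), 3),
    ("fingerprinting",
     re.compile(r"Win32_ComputerSystem|Win32_OperatingSystem|\$env:USERNAME|Get-WmiObject", re.I), 1),
    ("base64_decode",
     re.compile(r"FromBase64String", re.I), 2),
]


def score_block(block: str) -> tuple[int, list[str]]:
    """Return (total weight, names of the rules that matched) for one block."""
    hits = [name for name, rx, _ in RULES if rx.search(block)]
    total = sum(weight for name, _, weight in RULES if name in hits)
    return total, hits


def triage(blocks: list[str], threshold: int = 5) -> list[dict]:
    """Flag blocks whose combined score reaches the threshold.

    With the weights above, a lone WebSocket client (3) or a lone IEX (3)
    stays below the threshold; WebSocket plus decode-and-execute (3 + 3 + 2)
    crosses it, which is the shape of the behaviour described for PhantomRelay.
    """
    flagged = []
    for index, block in enumerate(blocks):
        total, hits = score_block(block)
        if total >= threshold:
            flagged.append({"index": index, "score": total, "rules": hits})
    return flagged


if __name__ == "__main__":
    for item in triage(SAMPLE_SCRIPT_BLOCKS):
        print(f"block {item['index']}: score={item['score']} rules={item['rules']}")
```

In practice the block text would be read from the Microsoft-Windows-PowerShell/Operational log rather than from the inline list, and the threshold would be tuned against the organisation's own baseline of legitimate PowerShell, since administrative tooling can legitimately use WebSockets or Base64-encoded arguments.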
Threat Analysis
PhantomRelay is a threat actor of known sophistication and undetermined national origin, engaged in cyber operations whose primary motivation and activity patterns are unknown.