APT / THREAT GROUP

PhantomRelay

2 aliases
Last seen: Jun 11, 2026

Intelligence Profile

According to WithSecure, PhantomRelay is a PowerShell-based RAT developed under the GREYVIBE activity cluster. It uses a two-stage execution chain (fingerprinting first, then the main RAT loaded in memory) with C2 communications over WebSockets, and its design is modular to enable additional post-compromise payloads. The family includes several variants, such as PhantomRelayLite and PhantomRelayV1/V2, which feature progressive obfuscation and persistence enhancements. The operators are Russian-speaking and Moscow-time aligned, with the tooling observed across GREYVIBE-related campaigns and related cybercrime activity.

Threat Analysis

PhantomRelay is a known-sophistication threat actor of undetermined national origin, engaged in cyber operations; its primary motivation and activity patterns are unknown.

Quick Facts

Type: APT / Threat Group
Aliases: 2

Also Known As

PhantomRelay, ps1.phantom_relay

External Intelligence

Malpedia: ps1.phantom_relay

Data sourced from Malpedia, Ransomware.live, RansomLook, and CTIWATCH OSINT collection. Actor attribution is based on available intelligence and may be incomplete.