GREYVIBE PhantomMail: Ukrainian spear-phishing RAR to TEASOUP JS loader and PhantomRelayV2 C2 pool
GREYVIBE
WithSecure-attributed GREYVIBE PhantomMail lane. April 2026 spear-phishing likely impersonated Ukraine’s State Service of Special Communications and Information Protection, delivered Google Drive-hosted RAR archives, ran TEASOUP-obfuscated JavaScript loaders, and initiated PhantomRelayV2. Confirmed PhantomRelayV2 artifacts and C2 domains are taken from the original WithSecureLabs IOC repository. Exact URL/hash/C2 pairings that are not published are marked likely.
c2 · domain · nycpartnersenterprise.com · IIM-T011c2 · domain · chiselworksenterprise.com · IIM-T011c2 · domain · newrentalsenterprise.com · IIM-T011c2 · domain · bluelagoonaenterprise.com · IIM-T011