How GREYVIBE Rewrote the Dating-Lure Surveillance Playbook

https://www.cybersecurity-insiders.com/how-greyvibe-rewrote-the-dating-lure-surveillance-playbook/

Publish Date: 2026-06-28 08:28:00

Source Domain: www.cybersecurity-insiders.com

In Kharkiv, a Ukrainian combatant gets a message on Telegram. The account on the other end looks like a woman from a local dating channel, and the pair talk for a while. Eventually, she shares a link to what looks like a Ukrainian adult-club site. He follows it, downloads what he thinks is a client app, and goes on with his day.
The site appears normal, but without him knowing it also drops a remote access trojan onto his Windows machine, or spyware onto his Android phone. In a later version of the site, after the infection has landed, it opens a live WebRTC call and starts capturing his audio and video.
WithSecure tied this campaign, which it calls PrincessClub, to a new Russia-nexus group it tracks as GREYVIBE, in a report published on May 28, 2026. Most coverage focused on the AI angle, which is the loudest finding but not the most operationally interesting one. The PrincessClub design choice, which turns the lure site itself into a human intelligence collection endpoint, deserves more attention; so does its history.
This playbook is not new
The fake-romance lure that becomes a surveillance channel is a pattern researchers have been tracking for nearly a decade. The clearest precedent is Arid Viper, also tracked as APT-C-23, an operator aligned with Hamas that has been running this exact pattern against Israeli Defense Forces personnel since at least 2017.
Arid Viper’s operators use fake female personas, sometimes with voice-changing software, to build trust over weeks before pushing a target to install a fake dating or sports app. In 2018, the IDF disclosed that around 100 soldiers had been compromised through three apps called Glance Love, Winkchat, and Golden Cup. The malware that followed, tracked variously as ViperRAT, SpyC23, and Phenakite, has supported live camera and microphone access, call recording, and full message and contact exfiltration.
This is not the only precedent. In the Russia-Ukraine war, both sides have run honey-trap operations through fake social-media profiles. Ukrainian operators have catfished Russian troops into sending photos that were geolocated and used to direct strikes. Russian intelligence services have run similar operations against dissidents and military targets in Europe. The romance-into-intelligence pattern is part of the war.
So PrincessClub is just the latest case of an attacker using a fake intimate relationship to install a microphone in a soldier’s pocket.
What GREYVIBE actually changed
What’s new here is the technical layer.
Arid Viper runs on Android. The malware asks the operating system for camera and microphone permissions, the user grants them at install time, and the spyware collects from then on. That is what mobile detection is built to flag.
GREYVIBE’s PrincessClub runs in the browser. The post-infection collection happens through WebRTC, the same browser API used by Zoom, Google Meet, and every modern video product. WithSecure documents that the WebRTC capture is accessible only after PhantomRelay or LegionRelay has established persistence on the host. From the network, the traffic is indistinguishable from a real video call.
The collection has moved out of a traffic category the security operations center (SOC) instrumented years ago, into one that is overwhelmingly benign at scale and that no one wants to block. The cost of running the lure drops at the same time: a website is cheaper to spin up and harder to take down than an Android app that has to survive the Play Store, sideloading prompts, and on-device antivirus.
The post-compromise toolset is the easy part
The Windows side of GREYVIBE’s operation is purposely straightforward. PhantomRelay and LegionRelay, the group’s two PowerShell-based RATs, talk to their command-and-control servers over WebSocket and REST, respectively. On the host, they enumerate files, take screenshots, pull browser data, exfiltrate Telegram and WhatsApp data, and set up RDP access. Every one of those actions, taken on its own, has a benign explanation.
Nothing they did ever looked wrong.
The detection problem is not that any single action is invisible, but that every action belongs to the set of behaviors the SOC has to allow for the business to work. The only way to see this kind of operation is to model the sequence of behaviors, not the individual actions, and to do it across endpoint, identity, and network at the same time.
Attribution does not change the detection question
WithSecure places GREYVIBE in a grey zone. Activity, lures, targeting, and working hours align with Russian state interests. At the same time, the group shares an ISO builder with suspected TrickBot and UAC-0098 lineage, drops cryptominers on a small number of victim machines, and uses internet slang like “letsrollboyos” and “cuteuwu” in development artifacts. WithSecure says the line between cybercrime and state activity is blurred here.
The closest precursor for the PrincessClub design is a Hamas-aligned operator working on Android, while the current example is a Russia-nexus group working in the browser, with a toolset that mixes cybercrime and state code. None of that changes the question the SOC has to answer, which is whether a PowerShell process talking REST out to an unknown host, exfiltrating browser data and setting up RDP, triggers an alert in the environment.
Track the behavior, not the brand.
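As an added example (not code from the article or from WithSecure's report), the Python sketch below shows the sequence-modelling idea from the last two sections. It runs over constructed endpoint telemetry in which each event on its own is something most environments allow: PowerShell making an outbound REST-style connection, a read of a browser credential database, and RDP being enabled through the fDenyTSConnections registry value. The rule fires only when all three stages appear on one host, in one process tree, within a short window. Hostnames, process ids, file paths, the destination address and the 30-minute window are assumptions chosen for illustration.

```python
"""Sequence-based detection over constructed endpoint telemetry.

No single stage is the signal; the ordered chain on one host is.
"""
from datetime import datetime, timedelta

# Constructed sample telemetry (not real logs). Fields mimic a generic
# EDR export; hostnames, pids and the destination address are invented.
EVENTS = [
    # ws-a: all three stages from one PowerShell process within minutes.
    {"ts": "2026-05-28T09:00:05", "host": "ws-a", "pid": 4120, "ppid": 4001,
     "image": "powershell.exe", "type": "net_connect", "dest": "203.0.113.7:443"},
    {"ts": "2026-05-28T09:00:40", "host": "ws-a", "pid": 4120, "ppid": 4001,
     "image": "powershell.exe", "type": "file_read",
     "path": r"C:\Users\u\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"ts": "2026-05-28T09:03:10", "host": "ws-a", "pid": 4120, "ppid": 4001,
     "image": "powershell.exe", "type": "reg_set",
     "key": r"HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server",
     "value": "fDenyTSConnections", "data": 0},
    # ws-b: the same three stages, but unrelated processes hours apart
    # (an admin script, a backup job, an admin enabling RDP via mmc).
    {"ts": "2026-05-28T08:10:00", "host": "ws-b", "pid": 900, "ppid": 700,
     "image": "powershell.exe", "type": "net_connect", "dest": "203.0.113.7:443"},
    {"ts": "2026-05-28T12:30:00", "host": "ws-b", "pid": 2200, "ppid": 1,
     "image": "backup.exe", "type": "file_read",
     "path": r"C:\Users\u\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"ts": "2026-05-28T17:45:00", "host": "ws-b", "pid": 3300, "ppid": 3000,
     "image": "mmc.exe", "type": "reg_set",
     "key": r"HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server",
     "value": "fDenyTSConnections", "data": 0},
]

# Destinations the environment expects PowerShell to talk to (assumed).
KNOWN_DESTS = {"updates.example.internal:443"}
REQUIRED = ("c2_beacon", "browser_data", "rdp_enable")  # ordered stages
WINDOW = timedelta(minutes=30)                           # assumed window


def stage_of(ev):
    """Map one raw event to a stage name, or None if it matches none."""
    if (ev["type"] == "net_connect" and ev["image"].lower() == "powershell.exe"
            and ev["dest"] not in KNOWN_DESTS):
        return "c2_beacon"
    if ev["type"] == "file_read" and ev["path"].lower().endswith("login data"):
        return "browser_data"
    if (ev["type"] == "reg_set" and ev["value"] == "fDenyTSConnections"
            and ev["data"] == 0):
        return "rdp_enable"
    return None


def same_tree(a, b):
    """True when both events come from the same process or parent/child pair."""
    return a["pid"] == b["pid"] or a["ppid"] == b["pid"] or a["pid"] == b["ppid"]


def stage_counts(events):
    """Per host, how many events match *some* stage (shows stages are common)."""
    counts = {}
    for ev in events:
        if stage_of(ev) is not None:
            counts[ev["host"]] = counts.get(ev["host"], 0) + 1
    return counts


def correlate(events, window=WINDOW):
    """Return one alert per host/process tree that shows the full chain."""
    alerts = []
    by_host = {}
    for ev in events:
        by_host.setdefault(ev["host"], []).append(ev)
    for host, evs in by_host.items():
        evs = sorted(evs, key=lambda e: datetime.fromisoformat(e["ts"]))
        for i, anchor in enumerate(evs):
            if stage_of(anchor) != REQUIRED[0]:
                continue  # the chain starts at the outbound connection
            seen = {REQUIRED[0]: anchor}
            deadline = datetime.fromisoformat(anchor["ts"]) + window
            for later in evs[i + 1:]:
                if datetime.fromisoformat(later["ts"]) > deadline:
                    break
                st = stage_of(later)
                if st in REQUIRED and st not in seen and same_tree(anchor, later):
                    seen[st] = later
            if all(s in seen for s in REQUIRED):
                alerts.append({"host": host, "pid": anchor["pid"],
                               "first_seen": anchor["ts"],
                               "last_seen": max(e["ts"] for e in seen.values())})
    return alerts


if __name__ == "__main__":
    print("stage hits per host:", stage_counts(EVENTS))
    for a in correlate(EVENTS):
        print("ALERT", a)
```

Both hosts produce three stage hits, so a rule keyed on any single stage would page on both; only ws-a produces an alert, because only there do the stages share a process tree and a window. In a real deployment the same join would span endpoint, identity (the account behind the RDP session) and network telemetry rather than one flat event list.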
AI made them faster, not better
WithSecure describes the group’s use of AI as operationally integrated rather than experimental, naming Ideogram AI, ChatGPT, and Google Gemini as the AI services in play. The same LLM-assisted development likely introduced the design flaws in LegionRelay that exposed the malware’s backend and gave WithSecure months of research visibility into the operation. The benefits to the attacker are real: faster development, and fewer reusable artifacts that aid attribution. The corresponding cost is the kind of sloppy code that hands a research team an inside view of your backend.
Keep that trade-off in mind whenever a headline credits LLM-assisted attackers with a leap in capability. The evidence here points to faster output at roughly the same level of skill.
PrincessClub is worth watching because the lure now runs in a browser tab. The operators are still iterating.