{"id":238275,"date":"2026-06-28T08:28:00","date_gmt":"2026-06-28T12:28:00","guid":{"rendered":"https:\/\/testing.news-you-need.com\/index.php\/2026\/06\/28\/how-greyvibe-rewrote-the-dating-lure-surveillance-playbook\/"},"modified":"2026-06-28T08:40:06","modified_gmt":"2026-06-28T12:40:06","slug":"how-greyvibe-rewrote-the-dating-lure-surveillance-playbook","status":"publish","type":"post","link":"https:\/\/testing.news-you-need.com\/index.php\/2026\/06\/28\/how-greyvibe-rewrote-the-dating-lure-surveillance-playbook\/","title":{"rendered":"How GREYVIBE Rewrote the Dating-Lure Surveillance Playbook"},"content":{"rendered":"<p><a href=\"https:\/\/www.cybersecurity-insiders.com\/how-greyvibe-rewrote-the-dating-lure-surveillance-playbook\/\">How GREYVIBE Rewrote the Dating-Lure Surveillance Playbook<\/a><\/p>\n<p><a href=\"https:\/\/www.cybersecurity-insiders.com\/how-greyvibe-rewrote-the-dating-lure-surveillance-playbook\/\">https:\/\/www.cybersecurity-insiders.com\/how-greyvibe-rewrote-the-dating-lure-surveillance-playbook\/<\/a><\/p>\n<p>Publish Date: 2026-06-28 08:28:00<\/p>\n<p>Source Domain: <a href=\"https:\/\/www.cybersecurity-insiders.com\/\">www.cybersecurity-insiders.com<\/a><\/p>\n<p>In Kharkiv, a Ukrainian combatant gets a message on Telegram. The account on the other end looks like a woman from a local dating channel, and the pair talk for a while. Eventually, she shares a link to what looks like a Ukrainian adult-club site. He follows it, downloads what he thinks is a client app, and goes on with his day.<br \/>\nThe site looks legitimate, but it also silently drops a remote access trojan onto his Windows machine, or spyware onto his Android phone. 
In a later version of the site, after the infection has landed, it opens a live WebRTC call and starts capturing his audio and video.<br \/>\nWithSecure tied this campaign, which it calls PrincessClub, to a new Russia-nexus group it tracks as GREYVIBE, in a report published on May 28, 2026. Most coverage focused on the AI angle, which is the loudest finding but not the most operationally interesting one. The PrincessClub design choice, which turns the lure site itself into a live audio and video collection endpoint, deserves more attention; so does its history.<br \/>\nThis playbook is not new<br \/>\nThe fake-romance lure that becomes a surveillance channel is a pattern researchers have been tracking for nearly a decade. The clearest precedent is Arid Viper, also tracked as APT-C-23, a Hamas-aligned operator that has run this exact pattern against Israel Defense Forces personnel since at least 2017.<br \/>\nArid Viper\u2019s operators use fake female personas, sometimes with voice-changing software, to build trust over weeks before pushing a target to install a fake dating or sports app. In 2018, the IDF disclosed that around 100 soldiers had been compromised through three apps called Glance Love, Winkchat, and Golden Cup. The malware that followed, tracked variously as ViperRAT, SpyC23, and Phenakite, has supported live camera and microphone access, call recording, and full message and contact exfiltration.<br \/>\nThis is not the only precedent. In the Russia-Ukraine war, both sides have run honey-trap operations through fake social-media profiles. Ukrainian operators have catfished Russian troops into sending photos that were geolocated and used to direct strikes. Russian intelligence services have run similar operations against dissidents and military targets in Europe. 
The romance-into-intelligence pattern is part of the war.<br \/>\nSo PrincessClub is just the latest case of an attacker using a fake intimate relationship to install a microphone in a soldier\u2019s pocket.<br \/>\nWhat GREYVIBE actually changed<br \/>\nWhat\u2019s new here is the technical layer.<br \/>\nArid Viper\u2019s lures end in a native mobile app, mostly on Android. The malware asks the operating system for camera and microphone permissions, the user grants them at install time, and the spyware collects from then on. That is the pattern mobile detection is built to flag.<br \/>\nGREYVIBE\u2019s PrincessClub runs in the browser. The post-infection collection happens through WebRTC, the same browser API used by Zoom, Google Meet, and every modern video product. WithSecure documents that the WebRTC capture is accessible only after PhantomRelay or LegionRelay has established persistence on the host. From the network, the encrypted WebRTC media looks like any other video call; what is left to ask is which signaling server and media peer the host is talking to.<br \/>\nThe collection has moved out of a traffic category the security operations center (SOC) instrumented years ago, into one that is overwhelmingly benign at scale and that no one wants to block. The cost of running the lure drops at the same time: a website is cheaper to spin up and harder to take down than an Android app that has to survive the Play Store, sideloading prompts, and on-device antivirus.<br \/>\nThe post-compromise toolset is the easy part<br \/>\nThe Windows side of GREYVIBE\u2019s operation is purposely straightforward. PhantomRelay and LegionRelay, the group\u2019s two PowerShell-based RATs, talk to their command-and-control servers over WebSocket and REST, respectively. On the host, they enumerate files, take screenshots, pull browser data, exfiltrate Telegram and WhatsApp data, and set up RDP access. 
Every one of those actions, taken on its own, has a benign explanation.<br \/>\nTaken individually, nothing they did looked wrong.<br \/>\nThe detection problem is not that any single action is invisible, but that every action belongs to the set of behaviors the SOC has to allow for the business to work. The only way to see this kind of operation is to model the sequence of behaviors, not the individual actions, and to do it across endpoint, identity, and network at the same time.<br \/>\nAttribution does not change the detection question<br \/>\nWithSecure places GREYVIBE in a grey zone. Activity, lures, targeting, and working hours align with Russian state interests. At the same time, the group shares an ISO builder with suspected TrickBot and UAC-0098 lineage, drops cryptominers on a small number of victim machines, and uses internet slang like \u201cletsrollboyos\u201d and \u201ccuteuwu\u201d in development artifacts. WithSecure says the line between cybercrime and state activity is blurred here.<br \/>\nThe closest precursor for the PrincessClub design is a Hamas-aligned operator working on Android, while the current example is a Russia-nexus group working in the browser, with a toolset that mixes cybercrime and state code. None of that changes the question the SOC has to answer, which is whether a PowerShell process that talks REST out to an unknown host, exfiltrates browser data and enables RDP actually trips an alert in the environment.<br \/>\nTrack the behavior, not the brand.<br \/>\nAI made them faster, not better<br \/>\nWithSecure describes the group\u2019s use of AI as operationally integrated rather than experimental, naming Ideogram AI, ChatGPT, and Google Gemini as the AI services in play. The same LLM-assisted development likely introduced the design flaws in LegionRelay that exposed the malware\u2019s backend and gave WithSecure months of research visibility into the operation. 
The benefits to the attacker are real: faster development, and fewer reusable artifacts that aid attribution. The corresponding cost is the kind of sloppy code that hands a research team an inside view of your backend.<br \/>\nKeep that trade-off in mind whenever a headline credits LLM-assisted attackers with a leap in capability. The evidence here points to faster output at roughly the same level of skill.<br \/>\nPrincessClub is worth watching because the lure now runs in a browser tab. The operators are still iterating.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>How GREYVIBE Rewrote the Dating-Lure Surveillance Playbook https:\/\/www.cybersecurity-insiders.com\/how-greyvibe-rewrote-the-dating-lure-surveillance-playbook\/ Publish Date: 2026-06-28 08:28:00 Source Domain: www.cybersecurity-insiders.com&#8230;<\/p>\n","protected":false},"author":1,"featured_media":238276,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/www.cybersecurity-insiders.com\/wp-content\/uploads\/How-GREYVIBE-Rewrote-the-Dating-Lure-Surveillance-Playbook.png","fifu_image_alt":"","footnotes":""},"categories":[15],"tags":[26,24,17,32],"class_list":["post-238275","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity","tag-ai","tag-cybersecurity","tag-llm","tag-malware"],"_links":{"self":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/238275"}],"collection":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/testing.news
-you-need.com\/index.php\/wp-json\/wp\/v2\/comments?post=238275"}],"version-history":[{"count":1,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/238275\/revisions"}],"predecessor-version":[{"id":238277,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/238275\/revisions\/238277"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/media\/238276"}],"wp:attachment":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/media?parent=238275"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/categories?post=238275"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/tags?post=238275"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
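The article makes two detection points that are easier to see in code than in prose: that each action of the PowerShell RATs (outbound REST to an unknown host, browser data access, Telegram and WhatsApp data access, RDP setup) has a benign explanation on its own, and that the SOC question is whether the sequence, tied to one process lineage, fires. The following is an added example written for this page; it is not code from the article, from WithSecure's report, or from GREYVIBE's PhantomRelay or LegionRelay. All events are constructed, the event schema (host, root, ts, event, image, dest, path, key, value, cmdline) is an assumption loosely modelled on Sysmon-style telemetry rather than any vendor's format, and the egress allow-list and corp.example zone are assumptions. It is placed after the JSON record so the record itself stays intact.

```python
"""Sequence correlation over endpoint telemetry.

Added example; not code from the article, WithSecure's report, or GREYVIBE's
PhantomRelay/LegionRelay. Every event is constructed. The schema (host, root,
ts, event, image, dest, path, key, value, cmdline) is an assumption loosely
modelled on Sysmon-style process, network, file and registry telemetry.
'root' is the GUID of the top ancestor in the process tree, so a netsh.exe
child correlates with the PowerShell that spawned it.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

# Assumption: external hosts PowerShell may legitimately reach in this environment.
KNOWN_EGRESS = {"www.powershellgallery.com"}
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# fDenyTSConnections = 0 enables inbound Remote Desktop.
RDP_DENY_KEY = r"HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\fDenyTSConnections"
BROWSER_STORES, BROWSER_OWNERS = ("\\Login Data", "\\Cookies", "\\Local State"), ("chrome.exe", "msedge.exe", "firefox.exe")
MESSENGER_STORES, MESSENGER_OWNERS = ("\\Telegram Desktop\\tdata", "\\WhatsApp\\"), ("telegram.exe", "whatsapp.exe")
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
LOGIN_DATA = r"C:\Users\o.k\AppData\Local\Google\Chrome\User Data\Default\Login Data"
TDATA = r"C:\Users\o.k\AppData\Roaming\Telegram Desktop\tdata\key_datas"


def at(hhmm):
    """Constructed timestamp on a single fictitious day."""
    return datetime(2026, 6, 1, int(hhmm[:2]), int(hhmm[3:]))


def _is_internal(dest):
    """RFC 1918 address, or a name in the (assumed) corp.example zone."""
    try:
        return any(ipaddress.ip_address(dest) in net for net in INTERNAL_NETS)
    except ValueError:
        return dest.endswith(".corp.example")


def tag(ev):
    """Map one event to a behaviour tag, or None. Each tag on its own is
    routine admin or application activity; nothing alerts on a single tag."""
    img, kind = ev["image"].lower(), ev["event"]
    if kind == "network" and img.endswith("powershell.exe"):
        if ev["dest"] not in KNOWN_EGRESS and not _is_internal(ev["dest"]):
            return "ps_unknown_egress"
    elif kind == "file_read":
        if any(s in ev["path"] for s in BROWSER_STORES) and not img.endswith(BROWSER_OWNERS):
            return "browser_store_read"
        if any(s in ev["path"] for s in MESSENGER_STORES) and not img.endswith(MESSENGER_OWNERS):
            return "messenger_store_read"
    elif kind == "registry_set" and ev["key"] == RDP_DENY_KEY and ev["value"] == 0:
        return "rdp_enabled"
    elif kind == "process" and img.endswith("netsh.exe") and "remote desktop" in ev.get("cmdline", "").lower():
        return "rdp_firewall_opened"
    return None


def correlate(events, window_minutes=30, min_distinct=3):
    """One alert per (host, root) whose tagged behaviours reach min_distinct
    distinct tags inside a window_minutes span; sorted by host, then root."""
    window = timedelta(minutes=window_minutes)
    by_lineage = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        t = tag(ev)
        if t:
            by_lineage[(ev["host"], ev["root"])].append((ev["ts"], t))
    alerts = []
    for (host, root), seq in by_lineage.items():
        best, first = set(), None
        for i, (t0, _) in enumerate(seq):  # try every tagged event as the window start
            tags = {t for ts, t in seq[i:] if ts - t0 <= window}
            if len(tags) > len(best):
                best, first = tags, t0
        if len(best) >= min_distinct:
            alerts.append({"host": host, "root": root, "first_seen": first, "tags": sorted(best)})
    return sorted(alerts, key=lambda a: (a["host"], a["root"]))


def single_rule_hits(events):
    """Alert volume a per-event rule set would produce on the same telemetry."""
    counts = defaultdict(int)
    for ev in events:
        t = tag(ev)
        if t:
            counts[t] += 1
    return dict(counts)


SAMPLE_EVENTS = [  # all constructed
    # Admin PowerShell pulling a module from an allow-listed host: no tag.
    {"host": "WS-01", "root": "A1", "ts": at("09:02"), "event": "network", "image": PS, "dest": "www.powershellgallery.com"},
    # Backup agent reads the Chrome profile: one tag, nothing around it.
    {"host": "WS-01", "root": "B7", "ts": at("09:10"), "event": "file_read", "image": r"C:\Program Files\BackupAgent\backup.exe", "path": LOGIN_DATA},
    # Helpdesk enables RDP from PowerShell: one tag, nothing around it.
    {"host": "WS-02", "root": "C3", "ts": at("10:15"), "event": "registry_set", "image": PS, "key": RDP_DENY_KEY, "value": 0},
    # Chrome reading its own password store: no tag.
    {"host": "WS-07", "root": "E5", "ts": at("11:00"), "event": "file_read", "image": CHROME, "path": LOGIN_DATA},
    # Lineage D9: a PowerShell process beacons to an unknown host, then reads browser and
    # Telegram stores, then enables RDP and opens the firewall, all within twelve minutes.
    {"host": "WS-07", "root": "D9", "ts": at("11:04"), "event": "network", "image": PS, "dest": "203.0.113.45"},
    {"host": "WS-07", "root": "D9", "ts": at("11:06"), "event": "file_read", "image": PS, "path": LOGIN_DATA},
    {"host": "WS-07", "root": "D9", "ts": at("11:09"), "event": "file_read", "image": PS, "path": TDATA},
    {"host": "WS-07", "root": "D9", "ts": at("11:15"), "event": "registry_set", "image": PS, "key": RDP_DENY_KEY, "value": 0},
    {"host": "WS-07", "root": "D9", "ts": at("11:16"), "event": "process", "image": r"C:\Windows\System32\netsh.exe",
     "cmdline": 'netsh advfirewall firewall set rule group="remote desktop" new enable=Yes'},
]

if __name__ == "__main__":
    print("per-event rule hits:", single_rule_hits(SAMPLE_EVENTS))  # 7 hits, 2 of them on benign lineages
    for a in correlate(SAMPLE_EVENTS):                               # 1 alert: WS-07 / D9
        print(a)
```

Run stand-alone, the per-event rules produce seven hits across four lineages, two of them on the backup agent and the helpdesk change; the lineage correlation produces one alert, for the PowerShell tree on WS-07. Shrinking the window to one minute drops that alert too, which is the tuning trade-off: the window has to be long enough to span a RAT's pause between beaconing, collection and RDP setup, and the lineage key (here the root process GUID) has to survive the child processes the RAT spawns, or the sequence falls apart into the same individually benign events.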