GREYVIBE is a low-to-moderately sophisticated threat actor associated with Russian state interests, primarily targeting Ukrainian entities. The group employs custom malware like LegionRelay and PhantomRelay, utilizing techniques such as decoy-and-payload execution logic and systematic use of GenAI and LLMs throughout their operations. Their campaigns exhibit operational overlaps with other groups, including shared C2 infrastructure and post-compromise tooling. WithSecure has identified design flaws in their malware that have provided insights into their victimology and operational behavior.