Key Takeaways
- The PrincessClub campaign uses a fake‑romance lure on Telegram to deliver malware via a seemingly legitimate adult‑club website.
- WithSecure links the activity to a Russia‑nexus threat group called GREYVIBE, noting its blend of cybercrime tools and state‑aligned targeting.
- Unlike earlier honey‑trap operations that relied on Android apps, PrincessClub executes post‑infection data collection through browser‑based WebRTC, making malicious traffic blend in with legitimate video‑call traffic.
- The group’s Windows‑side tools (PhantomRelay and LegionRelay) are modest PowerShell RATs that perform routine‑looking actions—file enumeration, screenshots, credential theft, RDP setup—so detection must focus on behavior chains rather than isolated indicators.
- AI tools (Ideogram, ChatGPT, Gemini) accelerated development but introduced sloppy code that aided researchers; the net effect is faster malware production without a clear skill leap.
- Defenders should monitor for sequences such as a Telegram link leading to a browser‑based lure, followed by WebRTC traffic from an unknown host, PowerShell‑driven C2 communication, and credential exfiltration, rather than relying on signatures of individual malicious actions.
Background of the PrincessClub Lure
In Kharkiv, a Ukrainian service member received a Telegram message from an account posing as a woman from a local dating channel. After weeks of conversation, the operator shared a link to what appeared to be a Ukrainian adult‑club site. The target clicked the link, downloaded a file presented as a client application, and continued his duties unaware that the site silently installed malware on his Windows PC or Android phone. This classic romance‑to‑intelligence tactic—building trust before delivering a payload—has been observed for years, but PrincessClub refines it by hosting the lure entirely inside a browser tab.
Linking the Campaign to GREYVIBE
WithSecure attributed the operation to a threat cluster it tracks as GREYVIBE, publishing its findings on May 28, 2026. The analysts noted overlapping lures, targeting patterns, and working‑hour schedules consistent with Russian state interests. At the same time, the group reused an ISO builder seen in suspected TrickBot and UAC‑0098 malware families, dropped occasional cryptominers, and left informal strings like “letsrollboyos” and “cuteuwu” in development artifacts. These traits blur the line between pure cybercrime and state‑sponsored espionage, placing GREYVIBE in a grey zone where attribution is suggestive rather than definitive.
Historical Precedents of Honey‑Trap Malware
The fake‑romance lure that evolves into a surveillance channel is not novel. The Hamas‑aligned APT‑C‑23 (also known as Arid Viper) has employed identical tactics against Israeli Defense Forces personnel since at least 2017, using fake female personas—sometimes aided by voice‑changing software—to persuade targets to install bogus dating or sports apps. The resulting malware (ViperRAT, SpyC23, Phenakite) granted live camera and microphone access, call recording, and full exfiltration of messages and contacts. In the ongoing Russia‑Ukraine conflict, both sides have run similar honey‑trap operations via social‑media profiles, using harvested photos for geotargeting strikes or intelligence gathering. PrincessClub represents the latest iteration of this longstanding playbook, transposed to a browser‑centric delivery mechanism.
Technical Innovation: Browser‑Based WebRTC Collection
What distinguishes PrincessClub from its predecessors is the shift from Android‑centric malware to a browser‑based collection pipeline. After the victim visits the lure site, a remote access trojan (RAT) establishes persistence on the host. Only then does the site initiate a live WebRTC call, capturing audio and video through the same API that powers Zoom, Google Meet, and countless other legitimate services. Because WebRTC traffic resembles ordinary video‑conferencing streams, network‑based defenses that traditionally flagged unknown UDP flows or anomalous ports find it extremely difficult to block without disrupting legitimate business communications. Moreover, hosting a lure website is far cheaper and more resilient than maintaining a malicious Android app that must survive Play Store scrutiny, sideloading warnings, and on‑device antivirus scanners.
Post‑Compromise Toolset on Windows
On Windows machines, GREYVIBE deploys two PowerShell‑based RATs named PhantomRelay and LegionRelay. PhantomRelay communicates with its command‑and‑control (C2) server over WebSocket, while LegionRelay uses REST. Both tools perform a suite of seemingly benign actions: enumerating files, taking screenshots, harvesting browser data, exfiltrating Telegram and WhatsApp chats, and configuring Remote Desktop Protocol (RDP) access. Individually, each of these behaviors could be explained by legitimate administration or user activity. The detection challenge, therefore, lies not in spotting a single malicious act but in recognizing the coordinated sequence—initial lure, persistence establishment, WebRTC activation, followed by systematic data gathering and lateral‑movement preparation—across endpoint, identity, and network telemetry.
Detection Implications: Modeling Behavior Chains
Traditional security operations centers (SOCs) rely on signatures or anomalous single‑event alerts. PrincessClub evades such defenses because each step falls within the spectrum of allowed activities: visiting a website, granting browser permissions, initiating a WebRTC call, and running PowerShell scripts. To uncover this campaign, defenders must correlate events across multiple data sources: a Telegram message containing an external URL, a subsequent browser navigation to a newly registered domain, the emergence of WebRTC traffic from an uncommon source IP, PowerShell processes contacting external REST/WebSocket endpoints, and atypical credential or file‑access patterns. Behavioral analytics, machine‑learning models that score sequences of actions, and integrated endpoint‑network‑identity visibility are essential to catch the operation before significant data is exfiltrated.
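The behavior chain listed in the key takeaways and in this section, expressed as a small correlation rule (an added example, not code from WithSecure's report or from the GREYVIBE tooling): it maps constructed endpoint, browser and network telemetry to chain stages and only credits a stage once every earlier stage has been seen on the same host within a time window. The event kinds, field names, the conferencing allow-list and the 30-day domain-age cutoff are all assumptions.

```python
from collections import namedtuple
from datetime import datetime, timedelta
Event = namedtuple("Event", "host ts kind detail")  # constructed telemetry record
KNOWN_CONF_DOMAINS = {"meet.google.com", "zoom.us"}  # assumed allow-list of call services
# The chain stages the section above lists, in the order the page says they occur.
CHAIN = ["messenger_link", "new_domain_nav", "webrtc_unknown", "ps_c2", "cred_access"]

def classify(ev):
    """Map one raw event to a chain stage, or None if it looks like ordinary activity."""
    d = ev.detail
    if ev.kind == "messenger_url_click" and d.get("app") == "telegram":
        return "messenger_link"
    if ev.kind == "browser_nav" and d.get("domain_age_days", 9999) < 30:  # assumed "new" cutoff
        return "new_domain_nav"
    if ev.kind == "webrtc_session" and d.get("peer_domain") not in KNOWN_CONF_DOMAINS:
        return "webrtc_unknown"
    if ev.kind == "net_conn" and d.get("process") == "powershell.exe" and d.get("scheme") in ("wss", "https"):
        return "ps_c2"
    if ev.kind == "file_read" and d.get("path", "").endswith(("Login Data", "tdata")):
        return "cred_access"
    return None

def score_chain(events, host, window=timedelta(hours=24)):
    """Stages seen for host, in chain order, within window of the first stage; a stage
    counts only after all earlier ones, so a lone PowerShell connection never fires."""
    stages, start = [], None
    for ev in sorted((e for e in events if e.host == host), key=lambda e: e.ts):
        stage = classify(ev)
        if stage is None:
            continue
        start = start or ev.ts
        if ev.ts - start > window:
            break
        if len(stages) < len(CHAIN) and stage == CHAIN[len(stages)]:
            stages.append(stage)
    return stages
def is_alert(stages, min_stages=4):  # raise when most of the chain is present, in order
    return len(stages) >= min_stages
# Constructed sample telemetry: WS-01 walks the full chain; WS-02 opens a Telegram link
# to a long-registered site and then joins a normal Meet call.
T0 = datetime(2026, 6, 1, 9, 0)
SAMPLE = [
    Event("WS-01", T0, "messenger_url_click", {"app": "telegram"}),
    Event("WS-01", T0 + timedelta(minutes=1), "browser_nav", {"domain_age_days": 6}),
    Event("WS-01", T0 + timedelta(minutes=10), "webrtc_session", {"peer_domain": "club-lure.invalid"}),
    Event("WS-01", T0 + timedelta(minutes=12), "net_conn", {"process": "powershell.exe", "scheme": "wss"}),
    Event("WS-01", T0 + timedelta(minutes=20), "file_read", {"path": r"C:\Users\u\AppData\Local\Google\Chrome\User Data\Default\Login Data"}),
    Event("WS-02", T0, "messenger_url_click", {"app": "telegram"}),
    Event("WS-02", T0 + timedelta(minutes=1), "browser_nav", {"domain_age_days": 5000}),
    Event("WS-02", T0 + timedelta(minutes=5), "webrtc_session", {"peer_domain": "meet.google.com"}),
]
```

In a real pipeline the stage definitions would be fed from messaging-client, proxy/DNS, flow and EDR sources; the ordering and window logic is what keeps each individually benign-looking event from alerting on its own.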
Attribution Does Not Alter the Core Detection Problem
While WithSecure places GREYVIBE in a grey zone—pointing to Russian‑aligned targeting, shared code with known cybercrime families, and informal developer slang—the attribution nuance does not change what defenders must watch for. Whether the operators are state sponsored, criminal contractors, or a hybrid, the observable actions remain the same: a lure delivering a browser‑based persistence mechanism, followed by WebRTC‑based audio/video capture and stealthy data exfiltration. Consequently, defensive focus should stay on the tactics, techniques, and procedures (TTPs) rather than on the actor’s geopolitical label. Tracking the behavior chain provides a defense that is agnostic to the specific group behind the campaign.
AI’s Role: Speed Over Sophistication
WithSecure reports that GREYVIBE leveraged large language model (LLM) services—Ideogram AI, ChatGPT, and Google Gemini—to accelerate malware development. The AI assistance likely contributed to rapid iteration of the lure site and the PowerShell RATs, reducing the time needed to craft convincing social‑engineering content and functional code. However, the same reliance on generative AI introduced implementation shortcuts and sloppy code that exposed internal backend details, giving researchers months of visibility into the operation. The net effect is a faster malware production cycle without a demonstrable increase in technical skill or operational sophistication. Headlines that proclaim an “AI‑powered leap in capability” should be tempered by this trade‑off: AI can speed up development, but it can also leave detectable artifacts if not coupled with rigorous code review and operational security.
Current State and Future Outlook
PrincessClub remains an active, evolving threat. The operators continue to refine the lure—experimenting with different adult‑club facades, varying the timing of WebRTC activation, and tweaking the PowerShell RATs to evade emerging heuristics. As long as the romance‑to‑intelligence pattern yields valuable audio, video, and credential data, it will persist across conflict zones and beyond. Organizations should prioritize user education around unsolicited links in messaging platforms, enforce least‑privilege browser permissions, deploy WebRTC traffic monitoring that can differentiate benign video calls from covert sessions, and invest in behavioral analytics capable of spotting the multi‑stage infection chain described above. By focusing on the sequence of actions rather than isolated indicators, defenders can neutralize the threat even as the attackers iterate and adapt.

