MalwareUsed by 2 actors

GREYBATTLE

GREYBATTLE is an Android malware family described as a bespoke variant of the Hydra banking trojan. In reporting on defense-sector targeting, it is associated with the Russia-linked cluster UNC5125 (also tracked as FlyingYeti/UAC-0149) and was used in highly targeted campaigns against Ukrainian frontline drone units.

Capabilities and intent (as stated): GREYBATTLE was used to steal credentials and data.

Delivery and lures (as stated): UNC5125 distributed GREYBATTLE via a website spoofing a Ukrainian military artificial intelligence company, and also used Google Forms-hosted questionnaires for reconnaissance of prospective drone operators. The malware is mentioned alongside MESSYFORK (COOKBOX) as being used for reconnaissance and malware delivery.

Targeting (as stated): Ukrainian frontline drone units / prospective drone operators in Ukraine, within broader defense/battlefield-technology targeting.

For your environment

Hunt this family in your stack

Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.

Start free trial

THREAT ACTORS

Groups observed using it

2 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.

View more details

UAC-0149

"UNC5125 ... leveraged an Android malware called GREYBATTLE, a bespoke version of the Hydra banking trojan, to steal credentials and data..."

via the hacker newsthehackernews.com

UNC5125

UNC5125 targeted frontline drone units with Google Forms lures and malware like MESSYFORK and GREYBATTLE.

via security affairssecurityaffairs.com

MITRE ATT&CK

Techniques & procedures

2 distinct techniques documented for this family, organized by ATT&CK tactic.

Initial Access

1 technique

T1566PhishingEvidence1

“UNC5125 targeted frontline drone units with Google Forms lures…”

Command and Control

1 technique

T1102.002Bidirectional CommunicationEvidence1

MESSYFORK (COOKBOX) and GREYBATTLE... used for reconnaissance and malware delivery, often via spoofed AI company websites and Google Forms.

ACTIVITY FEED

Recent activity

3 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

3 SOURCESView more in app

rescana blogNews

Feb 15, 2026

Coordinated State-Sponsored Cyber Attacks Target Battlefield Management and Defense Supply Chains: Google Links China, Iran, Russia, North Korea

Hydra-variant tool used for reconnaissance and malware delivery.

security affairsNews

Feb 14, 2026

Suspected Russian hackers deploy CANFAIL malware against Ukraine

Malware used by UNC5125 in campaigns targeting frontline drone units (no further functional detail provided).

the hacker newsNews

Feb 13, 2026

Google Links China, Iran, Russia, North Korea to Coordinated Defense Sector Cyber Operations

Android credential/data-stealing malware described as a bespoke variant of the Hydra banking trojan, distributed via a spoofed website.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets match these IOCs, which detections are missing, which campaigns to expect next, and what to do in the next 30 minutes.

Start free trial

IOC matching

Match every observed IP, domain, and hash against your live telemetry.

Threat actor attribution2

Named campaigns wielding this family, with evidence pinned to each claim.

Exploited vulnerabilities

CVEs this family uses for access and lateral movement.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

MITRE ATT&CK mapping2

Every documented technique, ranked by evidence weight.

Researcher chatter

Reddit, Mastodon, and CTI community discussion around this family.