ETDA (Electronic Transactions Development Agency)

Threat Group Cards: A Threat Actor Encyclopedia

APT group: Grayling

Names: Grayling (Symantec)
Motivation: Information theft and espionage
First seen: 2023
Description: (Symantec) A previously unknown advanced persistent threat (APT) group used custom malware and multiple publicly available tools to target a number of organizations in the manufacturing, IT, and biomedical sectors in Taiwan.

A government agency located in the Pacific Islands, as well as organizations in Vietnam and the U.S., also appear to have been hit as part of this campaign. This activity began in February 2023 and continued until at least May 2023.

The Symantec Threat Hunter Team, part of Broadcom, has attributed this activity to a new group we are calling Grayling. This activity stood out due to the use by Grayling of a distinctive DLL sideloading technique that uses a custom decryptor to deploy payloads. The motivation driving this activity appears to be intelligence gathering.
Observed sectors: Government, IT, Manufacturing, Pharmaceutical.
Observed countries: Taiwan, USA, Vietnam and Pacific Islands.
Tools used: Cobalt Strike, Havoc, Mimikatz, NetSpy.
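The card names DLL sideloading with a custom decryptor as the technique that set this activity apart, but gives no file names, hashes or paths. The hunt below is an added example, not code from this card or from Symantec's report, and is not tied to Grayling's specific loader: it checks the generic precondition for sideloading, an executable staged in a user-writable folder next to a DLL that carries the name of a DLL the Windows loader would otherwise resolve from System32. The list of DLL names, the directory layout and the file contents are constructed for the demonstration; a real hunt would walk the host's own system directory and profile or temp paths instead.

```python
"""Hunt for the DLL side-loading precondition: an EXE staged next to a DLL
that carries the name of a DLL normally resolved from System32.
Added example; not code from the ETDA card or from Symantec's report."""
import hashlib
import os
import tempfile
from dataclasses import dataclass
from pathlib import Path

# Constructed sample of DLL names commonly present in System32 and commonly
# abused for side-loading. A production hunt would enumerate the real
# system directory on the host rather than rely on a fixed list.
KNOWN_SYSTEM_DLLS = {
    "version.dll", "dwmapi.dll", "wtsapi32.dll", "userenv.dll",
    "cryptbase.dll", "profapi.dll", "uxtheme.dll", "winmm.dll",
}


@dataclass(frozen=True, order=True)
class Finding:
    exe: str
    dll: str
    reason: str


def sha256_of(path):
    """Hex SHA-256 of a file, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def find_sideload_candidates(root, system_dir=None, system_dlls=KNOWN_SYSTEM_DLLS):
    """Return sorted Findings for every EXE that shares a directory with a
    DLL named like one in `system_dlls`.

    The Windows loader resolves an implicitly linked DLL from the EXE's own
    directory before the system directory, so an EXE dropped into a
    user-writable folder together with, say, version.dll is the staging
    pattern to flag. If `system_dir` is given, a sibling DLL that is
    byte-identical to the copy there is ignored (legitimate redistribution),
    which leaves only look-alikes.
    """
    findings = []
    for dirpath, _dirs, filenames in os.walk(root):
        here = Path(dirpath)
        by_lower = {name.lower(): name for name in filenames}
        exes = [by_lower[n] for n in by_lower if n.endswith(".exe")]
        if not exes:
            continue
        for lower, name in by_lower.items():
            if lower not in system_dlls:
                continue
            candidate = here / name
            reason = "DLL with a System32 name staged beside an EXE"
            if system_dir is not None:
                genuine = Path(system_dir) / lower
                if genuine.is_file():
                    if sha256_of(genuine) == sha256_of(candidate):
                        continue  # identical bytes: a redistributed copy, not a look-alike
                    reason = "DLL content differs from the system directory copy"
            for exe in exes:
                findings.append(Finding(str(here / exe), str(candidate), reason))
    return sorted(findings)


def build_demo_tree(base):
    """Create a constructed sample layout under `base` and return
    (scan_root, system_dir). Files hold placeholder bytes, not real PE
    images; only names and content equality matter to the heuristic."""
    base = Path(base)
    system_dir = base / "System32"
    staged = base / "AppData" / "Local" / "Temp" / "upd"
    benign = base / "Program Files" / "Vendor"
    for d in (system_dir, staged, benign):
        d.mkdir(parents=True, exist_ok=True)
    (system_dir / "version.dll").write_bytes(b"genuine version.dll bytes")
    (system_dir / "dwmapi.dll").write_bytes(b"genuine dwmapi.dll bytes")
    # Staging folder: host EXE plus a look-alike version.dll and a blob.
    (staged / "Host.exe").write_bytes(b"MZ host executable")
    (staged / "version.dll").write_bytes(b"decryptor stub, not the real DLL")
    (staged / "payload.dat").write_bytes(b"encrypted blob")
    # Benign vendor folder: EXE plus a byte-identical copy of dwmapi.dll.
    (benign / "tool.exe").write_bytes(b"MZ vendor tool")
    (benign / "dwmapi.dll").write_bytes(b"genuine dwmapi.dll bytes")
    return base, system_dir


def demo_findings(with_system_dir=True):
    """Run the hunt over the constructed tree inside a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        root, system_dir = build_demo_tree(tmp)
        return find_sideload_candidates(root, system_dir if with_system_dir else None)


if __name__ == "__main__":
    for f in demo_findings():
        print(f"{f.exe} <- {f.dll}: {f.reason}")
```

Run on a real host, point `root` at profile, temp and other user-writable paths and `system_dir` at the actual System32; the hash comparison is what keeps legitimately redistributed system DLLs out of the results, so without it expect noise from vendor installers. A hit only identifies the staging pattern, not which payload or decryptor is inside the DLL; confirming that requires triage of the flagged file.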

Last change to this card: 13 October 2023

