Connect with us

Hi, what are you looking for?



New ‘Grayling’ APT Targeting Organizations in Taiwan, US

A previously unknown APT group is targeting organizations in biomedical, IT, and manufacturing sectors in Taiwan.

A previously unknown advanced persistent threat (APT) actor has been targeting Taiwanese organizations across multiple sectors, Broadcom’s Symantec cybersecurity unit reports.

As part of a campaign running between February and May 2023, the APT group, which Symantec tracks as Grayling, also targeted a government entity in the Asia-Pacific region, as well as organizations in the US and Vietnam, likely for intelligence gathering. 

Symantec could not definitively link Grayling to a specific geography, but noted that “the heavy targeting of Taiwanese organizations does indicate that they likely operate from a region with a strategic interest in Taiwan.” This typically indicates that the threat actor may be linked to China.  

The observed attacks likely exploited web-facing assets for initial access and employed a distinctive DLL sideloading technique to deploy both custom malware and publicly available tools. On some machines, the threat actor deployed web shells prior to executing additional payloads.

Some of the observed tools included Havoc (post-exploitation command-and-control framework), Cobalt Strike, NetSpy (publicly available spyware), Mimikatz (credential dumping), various downloaders, and an unknown payload.

Additionally, the threat actor was seen exploiting CVE-2019-0803, a privilege escalation bug in Windows that is triggered when “the Win32k component fails to properly handle objects in memory,” killing processes, and performing Active Directory discovery.

Following initial access to a victim’s environment, Grayling performed DLL sideloading through an exported API SbieDll_Hook to execute various post-exploitation tools.

The use of both custom and publicly available tools is characteristic to most APTs lately, as it allows them to bypass protections, stay undetected, and prevent attribution. Furthermore, Symantec points out, it is easier for attackers to use readily available tools instead of developing their own with similar features.

Advertisement. Scroll to continue reading.

Grayling, Symantec also notes, was clearly interested in staying hidden, given the killing of processes to prevent detection, and was likely looking to gather intelligence from the compromised networks.

“While we do not see data being exfiltrated from victim machines, the activity we do see and the tools deployed point to the motivation behind this activity being intelligence gathering. The sectors the victims operate in – manufacturing, IT, biomedical, and government – are also sectors that are most likely to be targeted for intelligence gathering rather than for financial reasons,” Symantec notes.

Related: UAE-Linked APT Targets Middle East Government With New ‘Deadglyph’ Backdoor

Related: New ‘Sandman’ APT Group Hitting Telcos With Rare LuaJIT Malware

Related: New ‘GoldenJackal’ APT Targets Middle East, South Asia Governments

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Gain valuable insights from industry professionals who will help guide you through the intricacies of industrial cybersecurity.


Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.


Expert Insights

Related Content


WASHINGTON - Cyberattacks are the most serious threat facing the United States, even more so than terrorism, according to American defense experts. Almost half...


Russian espionage group Nomadic Octopus infiltrated a Tajikistani telecoms provider to spy on 18 entities, including government officials and public service infrastructures.


Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.


Several hacker groups have joined in on the Israel-Hamas war that started over the weekend after the militant group launched a major attack.


On the first anniversary of Russia’s invasion of Ukraine, cybersecurity companies summarize the cyber operations they have seen and their impact.


The war in Ukraine is the first major conflagration between two technologically advanced powers in the age of cyber. It prompts us to question...

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...


Websites of German airports, administration bodies and banks were hit by DDoS attacks attributed to Russian hacker group Killnet