A previously unknown APT tracked as Grayling targeted multiple Taiwanese sectors between February and May 2023. Symantec did not geolocate the threat actor, but noted that the heavy targeting of Taiwanese organizations strongly suggests the group is based in China.
The APT also targeted US and Vietnamese organizations, as well as an Asia-Pacific government, in what appears to be an intelligence-gathering mission. Grayling employed a variety of tools during the campaign, including the Havoc C2 framework, Cobalt Strike, the NetSpy spyware, and the Mimikatz credential dumper. After obtaining initial access, the attackers deployed their payloads via DLL sideloading, using a DLL that exports the function SbieDll_Hook. Symantec reiterated that the campaign's primary objective was to remain undetected and gather intelligence. The pursuit of persistent access in the manufacturing, IT, biomedical, and government sectors also suggests the campaign was not primarily financially motivated.
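The sideloading described above has a recognizable shape on the endpoint: a copy of the Sandboxie DLL (the legitimate exporter of SbieDll_Hook) is loaded from a directory where it does not belong. The following is an added detection example, not code from Symantec or the OODA summary; the DLL file name, the "expected" install directories, and the Sysmon image-load records are assumptions constructed for illustration.

```python
"""Flag suspicious loads of SbieDll.dll in Sysmon Event ID 7 (ImageLoad) records.

Constructed example: the report names the abused export (SbieDll_Hook); the
DLL file name and expected install directories below are assumptions.
"""
import ntpath
import re
from typing import Dict, List

# Assumed legitimate locations of the DLL that exports SbieDll_Hook.
EXPECTED_DIRS = {
    r"c:\program files\sandboxie",
    r"c:\program files\sandboxie-plus",
}
SIDELOAD_DLL = "sbiedll.dll"

# Constructed Sysmon ImageLoad events, flattened to key=value text.
SAMPLE_EVENTS = [
    r"EventID=7 Image=C:\Program Files\Sandboxie\SbieCtrl.exe ImageLoaded=C:\Program Files\Sandboxie\SbieDll.dll Signed=true",
    r"EventID=7 Image=C:\Users\Public\update.exe ImageLoaded=C:\Users\Public\SbieDll.dll Signed=false",
    r"EventID=7 Image=C:\Windows\System32\svchost.exe ImageLoaded=C:\Windows\System32\kernel32.dll Signed=true",
    r"EventID=7 Image=C:\ProgramData\tool\host.exe ImageLoaded=C:\ProgramData\tool\sbiedll.dll Signed=true",
]


def parse_event(line: str) -> Dict[str, str]:
    """Split 'Key=Value Key=Value' text into a dict; values may contain spaces."""
    return dict(re.findall(r"(\w+)=(.*?)(?= \w+=|$)", line))


def is_suspicious_sideload(event: Dict[str, str]) -> bool:
    """True for an unsigned SbieDll.dll, or one loaded outside EXPECTED_DIRS."""
    if event.get("EventID") != "7":
        return False
    directory, name = ntpath.split(event.get("ImageLoaded", ""))
    if name.lower() != SIDELOAD_DLL:
        return False
    if event.get("Signed", "").lower() == "false":
        return True
    return directory.lower().rstrip("\\") not in EXPECTED_DIRS


def find_sideload_candidates(lines: List[str]) -> List[str]:
    """Return the loading process image for each suspicious event."""
    events = [parse_event(line) for line in lines]
    return [e["Image"] for e in events if is_suspicious_sideload(e)]


if __name__ == "__main__":
    for image in find_sideload_candidates(SAMPLE_EVENTS):
        print("possible SbieDll.dll sideload by", image)
```

The same check generalizes to any sideloading target by swapping the DLL name and its expected directories; the process named in `Image` is the loader worth triaging.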