Cyber Security News

New APT Group Using Custom Malware to Attack Manufacturing & IT Industries

An unidentified APT group deployed custom malware and publicly available tools against organizations in Taiwan in the following sectors:

  • Manufacturing
  • IT
  • Biomedical

The campaign also targeted a government agency in the Pacific Islands, along with organizations in the following two countries:

  • Vietnam
  • The United States of America

The activity ran from February 2023 until May 2023. Cybersecurity analysts at Symantec’s Threat Hunter Team, part of Broadcom, recently attributed it to a new group dubbed “Grayling.”

Grayling’s distinctive DLL sideloading, paired with a custom decryptor, suggests an intelligence-gathering intent.

New APT Group Using Custom Malware

Grayling appears to gain initial access through public-facing infrastructure, deploy web shells, and then use DLL sideloading to load the following tools:

  • Cobalt Strike
  • NetSpy
  • Havoc

After gaining access, the attackers escalate privileges, scan the network, and use downloaders. The TTPs observed in this campaign are:

  • Havoc
  • Cobalt Strike
  • NetSpy
  • Exploitation of CVE-2019-0803
  • Active Directory discovery
  • Mimikatz
  • Kill processes
  • Downloaders
  • Unknown payload

The DLL sideloading is carried out through the exported API SbieDll_Hook and loads tools such as the Cobalt Strike Stager, Cobalt Strike Beacon, the Havoc framework, and NetSpy.

In this case the payload was stored encrypted in imfsb.ini and decrypted by the loader; the attackers then exploited CVE-2019-0803 to run shellcode that terminated the processes listed in processlist.txt, and finally deployed Mimikatz for credential dumping.
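To show how a defender might hunt for the sideloading pattern described above, here is an added example that is not from the article or from Symantec’s report: a Python triage over constructed Sysmon-style ImageLoad records. It assumes, from the export name, that the sideloaded DLL poses as Sandboxie’s SbieDll.dll, and it uses the companion file names (imfsb.ini, processlist.txt) the article gives; the host process paths and directory listings are constructed.

```python
"""Triage Sysmon-style ImageLoad records for SbieDll.dll sideloading.
Added example, not from the article or Symantec; all data is constructed."""
import json
from pathlib import PureWindowsPath

# Constructed records mirroring Sysmon Event ID 7 (ImageLoad) fields.
SAMPLE_EVENTS = [
    json.dumps({"Image": r"C:\Program Files\Sandboxie\SbieCtrl.exe",
                "ImageLoaded": r"C:\Program Files\Sandboxie\SbieDll.dll",
                "Signed": "true"}),
    json.dumps({"Image": r"C:\Users\Public\Libraries\vmtools.exe",
                "ImageLoaded": r"C:\Users\Public\Libraries\SbieDll.dll",
                "Signed": "false"}),
    json.dumps({"Image": r"C:\Windows\System32\svchost.exe",
                "ImageLoaded": r"C:\Windows\System32\kernel32.dll",
                "Signed": "true"}),
]
# Constructed directory listings (lower-cased) standing in for an on-host lookup.
SAMPLE_DIR_LISTING = {
    r"c:\users\public\libraries": {"vmtools.exe", "sbiedll.dll",
                                   "imfsb.ini", "processlist.txt"},
    r"c:\program files\sandboxie": {"sbiectrl.exe", "sbiedll.dll"},
}
COMPANION_FILES = {"imfsb.ini", "processlist.txt"}  # file names from the article
USER_WRITABLE_ROOTS = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")

def triage_event(line, listing=SAMPLE_DIR_LISTING):
    """Return why an ImageLoad record looks like SbieDll.dll sideloading
    (empty list = nothing suspicious)."""
    ev = json.loads(line)
    loaded = PureWindowsPath(ev["ImageLoaded"])
    if loaded.name.lower() != "sbiedll.dll":
        return []
    reasons = []
    mod_dir = str(loaded.parent).lower()
    host_dir = str(PureWindowsPath(ev["Image"]).parent).lower()
    if ev.get("Signed", "false").lower() != "true":
        reasons.append("unsigned SbieDll.dll")
    # DLL sitting beside its host in a user-writable directory: classic sideload layout.
    if mod_dir == host_dir and mod_dir.startswith(USER_WRITABLE_ROOTS):
        reasons.append("loaded from user-writable directory beside host exe")
    found = COMPANION_FILES & listing.get(mod_dir, set())
    if found:
        reasons.append("companion files present: " + ", ".join(sorted(found)))
    return reasons

def triage(lines, listing=SAMPLE_DIR_LISTING):
    """Map each suspicious record to (host image, reasons)."""
    return [(json.loads(l)["Image"], r)
            for l in lines if (r := triage_event(l, listing))]
```

The legitimate Sandboxie load produces no findings, while the copy beside an unsigned host in a user-writable directory is flagged on all three checks.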

The analysts confirmed that no data exfiltration was detected, but the activity suggests intelligence gathering against the following sectors:

  • Manufacturing
  • IT
  • Biomedical
  • Government

APT groups commonly blend custom techniques with public tools to evade detection; Havoc and Cobalt Strike are popular choices.

Reusing existing tools is easier than building custom ones, and public tools make attribution harder for investigators. The attackers also prioritized hiding their activity, as steps such as process termination show.

While Grayling’s exact location remains unclear, its strong focus on Taiwanese organizations suggests ties to a region with a strategic interest in Taiwan.


File Indicators

SHA256 hashes:


Network Indicators

Domain:

  • d3ktcnc1w6pd1f.cloudfront[.]net

IP addresses:

  • 172.245.92[.]207
  • 3.0.93[.]185

URLs:

  • http://45.148.120[.]23:91/version.dll
  • http://45.148.120[.]23:91/vmtools.exe


Tushar Subhra Dutta
