{
	"id": "bb3cca15-81a1-46da-9a56-433bbbac8c58",
	"created_at": "2026-04-06T00:10:26.830234Z",
	"updated_at": "2026-04-10T13:12:06.164832Z",
	"deleted_at": null,
	"sha1_hash": "c368530729bc264c33603ae2ed9134646a42a8d1",
	"title": "Grayfly: Chinese Threat Actor Uses Newly-discovered Sidewalk Malware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 50550,
	"plain_text": "Grayfly: Chinese Threat Actor Uses Newly-discovered Sidewalk Malware\r\nArchived: 2026-04-05 14:33:09 UTC\r\nSymantec, part of Broadcom Software, has linked the recently discovered Sidewalk backdoor to the China-linked Grayfly espionage group. The malware, which is related to the older Crosswalk backdoor (Backdoor.Motnug), has been deployed in recent Grayfly campaigns against a number of organizations in Taiwan, Vietnam, the United States, and Mexico. A feature of this recent campaign was that a large number of targets were in the telecoms sector. The group also attacked organizations in the IT, media, and finance sectors.\r\nSidewalk was recently documented by ESET, who attributed it to a new group it called SparklingGoblin, which it linked to the Winnti malware family. Symantec’s Threat Hunter Team has attributed Sidewalk to Grayfly, a longstanding Chinese espionage operation. Members of the group were indicted in the U.S. in 2020. The recent campaign involving Sidewalk suggests that Grayfly has been undeterred by the publicity surrounding the indictments.\r\nWho are Grayfly?\r\nGrayfly (aka GREF and Wicked Panda) is a targeted attack group that has been active since at least March 2017, using a custom backdoor known as Backdoor.Motnug (aka TOMMYGUN/CROSSWALK), a custom loader called Trojan.Chattak, Cobalt Strike (aka Trojan.Agentemis), and ancillary tools in its attacks.\r\nGrayfly has been observed targeting a number of countries in Asia, Europe, and North America across a variety of industries, including food, financial, healthcare, hospitality, manufacturing, and telecommunications. In more recent activity, Grayfly has continued with its focus on telecommunications but has also been observed targeting organizations operating within the media, finance, and IT service provider sectors. Typically Grayfly targets publicly facing web servers to install web shells for initial intrusion, before spreading further within the network. Once a network has been compromised, Grayfly may install its custom backdoors onto additional systems. These tools allow the attackers to have comprehensive remote access to the network and proxy connections allowing them to access hard-to-reach segments of a target's network.\r\nAlthough sometimes labeled APT41, we consider Grayfly the espionage arm of APT41. Similarly, Symantec tracks other sub-groups of APT41 separately, such as Blackfly, its cyber-crime arm.\r\nSidewalk campaign\r\nA characteristic of the recent campaign was that the group appeared to be particularly interested in attacking exposed Microsoft Exchange or MySQL servers. This suggests that the initial vector may be the exploitation of multiple vulnerabilities in public-facing servers.\r\nIn at least one attack, the suspicious Exchange activity was followed by PowerShell commands used to install an unidentified web shell. Following this, the malicious backdoor was executed.\r\nAfter the installation of the backdoor, the attackers deployed a custom version of the credential-dumping tool Mimikatz. This version of Mimikatz has been used previously in Grayfly attacks.\r\nVictim case study\r\nThe first indication of attacker activity was identified at 20:39 local time, when a Base64-encoded PowerShell command was executed via a legitimate Exchange Server-related process. The command was used to execute certutil to decode and install a web shell:\r\n\u003e(^_certutil -decode -f C:\\Windows\\Temp\\ImportContactList_-.aspx\r\nC:\\Windows\\Temp\\ImportContactList.aspx;if((dir C:\\Windows\\Temp\\ImportContactList.aspx).Length -eq212)\r\n{Remove-Item -Force C:\\Windows\\Temp\\ImportContactList_*-*.aspx}*\r\nNext, another Base64-encoded PowerShell command was executed. This command was used to move the web shell to the Exchange install path, accessible to the attackers – specifically the ClientAccess\\ecp directory.\r\nmv  C:\\Windows\\Temp\\ImportContactList.aspx $envExchangeInstallPath\\ClientAccess\\esp\\ -Force\r\nSeveral minutes later, a backdoor was executed via installutil.exe:\r\nCSIDL_WINDOWS\\microsoft.net\\framework64\\v4.0.30319\\installutil.exe /logfile= /LogToConsole=false\r\n/ParentProc=none /U\r\nCSIDL_WINDOWS\\microsoft.net\\framework64\\v4.0.30319\\microsoft.webapi.config\r\nRoughly an hour later, the attackers were observed executing a WMIC command in order to run a Windows batch file. This file was used to create a scheduled task to execute the backdoor and ensure persistence:\r\nWMIC /NODE:\"172.16.140.234\" process call create \"cmd.exe /c\r\nc:\\users\\public\\schtask.bat\"\r\nShortly after this, Mimikatz was executed to dump credentials:\r\nsha2:b3eb783b017da32e33d19670b39eae0b11de8e983891dd4feb873d6e9333608d (Mimikatz) -\r\ncsidl_system_drive\\perflogs\\ulsassx64.exe\r\nAfter this point, no further activity was observed.\r\nIndictments\r\nThree Chinese men were indicted in the U.S. in 2020 for their involvement in attacks that involved Grayfly tools and tactics. At the time of the indictment, Jiang Lizhi, Qian Chuan, and Fu Qiang were based in the Chinese city of Chengdu and held senior positions in a company called Chengdu 404. The company describes itself as a network security specialist and claims to employ a team of white hat hackers who can perform penetration testing along with other security operations.\r\nThe indictment charged the men with involvement in attacks against over 100 different organizations in the U.S., South Korea, Japan, India, Taiwan, Hong Kong, Malaysia, Vietnam, Pakistan, Australia, the United Kingdom, Chile, Indonesia, Singapore, and Thailand. Jiang was said to have a “working relationship” with the Chinese Ministry of State Security, which would provide him and his associates with a degree of state protection.\r\nLikely to continue\r\nGrayfly is a capable actor, likely to continue to pose a risk to organizations in Asia and Europe across a variety of industries, including telecommunications, finance, and media. It's likely this group will continue to develop and improve its custom tools to enhance evasion tactics, along with using commodity tools such as publicly available exploits and web shells to assist in its attacks.\r\nProtection/Mitigation\r\nFor the latest protection updates, please visit the Symantec Protection Bulletin.\r\nIndicators of Compromise\r\nSource: https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/grayfly-china-sidewalk-malware",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/grayfly-china-sidewalk-malware"
	],
	"report_names": [
		"grayfly-china-sidewalk-malware"
	],
	"threat_actors": [
		{
			"id": "c8b57a00-18f4-4e49-9954-849de5e97506",
			"created_at": "2023-11-05T02:00:08.065073Z",
			"updated_at": "2026-04-10T02:00:03.395154Z",
			"deleted_at": null,
			"main_name": "SparklingGoblin",
			"aliases": [],
			"source_name": "MISPGALAXY:SparklingGoblin",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "0a03e7f0-2f75-4153-9c4f-c46d12d3962e",
			"created_at": "2022-10-25T15:50:23.453824Z",
			"updated_at": "2026-04-10T02:00:05.28793Z",
			"deleted_at": null,
			"main_name": "Ke3chang",
			"aliases": [
				"Ke3chang",
				"APT15",
				"Vixen Panda",
				"GREF",
				"Playful Dragon",
				"RoyalAPT",
				"Nylon Typhoon"
			],
			"source_name": "MITRE:Ke3chang",
			"tools": [
				"Okrum",
				"Systeminfo",
				"netstat",
				"spwebmember",
				"Mimikatz",
				"Tasklist",
				"MirageFox",
				"Neoichor",
				"ipconfig"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "c7d9878a-e691-4c6f-81ae-84fb115a1345",
			"created_at": "2022-10-25T16:07:23.359506Z",
			"updated_at": "2026-04-10T02:00:04.556639Z",
			"deleted_at": null,
			"main_name": "APT 41",
			"aliases": [
				"BrazenBamboo",
				"Bronze Atlas",
				"Double Dragon",
				"Earth Baku",
				"G0096",
				"Grayfly",
				"Operation ColunmTK",
				"Operation CuckooBees",
				"Operation ShadowHammer",
				"Red Kelpie",
				"SparklingGoblin",
				"TA415",
				"TG-2633"
			],
			"source_name": "ETDA:APT 41",
			"tools": [
				"9002 RAT",
				"ADORE.XSEC",
				"ASPXSpy",
				"ASPXTool",
				"AceHash",
				"Agent.dhwf",
				"Agentemis",
				"AndroidControl",
				"AngryRebel",
				"AntSword",
				"BLUEBEAM",
				"Barlaiy",
				"BlackCoffee",
				"Bladabindi",
				"BleDoor",
				"CCleaner Backdoor",
				"CHINACHOPPER",
				"COLDJAVA",
				"China Chopper",
				"ChyNode",
				"Cobalt Strike",
				"CobaltStrike",
				"Crackshot",
				"CrossWalk",
				"CurveLast",
				"CurveLoad",
				"DAYJOB",
				"DBoxAgent",
				"DEADEYE",
				"DEADEYE.APPEND",
				"DEADEYE.EMBED",
				"DEPLOYLOG",
				"DIRTCLEANER",
				"DUSTTRAP",
				"Derusbi",
				"Destroy RAT",
				"DestroyRAT",
				"DodgeBox",
				"DragonEgg",
				"ELFSHELF",
				"EasyNight",
				"Farfli",
				"FunnySwitch",
				"Gh0st RAT",
				"Ghost RAT",
				"HDD Rootkit",
				"HDRoot",
				"HKDOOR",
				"HOMEUNIX",
				"HUI Loader",
				"HidraQ",
				"HighNoon",
				"HighNote",
				"Homux",
				"Hydraq",
				"Jorik",
				"Jumpall",
				"KEYPLUG",
				"Kaba",
				"Korplug",
				"LATELUNCH",
				"LOLBAS",
				"LOLBins",
				"LightSpy",
				"Living off the Land",
				"Lowkey",
				"McRAT",
				"MdmBot",
				"MessageTap",
				"Meterpreter",
				"Mimikatz",
				"MoonBounce",
				"MoonWalk",
				"Motnug",
				"Moudour",
				"Mydoor",
				"NTDSDump",
				"PACMAN",
				"PCRat",
				"PINEGROVE",
				"PNGRAT",
				"POISONPLUG",
				"POISONPLUG.SHADOW",
				"POTROAST",
				"PRIVATELOG",
				"PipeMon",
				"PlugX",
				"PortReuse",
				"ProxIP",
				"ROCKBOOT",
				"RbDoor",
				"RedDelta",
				"RedXOR",
				"RibDoor",
				"Roarur",
				"RouterGod",
				"SAGEHIRE",
				"SPARKLOG",
				"SQLULDR2",
				"STASHLOG",
				"SWEETCANDLE",
				"ScrambleCross",
				"Sensocode",
				"SerialVlogger",
				"ShadowHammer",
				"ShadowPad Winnti",
				"SinoChopper",
				"Skip-2.0",
				"SneakCross",
				"Sogu",
				"Speculoos",
				"Spyder",
				"StealthReacher",
				"StealthVector",
				"TERA",
				"TIDYELF",
				"TIGERPLUG",
				"TOMMYGUN",
				"TVT",
				"Thoper",
				"Voldemort",
				"WIDETONE",
				"WINNKIT",
				"WINTERLOVE",
				"Winnti",
				"WyrmSpy",
				"X-Door",
				"XDOOR",
				"XMRig",
				"XShellGhost",
				"Xamtrav",
				"ZXShell",
				"ZoxPNG",
				"certutil",
				"certutil.exe",
				"cobeacon",
				"gresim",
				"njRAT",
				"pwdump",
				"xDll"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "4d5f939b-aea9-4a0e-8bff-003079a261ea",
			"created_at": "2023-01-06T13:46:39.04841Z",
			"updated_at": "2026-04-10T02:00:03.196806Z",
			"deleted_at": null,
			"main_name": "APT41",
			"aliases": [
				"WICKED PANDA",
				"BRONZE EXPORT",
				"Brass Typhoon",
				"TG-2633",
				"Leopard Typhoon",
				"G0096",
				"Grayfly",
				"BARIUM",
				"BRONZE ATLAS",
				"Red Kelpie",
				"G0044",
				"Earth Baku",
				"TA415",
				"WICKED SPIDER",
				"HOODOO",
				"Winnti",
				"Double Dragon"
			],
			"source_name": "MISPGALAXY:APT41",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e698860d-57e8-4780-b7c3-41e5a8314ec0",
			"created_at": "2022-10-25T15:50:23.287929Z",
			"updated_at": "2026-04-10T02:00:05.329769Z",
			"deleted_at": null,
			"main_name": "APT41",
			"aliases": [
				"APT41",
				"Wicked Panda",
				"Brass Typhoon",
				"BARIUM"
			],
			"source_name": "MITRE:APT41",
			"tools": [
				"ASPXSpy",
				"BITSAdmin",
				"PlugX",
				"Impacket",
				"gh0st RAT",
				"netstat",
				"PowerSploit",
				"ZxShell",
				"KEYPLUG",
				"LightSpy",
				"ipconfig",
				"sqlmap",
				"China Chopper",
				"ShadowPad",
				"MESSAGETAP",
				"Mimikatz",
				"certutil",
				"njRAT",
				"Cobalt Strike",
				"pwdump",
				"BLACKCOFFEE",
				"MOPSLED",
				"ROCKBOOT",
				"dsquery",
				"Winnti for Linux",
				"DUSTTRAP",
				"Derusbi",
				"ftp"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "adfbe698-24b2-41fc-a701-781fef330b16",
			"created_at": "2024-01-09T02:00:04.17648Z",
			"updated_at": "2026-04-10T02:00:03.504826Z",
			"deleted_at": null,
			"main_name": "GREF",
			"aliases": [],
			"source_name": "MISPGALAXY:GREF",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "945a572f-ebe3-4e2f-a288-512fe751cfa8",
			"created_at": "2022-10-25T16:07:24.413971Z",
			"updated_at": "2026-04-10T02:00:04.97924Z",
			"deleted_at": null,
			"main_name": "Winnti Group",
			"aliases": [
				"G0044",
				"Leopard Typhoon",
				"Wicked Panda",
				"Winnti Group"
			],
			"source_name": "ETDA:Winnti Group",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"FunnySwitch",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "2a24d664-6a72-4b4c-9f54-1553b64c453c",
			"created_at": "2025-08-07T02:03:24.553048Z",
			"updated_at": "2026-04-10T02:00:03.787296Z",
			"deleted_at": null,
			"main_name": "BRONZE ATLAS",
			"aliases": [
				"APT41 ",
				"BARIUM ",
				"Blackfly ",
				"Brass Typhoon",
				"CTG-2633",
				"Earth Baku ",
				"GREF",
				"Group 72 ",
				"Red Kelpie ",
				"TA415 ",
				"TG-2633 ",
				"Wicked Panda ",
				"Winnti"
			],
			"source_name": "Secureworks:BRONZE ATLAS",
			"tools": [
				"Acehash",
				"CCleaner v5.33 backdoor",
				"ChinaChopper",
				"Cobalt Strike",
				"DUSTPAN",
				"Dicey MSDN",
				"Dodgebox",
				"ForkPlayground",
				"HUC Proxy Malware (Htran)"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "17b1b76b-16da-4c4f-8b32-f6fede3eda8c",
			"created_at": "2022-10-25T16:07:23.750796Z",
			"updated_at": "2026-04-10T02:00:04.736762Z",
			"deleted_at": null,
			"main_name": "Ke3chang",
			"aliases": [
				"APT 15",
				"BackdoorDiplomacy",
				"Bronze Davenport",
				"Bronze Idlewood",
				"Bronze Palace",
				"CTG-9246",
				"G0004",
				"G0135",
				"GREF",
				"Ke3chang",
				"Metushy",
				"Nylon Typhoon",
				"Operation Ke3chang",
				"Operation MirageFox",
				"Playful Dragon",
				"Playful Taurus",
				"PurpleHaze",
				"Red Vulture",
				"Royal APT",
				"Social Network Team",
				"Vixen Panda"
			],
			"source_name": "ETDA:Ke3chang",
			"tools": [
				"Agentemis",
				"Anserin",
				"BS2005",
				"BleDoor",
				"CarbonSteal",
				"Cobalt Strike",
				"CobaltStrike",
				"DarthPusher",
				"DoubleAgent",
				"EternalBlue",
				"GoldenEagle",
				"Graphican",
				"HenBox",
				"HighNoon",
				"IRAFAU",
				"Ketrican",
				"Ketrum",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"MS Exchange Tool",
				"Mebroot",
				"Mimikatz",
				"MirageFox",
				"NBTscan",
				"Okrum",
				"PluginPhantom",
				"PortQry",
				"ProcDump",
				"PsList",
				"Quarian",
				"RbDoor",
				"RibDoor",
				"Royal DNS",
				"RoyalCli",
				"RoyalDNS",
				"SAMRID",
				"SMBTouch",
				"SilkBean",
				"Sinowal",
				"SpyWaller",
				"Theola",
				"TidePool",
				"Torpig",
				"Turian",
				"Winnti",
				"XSLCmd",
				"cobeacon",
				"nbtscan",
				"netcat",
				"spwebmember"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434226,
	"ts_updated_at": 1775826726,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c368530729bc264c33603ae2ed9134646a42a8d1.pdf",
		"text": "https://archive.orkl.eu/c368530729bc264c33603ae2ed9134646a42a8d1.txt",
		"img": "https://archive.orkl.eu/c368530729bc264c33603ae2ed9134646a42a8d1.jpg"
	}
}