{
	"id": "b103d22f-e50a-42eb-8042-5b3c728847de",
	"created_at": "2026-04-06T00:19:26.518376Z",
	"updated_at": "2026-04-10T13:12:08.011624Z",
	"deleted_at": null,
	"sha1_hash": "d938565f3c44ebbd1dbf64051ef3b1c8eb2c3730",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 44362,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\r\nArchived: 2026-04-05 21:50:01 UTC\r\nAPT group: Grayling\r\nNames: Grayling (Symantec)\r\nCountry: [Unknown]\r\nMotivation: Information theft and espionage\r\nFirst seen: 2023\r\nDescription\r\n(Symantec) A previously unknown advanced persistent threat (APT) group used custom\r\nmalware and multiple publicly available tools to target a number of organizations in the\r\nmanufacturing, IT, and biomedical sectors in Taiwan.\r\nA government agency located in the Pacific Islands, as well as organizations in Vietnam and\r\nthe U.S., also appear to have been hit as part of this campaign. This activity began in February\r\n2023 and continued until at least May 2023.\r\nThe Symantec Threat Hunter Team, part of Broadcom, has attributed this activity to a new\r\ngroup we are calling Grayling. This activity stood out due to the use by Grayling of a\r\ndistinctive DLL sideloading technique that uses a custom decryptor to deploy payloads. The\r\nmotivation driving this activity appears to be intelligence gathering.\r\nObserved\r\nSectors: Government, IT, Manufacturing, Pharmaceutical.\r\nCountries: Taiwan, USA, Vietnam and Pacific Islands.\r\nTools used: Cobalt Strike, Havoc, Mimikatz, NetSpy.\r\nInformation\r\n\u003chttps://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/grayling-taiwan-cyber-attacks\u003e\r\nLast change to this card: 13 October 2023\r\nDownload this actor card in PDF or JSON format\r\nSource: https://apt.etda.or.th/cgi-bin/showcard.cgi?u=2a0a5e70-688e-4480-9267-154163b45f8f\r\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=2a0a5e70-688e-4480-9267-154163b45f8f\r\nPage 1 of 1",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/showcard.cgi?u=2a0a5e70-688e-4480-9267-154163b45f8f"
	],
	"report_names": [
		"showcard.cgi?u=2a0a5e70-688e-4480-9267-154163b45f8f"
	],
	"threat_actors": [
		{
			"id": "9d2b77c7-ddb6-4ab3-9ae7-d3ecd11e0527",
			"created_at": "2023-10-14T02:03:14.230825Z",
			"updated_at": "2026-04-10T02:00:04.712961Z",
			"deleted_at": null,
			"main_name": "Grayling",
			"aliases": [],
			"source_name": "ETDA:Grayling",
			"tools": [
				"Agentemis",
				"Cobalt Strike",
				"CobaltStrike",
				"Havokiz",
				"Mimikatz",
				"NetSpy",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "11d9bc85-5bb6-4aa7-a237-a103ff31b1a2",
			"created_at": "2023-10-21T02:00:12.136874Z",
			"updated_at": "2026-04-10T02:00:02.901347Z",
			"deleted_at": null,
			"main_name": "Grayling",
			"aliases": [],
			"source_name": "MISPGALAXY:Grayling",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434766,
	"ts_updated_at": 1775826728,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d938565f3c44ebbd1dbf64051ef3b1c8eb2c3730.pdf",
		"text": "https://archive.orkl.eu/d938565f3c44ebbd1dbf64051ef3b1c8eb2c3730.txt",
		"img": "https://archive.orkl.eu/d938565f3c44ebbd1dbf64051ef3b1c8eb2c3730.jpg"
	}
}