Chinese Group Grayfly Uses SideWalk Backdoor

The SideWalk backdoor, which last month was seen in a campaign against U.S. media organizations and retailers attributed to the SparklingGoblin APT group, has now been observed in campaigns run by the Grayfly group.

Discussing Grayfly campaigns

Grayfly is a threat group active since March 2017 and known to use the custom backdoor Motnug (aka CrossWalk), the custom loader Trojan.Chattak, Cobalt Strike, and other tools in its attacks.
  • Most victims in the recent campaign are in the telecom sector, but media, IT, and finance firms located in Vietnam, Mexico, the U.S., and Taiwan were also hit.
  • The group focuses on vulnerable, publicly exposed Microsoft Exchange and MySQL servers; the initial access vector is most likely exploitation of vulnerabilities in those public-facing servers.
  • In one attack, suspicious activity on an Exchange server was traced to PowerShell commands that installed an unidentified web shell backdoor.
  • Once the web shell is in place, the attackers deliver a custom build of Mimikatz, a credential-dumping tool.
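The chain described above (IIS worker spawning PowerShell, PowerShell writing a script file into an Exchange web directory, then Mimikatz) is where a defender gets to see this activity, so the following is an added example of a small hunt over process-creation and file-creation telemetry. It is not from the original report and reproduces no Grayfly artifact: the log format, host name, file names, timestamps and command lines are constructed for the example, and the Exchange directory names assume a standard V15 install layout.

```python
import re
from dataclasses import dataclass

# Exchange virtual directories into which a legitimate process practically
# never writes a new script file; a fresh .aspx here is the classic web-shell
# drop. Assumed standard V15 install layout, not taken from the incident.
EXCHANGE_WEB_DIRS = (
    r"\frontend\httpproxy\owa\auth",
    r"\frontend\httpproxy\ecp\auth",
    r"\inetpub\wwwroot\aspnet_client",
)
WEB_SHELL_EXT = (".aspx", ".ashx", ".asmx", ".asp")
WRITE_VERBS = ("set-content", "add-content", "out-file", "writealltext", "writeallbytes")
SHELLS = ("cmd.exe", "powershell.exe", "pwsh.exe")
# Mimikatz module syntax. A custom build may rename the binary, so key on the
# module::command strings in the command line rather than on the file name.
MIMIKATZ_MARKERS = ("sekurlsa::", "lsadump::", "privilege::debug")

# Constructed log format: space-separated key=value, values with spaces double-quoted.
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Constructed sample telemetry (Sysmon-style process-create / file-create events).
SAMPLE_LOG = r'''
ts=2021-09-01T10:12:01Z host=EXCH01 event=ProcessCreate parent=w3wp.exe image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe cmdline="powershell.exe -nop -w hidden -c Set-Content -Path 'C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\errorFF.aspx' -Value $p"
ts=2021-09-01T10:12:02Z host=EXCH01 event=FileCreate image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe target="C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\errorFF.aspx"
ts=2021-09-01T10:15:40Z host=EXCH01 event=ProcessCreate parent=w3wp.exe image=C:\Windows\Temp\svchost.exe cmdline="svchost.exe privilege::debug sekurlsa::logonpasswords exit"
ts=2021-09-01T10:20:00Z host=EXCH01 event=ProcessCreate parent=explorer.exe image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe cmdline="powershell.exe Get-MailboxDatabase -Status"
ts=2021-09-01T10:21:00Z host=EXCH01 event=FileCreate image=C:\Windows\System32\inetsrv\w3wp.exe target="C:\inetpub\temp\IIS Temporary Compressed Files\x.gz"
'''

@dataclass
class Finding:
    rule: str
    host: str
    evidence: str

def parse_line(line):
    """Parse one constructed key=value log line into a dict."""
    return {k: (q or u) for k, q, u in FIELD_RE.findall(line)}

def in_exchange_webdir(path):
    """True if the path (or command line) references an Exchange web directory."""
    p = path.lower()
    return any(d in p for d in EXCHANGE_WEB_DIRS)

def hunt(lines):
    """Return findings for: IIS worker spawns a shell, PowerShell writes a script
    file into an Exchange web directory, a web-shell file appears there, and
    Mimikatz module commands show up on a command line."""
    findings = []
    for line in lines:
        ev = parse_line(line)
        if not ev:
            continue
        host = ev.get("host", "?")
        image = ev.get("image", "").lower()
        parent = ev.get("parent", "").lower()
        cmd = ev.get("cmdline", "")
        low = cmd.lower()
        if ev.get("event") == "ProcessCreate":
            # w3wp.exe (IIS worker) launching a shell is the web-shell-in-use signal.
            if parent.endswith("w3wp.exe") and image.endswith(SHELLS):
                findings.append(Finding("w3wp_spawns_shell", host, cmd))
            # PowerShell writing a .aspx-style file under an Exchange web dir.
            if (image.endswith(("powershell.exe", "pwsh.exe"))
                    and in_exchange_webdir(low)
                    and any(e in low for e in WEB_SHELL_EXT)
                    and any(v in low for v in WRITE_VERBS)):
                findings.append(Finding("powershell_webshell_write", host, cmd))
            if any(m in low for m in MIMIKATZ_MARKERS):
                findings.append(Finding("mimikatz_cmdline", host, cmd))
        elif ev.get("event") == "FileCreate":
            target = ev.get("target", "")
            if in_exchange_webdir(target) and target.lower().endswith(WEB_SHELL_EXT):
                findings.append(Finding("webshell_file_create", host, f"{image} -> {target}"))
    return findings

if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG.strip().splitlines()):
        print(f"[{f.rule}] {f.host}: {f.evidence}")
```

Run against the constructed sample, the hunt flags the first three events (two rules fire on the first line) and ignores the benign Exchange cmdlet and the IIS temp file. Two caveats a practitioner should keep in mind: matching Mimikatz module strings survives a renamed binary but not a custom build whose command names were rewritten, so pair it with LSASS-access telemetry; and administrators occasionally do touch these directories during patching, so the file-write rules need an allow-list for change windows rather than being treated as high-fidelity on their own.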

An incident from last year 

  • In 2020, three men were charged in the U.S. for their role in Grayfly attacks. All three were Chinese nationals who worked for the firm Chengdu 404.
  • The firm describes itself as a network security specialist and claims to have a team of white hat hackers who carry out penetration testing and other security work.
  • The three were involved in attacks against more than 100 organizations based in the U.S., South Korea, Japan, India, Taiwan, Hong Kong, Malaysia, and Vietnam, among other countries.
  • One of the individuals is believed to have had a working relationship with China's Ministry of State Security, which is thought to have afforded the group some degree of state protection.


Grayfly has been observed refining its tools and evasion tactics, which suggests the group intends to expand its targeting across Asia and Europe and across multiple industries. Security teams should therefore track this threat closely and use shared threat intelligence to detect and stop these attacks early in the chain.