APT / THREAT GROUP

Grager

2 aliases
Last seen: Mar 17, 2026

Intelligence Profile

Grager is a backdoor deployed against three organizations in Taiwan, Hong Kong, and Vietnam in April 2024. Analysis of this backdoor revealed that it uses the Microsoft Graph API to communicate with a command and control (C&C) server hosted on Microsoft OneDrive. The backdoor decrypts a OneDrive client ID and refresh token from a blob embedded in its own file body. It supports the following commands:

- Retrieve machine information, including machine name, user, IP address, and machine architecture

- Download or upload a file

- Execute a file

- Gather file system information, including available drives, their sizes, and types of drives

Threat Analysis

The sophistication, national origin, and primary motivation of the actor behind Grager have not been determined from the available intelligence, and no distinct activity pattern has been attributed to it.

External References

Quick Facts

Type: APT / Threat Group
Aliases: 2

Also Known As

win.grager, Grager

External Intelligence

Malpedia: win.grager

Research Links

Data sourced from Malpedia, Ransomware.live, RansomLook, and CTIWATCH OSINT collection. Actor attribution is based on available intelligence and may be incomplete.