HOMETHREATSTONERJAM
APT / THREAT GROUP

TONERJAM

2
aliases
Last seen:Mar 17, 2026

Intelligence Profile

According to Symantec, Grager was deployed against three organizations in Taiwan, Hong Kong, and Vietnam in April 2024. Analysis of the backdoor revealed that it used the Graph API to communicate with a C&C server hosted on Microsoft OneDrive. Grager was downloaded from a typosquatted URL mimicking the open-source file archiver 7-Zip.

Threat Analysis

TONERJAM is a known-sophistication threat actor of undetermined national origin, engaged in cyber operations with a primary motivation of unknown activity patterns.

External References

Quick Facts

TypeAPT / Threat Group
Aliases2

Also Known As

TONERJAMwin.tonerjam

External Intelligence

Malpedia: win.tonerjam

Research Links

Data sourced from Malpedia, Ransomware.live, RansomLook, and CTIWATCH OSINT collection. Actor attribution is based on available intelligence and may be incomplete.
TONERJAM — APT / Threat Group | Threat Intelligence | CTIWATCH.COM