MALWARE FAMILY

Grager

Internal ID: win.grager
1
aliases
Last seen:Mar 17, 2026

Intelligence Profile

Grager is a backdoor deployed against three organizations in Taiwan, Hong Kong, and Vietnam in April 2024. Analysis of this backdoor revealed that it uses the Graph API to communicate with a command and control (C&C) server hosted on Microsoft OneDrive. The backdoor decrypts a client ID and refresh token for OneDrive from a blob contained within its file body. It supports the following commands:

- Retrieve machine information, including machine name, user, IP address, and machine architecture

- Download or upload a file

- Execute a file

- Gather file system information, including available drives, their sizes, and types of drives

Threat Analysis

Grager is a malware family tracked by threat intelligence researchers and catalogued in the Malpedia dataset. It represents a distinct malicious software lineage with identifiable code characteristics, behaviors, and victimology.

External References

Quick Facts

TypeMalware Family
Aliases1

Also Known As

win.grager

Research Links

Data sourced from Malpedia, Ransomware.live, RansomLook, and CTIWATCH OSINT collection. Actor attribution is based on available intelligence and may be incomplete.