Graphite

Description

(Cluster25) Once it has obtained a new OAuth2 token, the Graphite malware queries the Microsoft Graph APIs for new commands by enumerating the child files in the check OneDrive subdirectory. If a new file is found, its content is downloaded and decrypted using an AES-256-CBC decryption algorithm. The monitoring of task executions and the uploading of their results is managed through a dedicated thread. Finally, the malware allows remote command execution by allocating a new region of memory and executing the received shellcode in a new dedicated thread.

Names

Name
Graphite

Category

Malware

Type

  • Backdoor

Information

Malpedia

Other Information

Uuid

54731956-6a9c-4fac-8622-2623eb886502

Last Card Change

2025-06-28