GRAYRABBIT
GRAYRABBIT is a custom backdoor associated primarily with the PRC-nexus threat actor UNC3569 and also observed in activity tracked as SHADOW-VOID-044 and SHADOW-EARTH-045. The content identifies it as one of UNC3569’s primary backdoors alongside DRAFTGRAPH and CROSSWALK. UNC3569 has targeted organizations worldwide across government, education, technology, finance, media, telecommunications, airlines, heavy industry, and energy, with operations concentrated in East and Southeast Asia and extending to the United States and other regions. The group commonly gains initial access by exploiting known n-day vulnerabilities in internet-facing products from Apache, Microsoft, IBM, VMware, and Oracle, then deploys tooling including SIDESTEP, OXEEYE, Cobalt Strike BEACON, and GRAYRABBIT.
Observed delivery and execution methods for GRAYRABBIT include DLL sideloading and a PowerShell-based chain using UuidFromStringA to read, decode, and execute the payload. UNC3569 also distributed encrypted GRAYRABBIT payloads via GitHub accounts kkecho123 and powerhelp over raw.githubusercontent.com, and the same cloud storage used for DRAFTGRAPH C2 also held SIDESTEP, OXEEYE, CROSSWALK, and GRAYRABBIT payloads. In July 2023, researchers observed UNC3569 using OXEEYE and GRAYRABBIT in an operation that abused Microsoft OneDrive as DRAFTGRAPH command-and-control infrastructure.
Infrastructure and indicators directly mentioned in the content include a GRAYRABBIT sample hosted on 47.238.219.111 in SHADOW-VOID-044 activity; a C2 domain center.myrnicrosoft.com that matched infrastructure previously associated with UNC3569; a GitHub-hosted GRAYRABBIT payload decrypting to a sample with MD5 8def8c562e718d38291baae0dbeb683e; and network communication from that sample to 103.218.242.86:443. The malware’s presence was used as an attribution overlap linking SHADOW-VOID-044 to UNC3569 with moderate-to-high confidence. The content also states that Shadow-Earth attackers used the previously identified GrayRabbit backdoor together with HoloDonut in their operations. High-confidence victimology tied to activity involving GRAYRABBIT includes the Chinese gambling industry, Asian government entities, private organizations, and a Philippine educational institution, although some actor links outside UNC3569 are described with lower confidence.
Hunt this family in your stack
Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
Groups observed using it
1 distinct threat actor attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
A primary backdoor – DRAFTGRAPH, CROSSWALK or the custom GRAYRABBIT – is included in the attack to offer other remote control features.
Techniques & procedures
9 distinct techniques documented for this family, organized by ATT&CK tactic.
Resource Development
1 techniqueUNC3569 leverages cloud services like OneDrive for operational infrastructure and strategic cloud storage to complement operations. In one example, a DRAFTGRAPH sample... was configured to abuse OneDrive as its C2 server.
Initial Access
2 techniques"In watering-hole scenarios, malicious scripts injected into websites trigger downloads of the main PeckBirdy script upon victim visitation, often leading to fake software update pages that prompt execution of malicious files."
Since 2021, UNC3569 has exploited popular n-day CVEs in widely used software, such as CVE-2021-44228 and CVE‑2022-21587, to gain access to target organizations.
Execution
1 technique"...combined with the UuidFromStringA function of PowerShell to read, decode, and execute the backdoor payload."
Stealth
3 techniquesTo cover the malicious traffic, the attackers registered C2 domains masquerading as normal AWS or AlibabaCloud domains... This cluster of activity has previously targeted entities... using malicious domains that masquerade as services such as Amazon Web Services and Microsoft Support Services.
The payload is often obfuscated with an additional binary layer, including techniques such as XOR encoding, custom shellcode loaders... The shellcode decrypts the embedded PE payload using a simple XOR operation and then executes the payload.
To evade detection and anti-virus software, UNC3569 developed multiple shellcode runners and backdoor droppers... The use of a Rust-based shellcode runner...
Command and Control
2 techniquesUNC3569’s command-and-control (C2) infrastructure reveals patterns in server configurations and subdomain usage. These C&C servers are multifunctional, hosting various malware controllers and serving as distribution points for malware.
UNC3569 used BEACON stager samples to download additional payloads from GitHub accounts. This allowed the attacker to easily switch payloads as needed.
Recent activity
7 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Backdoor found on SHADOW-VOID-044 infrastructure; noted as previously associated with UNC3569.
Backdoor used in the Shadow-Earth-045 activity and previously associated with China-backed UNC3569.
Backdoor previously deployed by UNC3569; observed on infrastructure operated by SHADOW-VOID-044, suggesting possible linkage or shared infrastructure/tooling.
Backdoor observed hosted on SHADOW-VOID-044 infrastructure; sample variant used DLL sideloading and leveraged PowerShell with UuidFromStringA to read/decode/execute the payload; shared C2 domain with UNC3569-linked activity.
The version that knows your environment.
Match every observed IP, domain, and hash against your live telemetry.
Named campaigns wielding this family, with evidence pinned to each claim.
CVEs this family uses for access and lateral movement.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Every documented technique, ranked by evidence weight.
Reddit, Mastodon, and CTI community discussion around this family.