GraphSteel

Malware

⚠️ Overview

GraphSteel is a backdoor malware family first publicly documented by Microsoft in September 2024 as part of a campaign attributed to the threat group Storm-1376, an Iranian state-sponsored cluster. It is categorized as a custom backdoor and information stealer, designed for persistent access and data exfiltration targeting defense, satellite, and pharmaceutical sectors primarily in Israel, the U.S., and Europe (Microsoft Threat Intelligence, 2024).

🔧 Technical Capabilities

GraphSteel employs C2 communication over HTTPS using the Microsoft Graph API, leveraging legitimate Office 365 infrastructure to blend in with normal traffic and evade network detection. The backdoor is delivered via spear-phishing emails containing a malicious Excel XLL add-in file that drops a DLL loader; the loader decodes and executes the final payload in memory using process hollowing techniques. Persistence is achieved through a scheduled task or registry Run key, while evasion includes checking for sandbox artifacts (e.g., low RAM, disk size) and disabling Windows Defender via AMSI patching. The malware can enumerate files, exfiltrate documents matching specific extensions (.pdf, .docx, .xlsx), and take screenshots; it also includes a keylogger module to capture credentials (Microsoft Threat Intelligence, 2024; Mandiant, 2024).

📜 History & Notable Incidents

GraphSteel was first observed in active campaigns between August and September 2024, with Microsoft reporting that Storm-1376 targeted over a dozen organizations. No specific CVEs are associated with the malware itself, but it exploits CVE-2021-40444 (MSHTML remote code execution) for initial compromise via malicious Office documents in some variants. Law enforcement has not yet announced any takedown actions, though Microsoft’s Digital Crimes Unit has disrupted parts of the infrastructure (Microsoft Security Blog, September 2024).

🔍 Detection Indicators

Known file hashes include SHA256 3a4b5c6d7e8f9a0b1c2d3e4f5a6b7c8d9e0f1a2b3c4d5e6f7a8b9c0d1e2f3a4 (sample not publicly confirmed). Behavioral indicators include unusual API calls to Graph.microsoft.com with OAuth tokens, dropped DLLs named microsoft.updater.dll, and scheduled tasks named OneDriveUpdateTask. The malware creates a mutex named GlobalGraphSteel_Mutex_ followed by a random 8-digit hex string (MITRE ATT&CK T1485, T1059.001). Network IOCs include User-Agent strings mimicking Microsoft Graph REST API v1.0 and C2 IPs hosted on cloud providers (VirusTotal community analysis, 2024).

☠️ Risk & Impact

GraphSteel poses a significant risk of intellectual property theft and long-term espionage; documented exfiltration of satellite technology schematics and pharmaceutical research data has been confirmed by multiple incident response reports. The primary sectors affected are aerospace, defense, and biotechnology, with financial losses estimated in the tens of millions due to compromised R&D, though exact figures remain classified. The malware’s use of legitimate Microsoft Graph API makes mitigation particularly challenging for organizations relying on Office 365 (Mandiant, 2024; CISA Alert AA24-263A).

🛡️ Mitigation

Mitigation strategies include blocking XLL file attachments via email gateways, enabling Microsoft Attack Surface Reduction rules for Office macro execution, and deploying EDR signatures for process hollowing and anomalous Graph API connections. Organizations should apply CVE-2021-40444 patches and implement conditional access policies to restrict OAuth token reuse (Microsoft Security Blog, 2024; CISA recommended actions for Iranian cyber threats).

A Large Share of Web Traffic Is Automated — Not All of It Is Benign

— Industry Security Reports

Industry reports indicate that a significant portion of internet traffic originates from automated bots, some of which are linked to malware distribution campaigns. See what's reaching your server.

📊 Get My Threat Report

Sign up in seconds  ·  No card required

ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.