Graceful Spider

Threat Actor updated 10 months ago (2024-11-29T14:11:11.207Z)

Download STIX

Preview STIX

Graceful Spider, also known as TA505, is a threat actor recognized for its malicious cyber activities. This entity has been identified by the cybersecurity industry as the driving force behind various targeted campaigns with harmful intent. The group could be a single individual, a private organization, or part of a government entity, reflecting the diverse nature of threat actors in the digital landscape. Graceful Spider's activities are characterized by sophisticated methods and advanced tools, making it a significant concern in the realm of cybersecurity. In May 2023, Graceful Spider was associated with Truebot campaigns, during which it delivered FlawedGrace and LummaStealer payloads. Elastic Security Labs traced the infrastructure used in these campaigns back to Graceful Spider, confirming their involvement. These operations demonstrated the group's capabilities and intentions, reinforcing the need for robust defensive measures against such advanced persistent threats. Furthermore, Graceful Spider was linked to an IP address previously attributed to the Clop ransomware group, another notorious cyber threat actor. This connection emerged when the same IP address was used to exploit the SolarWinds Serv-U product within the same timeframe. Such overlap in resources indicates the possible collaboration or shared infrastructure between these threat actors, further complicating the challenge posed by these malicious entities in the cybersecurity landscape.

Description last updated: 2023-10-10T18:12:09.558Z

What's your take? (Question 1 of 4)

Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.

Aliases We are not currently tracking any aliases

Miscellaneous Associations

Other elements of context that could aid in the identification of relevance

Exploit

Oracle

Crowdstrike

Analyst Notes & Discussion

Be the first to leave your mark here! Log in to share your views and vote.

Associated Malware

To see the evidence that has resulted in these malware associations, create a free account

Alias Description	Association Type	Votes
The Clop Malware is associated with Graceful Spider. Clop, a malicious software (malware), is linked to a Russian-speaking cybercriminal group also known as Cl0p. It is designed to exploit and damage computer systems by stealing personal information, disrupting operations, or holding data hostage for ransom. In May 2023, the Clop group began exploitin	Unspecified	3

Associated Vulnerabilities

To see the evidence that has resulted in these vulnerability associations, create a free account

Alias Description	Association Type	Votes
The vulnerability CVE-2025-61882 is associated with Graceful Spider.	Unspecified	2

Source Document References

Information about the Graceful Spider Threat Actor was read from the documents corpus below. This display is limited to 20 results, create a free account to see more

Source Link	CreatedAt	Title
Securityaffairs	21 hours ago	CrowdStrike ties Oracle EBS RCE (CVE-2025-61882) to Cl0p attacks began Aug 9, 2025
CrowdStrike	a day ago	CrowdStrike Identifies Campaign Targeting Oracle E-Business Suite via Zero-Day Vulnerability Tracked as CVE-2025-61882
CrowdStrike	8 months ago	Detect Data Exfiltration with Falcon Next-Gen SIEM \| CrowdStrike
CERT-EU	2 years ago	New Malware Granting Threat Actors Hidden VNC Access
CISA	2 years ago	Increased Truebot Activity Infects U.S. and Canada Based Networks \| CISA
CERT-EU	2 years ago	MOVEit Transfer Vulnerability (CVE-2023-34362) \| Kroll \| #ransomware \| #cybercrime \| National Cyber Security Consulting