Alloy Taurus

Threat Actor updated 23 days ago (2024-11-29T14:00:36.555Z)
Download STIX
Preview STIX
Alloy Taurus, a threat actor group, has been identified as a significant cybersecurity concern due to its persistent attempts at cyberespionage, primarily targeting the government sector in Southeast Asia. The activity of this group was first observed in early 2022 and continued throughout 2023, during which they employed uncommon techniques to bypass security products, enabling long-term persistence and reconnaissance within their target environments. Alloy Taurus has been linked with moderate confidence to three distinct clusters known as Stately Taurus (aka Mustang Panda), Alloy Taurus (aka Granite Typhoon), and Gelsemium, all of which targeted various governmental entities such as critical infrastructure, public healthcare institutions, financial administrators, and ministries. The activities attributed to Alloy Taurus have demonstrated a sophisticated modus operandi, including the use of updated PingPull malware to target Linux systems, abuse of the remote administration tool AnyDesk for lateral movement, and credential theft within infiltrated environments. One particular instance of activity, dubbed CL-STA-0045, has been associated with Alloy Taurus based on the combination of tools used, victimology, and overlaps with internal telemetry from Unit 42. This cluster of activity has also shown connections with Chinese state interests, further solidifying the threat posed by Alloy Taurus. In Q3 and Q4 of 2022, telemetry suggested that Alloy Taurus was active in the same environment as the CL-STA-0045 activity, indicating a sustained period of malicious activity. Communication was observed with an infrastructure overlapping with the IP address 196.216.136[.]139, previously mentioned in relation to Alloy Taurus' update of the PingPull malware. With these consistent and advanced attacks, Alloy Taurus continues to pose a significant threat, demonstrating an ability to fly under the radar while persistently targeting high-value entities.
Description last updated: 2024-05-04T17:38:51.469Z
What's your take? (Question 1 of 5)
Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at. Create a free account to see the source evidence for each alias, and help fix any errors.
Alias DescriptionVotes
GALLIUM is a possible alias for Alloy Taurus. Gallium, also known as Alloy Taurus, is a threat actor group that has been associated with significant cyber-espionage campaigns and is believed to have ties with China. The group has been linked to multiple intrusion sets targeting network devices, including routers and servers. Gallium notably tar
3
Sword2033 is a possible alias for Alloy Taurus. Sword2033 is a new and previously undocumented backdoor tool used by the China-linked threat actor known as Alloy Taurus. This group, also referred to as GALLIUM or Softcell, has been actively targeting Linux systems with a variant of the PingPull backdoor, while also deploying Sword2033 in their op
2
Stately Taurus is a possible alias for Alloy Taurus. Stately Taurus, also known as Mustang Panda, Bronze President, Camaro Dragon, Earth Preta, Luminous Moth, and Red Delta, is a sophisticated malware that has been used in cyber-espionage campaigns primarily targeting government entities in Southeast Asia. It is believed to be associated with China's
2
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Apt
Malware
Linux
Backdoor
Vpn
Espionage
Analyst Notes & Discussion
Be the first to leave your mark here! Log in to share your views and vote.
Associated Malware
To see the evidence that has resulted in these malware associations, create a free account
Alias DescriptionAssociation TypeVotes
The PingPull Malware is associated with Alloy Taurus. PingPull is a malicious software (malware) developed by the Chinese nation-state group known as Alloy Taurus, also referred to as Gallium. The malware is designed to exploit and damage computer systems, with capabilities such as stealing personal information, disrupting operations, or holding data hUnspecified
4
The Gelsemium Malware is associated with Alloy Taurus. Gelsemium is a highly sophisticated malware associated with an Advanced Persistent Threat (APT) group that has been active since at least 2014. This entity, known for its long-term, targeted attacks, is suspected to be behind a series of cyber-espionage incidents aimed at Southeast Asian governmentsis related to
2
Source Document References
Information about the Alloy Taurus Threat Actor was read from the documents corpus below. This display is limited to 20 results, create a free account to see more
PreviewSource LinkCreatedAtTitle
InfoSecurity-magazine
a year ago
InfoSecurity-magazine
a year ago
CERT-EU
a year ago
Unit42
a year ago
Unit42
a year ago
Unit42
a year ago
Unit42
a year ago
CERT-EU
a year ago
Unit42
2 years ago
CERT-EU
2 years ago
CERT-EU
2 years ago
CERT-EU
2 years ago
CERT-EU
2 years ago
CERT-EU
2 years ago
Securityaffairs
2 years ago
CERT-EU
2 years ago
CERT-EU
2 years ago
CERT-EU
2 years ago
CERT-EU
2 years ago
CERT-EU
2 years ago