Alloy Taurus

Threat Actor Profile Updated 25 days ago
Download STIX
Preview STIX
Alloy Taurus, a threat actor group, has been identified as a significant cybersecurity concern due to its persistent attempts at cyberespionage, primarily targeting the government sector in Southeast Asia. The activity of this group was first observed in early 2022 and continued throughout 2023, during which they employed uncommon techniques to bypass security products, enabling long-term persistence and reconnaissance within their target environments. Alloy Taurus has been linked with moderate confidence to three distinct clusters known as Stately Taurus (aka Mustang Panda), Alloy Taurus (aka Granite Typhoon), and Gelsemium, all of which targeted various governmental entities such as critical infrastructure, public healthcare institutions, financial administrators, and ministries. The activities attributed to Alloy Taurus have demonstrated a sophisticated modus operandi, including the use of updated PingPull malware to target Linux systems, abuse of the remote administration tool AnyDesk for lateral movement, and credential theft within infiltrated environments. One particular instance of activity, dubbed CL-STA-0045, has been associated with Alloy Taurus based on the combination of tools used, victimology, and overlaps with internal telemetry from Unit 42. This cluster of activity has also shown connections with Chinese state interests, further solidifying the threat posed by Alloy Taurus. In Q3 and Q4 of 2022, telemetry suggested that Alloy Taurus was active in the same environment as the CL-STA-0045 activity, indicating a sustained period of malicious activity. Communication was observed with an infrastructure overlapping with the IP address 196.216.136[.]139, previously mentioned in relation to Alloy Taurus' update of the PingPull malware. With these consistent and advanced attacks, Alloy Taurus continues to pose a significant threat, demonstrating an ability to fly under the radar while persistently targeting high-value entities.
What's your take? (Question 1 of 5)
67a182c6-5f6b-4e73-bfb9-4f1e8d9406df Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
IDVotesProfile Description
GALLIUM
3
Gallium, also known as Alloy Taurus, is a China-aligned threat actor known for executing actions with malicious intent in the cyber domain. In recent years, Gallium has been associated with various significant cyber-espionage campaigns. The group targeted telecommunication entities in the Middle Eas
Taurus
3
Taurus is a malicious software (malware) that has been associated with multiple cyber threat actors, notably Stately Taurus, Iron Taurus, and Starchy Taurus, all of which have connections to Chinese Advanced Persistent Threats (APTs). The malware is designed to infiltrate systems and steal personal
Stately Taurus
2
Stately Taurus, also known as Mustang Panda, Bronze President, Red Delta, LuminousMoth, Earth Preta, and Camaro Dragon, is a malicious software (malware) that has been active since at least 2012. It is associated with a Chinese Advanced Persistent Threat (APT) group and is believed to have originate
Gelsemium
2
Gelsemium is a sophisticated malware, designed to exploit and damage computer systems by infiltrating them through suspicious downloads, emails, or websites. This malicious software has the capability to steal personal information, disrupt operations, and even hold data hostage for ransom. The Gelse
Sword2033
2
Sword2033 is a new and previously undocumented backdoor tool used by the China-linked threat actor known as Alloy Taurus. This group, also referred to as GALLIUM or Softcell, has been actively targeting Linux systems with a variant of the PingPull backdoor, while also deploying Sword2033 in their op
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Malware
Apt
Linux
Backdoor
Vpn
Espionage
Associated Malware
To see the evidence that has resulted in this association, create a free account
IDTypeVotesProfile Description
PingPullUnspecified
4
PingPull is a malicious software (malware) developed by the Chinese nation-state group known as Alloy Taurus, also referred to as Gallium. The malware is designed to exploit and damage computer systems, with capabilities such as stealing personal information, disrupting operations, or holding data h
Associated Threat Actors
To see the evidence that has resulted in this association, create a free account
IDTypeVotesProfile Description
No associations to display
Associated Vulnerabilities
To see the evidence that has resulted in this association, create a free account
IDTypeVotesProfile Description
No associations to display
Source Document References
Information about the Alloy Taurus Threat Actor was read from the documents corpus below. This display is limited to 20 results, create a free account to see more
SourceCreatedAtTitle
CERT-EU
a year ago
China-linked Alloy Taurus APT uses a Linux variant of PingPull malware | IT Security News
CERT-EU
a year ago
Traffic to South African military websites from Linux server? Infection symptom of PingPull malware
CERT-EU
a year ago
Cyber security week in review: April 28, 2023
CERT-EU
a year ago
New Linux malware variants leveraged in Chinese cyberespionage campaign
Unit42
8 months ago
Unit 42 Researchers Discover Multiple Espionage Operations Targeting Southeast Asian Government
CERT-EU
a year ago
Chinese APT Alloy Taurus Is Back - Linux Variant of PingPull Malware Is Active
InfoSecurity-magazine
7 months ago
North Korean Hackers Target macOS Crypto Engineers With Kandykorn
CERT-EU
8 months ago
New Report Uncovers 3 Distinct Clusters of China-Nexus Attacks on Southeast Asian Government
CERT-EU
a year ago
State-purchased spyware prevalent
Unit42
8 months ago
Cyberespionage Attacks Against Southeast Asian Government Linked to Stately Taurus, Aka Mustang Panda
InfoSecurity-magazine
8 months ago
Sophisticated APT Clusters Target Southeast Asia
CERT-EU
8 months ago
My Tea's not cold : an overview of China's cyber threat – Global Security Mag Online
CERT-EU
a year ago
Новый бэкдор Sword2033 выдаёт китайские хакерские атаки за действия южноафриканских военных
Securityaffairs
a year ago
Alloy Taurus APT uses a Linux variant of PingPull malware
CERT-EU
a year ago
Chinese Hackers Spotted Using Linux Variant of PingPull in Targeted Cyberattacks
Unit42
8 months ago
Persistent Attempts at Cyberespionage Against Southeast Asian Government Target Have Links to Alloy Taurus
Unit42
a year ago
Chinese Alloy Taurus Updates PingPull Malware
CERT-EU
a year ago
Chinese APT group Alloy Taurus unleashes new Linux variant of PingPull malware
Unit42
8 months ago
Rare Backdoors Suspected to be Tied to Gelsemium APT Found in Targeted Attack in Southeast Asian Government
CERT-EU
a year ago
Chinese Hackers Spotted Using Linux Variant of PingPull in Targeted Cyberattacks - GIXtools