GALLIUM

Threat Actor updated 13 days ago (2024-11-08T12:25:48.692Z)
Gallium, also known as Alloy Taurus, is a threat actor group that has been associated with significant cyber-espionage campaigns and is believed to have ties with China. The group has been linked to multiple intrusion sets targeting network devices, including routers and servers. Gallium notably targeted telecommunication entities in the Middle East during the SoftCell campaign, and was also involved in the DaggerFly cyber espionage campaign against an African telecommunications organization between November 2022 and April 2023. The group utilizes custom malware such as BlackMould, a native webshell for servers running Microsoft IIS, based on China Chopper.

In the geopolitical sphere, China made a significant move in July 2023 by restricting exports of gallium and germanium, two minerals used in high-performance chips, as part of its countermeasures in the global chip supply chain war. This restriction was seen as retaliation for U.S. technology export bans and marked a critical point in the IT supply chain. In August, Beijing further escalated the situation by requiring Chinese exporters of gallium and germanium to obtain government licenses to send these metals overseas.

The activities of Gallium extend beyond the telecommunications sector, with the group also targeting financial institutions and government organizations worldwide. The group's tactics include exploiting vulnerabilities in systems like Microsoft Exchange servers or IIS servers. Analysis of the threat actor behind CL-STA-0045, combined with third-party reporting, presents noteworthy overlaps with the reported modus operandi of Gallium. Despite the shared toolset among different threat actors, reports attribute, with moderate confidence, certain clusters using RESHELL malware to Gallium.
Description last updated: 2024-11-08T00:03:11.619Z
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
Alias | Description | Votes
Alloy Taurus | Alloy Taurus is a possible alias for GALLIUM. Alloy Taurus, a threat actor group, has been identified as a significant cybersecurity concern due to its persistent attempts at cyberespionage, primarily targeting the government sector in Southeast Asia. The activity of this group was first observed in early 2022 and continued throughout 2023, dur | 3
Granite Typhoon | Granite Typhoon is a possible alias for GALLIUM. Granite Typhoon is a malware attributed to China-based cyber actors, specifically the groups Raspberry Typhoon, Flax Typhoon, and Granite Typhoon. These entities have been known to target IT, military, and government interests around the South China Sea. The malicious software can infiltrate systems | 2
Softcell | Softcell is a possible alias for GALLIUM. Softcell is a recognized threat actor, also known as GALLIUM, that has gained notoriety for its targeted cyber attacks on telecommunications companies operating in Southeast Asia, Europe, and Africa. This group's activities have been meticulously tracked and documented by cybersecurity professionals | 2
Sword2033 | Sword2033 is a possible alias for GALLIUM. Sword2033 is a new and previously undocumented backdoor tool used by the China-linked threat actor known as Alloy Taurus. This group, also referred to as GALLIUM or Softcell, has been actively targeting Linux systems with a variant of the PingPull backdoor, while also deploying Sword2033 in their op | 2
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Vpn
Apt
Backdoor
Malware
Lateral Move...
State Sponso...
Linux
Government
Windows
Exploit
Iis
Associated Malware
Alias | Description | Association Type | Votes
PingPull | The PingPull Malware is associated with GALLIUM. PingPull is a malicious software (malware) developed by the Chinese nation-state group known as Alloy Taurus, also referred to as Gallium. The malware is designed to exploit and damage computer systems, with capabilities such as stealing personal information, disrupting operations, or holding data h | Unspecified | 4
BlackMould | The BlackMould Malware is associated with GALLIUM. BlackMould is a type of malware, specifically a native web shell, that has been observed in use by GALLIUM, a China-aligned intrusion group. This malicious software is designed to exploit and damage computer systems, often infiltrating them through suspicious downloads, emails, or websites without t | Unspecified | 2
China Chopper | The China Chopper Malware is associated with GALLIUM. China Chopper is a notorious malware, a harmful program designed to exploit and damage computer systems. It has been primarily used by the threat actor group BRONZE UNION to establish connections to China Chopper web shells on compromised servers, as seen in multiple instances where its code was fou | Unspecified | 2
Associated Threat Actors
Alias | Description | Association Type | Votes
Flax Typhoon | The Flax Typhoon Threat Actor is associated with GALLIUM. Flax Typhoon is a threat actor reportedly linked to China that has been actively targeting Taiwan, as well as other regions globally. This group, also known by aliases such as RedJuliett and Ethereal Panda, has been implicated in cyberespionage activities against critical infrastructure entities, go | Unspecified | 3
APT41 | The APT41 Threat Actor is associated with GALLIUM. APT41, also known as Winnti, is a threat actor suspected to be originating from China, with its activities dating back to as early as 2012. It has targeted organizations in at least 14 countries and has been associated with the use of at least 46 different code families and tools. The group's activi | Unspecified | 3
Ke3chang | The Ke3chang Threat Actor is associated with GALLIUM. Ke3chang, also known as APT15, Mirage, Vixen Panda GREF, and Playful Dragon, is a prominent threat actor that has been active since at least 2010. According to the European Union Agency for Cybersecurity (ENISA), this group has consistently targeted energy, government, and military sectors. Ke3chang | Unspecified | 2
APT27 | The APT27 Threat Actor is associated with GALLIUM. APT27, also known as Emissary Panda or Iron Taurus, is a threat actor suspected to be associated with China and has been involved in cyber operations primarily aimed at intellectual property theft. The group targets organizations globally, including those in North and South America, Europe, and the | Unspecified | 2
APT30 | The APT30 Threat Actor is associated with GALLIUM. APT30, a threat actor suspected to be attributed to China, has been active since at least 2005. This group primarily targets members of the Association of Southeast Asian Nations (ASEAN). APT30 is notable for its sustained activity over an extended period and its ability to adapt and modify source c | Unspecified | 2
APT31 | The APT31 Threat Actor is associated with GALLIUM. APT31, also known as Zirconium, is a threat actor believed to be linked to the Chinese government. This group has been associated with numerous cyber attacks, including a significant exploit of CVE-2017-0005. This exploit, dubbed "Jian," was initially attributed to APT31 but upon further analysis by | Unspecified | 2
Mustang Panda | The Mustang Panda Threat Actor is associated with GALLIUM. Mustang Panda, a China-aligned Advanced Persistent Threat (APT) group, has been identified as a significant cyber threat actor involved in a series of malicious activities. Notably, Mustang Panda was found to be associated with the BRONZE PRESIDENT phishing lure, which delivered PlugX and used modif | Unspecified | 2
Source Document References
Information about the GALLIUM Threat Actor was read from the documents corpus below. This display is limited to 20 results.

Source | Created At
ESET | 13 days ago
DARKReading | 14 days ago
BankInfoSecurity | 14 days ago
CERT-EU | a year ago
Trend Micro | 8 months ago
DARKReading | 8 months ago
CERT-EU | a year ago
CERT-EU | a year ago
CERT-EU | a year ago
CERT-EU | a year ago
CERT-EU | a year ago
CERT-EU | a year ago
CERT-EU | a year ago
Unit42 | a year ago
Unit42 | a year ago
CERT-EU | a year ago
CERT-EU | a year ago
CERT-EU | a year ago
CERT-EU | a year ago
CERT-EU | a year ago