GALLIUM

Threat Actor updated 4 months ago (2024-05-04T16:05:11.871Z)
Gallium, also known as Alloy Taurus, is a China-aligned threat actor known for conducting malicious cyber operations. In recent years, Gallium has been associated with several significant cyber-espionage campaigns: it targeted telecommunications entities in the Middle East during the SoftCell campaign and ran an espionage campaign against an African telecommunications organization between November 2022 and April 2023. Gallium's modus operandi includes exploiting vulnerabilities in network devices and developing custom malware such as BlackMould, a native web shell for servers running Microsoft IIS. In the geopolitical and IT supply chain realm (concerning the chemical element gallium, not the threat actor), China made a critical move in 2023 by restricting exports of gallium and germanium, two minerals used in high-performance chips. This tactic not only affects the global chip supply chain but also serves as a countermeasure in the ongoing trade war. In August of the same year, Beijing further tightened its export controls by requiring Chinese exporters of gallium and germanium to obtain government licenses for overseas shipments. The group's activities extend beyond telecommunications operators to government organizations worldwide, exploiting weaknesses in systems such as Microsoft Exchange or IIS servers. Other groups associated with China's People's Liberation Army or government, such as APT27, APT30, APT31, Ke3chang, and Mustang Panda, share similar tactics and targets. Despite the shared toolset among these threat actors, attribution to specific groups remains challenging due to the complex nature of these operations. As Gallium continues its cyber-espionage activities, it poses a significant threat to telecommunications companies, financial institutions, and government entities.
Description last updated: 2024-03-18T09:16:35.884Z
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
Alloy Taurus (3 votes): Alloy Taurus, a threat actor group, has been identified as a significant cybersecurity concern due to its persistent attempts at cyberespionage, primarily targeting the government sector in Southeast Asia. The activity of this group was first observed in early 2022 and continued throughout 2023, dur

Softcell (2 votes): Softcell is a recognized threat actor, also known as GALLIUM, that has gained notoriety for its targeted cyber attacks on telecommunications companies operating in Southeast Asia, Europe, and Africa. This group's activities have been meticulously tracked and documented by cybersecurity professionals

Granite Typhoon (2 votes): Granite Typhoon is a notable malware that has been implicated in several cyber-attacks on various organizations and entities. The malware, which operates by infiltrating systems through suspicious downloads, emails, or websites, has been linked to attacks on telecommunications firms in 2023, an oper

Sword2033 (2 votes): Sword2033 is a new and previously undocumented backdoor tool used by the China-linked threat actor known as Alloy Taurus. This group, also referred to as GALLIUM or Softcell, has been actively targeting Linux systems with a variant of the PingPull backdoor, while also deploying Sword2033 in their op
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Tags: Apt, Malware, Lateral Move..., State Sponso..., Backdoor, Exploit, Iis, Government, Windows, Linux
Analyst Notes & Discussion
Associated Malware
PingPull (type: Unspecified, 4 votes): PingPull is a malicious software (malware) developed by the Chinese nation-state group known as Alloy Taurus, also referred to as Gallium. The malware is designed to exploit and damage computer systems, with capabilities such as stealing personal information, disrupting operations, or holding data h

BlackMould (type: Unspecified, 2 votes): BlackMould is a type of malware, specifically a native web shell, that has been observed in use by GALLIUM, a China-aligned intrusion group. This malicious software is designed to exploit and damage computer systems, often infiltrating them through suspicious downloads, emails, or websites without t

China Chopper (type: Unspecified, 2 votes): China Chopper is a well-known malware that has been utilized extensively by various cyber threat actors, including the notorious BRONZE UNION group. This web shell, designed to provide remote access and control over compromised web servers, was found embedded in multiple SharePoint server webshells
Associated Threat Actors
APT41 (type: Unspecified, 3 votes): APT41, a threat actor attributed to China, has been actively targeting organizations in at least 14 countries since 2012. The group is known for its use of an extensive range of malware, with at least 46 different code families and tools observed in their operations. They are associated with various

APT31 (type: Unspecified, 2 votes): APT31, also known as Zirconium, is a threat actor group linked to the Chinese government that has been implicated in numerous cyber espionage activities. One of their most notable exploits was the cloning of the Equation Group's exploit, EpMe (CVE-2017-0005). This exploit was initially discovered du

Mustang Panda (type: Unspecified, 2 votes): Mustang Panda, also known as Bronze President, Nomad Panda, Naikon, Earth Preta, and Stately Taurus, is a Chinese-aligned threat actor that has been associated with widespread attacks against various countries in the Asia-Pacific region. The group's malicious activities were first traced back to Mar

Ke3chang (type: Unspecified, 2 votes): Ke3chang, also known as APT15, Mirage, Vixen Panda GREF, and Playful Dragon, is a prominent threat actor that has been active since at least 2010. According to the European Union Agency for Cybersecurity (ENISA), this group has consistently targeted energy, government, and military sectors. Ke3chang

APT27 (type: Unspecified, 2 votes): APT27, also known as Iron Taurus, is a threat actor group suspected to be attributed to China. Engaging in cyber operations with the primary goal of intellectual property theft, APT27 targets organizations globally, with a focus on North and South America, Europe, and the Middle East. The group's mo

APT30 (type: Unspecified, 2 votes): APT30, a threat actor suspected to be attributed to China, has been active since at least 2005. This group primarily targets members of the Association of Southeast Asian Nations (ASEAN). APT30 is notable for its sustained activity over an extended period and its ability to adapt and modify source c
Source Document References
Information about the GALLIUM threat actor was read from the document corpus below. This display is limited to 20 results. Each entry gives the source, when it was added, and the document title.
CERT-EU, 8 months ago: What Risks Upsetting the Australia-China Detente in 2024?
Trend Micro, 6 months ago: Earth Krahang Exploits Intergovernmental Trust to Launch Cross-Government Attacks
DARKReading, 6 months ago: China-Linked Cyber Spies Blend Watering Hole, Supply Chain Attacks
CERT-EU, 8 months ago: 2023 Year-end Review: Geopolitical Risk and Technology
CERT-EU, 9 months ago: Dealing With Europe's Economic (In-)Security – Analysis
CERT-EU, 10 months ago: A fragile global economy is at stake as US and China seek to cool tensions at APEC summit
CERT-EU, 10 months ago: Globalization Transformed and the Global Chip IT Supply Chain Disruption
CERT-EU, 10 months ago: ESET APT Activity Report Q2–Q3 2023
CERT-EU, a year ago: Multiple Chinese APTs are attacking European targets, EU cyber agency warns | #ukscams | #datingscams | #european | #datingscams | #love | #relationships | #scams | #pof | #match.com | #dating | National Cyber Security Consulting
CERT-EU, a year ago: Biden's Call For Democracy Versus Sino-Russian Entente – OpEd
Unit42, a year ago: Persistent Attempts at Cyberespionage Against Southeast Asian Government Target Have Links to Alloy Taurus
Unit42, a year ago: Unit 42 Researchers Discover Multiple Espionage Operations Targeting Southeast Asian Government
CERT-EU, a year ago: My Tea's not cold : an overview of China's cyber threat – Global Security Mag Online
CERT-EU, a year ago: S'pore among countries most at risk from rising geopolitical tensions: WTO
CERT-EU, a year ago: China hits back against Western sanctions
CERT-EU, a year ago: China Is Striking Back in the Tech War With the U.S.
CERT-EU, a year ago: Technological independence key focus in Germany's China strategy
CERT-EU, a year ago: U.S. mulls barring US firms from selling AI cloud services to China
CERT-EU, a year ago: Yellen Heads to China for Economic Talks Amid Escalating 'Chip War'
CERT-EU, a year ago: US says it opposes export controls by China on metals, will consult allies