PingPull

Malware updated 4 months ago (2024-05-04T18:18:46.231Z)
PingPull is a piece of malware developed by the Chinese nation-state group known as Alloy Taurus, also referred to as Gallium. It is designed to compromise and damage computer systems, with capabilities that include stealing personal information, disrupting operations, and holding data hostage.

In Q3 and Q4 of 2022, telemetry suggested that Alloy Taurus was active within an environment that overlapped with the IP address 196.216.136[.]139, aligning with CL-STA-0045 activity. PingPull communicates via a TCP beacon over which commands are issued and results sent back; this traffic includes a unique identifier string beginning with PROJECT. Alloy Taurus has since updated PingPull to target Linux systems, expanding its reach beyond the original Windows focus. The new variant has been reported as an active threat across Southeast Asia, Europe, and Africa, particularly against telecommunications, finance, and government organizations. PingPull can also run commands through cmd.exe, acting as a reverse shell for the actor and allowing it to carry out a variety of operations on the file system.

In addition to PingPull, researchers from Unit 42 at Palo Alto Networks have identified another backdoor, Sword2033, in use by the same actors. This discovery underlines the evolving nature of the threat posed by these groups and the need for continuous vigilance and robust defensive measures. Similar malware activity clusters have also been attributed to LuckyMouse, APT15, and ChamelGang, each developing their own variants to target different operating systems.
Description last updated: 2024-05-04T17:38:44.314Z
Aliases: none currently tracked
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Malware
Espionage
Linux
Windows
Backdoor
Web Shell
Trojan
APT
Associated Malware
ID | Type | Votes | Profile Description
China Chopper | Unspecified | 3 | China Chopper is a well-known malware that has been utilized extensively by various cyber threat actors, including the notorious BRONZE UNION group. This web shell, designed to provide remote access and control over compromised web servers, was found embedded in multiple SharePoint server webshells
Associated Threat Actors
ID | Type | Votes | Profile Description
Alloy Taurus | Unspecified | 4 | Alloy Taurus, a threat actor group, has been identified as a significant cybersecurity concern due to its persistent attempts at cyberespionage, primarily targeting the government sector in Southeast Asia. The activity of this group was first observed in early 2022 and continued throughout 2023, dur
GALLIUM | Unspecified | 4 | Gallium, also known as Alloy Taurus, is a China-aligned threat actor known for executing actions with malicious intent in the cyber domain. In recent years, Gallium has been associated with various significant cyber-espionage campaigns. The group targeted telecommunication entities in the Middle Eas
Sword2033 | Unspecified | 3 | Sword2033 is a new and previously undocumented backdoor tool used by the China-linked threat actor known as Alloy Taurus. This group, also referred to as GALLIUM or Softcell, has been actively targeting Linux systems with a variant of the PingPull backdoor, while also deploying Sword2033 in their op
Source Document References
Information about the PingPull malware was read from the documents corpus below. This display is limited to 20 results.
Source | Created At | Title
InfoSecurity-magazine | 10 months ago | North Korean Hackers Target macOS Crypto Engineers With Kandykorn
Unit42 | a year ago | Persistent Attempts at Cyberespionage Against Southeast Asian Government Target Have Links to Alloy Taurus
CERT-EU | a year ago | My Tea's not cold : an overview of China's cyber threat – Global Security Mag Online
MITRE | 2 years ago | GALLIUM Expands Targeting Across Telecommunications, Government and Finance Sectors With New PingPull Tool
Securityaffairs | a year ago | China-linked hackers target telecommunication providers in the Middle East
CERT-EU | a year ago | Operation Soft Cell: Chinese Hackers Breach Middle East Telecom Providers
CERT-EU | a year ago | Operation Tainted Love | ZDNet.de
CERT-EU | a year ago | SentinelOne sheds light on cyber-espionage group "Operation Tainted Love" – Global Security Mag Online
Unit42 | a year ago | Chinese Alloy Taurus Updates PingPull Malware
CERT-EU | a year ago | Chinese Hackers Spotted Using Linux Variant of PingPull in Targeted Cyberattacks
CERT-EU | a year ago | Chinese APT group Alloy Taurus unleashes new Linux variant of PingPull malware
CERT-EU | a year ago | New Sword2033 backdoor passes off Chinese hacker attacks as actions of the South African military
CERT-EU | a year ago | State-purchased spyware prevalent
CERT-EU | a year ago | New Linux malware variants leveraged in Chinese cyberespionage campaign
Securityaffairs | a year ago | Alloy Taurus APT uses a Linux variant of PingPull malware
CERT-EU | a year ago | Chinese Hackers Spotted Using Linux Variant of PingPull in Targeted Cyberattacks - GIXtools
CERT-EU | a year ago | Traffic to South African military websites from Linux server? Infection symptom of PingPull malware
CERT-EU | a year ago | China-linked Alloy Taurus APT uses a Linux variant of PingPull malware | IT Security News
CERT-EU | a year ago | Chinese APT Alloy Taurus Is Back - Linux Variant of PingPull Malware Is Active
CERT-EU | a year ago | Cyber security week in review: April 28, 2023