PingPull

Malware updated 7 months ago (2024-05-04T18:18:46.231Z)
PingPull is a remote access trojan attributed to the Chinese state-sponsored group Alloy Taurus (also tracked as GALLIUM) and first documented by Unit 42 at Palo Alto Networks. It is a backdoor rather than a data-destroying or ransoming tool: the implant beacons to its command-and-control server over TCP, receives commands, and returns the results, and the traffic carries a unique identifier string that begins with PROJECT. On Windows the implant executes commands through cmd.exe, acting as a reverse shell that lets the actor enumerate and manipulate the file system.

Alloy Taurus has since updated PingPull to run on Linux, extending the toolset beyond its original Windows focus. The Linux variant has been reported as an active threat across Southeast Asia, Europe, and Africa, with telecommunications, finance, and government organisations as the main targets. In Q3 and Q4 of 2022, telemetry suggested that Alloy Taurus was active in an environment overlapping with the IP address 196.216.136[.]139, an overlap consistent with the CL-STA-0045 activity cluster; this is a telemetry-based link, not a confirmed attribution.

Alongside PingPull, Unit 42 researchers identified a second, previously undocumented backdoor, Sword2033, in use by the same operators, which shows that the group's tooling is still evolving and that defenders should expect further variants. Other activity clusters with similar tooling include LuckyMouse, APT15, and ChamelGang, each of which has developed its own variants for different operating systems.
Description last updated: 2024-05-04T17:38:44.314Z
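The behaviours above (a TCP beacon whose identifier begins with PROJECT, cmd.exe used as a reverse shell, and the IOC 196.216.136[.]139) are enough to build a first-pass hunting correlation. The following is an added example, not code from Unit 42 or from the original page: it refangs the IOC, flags cmd.exe spawned by an unexpected parent, flags outbound flows that match the IOC or whose leading payload bytes start with PROJECT, and joins the two on process id. The telemetry schema, the parent allowlist, the implant image name netsvc.exe, and the sample events are all constructed assumptions; treating PROJECT as a payload prefix is likewise an assumption about the beacon format.

```python
"""Hunting helper for the PingPull behaviours described on this page.
Added example with a constructed telemetry schema and constructed sample
events; not from the original report or any real sensor."""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


def refang(ioc: str) -> str:
    """Convert a defanged indicator ("1.2.3[.]4", "hxxp://") to its live form."""
    return ioc.replace("[.]", ".").replace("hxxp", "http")


# IOC taken from the page, kept defanged in source and refanged for matching.
IOC_IPS: Set[str] = {refang("196.216.136[.]139")}

# The page says the beacon's identifier begins with PROJECT; treating it as a
# payload prefix is an assumption for this example.
BEACON_MARKER = b"PROJECT"

# Parents that commonly spawn cmd.exe legitimately. An assumption; tune per estate.
EXPECTED_CMD_PARENTS: Set[str] = {
    "explorer.exe", "cmd.exe", "powershell.exe", "services.exe", "conhost.exe",
}


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    parent_image: str


@dataclass(frozen=True)
class NetEvent:
    pid: int
    dest_ip: str
    first_bytes: bytes  # leading bytes of the outbound payload, if the sensor keeps them


def find_suspicious_cmd(procs: List[ProcEvent]) -> List[ProcEvent]:
    """cmd.exe launched by a parent outside the allowlist (reverse-shell pattern)."""
    return [
        p for p in procs
        if p.image.lower() == "cmd.exe"
        and p.parent_image.lower() not in EXPECTED_CMD_PARENTS
    ]


def find_beacon_candidates(nets: List[NetEvent]) -> List[Tuple[NetEvent, List[str]]]:
    """Flows to a known IOC, or whose payload starts with the PROJECT marker."""
    hits = []
    for n in nets:
        reasons = []
        if n.dest_ip in IOC_IPS:
            reasons.append("destination matches IOC")
        if n.first_bytes.startswith(BEACON_MARKER):
            reasons.append("payload begins with PROJECT")
        if reasons:
            hits.append((n, reasons))
    return hits


def correlate(procs: List[ProcEvent], nets: List[NetEvent]) -> List[Dict]:
    """A suspicious cmd.exe whose parent pid owns a beacon-candidate flow."""
    beacons_by_pid: Dict[int, List[str]] = {}
    for n, reasons in find_beacon_candidates(nets):
        beacons_by_pid.setdefault(n.pid, []).extend(reasons)
    findings = []
    for shell in find_suspicious_cmd(procs):
        if shell.ppid in beacons_by_pid:
            findings.append({
                "implant_pid": shell.ppid,
                "implant_image": shell.parent_image,
                "shell_pid": shell.pid,
                "reasons": beacons_by_pid[shell.ppid],
            })
    return findings


# Constructed sample telemetry: a benign cmd.exe from explorer.exe, and a
# cmd.exe spawned by a hypothetical service binary (netsvc.exe) that beacons out.
SAMPLE_PROCS = [
    ProcEvent(pid=100, ppid=4, image="services.exe", parent_image="wininit.exe"),
    ProcEvent(pid=250, ppid=100, image="netsvc.exe", parent_image="services.exe"),
    ProcEvent(pid=300, ppid=250, image="cmd.exe", parent_image="netsvc.exe"),
    ProcEvent(pid=400, ppid=120, image="cmd.exe", parent_image="explorer.exe"),
]
SAMPLE_NETS = [
    NetEvent(pid=250, dest_ip="196.216.136.139", first_bytes=b"PROJECT-01|"),
    NetEvent(pid=500, dest_ip="93.184.216.34", first_bytes=b"\x16\x03\x01"),
]

if __name__ == "__main__":
    for finding in correlate(SAMPLE_PROCS, SAMPLE_NETS):
        print(finding)
```

The join on pid is the point: an IOC hit on its own ages quickly, and cmd.exe from an odd parent is noisy, but the two together on the same process tree are a strong signal. Expand the allowlist and the marker check to fit your own telemetry rather than copying them as-is.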
Aliases: none currently tracked

Miscellaneous associations (other elements of context that could aid in identifying relevance): Malware, Espionage, Linux, Windows, Backdoor, Web Shell, Trojan, APT
Associated Malware

China Chopper
The China Chopper web shell is associated with PingPull. China Chopper is a widely deployed web shell that gives an attacker command execution on a compromised web server. It has been used by the threat actor group BRONZE UNION, which connects to China Chopper web shells on compromised servers, as seen in multiple instances where its code was fou…
Association type: Unspecified. Votes: 3.
Associated Threat Actors

Alloy Taurus
The Alloy Taurus threat actor is associated with PingPull. Alloy Taurus is a cyberespionage group that persistently targets the government sector in Southeast Asia. Its activity was first observed in early 2022 and continued throughout 2023, dur…
Association type: Unspecified. Votes: 4.

GALLIUM
The GALLIUM threat actor is associated with PingPull. GALLIUM, also known as Alloy Taurus, is a China-linked group associated with significant cyberespionage campaigns. It has been linked to multiple intrusion sets targeting network devices, including routers and servers. GALLIUM notably tar…
Association type: Unspecified. Votes: 4.

Sword2033
Sword2033 is listed here as a threat actor, but the sources describe it as a tool: a new, previously undocumented backdoor used by the China-linked group Alloy Taurus (also referred to as GALLIUM or Softcell). That group has been targeting Linux systems with a variant of the PingPull backdoor while also deploying Sword2033 in its op…
Association type: Unspecified. Votes: 3.
Source Document References

Information about the PingPull malware was read from the documents corpus below (display limited to 20 results).

Source, created
InfoSecurity-magazine, a year ago
Unit42, a year ago
CERT-EU, a year ago
MITRE, 2 years ago
Securityaffairs, 2 years ago
CERT-EU, 2 years ago
CERT-EU, 2 years ago
CERT-EU, 2 years ago
Unit42, 2 years ago
CERT-EU, 2 years ago
CERT-EU, 2 years ago
CERT-EU, 2 years ago
CERT-EU, 2 years ago
CERT-EU, 2 years ago
Securityaffairs, 2 years ago
CERT-EU, 2 years ago
CERT-EU, 2 years ago
CERT-EU, 2 years ago
CERT-EU, 2 years ago
CERT-EU, 2 years ago