PingPull

Malware updated 23 days ago (2024-11-29T14:09:11.685Z)
Download STIX
Preview STIX
PingPull is a malicious software (malware) developed by the Chinese nation-state group known as Alloy Taurus, also referred to as Gallium. The malware is designed to exploit and damage computer systems, with capabilities such as stealing personal information, disrupting operations, or holding data hostage. In Q3 and Q4 of 2022, telemetry suggested that Alloy Taurus was active within an environment that overlapped with the IP address 196.216.136[.]139, aligning with CL-STA-0045 activity. PingPull communicates via a TCP beacon, issuing commands and sending results, including a unique identifier string beginning with PROJECT. Alloy Taurus has updated PingPull to target Linux systems, expanding its reach beyond the initial Windows focus. This new variant has been reported as an active threat across Southeast Asia, Europe, and Africa, particularly targeting telecommunications, finance, and government organizations. Notably, PingPull's functionality extends to running commands on cmd.exe, acting as a reverse shell for the actor, allowing it to perform a variety of activities on the file system. In addition to PingPull, researchers from Unit 42 at Palo Alto Networks have identified another backdoor, Sword2033, being used by the same actors. This discovery highlights the evolving nature of the threats posed by these groups, emphasizing the need for continuous vigilance and robust cybersecurity measures. It's also worth noting that other instances of similar malware activity clusters have included LuckyMouse, APT15, and ChamelGang, each developing their own variants to target different operating systems.
Description last updated: 2024-05-04T17:38:44.314Z
What's your take? (Question 1 of 5)
Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.
Aliases We are not currently tracking any aliases
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Malware
Espionage
Linux
Windows
Backdoor
Web Shell
Trojan
Apt
Analyst Notes & Discussion
Be the first to leave your mark here! Log in to share your views and vote.
Associated Malware
To see the evidence that has resulted in these malware associations, create a free account
Alias DescriptionAssociation TypeVotes
The China Chopper Malware is associated with PingPull. China Chopper is a well-known malware that has been used extensively by Chinese-speaking actors, including the BRONZE UNION group. The malware is designed to exploit and damage computer systems, often without the knowledge of the user. It can infiltrate systems through suspicious downloads, emails, Unspecified
3
Associated Threat Actors
To see the evidence that has resulted in these threatActor associations, create a free account
Alias DescriptionAssociation TypeVotes
The Alloy Taurus Threat Actor is associated with PingPull. Alloy Taurus, a threat actor group, has been identified as a significant cybersecurity concern due to its persistent attempts at cyberespionage, primarily targeting the government sector in Southeast Asia. The activity of this group was first observed in early 2022 and continued throughout 2023, durUnspecified
4
The GALLIUM Threat Actor is associated with PingPull. Gallium, also known as Alloy Taurus, is a threat actor group that has been associated with significant cyber-espionage campaigns and is believed to have ties with China. The group has been linked to multiple intrusion sets targeting network devices, including routers and servers. Gallium notably tarUnspecified
4
The Sword2033 Threat Actor is associated with PingPull. Sword2033 is a new and previously undocumented backdoor tool used by the China-linked threat actor known as Alloy Taurus. This group, also referred to as GALLIUM or Softcell, has been actively targeting Linux systems with a variant of the PingPull backdoor, while also deploying Sword2033 in their opUnspecified
3
Source Document References
Information about the PingPull Malware was read from the documents corpus below. This display is limited to 20 results, create a free account to see more
PreviewSource LinkCreatedAtTitle
InfoSecurity-magazine
a year ago
Unit42
a year ago
CERT-EU
a year ago
MITRE
2 years ago
Securityaffairs
2 years ago
CERT-EU
2 years ago
CERT-EU
2 years ago
CERT-EU
2 years ago
Unit42
2 years ago
CERT-EU
2 years ago
CERT-EU
2 years ago
CERT-EU
2 years ago
CERT-EU
2 years ago
CERT-EU
2 years ago
Securityaffairs
2 years ago
CERT-EU
2 years ago
CERT-EU
2 years ago
CERT-EU
2 years ago
CERT-EU
2 years ago
CERT-EU
2 years ago