Sword2033

Threat Actor Profile Updated 3 months ago
Sword2033 is a new and previously undocumented backdoor used by the China-linked threat actor known as Alloy Taurus. This group, also referred to as GALLIUM or Softcell, has been actively targeting Linux systems with a variant of the PingPull backdoor while also deploying Sword2033 in its operations. The use of Sword2033 was first identified by researchers from Palo Alto Networks' Unit 42 in April 2023, during their investigation into the infrastructure Alloy Taurus leveraged for the PingPull Linux variant.

The Sword2033 backdoor is relatively simple in its functionality but effective for its purpose. It supports three basic functions: uploading files to the system, downloading files from the system, and executing commands. Analysis of the C2 domain yrhsywu2009.zapto[.]org, found in both the PingPull Linux variant and the first Sword2033 sample, shows that it was most recently hosted on 5.181.25[.]99 until early February 2023.

Alloy Taurus continues to pose a significant threat to telecommunications, finance, and government organizations across Southeast Asia, Europe, and Africa. The identification of a Linux variant of PingPull, together with the recent use of the Sword2033 backdoor, suggests that the group is continuously evolving its operations in support of its espionage activities. As such, cybersecurity measures must be enhanced to counteract these sophisticated threats.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
ID | Votes | Profile Description
GALLIUM | 2 | Gallium, also known as Alloy Taurus, is a China-aligned threat actor known for executing actions with malicious intent in the cyber domain. In recent years, Gallium has been associated with various significant cyber-espionage campaigns. The group targeted telecommunication entities in the Middle Eas
Alloy Taurus | 2 | Alloy Taurus, a threat actor group, has been identified as a significant cybersecurity concern due to its persistent attempts at cyberespionage, primarily targeting the government sector in Southeast Asia. The activity of this group was first observed in early 2022 and continued throughout 2023, dur
Softcell | 1 | Softcell is a recognized threat actor, also known as GALLIUM, that has gained notoriety for its targeted cyber attacks on telecommunications companies operating in Southeast Asia, Europe, and Africa. This group's activities have been meticulously tracked and documented by cybersecurity professionals
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Backdoor
Espionage
Malware
Linux
Chinese
Apt
Associated Malware
ID | Type | Votes | Profile Description
PingPull | Unspecified | 3 | PingPull is a malicious software (malware) developed by the Chinese nation-state group known as Alloy Taurus, also referred to as Gallium. The malware is designed to exploit and damage computer systems, with capabilities such as stealing personal information, disrupting operations, or holding data h
Taurus | Unspecified | 1 | Taurus is a malicious software (malware) that has been associated with multiple cyber threat actors, notably Stately Taurus, Iron Taurus, and Starchy Taurus, all of which have connections to Chinese Advanced Persistent Threats (APTs). The malware is designed to infiltrate systems and steal personal
graphican | Unspecified | 1 | Graphican is a novel malware developed by the Chinese threat actor group known as Flea, APT15, or Nickel. The malware, an evolution of the group's custom backdoor Ketrican, has been used in a series of cyber-attacks against foreign affairs ministries across Central and South America between late 202
Ketrican | Unspecified | 1 | Ketrican is a type of malware, or malicious software, that was developed to exploit and damage computer systems. It's associated with the Ke3chang group and is known for its ability to infiltrate systems through suspicious downloads, emails, or websites. Once inside a system, Ketrican can steal pers
Associated Threat Actors
ID | Type | Votes | Profile Description
Ke3chang | Unspecified | 1 | Ke3chang, also known as APT15, Mirage, Vixen Panda GREF, and Playful Dragon, is a prominent threat actor that has been active since at least 2010. According to the European Union Agency for Cybersecurity (ENISA), this group has consistently targeted energy, government, and military sectors. Ke3chang
Associated Vulnerabilities
ID | Type | Votes | Profile Description
No associations to display
Source Document References
Information about the Sword2033 threat actor was read from the document corpus below. This display is limited to 20 results.
Source | Created At | Title
CERT-EU | a year ago | China-linked Alloy Taurus APT uses a Linux variant of PingPull malware | IT Security News
Securityaffairs | a year ago | Alloy Taurus APT uses a Linux variant of PingPull malware
CERT-EU | a year ago | Chinese APT group Alloy Taurus unleashes new Linux variant of PingPull malware
CERT-EU | a year ago | Chinese Hackers Spotted Using Linux Variant of PingPull in Targeted Cyberattacks - GIXtools
CERT-EU | a year ago | Chinese Hackers Spotted Using Linux Variant of PingPull in Targeted Cyberattacks
CERT-EU | a year ago | State-purchased spyware prevalent
CERT-EU | a year ago | Chinese APT Alloy Taurus Is Back - Linux Variant of PingPull Malware Is Active
CERT-EU | 10 months ago | My Tea's not cold : an overview of China's cyber threat – Global Security Mag Online
CERT-EU | a year ago | New Linux malware variants leveraged in Chinese cyberespionage campaign
Unit42 | a year ago | Chinese Alloy Taurus Updates PingPull Malware
CERT-EU | a year ago | Traffic to South African military websites from Linux server? Infection symptom of PingPull malware