Sword2033

Threat Actor updated 4 months ago (2024-05-04T17:53:14.522Z)

Download STIX

Preview STIX

Sword2033 is a new and previously undocumented backdoor tool used by the China-linked threat actor known as Alloy Taurus. This group, also referred to as GALLIUM or Softcell, has been actively targeting Linux systems with a variant of the PingPull backdoor, while also deploying Sword2033 in their operations. The use of Sword2033 was first identified by researchers from Palo Alto Networks' Unit 42 in April 2023, during their investigation into the infrastructure leveraged by Alloy Taurus for the PingPull Linux variant. The Sword2033 backdoor is relatively simple in its functionality but effective in its purpose. It supports three basic functions: uploading files to the system, downloading files from the system, and executing commands. The analysis of the C2 domain yrhsywu2009.zapto[.]org, found in both the PingPull Linux variant and the first Sword2033 sample, shows that it was most recently hosted on 5.181.25[.]99 until early February 2023. Alloy Taurus continues to pose a significant threat to telecommunications, finance, and government organizations across Southeast Asia, Europe, and Africa. The identification of a Linux variant of the PingPull malware, along with the recent use of the Sword2033 backdoor, suggests that this group is continuously evolving their operations in support of their espionage activities. As such, cybersecurity measures must be enhanced to counteract these sophisticated threats.

Description last updated: 2024-05-04T17:38:43.444Z

What's your take? (Question 1 of 5)

Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.

Possible Aliases / Cluster overlaps

It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.

ID	Votes	Profile Description
GALLIUM	2	Gallium, also known as Alloy Taurus, is a China-aligned threat actor known for executing actions with malicious intent in the cyber domain. In recent years, Gallium has been associated with various significant cyber-espionage campaigns. The group targeted telecommunication entities in the Middle Eas
Alloy Taurus	2	Alloy Taurus, a threat actor group, has been identified as a significant cybersecurity concern due to its persistent attempts at cyberespionage, primarily targeting the government sector in Southeast Asia. The activity of this group was first observed in early 2022 and continued throughout 2023, dur

Miscellaneous Associations

Other elements of context that could aid in the identification of relevance

Linux

Backdoor

Malware

Espionage

Analyst Notes & Discussion

Be the first to leave your mark here! Log in to share your views and vote.

Associated Malware

To see the evidence that has resulted in these malware associations, create a free account

ID	Type	Votes	Profile Description
PingPull	Unspecified	3	PingPull is a malicious software (malware) developed by the Chinese nation-state group known as Alloy Taurus, also referred to as Gallium. The malware is designed to exploit and damage computer systems, with capabilities such as stealing personal information, disrupting operations, or holding data h

Source Document References

Information about the Sword2033 Threat Actor was read from the documents corpus below. This display is limited to 20 results, create a free account to see more

Source Link	CreatedAt	Title
CERT-EU	a year ago	China-linked Alloy Taurus APT uses a Linux variant of PingPull malware \| IT Security News
Securityaffairs	a year ago	Alloy Taurus APT uses a Linux variant of PingPull malware
CERT-EU	a year ago	Chinese APT group Alloy Taurus unleashes new Linux variant of PingPull malware
CERT-EU	a year ago	Chinese Hackers Spotted Using Linux Variant of PingPull in Targeted Cyberattacks - GIXtools
CERT-EU	a year ago	Chinese Hackers Spotted Using Linux Variant of PingPull in Targeted Cyberattacks
CERT-EU	a year ago	State-purchased spyware prevalent
CERT-EU	a year ago	Chinese APT Alloy Taurus Is Back - Linux Variant of PingPull Malware Is Active
CERT-EU	a year ago	My Tea's not cold : an overview of China's cyber threat – Global Security Mag Online
CERT-EU	a year ago	New Linux malware variants leveraged in Chinese cyberespionage campaign
Unit42	a year ago	Chinese Alloy Taurus Updates PingPull Malware
CERT-EU	a year ago	Traffic to South African military websites from Linux server? Infection symptom of PingPull malware