Sword2033

Threat Actor updated 4 days ago (2024-11-29T14:13:11.765Z)
Download STIX
Preview STIX
Sword2033 is a new and previously undocumented backdoor tool used by the China-linked threat actor known as Alloy Taurus. This group, also referred to as GALLIUM or Softcell, has been actively targeting Linux systems with a variant of the PingPull backdoor, while also deploying Sword2033 in their operations. The use of Sword2033 was first identified by researchers from Palo Alto Networks' Unit 42 in April 2023, during their investigation into the infrastructure leveraged by Alloy Taurus for the PingPull Linux variant. The Sword2033 backdoor is relatively simple in its functionality but effective in its purpose. It supports three basic functions: uploading files to the system, downloading files from the system, and executing commands. The analysis of the C2 domain yrhsywu2009.zapto[.]org, found in both the PingPull Linux variant and the first Sword2033 sample, shows that it was most recently hosted on 5.181.25[.]99 until early February 2023. Alloy Taurus continues to pose a significant threat to telecommunications, finance, and government organizations across Southeast Asia, Europe, and Africa. The identification of a Linux variant of the PingPull malware, along with the recent use of the Sword2033 backdoor, suggests that this group is continuously evolving their operations in support of their espionage activities. As such, cybersecurity measures must be enhanced to counteract these sophisticated threats.
Description last updated: 2024-05-04T17:38:43.444Z
What's your take? (Question 1 of 5)
Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at. Create a free account to see the source evidence for each alias, and help fix any errors.
Alias DescriptionVotes
GALLIUM is a possible alias for Sword2033. Gallium, also known as Alloy Taurus, is a threat actor group that has been associated with significant cyber-espionage campaigns and is believed to have ties with China. The group has been linked to multiple intrusion sets targeting network devices, including routers and servers. Gallium notably tar
2
Alloy Taurus is a possible alias for Sword2033. Alloy Taurus, a threat actor group, has been identified as a significant cybersecurity concern due to its persistent attempts at cyberespionage, primarily targeting the government sector in Southeast Asia. The activity of this group was first observed in early 2022 and continued throughout 2023, dur
2
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Linux
Backdoor
Malware
Espionage
Analyst Notes & Discussion
Be the first to leave your mark here! Log in to share your views and vote.
Associated Malware
To see the evidence that has resulted in these malware associations, create a free account
Alias DescriptionAssociation TypeVotes
The PingPull Malware is associated with Sword2033. PingPull is a malicious software (malware) developed by the Chinese nation-state group known as Alloy Taurus, also referred to as Gallium. The malware is designed to exploit and damage computer systems, with capabilities such as stealing personal information, disrupting operations, or holding data hUnspecified
3