Sword2033

Threat Actor updated 6 months ago (2024-05-04T17:53:14.522Z)
Download STIX
Preview STIX
Sword2033 is a new and previously undocumented backdoor tool used by the China-linked threat actor known as Alloy Taurus. This group, also referred to as GALLIUM or Softcell, has been actively targeting Linux systems with a variant of the PingPull backdoor, while also deploying Sword2033 in their operations. The use of Sword2033 was first identified by researchers from Palo Alto Networks' Unit 42 in April 2023, during their investigation into the infrastructure leveraged by Alloy Taurus for the PingPull Linux variant. The Sword2033 backdoor is relatively simple in its functionality but effective in its purpose. It supports three basic functions: uploading files to the system, downloading files from the system, and executing commands. The analysis of the C2 domain yrhsywu2009.zapto[.]org, found in both the PingPull Linux variant and the first Sword2033 sample, shows that it was most recently hosted on 5.181.25[.]99 until early February 2023. Alloy Taurus continues to pose a significant threat to telecommunications, finance, and government organizations across Southeast Asia, Europe, and Africa. The identification of a Linux variant of the PingPull malware, along with the recent use of the Sword2033 backdoor, suggests that this group is continuously evolving their operations in support of their espionage activities. As such, cybersecurity measures must be enhanced to counteract these sophisticated threats.
Description last updated: 2024-05-04T17:38:43.444Z
What's your take? (Question 1 of 5)
Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at. Create a free account to see the source evidence for each alias, and help fix any errors.
Alias DescriptionVotes
GALLIUM is a possible alias for Sword2033. Gallium, also known as Alloy Taurus, is a China-aligned threat actor known for executing actions with malicious intent in the cyber domain. In recent years, Gallium has been associated with various significant cyber-espionage campaigns. The group targeted telecommunication entities in the Middle Eas
2
Alloy Taurus is a possible alias for Sword2033. Alloy Taurus, a threat actor group, has been identified as a significant cybersecurity concern due to its persistent attempts at cyberespionage, primarily targeting the government sector in Southeast Asia. The activity of this group was first observed in early 2022 and continued throughout 2023, dur
2
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Linux
Backdoor
Malware
Espionage
Analyst Notes & Discussion
Be the first to leave your mark here! Log in to share your views and vote.
Associated Malware
To see the evidence that has resulted in these malware associations, create a free account
Alias DescriptionAssociation TypeVotes
The PingPull Malware is associated with Sword2033. PingPull is a malicious software (malware) developed by the Chinese nation-state group known as Alloy Taurus, also referred to as Gallium. The malware is designed to exploit and damage computer systems, with capabilities such as stealing personal information, disrupting operations, or holding data hUnspecified
3
Source Document References
Information about the Sword2033 Threat Actor was read from the documents corpus below. This display is limited to 20 results, create a free account to see more
PreviewSource LinkCreatedAtTitle
CERT-EU
2 years ago
Securityaffairs
2 years ago
CERT-EU
2 years ago
CERT-EU
2 years ago
CERT-EU
2 years ago
CERT-EU
2 years ago
CERT-EU
2 years ago
CERT-EU
a year ago
CERT-EU
2 years ago
Unit42
2 years ago
CERT-EU
2 years ago