GALLIUM

Granite Typhoon, formerly known as Gallium, is a China-based / China-aligned cyberespionage threat actor. Known aliases in the provided content are GALLIUM, Alloy Taurus, Phantom Panda, and Granite Typhoon. The group has been reported targeting telecommunications providers globally, including victims across Southeast Asia, Europe, Africa, and the Middle East; additional reporting cited in the content states it expanded targeting to government and finance sectors. The content describes Granite Typhoon/GALLIUM as heavily focused on telecommunications intrusions and associated with activity overlapping Operation Soft Cell. SentinelLABS assessed with medium confidence that Gallium was involved in 2023 intrusions against Middle Eastern telecommunications providers, while noting the activity fell in the nexus of Gallium and APT41 and that exact grouping remained unclear. Another report attributed a RESHELL malware cluster to GALLIUM with moderate confidence. The content also notes possible connections to APT41 based on shared tooling and a common code-signing certificate, while explicitly acknowledging the possibility of tool sharing among Chinese state-sponsored actors or use of a shared vendor/digital quartermaster. Observed tradecraft in the provided content includes exploitation of unpatched Internet-exposed WildFly/JBoss servers and compromised Microsoft Exchange servers with webshell deployment for initial access; use of web shells including China Chopper and the IIS-based BlackMould for persistence, command execution, file operations, and payload delivery; credential theft using Mimikatz, Windows Credential Editor, and collection of password hashes from the SAM hive; reconnaissance using ipconfig /all, modified NBTscan, whoami, query user, ping, dsquery, net use, netstat, and LG; lateral movement and remote execution using compromised domain credentials, PsExec, WMI, PowerShell, and the Windows command shell; use of HTRAN as a connection bouncer/proxy; staging and exfiltration via WinRAR or multi-part archives placed in the Recycle Bin; and persistence via scheduled tasks, including for PoisonIvy. Microsoft also observed use of SoftEther VPN to maintain persistence and access internal systems as if operating from inside the victim network. The group is described as relying extensively on publicly available and low-cost tooling, often with small modifications to add functionality or evade antimalware detection. Reported malware and tooling associated with the actor in the content include modified PoisonIvy, customized Gh0st RAT variants including QuarkBandit, PingPull, HTRAN, BlackMould, China Chopper, Mimikatz, WCE, NBTscan, Netcat, PsExec, WinRAR, and SoftEther VPN. The content also states Microsoft observed GALLIUM using tools signed with stolen code-signing certificates, including certificates from Whizzimo LLC.