PingPull
PingPull is a remote access trojan/backdoor used by GALLIUM, a group also tracked as Alloy Taurus and linked to Operation Soft Cell (Softcell). Reporting cited here attributes its use to Chinese state-aligned espionage activity, initially targeting telecommunications providers and later government and finance sectors; additional victims or targets mentioned include entities in Afghanistan, Australia, Belgium, Cambodia, Malaysia, Mozambique, the Philippines, Russia, and Vietnam. A Linux variant has also been reported.
PingPull supports command-and-control over multiple protocols, with variants communicating via ICMP, HTTP(S), or raw TCP. It is described as difficult to detect partly because it can tunnel C2 over ICMP and can also use HTTPS over port 8080 and other non-standard ports. Its C2 traffic can be Base64-encoded, and Unit 42 reporting cited here states that tasking and responses use AES-CBC encryption combined with Base64 encoding. The malware generates a unique host identifier string in the format PROJECT_[uppercase executable name][uppercase computer name][uppercase hexadecimal IP address]. In the ICMP variant, commands are exchanged through ICMP Echo Request/Reply traffic; in the HTTPS variant, the initial beacon is an HTTPS POST with the unique identifier in the URL path; in the raw TCP variant, beacons begin with a 4-byte length field followed by the PROJECT_* identifier.
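As an added defender-side example (not code from the page or from Unit 42), the Python below checks a raw TCP payload or an HTTPS POST path for the beacon shape described above: a 4-byte length followed by a PROJECT_* identifier, or the identifier carried in a URL segment. The byte order of the length field and of the hex IP is not stated in the reporting and is assumed here; the sample beacon is constructed.

```python
import re
import struct
from typing import Optional

# Host identifier format from the reporting: "PROJECT_" + uppercase executable
# name + uppercase computer name + uppercase hex IP. The fields carry no
# separator, so only the trailing 8-hex-digit IPv4 part is split off reliably.
IDENT_RE = re.compile(rb"^PROJECT_([A-Z0-9_.\-]*)([0-9A-F]{8})$")

def hex_to_ipv4(hex_ip: str) -> str:
    """8 uppercase hex digits -> dotted quad. Byte order is an assumption
    (network order, so C0A80105 -> 192.168.1.5)."""
    return ".".join(str(int(hex_ip[i:i + 2], 16)) for i in range(0, 8, 2))

def parse_identifier(ident: bytes) -> Optional[dict]:
    """Return the identifier's parts if it matches the PROJECT_ shape, else None."""
    m = IDENT_RE.match(ident)
    if not m:
        return None
    return {"host_fields": m.group(1).decode(), "ip": hex_to_ipv4(m.group(2).decode())}

def parse_tcp_beacon(payload: bytes) -> Optional[dict]:
    """Raw TCP variant: 4-byte length, then the identifier. The reporting does
    not state the byte order of the length, so both are accepted (assumption)."""
    body = payload[4:]
    if len(body) < len(b"PROJECT_"):
        return None
    for fmt, name in (("<I", "little"), (">I", "big")):
        (length,) = struct.unpack(fmt, payload[:4])
        if length == len(body):
            parsed = parse_identifier(body)
            if parsed:
                return {**parsed, "length_endian": name}
    return None

def check_https_beacon_path(path: str) -> Optional[dict]:
    """HTTPS variant: the initial POST carries the identifier in the URL path."""
    for segment in path.strip("/").split("/"):
        parsed = parse_identifier(segment.encode("ascii", "ignore"))
        if parsed:
            return parsed
    return None

# Constructed sample beacon, not from a real capture (exe name taken from the page).
SAMPLE_IDENT = b"PROJECT_SERVERMANNGER.EXEWIN-HOSTC0A80105"
SAMPLE_TCP = struct.pack("<I", len(SAMPLE_IDENT)) + SAMPLE_IDENT
```

Because the executable and computer names have no delimiter, a detection should key on the PROJECT_ prefix plus the trailing hex IP rather than try to split the middle fields.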
On compromised hosts, PingPull can execute commands via cmd.exe and provide reverse-shell-like access. It can collect data from the local system and supports file and directory discovery and file-system operations including listing directories, reading, writing, deleting, copying, and moving files, creating directories, and timestomping files. It can exfiltrate stolen victim data through its existing C2 channel.
For persistence and evasion, PingPull can install itself as a Windows service and mimic legitimate services. Reporting cited here notes that it masquerades as the legitimate iphlpsvc (IP Helper) service using look-alike names such as the service name Iph1psvc and display name IP He1per (the digit 1 standing in for lowercase l), and has also used an Onedrive service name, in both cases with legitimate-looking service descriptions. ATT&CK-style mappings associate PingPull with Windows service creation/modification, Windows command shell, web protocols, encoding/decoding, encrypted channel use, exfiltration over C2, timestomping, masquerading, non-application-layer protocols, non-standard ports, and system/network discovery.
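Added example, not code from the page's sources: a Python hunt over constructed service-installation records that flags look-alike names for the IP Helper service (the Iph1psvc / IP He1per spoof noted above) and exact-named copies whose binary runs from outside System32. The homoglyph table and the System32 path check are heuristic assumptions.

```python
import re

# Look-alike substitutions used to spoof service names; the page's example
# swaps the digit 1 for lowercase l (Iph1psvc for iphlpsvc, IP He1per for IP Helper).
HOMOGLYPHS = str.maketrans({"1": "l", "0": "o", "|": "l", "!": "i", "5": "s"})

# Legitimate service the page says PingPull imitates: name iphlpsvc, display name "IP Helper".
LEGIT = {"iphlpsvc": "IP Helper"}

def normalize(name: str) -> str:
    """Lower-case, collapse whitespace and undo homoglyph swaps for comparison."""
    return re.sub(r"\s+", " ", name.strip()).lower().translate(HOMOGLYPHS)

def classify_service(service_name: str, display_name: str) -> str:
    """'exact' if both names match the legitimate service, 'lookalike' if either
    matches only after homoglyph normalization, else 'unrelated'."""
    for legit_svc, legit_disp in LEGIT.items():
        if (service_name.lower(), display_name.lower()) == (legit_svc.lower(), legit_disp.lower()):
            return "exact"
        if normalize(service_name) == normalize(legit_svc) or normalize(display_name) == normalize(legit_disp):
            return "lookalike"
    return "unrelated"

def hunt(records: list) -> list:
    """Flag service-install records that are look-alikes, or exact-named copies of
    the legitimate service whose binary is outside System32 (heuristic assumption:
    the genuine IP Helper service runs from C:\\Windows\\System32)."""
    hits = []
    for r in records:
        verdict = classify_service(r["service_name"], r["display_name"])
        in_system32 = r["image_path"].lower().startswith("c:\\windows\\system32\\")
        if verdict == "lookalike" or (verdict == "exact" and not in_system32):
            hits.append({**r, "verdict": verdict})
    return hits

# Constructed service-installation records (not real telemetry); the look-alike
# names and the executable name come from the page.
SAMPLE_RECORDS = [
    {"service_name": "Iph1psvc", "display_name": "IP He1per",
     "image_path": "C:\\ProgramData\\ServerMannger.exe"},
    {"service_name": "iphlpsvc", "display_name": "IP Helper",
     "image_path": "C:\\Windows\\System32\\svchost.exe -k NetSvcs"},
    {"service_name": "Spooler", "display_name": "Print Spooler",
     "image_path": "C:\\Windows\\System32\\spoolsv.exe"},
    {"service_name": "iphlpsvc", "display_name": "IP Helper",
     "image_path": "C:\\Users\\Public\\svchost.exe"},
]
```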
Indicators and infrastructure directly mentioned in the content include a sample named ServerMannger.exe with SHA256 de14f22c88e552b61c62ab28d27a617fb8c0737350ca7c631de5680850282761, configured to contact t1.hinitial[.]com; related hinitial[.]com subdomains including t1, v2, v3, v4, and v5; and an X.509 certificate with SHA1 76efd8ef3f64059820d937fa87acf9369775ecd5 linked to associated infrastructure. The content also mentions two observed AES keys in known samples: P29456789A1234sS and dC@133321Ikd!D^i.
Groups observed using it
3 distinct threat actors attributed by public researchers.
We had observed activity at the same target a few months prior, which we attributed to Gallium primarily based on the use of the group’s PingPull backdoor and TTPs.
Unit 42 recently identified a new, difficult-to-detect remote access trojan named PingPull being used by GALLIUM, an advanced persistent threat (APT) group.
After a brief hiatus, the Alloy Taurus APT (aka Gallium or Operation Soft Cell) is back on the scene, with a new Linux variant of its PingPull malware.
Techniques & procedures
17 distinct techniques documented for this family, organized by ATT&CK tactic.
Execution
1 technique
Many entries explicitly state malware 'can create a reverse shell' or 'launch a remote shell,' including 4H RAT, AuditCred, BLACKCOFFEE, Carbanak, DarkComet, Exaramel for Windows, PlugX, QuasarRAT, and ZxShell.
The content repeatedly describes use of cmd.exe, cmd /c, Windows command shell, and xp_cmdshell to execute commands, run payloads, launch binaries, perform reconnaissance, persistence, cleanup, and ransomware actions. Examples include: 'Sandworm Team used the xp_cmdshell command in MS-SQL', 'APT41 used cmd.exe /c to execute commands on remote machines', and many malware families 'can use cmd.exe to execute commands on a compromised host.'
Persistence
1 technique
Privilege Escalation
1 technique
Stealth
3 techniques
APT28 has performed timestomping on victim files. APT29 has used timestomping to alter the Standard Information timestamps on their web shells to match other files in the same directory. APT32 has used scheduled task raw XML with a backdated timestamp... APT38 has modified data timestamps to mimic files that are in the same folder on a compromised host.
Discovery
3 techniques
The content repeatedly describes malware and threat actors using commands and APIs such as ipconfig /all, ifconfig, arp -a, route print, nbtstat, netsh, GetAdaptersInfo, and GetIpNetTable to gather IP addresses, MAC addresses, DNS, DHCP, gateways, routing tables, ARP cache, proxy settings, domains, and network adapter/interface details.
The content repeatedly describes malware and threat actors collecting host details such as OS version, hostname, architecture, CPU, memory, BIOS, domain, language, and other configuration data; e.g., "APT41 uses multiple built-in commands such as systeminfo and net config Workstation to enumerate victim system basic configuration information."
The content repeatedly describes malware and threat actors listing files and directories, enumerating drives, searching for files by extension/name/path, retrieving file metadata, and browsing file systems (for example: "APT28 has used Forfiles to locate PDF, Excel, and Word documents during collection" and "cmd can be used to find files and directories with native functionality such as dir commands").
Collection
1 technique
Command and Control
7 techniques
The content repeatedly describes threat actors and malware using HTTP and HTTPS for command and control, such as: "Sandworm Team used BlackEnergy to communicate between compromised hosts and their command-and-control servers via HTTP post requests."
"Anchor has used ICMP in C2 communications." / "COATHANGER uses ICMP for transmitting configuration information..." / "PHOREAL communicates via ICMP for C2." / "Regin ... can use ICMP to communicate between infected computers." / "Cobalt Strike can be configured to use TCP, ICMP, and UDP for C2 communications."
C2 traffic from ADVSTORESHELL is encrypted, then encoded with Base64 encoding... APT19 HTTP malware variant used Base64 to encode communications to the C2 server... APT33 has used base64 to encode command and control traffic.
Exfiltration
1 technique
ADVSTORESHELL exfiltrates data over the same channel used for C2... Agrius exfiltrated staged data using tools such as Putty and WinSCP, communicating with command and control servers... numerous malware and groups sent victim data, files, credentials, or host information over existing C2 channels.
Recent activity
19 sources tracked across advisories, community write-ups, and news.
A backdoor previously used by Gallium at the same target, cited here as attribution-supporting tooling connected to earlier activity.
Malware capable of timestomping files.
PingPull is a backdoor used by Gallium (Alloy Taurus) for remote access and espionage, with variants for Windows and Linux platforms.
A malware family used by the Alloy Taurus (Gallium / Operation Soft Cell) espionage actor; the content notes a retooled Linux variant, implying continued development and cross-platform capability for remote access/backdoor functionality.