PingPull
PingPull is a remote access trojan (RAT) used by GALLIUM, a group also tracked as Alloy Taurus and associated with Operation Soft Cell. Unit 42 described it as a difficult-to-detect tool and tied its use to GALLIUM activity against the telecommunications, government, and finance sectors. GALLIUM historically targeted telecommunications providers and later expanded to financial institutions and government entities, with observed victims or targeting in Afghanistan, Australia, Belgium, Cambodia, Malaysia, Mozambique, the Philippines, Russia, and Vietnam.
PingPull supports command and control over several transports: ICMP, HTTP(S), and raw TCP. Separate ICMP and TCP variants have been described, as has HTTPS on port 8080 rather than 443. Its C2 traffic is Base64-encoded, and Unit 42 reported that tasking and responses are AES-CBC encrypted and then Base64-encoded. Because outbound ICMP echo traffic is commonly permitted where unknown TCP ports are not, the ICMP variant can pass perimeter controls that would stop a conventional beacon, so detection has to look at payload content rather than destination port. The implant runs commands through cmd.exe and provides reverse-shell-like access. It can collect data from the host, enumerate files and directories, and perform file-system operations: listing directories; reading, writing, deleting, copying, and moving files; creating directories; and timestomping files. Stolen data is exfiltrated over the same C2 channel.
For persistence and evasion, PingPull installs itself as a Windows service and masquerades as a legitimate one. Reported examples imitate the IP Helper service, using names and descriptions such as iphlpsvc, IP Helper, Iph1psvc and IP He1per (digit one substituted for lowercase L), and Onedrive. A genuine IP Helper service is hosted by svchost.exe, so a service with one of these names whose ImagePath points at a standalone binary is the practical tell. ATT&CK mappings for PingPull cover Web Protocols, Windows Command Shell, Windows Service, Deobfuscate/Decode Files or Information, Encrypted Channel, Exfiltration Over C2 Channel, Timestomp, Non-Standard Port, Masquerade Task or Service, and system, network, and file discovery.
A Linux variant of PingPull has also been attributed to Alloy Taurus/GALLIUM. Published indicators include a sample named ServerMannger.exe with SHA256 de14f22c88e552b61c62ab28d27a617fb8c0737350ca7c631de5680850282761, configured to contact t1.hinitial[.]com; related hinitial[.]com subdomains t1, v2, v3, v4, and v5; and an associated X.509 certificate with SHA1 76efd8ef3f64059820d937fa87acf9369775ecd5.
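The encoding layering described above (AES-CBC ciphertext wrapped in Base64, carried in ICMP echo payloads or HTTP/TCP bodies) gives a content-based detection hook. The following is an added example, not code from the page or from Unit 42: it flags payloads that are valid Base64 decoding to block-aligned, near-maximum-entropy bytes, which is what AES-CBC output looks like and what Base64 of a plaintext command does not. The thresholds, the record format and the sample payloads are all constructed for the example; the "ciphertext" is a stand-in byte range, not real PingPull traffic.

```python
import base64
import math
import re

# Thresholds are assumptions for this example, not values published for PingPull.
MIN_B64_LEN = 32      # default ping padding is 32 bytes on Windows, 56 on Linux
ENTROPY_RATIO = 0.9   # decoded bytes must be near the maximum entropy for their length
B64_ALPHABET = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the buffer."""
    n = len(data)
    if n == 0:
        return 0.0
    counts = {}
    for b in data:
        counts[b] = counts.get(b, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def entropy_ratio(data: bytes) -> float:
    """Entropy relative to the maximum a buffer of this length can reach."""
    if len(data) < 2:
        return 0.0
    return shannon_entropy(data) / math.log2(min(len(data), 256))


def looks_like_b64_ciphertext(payload: bytes) -> bool:
    """True for Base64 text that decodes to 16-byte-aligned, high-entropy bytes."""
    text = payload.strip()
    if len(text) < MIN_B64_LEN or len(text) % 4:
        return False
    try:
        s = text.decode("ascii")
    except UnicodeDecodeError:
        return False
    if not B64_ALPHABET.match(s):
        return False
    raw = base64.b64decode(s, validate=True)
    if len(raw) % 16:            # AES-CBC output is a whole number of 16-byte blocks
        return False
    return entropy_ratio(raw) >= ENTROPY_RATIO


def flag_records(records):
    """Return the names of (name, transport, payload) records matching the heuristic."""
    return [name for name, _transport, payload in records
            if looks_like_b64_ciphertext(payload)]


# Constructed samples, not captured traffic. FAKE_CIPHERTEXT is 48 distinct
# non-printable bytes: block-aligned and at maximum entropy, like AES output.
FAKE_CIPHERTEXT = bytes(range(0xD0, 0x100))
SAMPLES = [
    ("win_ping", "icmp", b"abcdefghijklmnopqrstuvwabcdefghi"),   # default Windows echo padding
    ("b64_plain", "http", base64.b64encode(b"cmd.exe /c dir c:\\users\\public\\ ")),
    ("b64_cipher_icmp", "icmp", base64.b64encode(FAKE_CIPHERTEXT)),
    ("b64_cipher_tcp", "tcp", base64.b64encode(FAKE_CIPHERTEXT) + b"\r\n"),
]

if __name__ == "__main__":
    for name in flag_records(SAMPLES):
        print("suspicious payload:", name)
```

The Windows default echo padding passes the alphabet check but decodes to 24 bytes, so the block-alignment test rejects it; the Base64-wrapped plaintext command decodes to 32 printable bytes whose entropy ratio sits well below the threshold. Run over a packet capture, the same function applies to ICMP data fields, HTTP bodies and raw TCP segments alike, which is the point: PingPull's transport varies, its encoding layers do not.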
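The service masquerading described two paragraphs up and the indicators listed here combine naturally into one hunt over endpoint and network telemetry. The script below is an added example, not Mallory's or Unit 42's code. The hashes, certificate SHA1 and domain are the ones given on this page (the domain refanged); the event records, field names, the homoglyph-folding table and the severity wording are assumptions constructed for the example.

```python
# Indicators taken from the page (domain refanged); everything else is constructed.
IOC_SHA256 = {"de14f22c88e552b61c62ab28d27a617fb8c0737350ca7c631de5680850282761"}
IOC_CERT_SHA1 = {"76efd8ef3f64059820d937fa87acf9369775ecd5"}
IOC_DOMAINS = {"hinitial.com"}     # apex plus every subdomain (t1, v2..v5 were reported)

# Service names PingPull was reported to imitate; the genuine IP Helper service
# is hosted by svchost.exe, so any other ImagePath for those names is suspect.
MIMICKED = {"iphlpsvc", "ip helper", "onedrive"}
SVCHOST = r"c:\windows\system32\svchost.exe"

# Digit-for-letter swaps seen in Iph1psvc / IP He1per. Assumed table; extend as needed.
FOLD = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s"})


def check_service(evt: dict) -> list:
    """Reasons a service-install event (System 7045 / Security 4697) looks like PingPull."""
    reasons = []
    path = evt["image_path"].lower()
    for field in ("service_name", "display_name"):
        raw = evt[field].lower()
        folded = raw.translate(FOLD)
        if folded not in MIMICKED:
            continue
        if folded != raw:
            reasons.append(f"{field} {evt[field]!r} is a digit-for-letter lookalike of {folded!r}")
        elif folded != "onedrive" and not path.startswith(SVCHOST):
            reasons.append(f"{field} {evt[field]!r} mimics IP Helper but runs {evt['image_path']}")
        elif folded == "onedrive":
            reasons.append("service named Onedrive: reported PingPull masquerade, review the binary")
    return reasons


def check_ioc(evt: dict) -> list:
    """Reasons an event matches the published PingPull indicators."""
    reasons = []
    if evt.get("sha256", "").lower() in IOC_SHA256:
        reasons.append("binary hash matches reported PingPull sample")
    if evt.get("cert_sha1", "").lower() in IOC_CERT_SHA1:
        reasons.append("TLS certificate matches reported PingPull infrastructure")
    host = evt.get("dest_host", "").lower().rstrip(".")
    if any(host == d or host.endswith("." + d) for d in IOC_DOMAINS):
        reasons.append(f"destination {host} is under a reported C2 domain")
    return reasons


def hunt(events) -> dict:
    """Map event id -> list of reasons for every event that trips a check."""
    hits = {}
    for evt in events:
        reasons = check_service(evt) if evt["kind"] == "service_install" else []
        reasons += check_ioc(evt)
        if reasons:
            hits[evt["id"]] = reasons
    return hits


# Constructed telemetry for the example.
EVENTS = [
    {"id": "e1", "kind": "service_install", "service_name": "iphlpsvc", "display_name": "IP Helper",
     "image_path": r"C:\Windows\System32\svchost.exe -k NetSvcs -p"},                # genuine
    {"id": "e2", "kind": "service_install", "service_name": "Iph1psvc", "display_name": "IP He1per",
     "image_path": r"C:\ProgramData\ServerMannger.exe",
     "sha256": "DE14F22C88E552B61C62AB28D27A617FB8C0737350CA7C631DE5680850282761"},
    {"id": "e3", "kind": "service_install", "service_name": "iphlpsvc", "display_name": "IP Helper Service",
     "image_path": r"C:\Users\Public\svc.exe"},                                      # right name, wrong host
    {"id": "e4", "kind": "network", "dest_host": "t1.hinitial.com",
     "cert_sha1": "76efd8ef3f64059820d937fa87acf9369775ecd5"},
    {"id": "e5", "kind": "network", "dest_host": "notahinitial.com"},                 # must not match
]

if __name__ == "__main__":
    for event_id, reasons in hunt(EVENTS).items():
        print(event_id, "->", "; ".join(reasons))
```

Matching the domain with an explicit dot boundary keeps unrelated names that merely end in the same string (e5) out of the results, and folding digits back to letters before comparison catches the Iph1psvc / IP He1per spellings without a list of every variant. The e3 case is the one worth keeping in mind when tuning: the name is spelled correctly, and only the ImagePath gives it away.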
Groups observed using it
3 distinct threat actors attributed by public researchers.
GALLIUM Expands Targeting Across Telecommunications, Government and Finance Sectors With New PingPull Tool.
Unit 42 recently identified a new, difficult-to-detect remote access trojan named PingPull being used by GALLIUM, an advanced persistent threat (APT) group.
After a brief hiatus, the Alloy Taurus APT (aka Gallium or Operation Soft Cell) is back on the scene, with a new Linux variant of its PingPull malware.
Techniques & procedures
17 distinct techniques documented for this family, organized by ATT&CK tactic.
Execution
1 technique
Many entries explicitly state malware 'can create a reverse shell' or 'launch a remote shell,' including 4H RAT, AuditCred, BLACKCOFFEE, Carbanak, DarkComet, Exaramel for Windows, PlugX, QuasarRAT, and ZxShell. | The content repeatedly describes use of cmd.exe, cmd /c, Windows command shell, and xp_cmdshell to execute commands, run payloads, launch binaries, perform reconnaissance, persistence, cleanup, and ransomware actions. Examples include: 'Sandworm Team used the xp_cmdshell command in MS-SQL', 'APT41 used cmd.exe /c to execute commands on remote machines', and many malware families 'can use cmd.exe to execute commands on a compromised host.'
Persistence
1 technique
“Sandworm Team used an arbitrary system service to load at system boot for persistence for Industroyer… replaced the ImagePath registry value of a Windows service with a new backdoor binary… [multiple groups/malware] creating a service / installing as a service / modifying service configurations for persistence.”
Privilege Escalation
1 technique
“Sandworm Team used an arbitrary system service to load at system boot for persistence for Industroyer… replaced the ImagePath registry value of a Windows service with a new backdoor binary… [multiple groups/malware] creating a service / installing as a service / modifying service configurations for persistence.”
Defense Evasion
3 techniques
APT28 has performed timestomping on victim files. APT29 has used timestomping to alter the Standard Information timestamps on their web shells to match other files in the same directory. APT32 has used scheduled task raw XML with a backdated timestamp... APT38 has modified data timestamps to mimic files that are in the same folder on a compromised host.
The content repeatedly describes malware and threat actors decoding, decrypting, or deobfuscating payloads, strings, configuration data, commands, and C2 traffic prior to execution or use, e.g., 'APT28 macro uses the command certutil -decode to decode contents of a .txt file storing the base64 encoded payload' and 'Action RAT can use Base64 to decode actor-controlled C2 server communications.'
Discovery
3 techniques
The content repeatedly describes actors and malware using commands and APIs such as ipconfig /all, ifconfig, arp -a, route print, netsh interface show, GetAdaptersInfo, and GetIpNetTable to gather IP addresses, MAC addresses, DNS, DHCP, gateways, routing tables, ARP cache, proxy settings, and network adapter/interface details.
The content repeatedly describes malware and threat actors collecting host details such as OS version, hostname, architecture, CPU, memory, BIOS, domain, language, and other configuration data; e.g., "APT41 uses multiple built-in commands such as systeminfo and net config Workstation to enumerate victim system basic configuration information."
“3PARA RAT has a command to retrieve metadata for files on disk as well as a command to list the current working directory… admin@338 actors used… dir c:\ >> %temp%\download … APT28 has used Forfiles to locate PDF, Excel, and Word documents…”
Collection
1 technique
The content repeatedly describes threat actors and malware collecting, stealing, identifying, copying, or staging files, documents, credentials, logs, databases, and other information from compromised hosts or local systems.
Command and Control
7 techniques
The content repeatedly describes threat actors, malware, and campaigns using HTTP and/or HTTPS for command and control, including examples such as BlackEnergy communicating with C2 over HTTP POST requests and many other families using HTTP/S for C2.
"Anchor has used ICMP in C2 communications." / "COATHANGER uses ICMP for transmitting configuration information..." / "PHOREAL communicates via ICMP for C2." / "Regin ... can use ICMP to communicate between infected computers." / "Cobalt Strike can be configured to use TCP, ICMP, and UDP for C2 communications."
C2 traffic from ADVSTORESHELL is encrypted, then encoded with Base64 encoding... APT19 HTTP malware variant used Base64 to encode communications to the C2 server... APT33 has used base64 to encode command and control traffic.
4H RAT has the capability to create a remote shell. AuditCred can open a reverse shell on the system to execute commands. PlugX allows actors to spawn a reverse shell on a victim. QuasarRAT can launch a remote shell to execute commands on the victim’s machine.
Exfiltration
1 technique
ADVSTORESHELL exfiltrates data over the same channel used for C2... Agrius exfiltrated staged data using tools such as Putty and WinSCP, communicating with command and control servers... numerous malware and groups sent victim data, files, credentials, or host information over existing C2 channels.
Recent activity
17 sources tracked across advisories, community write-ups, and news.
Malware capable of timestomping files.
PingPull is a backdoor used by Gallium (Alloy Taurus) for remote access and espionage, with variants for Windows and Linux platforms.
A malware family used by the Alloy Taurus (Gallium / Operation Soft Cell) espionage actor; a retooled Linux variant indicates continued development and cross-platform remote access/backdoor capability.
Remote access trojan (RAT) referenced as newly reported by Unit 42; used by a threat group (tracked by Microsoft as GALLIUM) targeting multiple industries.