🇨🇳

Soft Cell

APT Group Information theft and espionage 13 zero-day CVEs ETDA ✓

Also Known As 8 names

G0093 Alloy Taurus GALLIUM PHANTOM PANDA Gallium Granite Typhoon Red Dev 4 Phantom Panda

Target Countries 5

Countries highlighted in red

Burkina Faso Canada Slovakia United States South Africa

Sectors Targeted

Food Services and Drinking Places 722 Telecommunications Computer Systems Design and Related Services 54151 Government Telecommunications 517 Financial National Security and International Affairs 928110 Employment Placement Agencies and Executive Search Services 56131 Oil and Gas Extraction 211

Details

Origin 🇨🇳 CN

Last Updated 11 May 2024

Malware Families 2

sorgu

NewCore

MITRE ATT&CK 59

T1003 T1003.001 T1003.002 T1005 T1016 T1018 T1021 - Remote Services T1027 - Obfuscated Files or Information T1027.002 T1027.005 T1033 T1036 - Masquerading T1036.003 T1041 T1047 T1049 T1053 T1053.005 T1055 - Process Injection T1059 - Command and Scripting Interpreter T1059.001 T1059.003 T1071.001 T1074 - Data Staged T1074.001 T1078 T1078.003 T1090 T1090.002 T1102 - Web Service T1105 T1110 - Brute Force T1133 T1134 - Access Token Manipulation T1136 T1136.002 T1140 - Deobfuscate/Decode Files or Information T1190 - Exploit Public-Facing Application T1195 - Supply Chain Compromise T1199 - Trusted Relationship T1498.001 T1505 - Server Software Component T1505.003 T1547 - Boot or Logon Autostart Execution T1550 - Use Alternate Authentication Material T1550.002 T1553 - Subvert Trust Controls T1553.002 T1560 - Archive Collected Data T1560.001 T1566 - Phishing T1570 T1574 T1574.001 T1574.002 T1583 T1583.004 T1588 T1588.002

Related Zero-Days 13

CVE-2024-43047 CVE-2024-50302 CVE-2024-53104 CVE-2024-53150 CVE-2024-53197 CVE-2025-1316 CVE-2025-22224 CVE-2025-22225 CVE-2025-22226 CVE-2025-24085 CVE-2025-24200 CVE-2025-2783 CVE-2025-38352

Known Names 5 entries

Gallium Microsoft

Phantom Panda CrowdStrike

Granite Typhoon Microsoft

Alloy Taurus Palo Alto

G0093 MITRE

Description

(Microsoft) To compromise targeted networks, GALLIUM target unpatched internet-facing services using publicly available exploits and have been known to target vulnerabilities in WildFly/JBoss. Once persistence is established in a network, GALLIUM uses common techniques and tools like Mimikatz to obtain credentials that allows for lateral movement across the target network. Within compromised networks, GALLIUM makes no attempt to obfuscate their intent and are known to use common versions of malware and publicly available toolkits with small modifications. The operators rely on low cost and easy to replace infrastructure that consists of dynamic-DNS domains and regularly reused hop points. This activity from GALLIUM has been identified predominantly through 2018 to mid-2019. GALLIUM is still active; however, activity levels have dropped when compared to what was previously observed.

Tools Used 20

BlackMould China Chopper Cobalt Strike Gh0stCringe RAT HTran LaZagne Mimikatz nbtscan netcat PingPull Plink Poison Ivy PsExec QuarkBandit QuasarRAT Reshell SoftEther VPN Sword2033 Windows Credentials Editor WinRAR

Operations 3

2021-09 Chinese Alloy Taurus Updates PingPull Malware https://unit42.paloaltonetworks.com/alloy-taurus/

2022 Early Persistent Attempts at Cyberespionage Against Southeast Asian Government Target Have Links to Alloy Taurus https://unit42.paloaltonetworks.com/alloy-taurus-targets-se-asian-government/

2022-06 GALLIUM Expands Targeting Across Telecommunications, Government and Finance Sectors With New PingPull Tool https://unit42.paloaltonetworks.com/pingpull-gallium/

Reports & References 1

https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/

ETDA Profile

Gallium

Origin

China

First Seen 2018

Motivation

Information theft and espionage

MITRE ATT&CK Groups

https://attack.mitre.org/groups/G0093/

View on ETDA APT Groups ↗