Gallium hackers use new PingPull malware in attacks


The group targets financial institutions and government organizations in Europe, Southeast Asia, and Africa.

The state-sponsored Gallium hacking group was found using a new ‘PingPull’ remote access trojan against financial institutions and government organizations in Europe, Southeast Asia, and Africa.

These entities are based in Australia, Russia, Philippines, Belgium, Vietnam, Malaysia, Cambodia, and Afghanistan.

The hacking group Gallium is believed to have originate from China, as it targets the telecommunications, finance, and government sectors in espionage operations, which aligns with the country’s interests.

It was found that in recent campaigns, Gallium is employing a new RAT named PingPull, which according to analysts at Unit42 (Palo Alto Networks) are particularly stealthy.

The PingPull malware gives threat actors a reverse shell on the compromised machine, allowing them to execute commands remotely.

The researchers could sample three distinct variants with similar functionality that use different C2 communication protocols, namely ICMP, HTTPS, and TCP.

The different C2 protocols might be to evade specific network detection methods/tools, with the actors deploying the suitable variant based on preliminary reconnaissance.

In all three cases, the malware installs itself as a service and has a description simulating a legitimate service, which discourages users from terminating it.

The infrastructure uncovered by Unit 42 that links to Gallium operations includes over 170 IP addresses, some of which dates back to late 2020.

Microsoft had warned about the group in 2019, highlighting a targeting scope limited to telecommunication service providers at the time.

The new campaigns by the group indicates that they are still active and an evolving threat. Based on the most recent reports, Gallium has expanded that scope to include key government entities and financial institutions in Asia, Africa, Europe, and Australia.

So, all vital organizations are advised to use the indicators of compromise provided in the Unit 42 report for timely threat detection.


Please enter your comment!
Please enter your name here