GALLIUM: Persistent Chinese Cyberespionage Targeting Global Critical Infrastructure
- Suspected Origin
- China
- Motivation
- Espionage, Strategic Intelligence Gathering, Data Theft
- Aliases
- Granite Typhoon
- Target Sectors
- Telecommunications, Government, Financial Institutions, Critical Infrastructure
- Associated Malware
- Poison Ivy, Gh0st RAT, China Chopper, BlackMould, PingPull, Sword2033, HTRAN, Mimikatz
Overview
GALLIUM, tracked by the MITRE ATT&CK framework as G0093, is a highly persistent and sophisticated cyberespionage group. Active since at least 2012, this advanced persistent threat (APT) actor is widely assessed to be state-sponsored by the People’s Republic of China. Known also by aliases such as Granite Typhoon, Alloy Taurus, Phantom Panda, and Red Giant 4, GALLIUM’s operations consistently align with China’s strategic intelligence collection objectives. Their primary motivation is espionage, focusing on obtaining sensitive communications data, mapping foreign infrastructure, and establishing long-term access for strategic advantage rather than direct financial gain. This scope extends to supporting China’s national security agenda and initiatives like the Belt and Road Initiative (BRI).
Initially, GALLIUM prominently targeted high-profile telecommunications companies. Over time, their operational footprint has expanded to include financial institutions, government entities, and critical infrastructure sectors across a broad geographic range. Their victimology spans countries such as Afghanistan, Australia, Belgium, Cambodia, Malaysia, Mozambique, the Philippines, Russia, and Vietnam, with a notable focus on Southeast Asia, the Middle East, Africa, and Europe. More recent activity highlights continued targeting in Southeast Asia, including Indonesia, Malaysia, the Philippines, Cambodia, and Taiwan.
Tactics & Techniques
GALLIUM employs a diverse array of tactics, techniques, and procedures (TTPs) designed for stealthy, long-term espionage operations. Their initial access often involves exploiting publicly-facing servers, particularly unpatched internet-facing services like WildFly/JBoss application servers, for which public exploits are readily available. In some cases, they have also been observed infiltrating Microsoft Exchange servers and utilizing targeted spear-phishing against administrators and network engineers. Supply-chain compromises have also been a vector for initial intrusion.
Once a foothold is established, GALLIUM prioritizes persistence. They frequently deploy web shells, such as China Chopper and its native IIS-based variant, BlackMould, to maintain access and facilitate execution and data exfiltration. The group also leverages legitimate tools like SoftEther VPN to obscure their origins and establish long-lasting remote access tunnels, making their activity appear benign within a network. Persistence mechanisms also include creating scheduled tasks for their remote access Trojans (RATs) and establishing high-privileged domain user accounts.
For credential access, GALLIUM utilizes modified versions of well-known tools like Mimikatz and Windows Credential Editor (WCE) to harvest usernames and passwords, including dumping password hashes from the SAM hive in the Windows Registry. With valid credentials, they perform lateral movement across victim networks, often using tools like PsExec and PowerShell for execution. Internal reconnaissance is typically carried out using standard commands like ipconfig /all, netstat -oan, whoami, query user, and modified versions of NBTscan and ping.
Command and Control (C2) infrastructure often involves web shells and modified versions of HTRAN to redirect connections between networks. They frequently rely on dynamic DNS domains from providers like noip.com (e.g., ddns.net, myftp.biz) and have been observed using Taiwan-based servers exclusively for their C2 operations. Data exfiltration typically involves compressing and encrypting stolen information using WinRAR before sending it out via their C2 channels.
To evade detection, GALLIUM modifies widely available tools and obfuscates strings in their custom utilities. They also pack payloads using various packers, both known and custom, to ensure unique hashes and bypass antimalware solutions.
Notable Campaigns
One of GALLIUM’s most recognized operations is Operation Soft Cell, a long-running campaign observed between 2018 and 2020. This extensive espionage effort primarily targeted global telecommunications providers, with the objective of stealing massive amounts of call detail records, billing data, email server content, and personally identifiable information, likely to monitor high-value targets. The campaign involved the exploitation of web servers, deployment of web shells, and the use of modified versions of their RATs.
Microsoft also reported a “Global Telecom Campaign” between 2018 and 2019, which is likely overlapping with Operation Soft Cell, detailing widespread attacks against telecommunications companies leveraging publicly available exploits for WildFly/JBoss servers and using tools like HTRAN and Mimikatz for lateral movement and data theft.
In Q1 2023, SentinelLabs observed renewed initial attack phases against telecommunication providers in the Middle East, which they assessed as an evolution of tooling associated with Operation Soft Cell. This activity highlighted a highly motivated threat actor employing maintained, versioned credential theft capabilities and new dropper mechanisms, with possible connections to APT41.
Associated Malware & Tools
GALLIUM utilizes a blend of custom malware and modified, publicly available tools to achieve its objectives, often adapting them to evade detection.
Key malware families include:
- Poison Ivy: A widely accessible Remote Access Trojan (RAT), GALLIUM has used modified versions with altered communication methods.
- Gh0st RAT (QuarkBandit/Gh0stCringe RAT): Another common RAT, observed in modified forms unique to GALLIUM, such as QuarkBandit and Gh0stCringe RAT.
- Web Shells: China Chopper is a frequently used web shell, alongside BlackMould, a native IIS-based variant of China Chopper. These are crucial for persistence and command execution.
- PingPull: A relatively newer and difficult-to-detect RAT identified in 2022. PingPull is capable of leveraging ICMP, HTTP(S), and raw TCP for C2 communications. A Linux variant, sometimes referred to as PingPong, and the Linux backdoor Sword2033 have also been observed, linked to SoftEther VPN infrastructure.
- QuasarRAT: Also noted in some reports as being part of their toolkit.
Beyond these, GALLIUM’s toolkit includes several off-the-shelf and modified utilities:
- HTRAN: Used as a connection bouncer and for C2, often in a modified, obfuscated version.
- Mimikatz: A credential dumping tool, frequently modified.
- WinRAR: Used for compressing and encrypting stolen data prior to exfiltration.
- PsExec: Employed for lateral movement within compromised networks.
- NBTscan: Used for network reconnaissance, typically a modified version.
- SoftEther VPN: Utilized for accessing and maintaining persistence in victim environments, as well as obscuring intrusion origins.
- Other generic system tools like
portqry.exe,cmd.exe(often renamed), Netcat, Windows Credential Editor (WCE), Cobalt Strike, LaZagne, and Plink.
Current Status
GALLIUM remains an active and evolving threat. While some reports in late 2019 indicated a decrease in activity levels compared to earlier observations, subsequent intelligence demonstrates persistent and expanding operations.
In 2022, GALLIUM was identified using the new PingPull RAT, expanding its targeting beyond telecommunications to include financial institutions and government entities across Southeast Asia, Europe, and Africa. Further reports in 2023 continued to track their use of PingPull and the Linux backdoor Sword2033, targeting Southeast Asian governments and organizations, with particular activity noted in South Africa and Nepal. Microsoft Threat Intelligence also observed Granite Typhoon (GALLIUM) actively compromising telecommunication entities in Indonesia, Malaysia, the Philippines, Cambodia, and Taiwan during 2023. More broadly, intelligence from 2024-2025 by various security vendors confirms GALLIUM’s global evolution from telecom-centric espionage to multi-sector operations, with continued use of SoftEther VPN. This continued activity confirms GALLIUM’s ongoing threat to critical infrastructure worldwide.
Related content
Worried this actor targets your sector?
Let's map your exposure before they find it themselves.
Book an advisory call