top of page

New Linux Backdoor and Malware Found in Attacks by Chinese Nation-State Group

The cyber espionage group Alloy Taurus has been targeting telecom companies since at least 2012 and has recently broadened their victimology footprint to include financial institutions and government entities. The group uses a Linux variant of a backdoor called PingPull as well as a new undocumented tool codenamed Sword2033, according to findings from Palo Alto Networks Unit 42. PingPull, first documented by Unit 42 in June 2022, is a remote access trojan that employs the Internet Control Message Protocol (ICMP) for command-and-control (C2) communications. The Linux flavor of the malware boasts of similar functionalities as its Windows counterpart, allowing it to carry out file operations and run arbitrary commands by transmitting from the C2 server a single upper case character between A and K, and M. Alloy Taurus is the constellation-themed moniker assigned to the threat actor by Microsoft, who tracks the group as Granite Typhoon (previously Gallium). Last month, the adversary was attributed to a campaign called Tainted Love targeting telecommunication providers in the Middle East as part of a broader operation referred to as Soft Cell. The recent cyber activity by Alloy Taurus demonstrates the group's continued interest in targeting telecom companies as well as their expanding victimology footprint. Organizations in the telecom, financial, and government sectors should be aware of this activity and take steps to protect their networks.


bottom of page