Linux Shift: Chinese APT Alloy Taurus Is Back With Retooling

Published: 23/11/2024   Category: security




An old threat actor is making its comeback, sending around its old malware with a new tint.



After a brief hiatus, the Alloy Taurus APT (aka Gallium or Operation Soft Cell) is back on the scene, with a new Linux variant of its PingPull malware.
Alloy Taurus is a Chinese nation-state-affiliated threat actor, around since at least 2012 but only in the spotlight since 2019. It focuses on espionage, and is best known for targeting major telecommunications providers.
In a blog post last June, Palo Alto Networks Unit 42 published details on the original, Windows version of PingPull. It was a Visual C++-based remote access Trojan (RAT), which enabled its proprietor to run commands and access a reverse shell on a compromised target computer.
Alloy Taurus took a hit in the second half of 2022, but now it's back in full. "They burned the Windows version of PingPull," explains Pete Renals, principal researcher at Unit 42, "and they've spun up a new capability that demonstrates some degree of expertise switching to a different variant."
The Linux variant largely overlaps with its Windows ancestor, allowing the attackers to list, read, write, copy, rename, and delete files, as well as run commands. Interestingly, PingPull also shares some functions, HTTP parameters, and command handlers with the China Chopper Web shell infamously deployed in the 2021 attacks against Microsoft Exchange Servers.
Alloy Taurus burst onto the scene in 2018–2019, with bold espionage campaigns against major telecommunications providers around the world. As Cybereason explained in its then-breaking blog post in June 2019, the threat actor was attempting to steal all data stored in the active directory, compromising every single username and password in the organization, along with other personally identifiable information, billing data, call detail records, credentials, email servers, geolocation of users, and more.
"Even when compared with other Chinese state-level APTs, it's fairly mature and fairly serious," Renals assesses. "The ability to get into an AT&T or Verizon or Deutsche Telekom, lay low, and change router configs, requires a certain degree of expertise. That's not your junior varsity team in any way, shape, or form."
But Alloy Taurus wasn't invulnerable, as researchers recently discovered.
The group was flying high in late 2021 and early 2022, utilizing its PingPull Windows RAT in multiple campaigns, Unit 42 noted in its June blog post. It targeted telecoms but also military and government organizations, located in Afghanistan, Australia, Belgium, Cambodia, Malaysia, Mozambique, the Philippines, Russia and Vietnam.
"Then, only three to five days after we published in June, we watched them abandon all their infrastructure that was covered in the report," Renals says. "They changed everything to point to a specific government and Southeast Asia — so that all the beaconing implants and all the victims got redirected to another country — and they basically wiped their hands of all of it."
Alloy Taurus hadn't disappeared entirely, but it had certainly retreated. "They were living off the land," Renals explains. "Some of the core upstream infrastructure remained open and running."
The victory was short-lived when, in December, researchers picked up on new signs of life. And in March, they captured a Linux sample of the old PingPull malware. "It shows a mature APT's capability to respond and adjust very quickly," Renals says.
That APTs can so effortlessly return in new forms presents a conundrum for cyber defenders. How does one protect against a group like Alloy Taurus today, if it can simply return wearing new makeup tomorrow?
"I think the days of tracking specific indicators of compromise (IoCs) are largely behind us," says Renals. "Now it's more about tracking the techniques and the tactics, and having the behavioral analytics to go detect that kind of activity. That's where we're shifting the endpoint, that's where we're shifting network security, as well."
Discovering the new PingPull, he believes, is a case in point for this better way of sussing out sophisticated APTs. "With the Linux variant, we initially may have triaged it as benign. And then we looked at it and said: 'Hey, wait a minute. This has very similar characteristics to something else that's malicious. Let's have a human go look at this.' So, having that capability is essential."
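The contrast Renals draws, between matching a hash from an IoC list and recognising the behaviour of a RAT, can be made concrete with a small triage script. The following is an added illustration, not code from the article or from Unit 42: it runs a hash-based check and a behaviour-based check over constructed endpoint records, where the "retooled" process has the same file-handling and command-execution profile the article attributes to PingPull but a different binary hash. The event schema, the hashes and the thresholds are all assumptions made for the example.

```python
"""Added example (not from the article): why behaviour-based triage survives a
retooling that a hash-based IoC list does not.  All sample data below is
constructed for illustration; nothing here is real PingPull telemetry."""
import hashlib
from dataclasses import dataclass, field

# The capabilities the article attributes to PingPull: file handling plus
# command execution, driven over HTTP.  Used as the behavioural signature.
RAT_FILE_OPS = {"list", "read", "write", "copy", "rename", "delete"}


@dataclass
class ProcessEvent:
    """One summarised endpoint record for a process (constructed schema)."""
    pid: int
    image: str
    sha256: str
    file_ops: set = field(default_factory=set)   # distinct file operations seen
    spawned_shell: bool = False                 # launched /bin/sh or similar
    outbound_http: bool = False                 # made HTTP(S) connections
    parent_interactive: bool = False            # parent was a login shell/terminal


def sample_hash(seed: bytes) -> str:
    """Stand-in for the hash of a binary; the seed is constructed, not a real file."""
    return hashlib.sha256(seed).hexdigest()


def ioc_match(ev: ProcessEvent, known_hashes: set) -> bool:
    """Classic IoC check: exact hash match against a block list."""
    return ev.sha256 in known_hashes


def behavioral_match(ev: ProcessEvent) -> bool:
    """Behavioural check: a non-interactive process that both manipulates files
    broadly and runs commands while talking HTTP looks like a RAT regardless
    of its hash.  The threshold of three file-operation kinds is an assumption."""
    broad_file_access = len(ev.file_ops & RAT_FILE_OPS) >= 3
    return (broad_file_access and ev.spawned_shell and ev.outbound_http
            and not ev.parent_interactive)


def triage(events, known_hashes):
    """Return {pid: verdict}; 'review' means hand it to an analyst."""
    verdicts = {}
    for ev in events:
        if ioc_match(ev, known_hashes):
            verdicts[ev.pid] = "known-bad"
        elif behavioral_match(ev):
            verdicts[ev.pid] = "review"
        else:
            verdicts[ev.pid] = "benign"
    return verdicts


# Constructed scenario: the hash list was built from the first sample only.
OLD_SAMPLE = sample_hash(b"constructed-sample-v1")
RETOOLED_SAMPLE = sample_hash(b"constructed-sample-v2")   # recompiled variant
KNOWN_BAD_HASHES = {OLD_SAMPLE}

EVENTS = [
    # Original sample: caught by the hash list.
    ProcessEvent(101, "/tmp/.x/agent", OLD_SAMPLE,
                 {"list", "read", "write", "delete"}, True, True, False),
    # Retooled sample: new hash, same behaviour; only the behavioural rule fires.
    ProcessEvent(102, "/tmp/.y/agent", RETOOLED_SAMPLE,
                 {"list", "read", "write", "rename"}, True, True, False),
    # A backup job touches many files but never spawns a shell or beacons.
    ProcessEvent(103, "/usr/bin/backup", sample_hash(b"backup"),
                 {"list", "read", "copy"}, False, False, False),
    # An admin running a script by hand from a terminal.
    ProcessEvent(104, "/usr/bin/python3", sample_hash(b"python"),
                 {"list", "read", "write"}, True, True, True),
]

if __name__ == "__main__":
    for pid, verdict in triage(EVENTS, KNOWN_BAD_HASHES).items():
        print(pid, verdict)
```

The verdict for process 102 is the point of the exercise: its hash is absent from the block list, so the IoC check says nothing, while the combination of broad file access, a spawned shell and outbound HTTP from a non-interactive parent still routes it to an analyst, which is the "have a human go look at this" step Renals describes. The `parent_interactive` flag is one simple way to keep ordinary administrators out of the review queue; a production rule would use richer context than this toy schema.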
