{
	"id": "4c87bc6e-cfd4-47fa-8acf-a5e6004e0576",
	"created_at": "2026-04-06T00:08:19.91494Z",
	"updated_at": "2026-04-10T13:12:44.456408Z",
	"deleted_at": null,
	"sha1_hash": "474e558a64794edff9672dae12d6ef02928b320f",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 48534,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-05 21:45:54 UTC\nTool: PingPull\nNames: PingPull\nCategory: Malware\nType: Backdoor\nDescription:\n(Palo Alto) PingPull has the capability to leverage three protocols (ICMP, HTTP(S) and raw TCP) for command and control (C2). While the use of ICMP tunneling is not a new technique, PingPull uses ICMP to make it more difficult to detect its C2 communications, as few organizations implement inspection of ICMP traffic on their networks. This blog provides a detailed breakdown of this new tool as well as the GALLIUM group's recent infrastructure.\nInformation: MITRE ATT\u0026CK, Malpedia\nLast change to this tool card: 22 June 2023\nAll groups using tool PingPull (columns: Changed, Name, Country, Observed)\nAPT groups:\nGallium, observed 2018-Jun 2022\n1 group listed (1 APT, 0 other, 0 unknown)\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=810f83c1-2cc8-44a2-9fee-e24e84dfc349",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=810f83c1-2cc8-44a2-9fee-e24e84dfc349"
	],
	"report_names": [
		"listgroups.cgi?u=810f83c1-2cc8-44a2-9fee-e24e84dfc349"
	],
	"threat_actors": [
		{
			"id": "7bf3ffe5-09ba-4378-8ea4-a6d748a494fd",
			"created_at": "2022-10-25T15:50:23.264584Z",
			"updated_at": "2026-04-10T02:00:05.334294Z",
			"deleted_at": null,
			"main_name": "GALLIUM",
			"aliases": [
				"GALLIUM",
				"Granite Typhoon"
			],
			"source_name": "MITRE:GALLIUM",
			"tools": [
				"ipconfig",
				"cmd",
				"China Chopper",
				"PoisonIvy",
				"at",
				"PlugX",
				"PingPull",
				"BlackMould",
				"Mimikatz",
				"PsExec",
				"HTRAN",
				"NBTscan",
				"Windows Credential Editor"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "9faf32b7-0221-46ac-a716-c330c1f10c95",
			"created_at": "2022-10-25T16:07:23.652281Z",
			"updated_at": "2026-04-10T02:00:04.702108Z",
			"deleted_at": null,
			"main_name": "Gallium",
			"aliases": [
				"Alloy Taurus",
				"G0093",
				"Granite Typhoon",
				"Phantom Panda"
			],
			"source_name": "ETDA:Gallium",
			"tools": [
				"Agentemis",
				"BlackMould",
				"CHINACHOPPER",
				"China Chopper",
				"Chymine",
				"CinaRAT",
				"Cobalt Strike",
				"CobaltStrike",
				"Darkmoon",
				"Gen:Trojan.Heur.PT",
				"Gh0stCringe RAT",
				"HTran",
				"HUC Packet Transmit Tool",
				"LaZagne",
				"Mimikatz",
				"NBTscan",
				"PingPull",
				"Plink",
				"Poison Ivy",
				"PsExec",
				"PuTTY Link",
				"QuarkBandit",
				"Quasar RAT",
				"QuasarRAT",
				"Reshell",
				"SPIVY",
				"SinoChopper",
				"SoftEther VPN",
				"Sword2033",
				"WCE",
				"WinRAR",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"Yggdrasil",
				"cobeacon",
				"nbtscan",
				"netcat",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "c87ee2df-e528-4fa0-bed6-6ed29e390688",
			"created_at": "2023-01-06T13:46:39.150432Z",
			"updated_at": "2026-04-10T02:00:03.231072Z",
			"deleted_at": null,
			"main_name": "GALLIUM",
			"aliases": [
				"Red Dev 4",
				"Alloy Taurus",
				"Granite Typhoon",
				"PHANTOM PANDA"
			],
			"source_name": "MISPGALAXY:GALLIUM",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434099,
	"ts_updated_at": 1775826764,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/474e558a64794edff9672dae12d6ef02928b320f.pdf",
		"text": "https://archive.orkl.eu/474e558a64794edff9672dae12d6ef02928b320f.txt",
		"img": "https://archive.orkl.eu/474e558a64794edff9672dae12d6ef02928b320f.jpg"
	}
}