{
	"id": "57a82d22-8ee9-4f5a-9be8-c29b333e7ace",
	"created_at": "2026-04-06T00:18:20.660907Z",
	"updated_at": "2026-04-10T03:37:01.101568Z",
	"deleted_at": null,
	"sha1_hash": "5f314004906bed305ac40a538eb7c8a76395c700",
	"title": "Chinese Alloy Taurus Updates PingPull Malware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 294574,
	"plain_text": "Chinese Alloy Taurus Updates PingPull Malware\r\nBy Unit 42\r\nPublished: 2023-04-26 · Archived: 2026-04-05 13:08:26 UTC\r\nExecutive Summary\r\nUnit 42 researchers recently identified a new variant of PingPull malware used by Alloy Taurus actors designed to target Linux systems. While following the infrastructure leveraged by the actor for this PingPull variant, we also identified their use of another backdoor we track as Sword2033.\r\nThe first samples of PingPull malware date back to September 2021. Monitoring its use across several campaigns, in June 2022 Unit 42 published research outlining the functionality of PingPull and attributed the use of the tool to Alloy Taurus.\r\nOperating since at least 2012, Alloy Taurus (aka GALLIUM, Softcell) is assessed to be a Chinese advanced persistent threat (APT) group that routinely conducts cyberespionage campaigns. This group has historically targeted telecommunications companies operating across Asia, Europe and Africa. In recent years we have also observed the group expand their targeting to include financial institutions and government entities.\r\nWe provide a detailed breakdown of the following:\r\nA new variant of PingPull\r\nSword2033 samples linked to the same command and control (C2) infrastructure\r\nRecent activity by Alloy Taurus in South Africa and Nepal\r\nPalo Alto Networks customers receive protections from the threats described in this blog through Cortex XDR and WildFire malware analysis. The Advanced URL Filtering and DNS Security Cloud-Delivered Security Services can help protect against C2 infrastructure.\r\nPingPull Linux Variant\r\nOn March 7, 2023, the following sample was uploaded to VirusTotal.\r\nFilename nztloader\r\nFiletype ELF\r\nSHA256 cb0922d8b130504bf9a3078743294791201789c5a3d7bc0369afd096ea15f0ae\r\nTable 1. PingPull sample file details.\r\nAt the time of writing, three out of 62 vendors found the sample to be malicious. Despite a largely benign verdict, additional analysis has determined that this sample is a Linux variant of PingPull malware. This determination was made based on matching HTTP communication structure, POST parameters, AES key, and C2 commands, which are outlined below.\r\nhttps://unit42.paloaltonetworks.com/alloy-taurus/\r\nPage 1 of 7\r\nUpon execution, this sample is configured to communicate with the domain yrhsywu2009.zapto[.]org over port 8443 for C2. It uses a statically linked OpenSSL (OpenSSL 0.9.8e) library to interact with the domain over HTTPS via the following HTTP POST request:\r\nFigure 1. PingPull Linux variant POST request.\r\nThe payload then expects the C2 server to respond with data that is Base64 encoded ciphertext, encrypted with AES using P29456789A1234sS as the key. This is the same key that we previously observed in the original Windows PE variant of PingPull.\r\nOnce decoded, the cleartext resembles HTTP parameters and the payload will parse the cleartext for & and = with the following parameters:\r\nFigure 2. PingPull HTTP parameters.\r\nThe value in the P29456789A1234sS parameter will contain a single upper case character between A and K, as well as M, which the payload will use as the command value. The values in the z0, z1 and z2 parameters are used for the arguments passed to the command.\r\nAfter running the command, the payload will send the results back to the C2 server via an HTTPS request that resembles the beacon request, but contains Base64 encoded ciphertext. The command handler supports the following functionality that aligns with both China Chopper capabilities and those observed in the PingPull Windows PE variant:\r\nCmd Description\r\nA Get the current directory\r\nB List folder\r\nC Read text file\r\nD Write text file\r\nE Delete file or folder\r\nF Read binary file, convert to hex\r\nG Write binary file, convert to hex\r\nH Copy file or folder\r\nI Rename file\r\nJ Create Directory\r\nK Timestomp file with specified timestamp in \"%04d-%d-%d %d:%d:%d\" format\r\nM Run command\r\nTable 2. PingPull command handler functionality.\r\nOf note, the HTTP parameters z0, z1 and z2 and command handlers A-K, M also align to commands A-K, M observed in the web shell China Chopper. This suggests that Alloy Taurus is using code they might be familiar with, and they are integrating it into the development of custom tooling.\r\nSword2033 Backdoor\r\nPivoting on the C2 domain, we identified one additional sample that also communicated with yrhsywu2009.zapto[.]org:\r\nSword2033 Sample 1\r\nFilename zimbra\r\nFiletype ELF\r\nSHA256 5ba043c074818fdd06ae1d3939ddfe7d3d35bab5d53445bc1f2f689859a87507\r\nTable 3. Related Sword2033 sample file details.\r\nSimilar to the PingPull variant above, this sample was designed to connect to port 8443 over HTTPS. However, analysis of the sample revealed that it’s a simple backdoor that we track as Sword2033. This backdoor supports three basic functions:\r\nCmd Description\r\n#up Uploads a file to the system\r\n#dn Downloads a file from the system\r\nexc /c: Executes a command, but appends ;echo <random number>\\n before running it\r\nTable 4. Sword2033 command handler functionality.\r\nThese three commands map to commands in a second command handler that uses A, C, D and M commands, which are identical in value and functionality with the PingPull commands identified in Table 2 above.\r\nSearching for other recent samples of Sword2033, we identified a second sample:\r\nSword2033 Sample 2\r\nFilename Hopke\r\nFiletype ELF\r\nSHA256 e39b5c32ab255ad284ae6d4dae8b4888300d4b5df23157404d9c8be3f95b3253\r\nTable 5. Additional Sword2033 sample file details.\r\nThis sample was seen in July 2022. Analysis of this sample revealed that it’s configured to connect to 196.216.136[.]139, located in South Africa, for C2.\r\nInfrastructure Analysis\r\nAnalysis of the C2 domain yrhsywu2009.zapto[.]org found in the PingPull Linux variant and the first Sword2033 sample shows it was most recently hosted on 5.181.25[.]99 until early February 2023. However, a historical review of its hosting revealed that this domain resolved to 45.251.241[.]82 for a single day in April 2022. This IP was outlined as an active indicator of compromise (IoC) in our June 2022 report, thereby drawing a clear link to Alloy Taurus activities.\r\nAnalysis of the C2 for the second Sword2033 sample (Hopke, referenced in Table 5) found that the domain *.saspecialforces.co[.]za resolved to 196.216.136[.]139. This domain has been hosted on eight other IPs throughout its history with various mail-related subdomains.\r\nNone of these IPs appear to have any affiliation with the South African government, but the domain name gives the impression of a connection to the South African military. The establishment of a C2 server that appears to impersonate the South African military is uniquely notable when analyzed in the context of recent events. In February 2023, South Africa joined Russia and China to participate in combined naval exercises.\r\nAdditionally, 196.216.136[.]139 resolved to vpn729380678.softether[.]net from late December 2022 through mid-February 2023. Alloy Taurus is known for leveraging the SoftEther VPN service in their operations to facilitate access to, and maintain persistence in, their targeted network.\r\nThreat actors often abuse, take advantage of or subvert legitimate products like SoftEther VPN for malicious purposes. This does not necessarily imply a flaw or malicious quality to the legitimate product being abused.\r\nFigure 3. PingPull/Sword2033 infrastructure visualization.\r\nReviewing traffic to the Sword2033 C2 server 196.216.136[.]139, we identified sustained connections originating from an IP that hosts several subdomains for an organization that finances long-term urban infrastructure development projects in Nepal.\r\nConclusion\r\nAlloy Taurus remains an active threat to telecommunications, finance and government organizations across Southeast Asia, Europe and Africa. The identification of a Linux variant of PingPull malware, as well as recent use of the Sword2033 backdoor, suggests that the group continues to evolve their operations in support of their espionage activities. We encourage all organizations to leverage our findings to inform the deployment of protective measures to defend against this threat group.\r\nPalo Alto Networks has shared these findings, including file samples and indicators of compromise, with our fellow Cyber Threat Alliance (CTA) members. CTA members use this intelligence to rapidly deploy protections to their customers and to systematically disrupt malicious cyber actors. Learn more about the Cyber Threat Alliance.\r\nProtections and Mitigations\r\nIn order to defend against the threats described in this blog, Palo Alto Networks recommends organizations employ the following capabilities:\r\nNetwork Security: Delivered through a Next-Generation Firewall (NGFW) configured with machine learning enabled, and best-in-class, cloud-delivered security services. This includes, for example, threat prevention, URL filtering, DNS security and a malware prevention engine capable of identifying and blocking malicious samples and infrastructure.\r\nEndpoint Security: Delivered through an XDR solution that is capable of identifying malicious code through the use of advanced machine learning and behavioral analytics. This solution should be configured to act on and block threats in real time as they are identified.\r\nSecurity Automation: Delivered through an XSOAR or XSIAM solution capable of providing SOC analysts with a comprehensive understanding of the threat derived by stitching together data obtained from endpoints, network, cloud and identity systems.\r\nSpecific Product Protections and Mitigations\r\nFor Palo Alto Networks customers, our products and services provide the following coverage associated with this group:\r\nWildFire cloud-based threat analysis service accurately identifies the malware described in this blog as malicious.\r\nAdvanced URL Filtering and DNS Security identify domains associated with Alloy Taurus as malicious.\r\nCortex XDR prevents the execution of known malware samples. Behavioral threat protection covers this activity starting from content version 930.\r\nIf you think you may have been compromised or have an urgent matter, get in touch with the Unit 42 Incident Response team or call:\r\nNorth America Toll-Free: 866.486.4842 (866.4.UNIT42)\r\nEMEA: +31.20.299.3130\r\nAPAC: +65.6983.8730\r\nJapan: +81.50.1790.0200\r\nIndicators of Compromise\r\nSource: https://unit42.paloaltonetworks.com/alloy-taurus/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://unit42.paloaltonetworks.com/alloy-taurus/"
	],
	"report_names": [
		"alloy-taurus"
	],
	"threat_actors": [
		{
			"id": "7bf3ffe5-09ba-4378-8ea4-a6d748a494fd",
			"created_at": "2022-10-25T15:50:23.264584Z",
			"updated_at": "2026-04-10T02:00:05.334294Z",
			"deleted_at": null,
			"main_name": "GALLIUM",
			"aliases": [
				"GALLIUM",
				"Granite Typhoon"
			],
			"source_name": "MITRE:GALLIUM",
			"tools": [
				"ipconfig",
				"cmd",
				"China Chopper",
				"PoisonIvy",
				"at",
				"PlugX",
				"PingPull",
				"BlackMould",
				"Mimikatz",
				"PsExec",
				"HTRAN",
				"NBTscan",
				"Windows Credential Editor"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "9faf32b7-0221-46ac-a716-c330c1f10c95",
			"created_at": "2022-10-25T16:07:23.652281Z",
			"updated_at": "2026-04-10T02:00:04.702108Z",
			"deleted_at": null,
			"main_name": "Gallium",
			"aliases": [
				"Alloy Taurus",
				"G0093",
				"Granite Typhoon",
				"Phantom Panda"
			],
			"source_name": "ETDA:Gallium",
			"tools": [
				"Agentemis",
				"BlackMould",
				"CHINACHOPPER",
				"China Chopper",
				"Chymine",
				"CinaRAT",
				"Cobalt Strike",
				"CobaltStrike",
				"Darkmoon",
				"Gen:Trojan.Heur.PT",
				"Gh0stCringe RAT",
				"HTran",
				"HUC Packet Transmit Tool",
				"LaZagne",
				"Mimikatz",
				"NBTscan",
				"PingPull",
				"Plink",
				"Poison Ivy",
				"PsExec",
				"PuTTY Link",
				"QuarkBandit",
				"Quasar RAT",
				"QuasarRAT",
				"Reshell",
				"SPIVY",
				"SinoChopper",
				"SoftEther VPN",
				"Sword2033",
				"WCE",
				"WinRAR",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"Yggdrasil",
				"cobeacon",
				"nbtscan",
				"netcat",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "c87ee2df-e528-4fa0-bed6-6ed29e390688",
			"created_at": "2023-01-06T13:46:39.150432Z",
			"updated_at": "2026-04-10T02:00:03.231072Z",
			"deleted_at": null,
			"main_name": "GALLIUM",
			"aliases": [
				"Red Dev 4",
				"Alloy Taurus",
				"Granite Typhoon",
				"PHANTOM PANDA"
			],
			"source_name": "MISPGALAXY:GALLIUM",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434700,
	"ts_updated_at": 1775792221,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/5f314004906bed305ac40a538eb7c8a76395c700.pdf",
		"text": "https://archive.orkl.eu/5f314004906bed305ac40a538eb7c8a76395c700.txt",
		"img": "https://archive.orkl.eu/5f314004906bed305ac40a538eb7c8a76395c700.jpg"
	}
}