{ "id": "b6b07ae6-0bdd-436f-a1af-85892165af28", "created_at": "2026-04-06T00:10:01.523557Z", "updated_at": "2026-04-10T13:13:08.04136Z", "deleted_at": null, "sha1_hash": "d071a5e6ab69dcaceaf926c100392805250b4aeb", "title": "Threat Group Cards: A Threat Actor Encyclopedia", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 58999, "plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-05 21:19:05 UTC\n APT group: Gallium\nNames\nGallium (Microsoft)\nPhantom Panda (CrowdStrike)\nGranite Typhoon (Microsoft)\nAlloy Taurus (Palo Alto)\nG0093 (MITRE)\nCountry China\nMotivation Information theft and espionage\nFirst seen 2018\nDescription\n(Microsoft) To compromise targeted networks, GALLIUM target unpatched\ninternet-facing services using publicly available exploits and have been known to\ntarget vulnerabilities in WildFly/JBoss. Once persistence is established in a network,\nGALLIUM uses common techniques and tools like Mimikatz to obtain credentials\nthat allows for lateral movement across the target network. Within compromised\nnetworks, GALLIUM makes no attempt to obfuscate their intent and are known to\nuse common versions of malware and publicly available toolkits with small\nmodifications. The operators rely on low cost and easy to replace infrastructure that\nconsists of dynamic-DNS domains and regularly reused hop points.\nThis activity from GALLIUM has been identified predominantly through 2018 to\nmid-2019. GALLIUM is still active; however, activity levels have dropped when\ncompared to what was previously observed.\nObserved Sectors: Financial, Government, Telecommunications.\nTools used\nBlackMould, China Chopper, Cobalt Strike, Gh0stCringe RAT, HTran, LaZagne,\nMimikatz, nbtscan, netcat, PingPull, Plink, Poison Ivy, PsExec, QuarkBandit,\nQuasarRAT, Reshell, SoftEther VPN, Sword2033, Windows Credentials Editor,\nWinRAR.\nOperations performed\nSep 2021\nChinese Alloy Taurus Updates PingPull Malware\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=8dd3c489-96f1-412f-9eec-60f96a674571\nPage 1 of 2\n\nEarly 2022\nPersistent Attempts at Cyberespionage Against Southeast Asian\nGovernment Target Have Links to Alloy Taurus\nJun 2022\nGALLIUM Expands Targeting Across Telecommunications,\nGovernment and Finance Sectors With New PingPull Tool\nInformation\nMITRE ATT\u0026CK Last change to this card: 16 August 2025\nDownload this actor card in PDF or JSON format\nSource: https://apt.etda.or.th/cgi-bin/showcard.cgi?u=8dd3c489-96f1-412f-9eec-60f96a674571\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=8dd3c489-96f1-412f-9eec-60f96a674571\nPage 2 of 2", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "origins": [ "web" ], "references": [ "https://apt.etda.or.th/cgi-bin/showcard.cgi?u=8dd3c489-96f1-412f-9eec-60f96a674571" ], "report_names": [ "showcard.cgi?u=8dd3c489-96f1-412f-9eec-60f96a674571" ], "threat_actors": [ { "id": "7bf3ffe5-09ba-4378-8ea4-a6d748a494fd", "created_at": "2022-10-25T15:50:23.264584Z", "updated_at": "2026-04-10T02:00:05.334294Z", "deleted_at": null, "main_name": "GALLIUM", "aliases": [ "GALLIUM", "Granite Typhoon" ], "source_name": "MITRE:GALLIUM", "tools": [ "ipconfig", "cmd", "China Chopper", "PoisonIvy", "at", "PlugX", "PingPull", "BlackMould", "Mimikatz", "PsExec", "HTRAN", "NBTscan", "Windows Credential Editor" ], "source_id": "MITRE", "reports": null }, { "id": "04b07437-41bb-4126-bcbb-def16f19d7c6", "created_at": "2022-10-25T16:07:24.232628Z", "updated_at": "2026-04-10T02:00:04.906097Z", "deleted_at": null, "main_name": "Stone Panda", "aliases": [ "APT 10", "ATK 41", "Bronze Riverside", "CTG-5938", "CVNX", "Cuckoo Spear", "Earth Kasha", "G0045", "G0093", "Granite Taurus", "Happyyongzi", "Hogfish", "ITG01", "Operation A41APT", "Operation Cache Panda", "Operation ChessMaster", "Operation Cloud Hopper", "Operation Cuckoo Spear", "Operation New Battle", "Operation Soft Cell", "Operation TradeSecret", "Potassium", "Purple Typhoon", "Red Apollo", "Stone Panda", "TA429", "menuPass", "menuPass Team" ], "source_name": "ETDA:Stone Panda", "tools": [ "Agent.dhwf", "Agentemis", "Anel", "AngryRebel", "BKDR_EVILOGE", "BKDR_HGDER", "BKDR_NVICM", "BUGJUICE", "CHINACHOPPER", "ChChes", "China Chopper", "Chymine", "CinaRAT", "Cobalt Strike", "CobaltStrike", "DARKTOWN", "DESLoader", "DILLJUICE", "DILLWEED", "Darkmoon", "DelfsCake", "Derusbi", "Destroy RAT", "DestroyRAT", "Ecipekac", "Emdivi", "EvilGrab", "EvilGrab RAT", "FYAnti", "Farfli", "Gen:Trojan.Heur.PT", "Gh0st RAT", "Ghost RAT", "GreetCake", "HAYMAKER", "HEAVYHAND", "HEAVYPOT", "HTran", "HUC Packet Transmit Tool", "Ham Backdoor", "HiddenFace", "Impacket", "Invoke the Hash", "KABOB", "Kaba", "Korplug", "LODEINFO", "LOLBAS", "LOLBins", "Living off the Land", "MiS-Type", "Mimikatz", "Moudour", "Mydoor", "NBTscan", "NOOPDOOR", "Newsripper", "P8RAT", "PCRat", "PlugX", "Poison Ivy", "Poldat", "PowerSploit", "PowerView", "PsExec", "PsList", "Quarks PwDump", "Quasar RAT", "QuasarRAT", "RedDelta", "RedLeaves", "Rubeus", "SNUGRIDE", "SPIVY", "SharpSploit", "SigLoader", "SinoChopper", "SodaMaster", "Sogu", "TIGERPLUG", "TVT", "Thoper", "Trochilus RAT", "UpperCut", "Vidgrab", "WinRAR", "WmiExec", "Wmonder", "Xamtrav", "Yggdrasil", "Zlib", "certutil", "certutil.exe", "cobeacon", "dfls", "lena", "nbtscan", "pivy", "poisonivy", "pwdump" ], "source_id": "ETDA", "reports": null }, { "id": "9faf32b7-0221-46ac-a716-c330c1f10c95", "created_at": "2022-10-25T16:07:23.652281Z", "updated_at": "2026-04-10T02:00:04.702108Z", "deleted_at": null, "main_name": "Gallium", "aliases": [ "Alloy Taurus", "G0093", "Granite Typhoon", "Phantom Panda" ], "source_name": "ETDA:Gallium", "tools": [ "Agentemis", "BlackMould", "CHINACHOPPER", "China Chopper", "Chymine", "CinaRAT", "Cobalt Strike", "CobaltStrike", "Darkmoon", "Gen:Trojan.Heur.PT", "Gh0stCringe RAT", "HTran", "HUC Packet Transmit Tool", "LaZagne", "Mimikatz", "NBTscan", "PingPull", "Plink", "Poison Ivy", "PsExec", "PuTTY Link", "QuarkBandit", "Quasar RAT", "QuasarRAT", "Reshell", "SPIVY", "SinoChopper", "SoftEther VPN", "Sword2033", "WCE", "WinRAR", "Windows Credential Editor", "Windows Credentials Editor", "Yggdrasil", "cobeacon", "nbtscan", "netcat", "pivy", "poisonivy" ], "source_id": "ETDA", "reports": null }, { "id": "c87ee2df-e528-4fa0-bed6-6ed29e390688", "created_at": "2023-01-06T13:46:39.150432Z", "updated_at": "2026-04-10T02:00:03.231072Z", "deleted_at": null, "main_name": "GALLIUM", "aliases": [ "Red Dev 4", "Alloy Taurus", "Granite Typhoon", "PHANTOM PANDA" ], "source_name": "MISPGALAXY:GALLIUM", "tools": [], "source_id": "MISPGALAXY", "reports": null } ], "ts_created_at": 1775434201, "ts_updated_at": 1775826788, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/d071a5e6ab69dcaceaf926c100392805250b4aeb.pdf", "text": "https://archive.orkl.eu/d071a5e6ab69dcaceaf926c100392805250b4aeb.txt", "img": "https://archive.orkl.eu/d071a5e6ab69dcaceaf926c100392805250b4aeb.jpg" } }