{
	"id": "464b9b5c-954b-4f50-a973-997534a51496",
	"created_at": "2026-04-06T00:06:30.651757Z",
	"updated_at": "2026-04-10T03:37:01.069259Z",
	"deleted_at": null,
	"sha1_hash": "e2a5ff7e5beea32042a46bdf69cdc96792d1ea6d",
	"title": "GALLIUM: Targeting global telecom",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 284560,
	"plain_text": "GALLIUM: Targeting global telecom\r\nBy Microsoft Threat Intelligence\r\nPublished: 2019-12-12 · Archived: 2026-04-02 11:35:25 UTC\r\nMicrosoft Threat Intelligence Center (MSTIC) is raising awareness of the ongoing activity by a group we call\r\nGALLIUM, targeting telecommunication providers. When Microsoft customers have been targeted by this\r\nactivity, we notified them directly with the relevant information they need to protect themselves. By sharing the\r\ndetailed methodology and indicators related to GALLIUM activity, we’re encouraging the security community to\r\nimplement active defenses to secure the broader ecosystem from these attacks.\r\nTo compromise targeted networks, GALLIUM target unpatched internet-facing services using publicly available\r\nexploits and have been known to target vulnerabilities in WildFly/JBoss. Once persistence is established in a\r\nnetwork, GALLIUM uses common techniques and tools like Mimikatz to obtain credentials that allows for lateral\r\nmovement across the target network. Within compromised networks, GALLIUM makes no attempt to obfuscate\r\ntheir intent and are known to use common versions of malware and publicly available toolkits with small\r\nmodifications. The operators rely on low cost and easy to replace infrastructure that consists of dynamic-DNS\r\ndomains and regularly reused hop points.\r\nThis activity from GALLIUM has been identified predominantly through 2018 to mid-2019. GALLIUM is still\r\nactive; however, activity levels have dropped when compared to what was previously observed.\r\nFollowing Microsoft’s internal practices of assigning chemical elements to activity groups, GALLIUM is the code\r\nname for this activity group.\r\nGALLIUM’s profile\r\nReconnaissance methods\r\nAs is often the case with the reconnaissance methods, it’s difficult to be definitive about those employed by\r\nGALLIUM. 
This is due to the passive nature of reconnaissance activities by the actor including the use of freely\r\navailable data from open sources, such as public websites and social media outlets. However, based on MSTIC\r\nanalyst assessments, GALLIUM’s exploitation of internet-facing services indicates it’s likely they use open source\r\nresearch and network scanning tools to identify likely targets.\r\nDelivery and exploitation\r\nTo gain initial access a target network, GALLIUM locates and exploits internet-facing services such as web\r\nservers. GALLIUM has been observed exploiting unpatched web services, such as WildFly/JBoss, for which\r\nexploits are widely available. Compromising a web server gives GALLIUM a foothold in the victim network that\r\ndoesn’t require user interaction, such as traditional delivery methods like phishing.\r\nhttps://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/\r\nPage 1 of 10\n\nFollowing exploitation of the web servers, GALLIUM actors typically install web shells, and then install\r\nadditional tooling to allow them to explore the target network.\r\nLateral movement\r\nGALLIUM uses a variety of tools to perform reconnaissance and move laterally within a target network. The\r\nmajority of these are off-the-shelf tools or modified versions of known security tools. MSTIC investigations\r\nindicate that GALLIUM modifies its tooling to the extent it evades antimalware detections rather than develop\r\ncustom functionality. This behavior has been observed with GALLIUM actors across several operational areas.\r\nGALLIUM has been observed using several tools. 
Samples of the most prevalent are noted in Table 1.\r\nTool                              Purpose\r\nHTRAN                             Connection bouncer to proxy connections.\r\nMimikatz                          Credential dumper.\r\nNBTScan                           Scanner for open NETBIOS nameservers on a local or remote TCP/IP network.\r\nNetcat                            Reads from and writes to network connections using TCP or UDP protocols.\r\nPsExec                            Executes a command line process on a remote machine.\r\nWindows Credential Editor (WCE)   Credential dumper.\r\nWinRAR                            Archiving utility.\r\nTable 1: GALLIUM tooling.\r\nGALLIUM has signed several tools using stolen code signing certificates. For example, they’ve used a credential dumping tool signed using a stolen certificate from Whizzimo, LLC, as shown in Figure 1. The code signing certificate shown in Figure 1 was no longer valid at the time of writing; however, it shows GALLIUM had access to such certificates.\r\nFigure 1. Credential dumping tool signed using a stolen Whizzimo, LLC certificate.\r\nGALLIUM primarily relies on compromised domain credentials to move through the target network and, as outlined above, uses several credential harvesting tools. Once they have acquired credentials, the activity group uses PsExec extensively to move laterally between hosts in the target network.\r\nInstallation\r\nGALLIUM predominantly uses widely available tools. In certain instances, GALLIUM has modified these tools to add functionality. However, it’s likely these modifications have been made to subvert antimalware solutions, since much of the malware and tooling employed by GALLIUM is historic and is widely detected by security products. For example, QuarkBandit is a modified version of the widely used Gh0st RAT, an openly available remote access tool (RAT). Similarly, GALLIUM has made use of a modified version of the widely available Poison Ivy RAT. These RATs and the China Chopper web shell form the basis of GALLIUM’s toolkit for maintaining access to a victim network.\r\nInfrastructure\r\nGALLIUM predominantly uses dynamic DNS subdomains to provide command and control (C2) infrastructure for their malware. Typically, the group uses the ddns.net and myftp.biz domains provided by noip.com. MSTIC analysis indicates the use of dynamic DNS providers as opposed to registered domains is in line with GALLIUM’s trend towards low-cost, low-effort operations.\r\nGALLIUM domains have been observed hosted on infrastructure in mainland China, Hong Kong SAR, and Taiwan.\r\nWhen connecting to web shells on a target network, GALLIUM has been observed employing Taiwan-based servers. Observed IP addresses appear to be exclusive to GALLIUM, have little to no legitimate activity, and are reused in multiple operations. These servers provide high-fidelity pivot points during an investigation.\r\nA package of GALLIUM indicators containing GALLIUM command and control domains used during this operation has been prepared for Azure Sentinel and is available on the Microsoft GitHub.\r\nFigure 2. Azure Sentinel query of GALLIUM indicators.\r\nGALLIUM use of malware\r\nFirst stage\r\nGALLIUM does not typically use a traditional first stage installer for their malware. Instead, the group relies heavily on web shells as a first method of persistence in a victim network following successful exploitation. Subsequent malware is then delivered through existing web shell access.\r\nMicrosoft Defender Advanced Threat Protection (ATP) exposes anomalous behaviors that indicate web shell installation and post-compromise activity by analyzing script file writes and process executions. 
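The two behaviors just described, script files written into a web root by the IIS worker process and command shells spawned from it, can be checked with endpoint telemetry most shops already collect. The Python below is an added example, not code from the original post or from Microsoft: it runs three hand-written rules over a few constructed Sysmon-style events (Event ID 1 process create, Event ID 11 file create). The field names, the web root path, and the assumption that PsExec's remote service keeps its default PSEXESVC name (the post says GALLIUM uses PsExec, not how) are assumptions made for the example.

```python
import ntpath

# Constructed sample telemetry in the shape of Sysmon Event ID 1 (process
# create) and Event ID 11 (file create). These are not real events.
EVENTS = [
    {'id': 11, 'host': 'web01', 'image': 'C:\\Windows\\System32\\inetsrv\\w3wp.exe',
     'target': 'C:\\inetpub\\wwwroot\\images\\logo.png'},
    {'id': 11, 'host': 'web01', 'image': 'C:\\Windows\\System32\\inetsrv\\w3wp.exe',
     'target': 'C:\\inetpub\\wwwroot\\css\\shell.aspx'},
    {'id': 1, 'host': 'web01', 'image': 'C:\\Windows\\System32\\cmd.exe',
     'parent_image': 'C:\\Windows\\System32\\inetsrv\\w3wp.exe',
     'command_line': 'cmd.exe /c whoami'},
    {'id': 1, 'host': 'web01', 'image': 'C:\\Windows\\System32\\cmd.exe',
     'parent_image': 'C:\\Windows\\explorer.exe',
     'command_line': 'cmd.exe'},
    {'id': 1, 'host': 'fs02', 'image': 'C:\\Windows\\PSEXESVC.exe',
     'parent_image': 'C:\\Windows\\System32\\services.exe',
     'command_line': 'C:\\Windows\\PSEXESVC.exe'},
]

WEB_ROOT = 'C:\\inetpub\\wwwroot'   # assumed IIS web root for the example
SCRIPT_EXT = ('.aspx', '.asp', '.ashx', '.asmx', '.php', '.jsp')
WEB_WORKERS = ('w3wp.exe',)        # IIS worker process
SHELLS = ('cmd.exe', 'powershell.exe')


def basename(path):
    # ntpath keeps Windows path semantics on any platform the script runs on
    return ntpath.basename(ntpath.normcase(path))


def under_web_root(path, root=WEB_ROOT):
    # Anchored prefix match on a directory boundary, so wwwrootx does not count
    p = ntpath.normcase(path)
    r = ntpath.normcase(root).rstrip(ntpath.sep)
    return p.startswith(r + ntpath.sep)


def rule_web_shell_drop(ev):
    # IIS worker writing a server-side script into the web root: a web shell
    # being dropped (a legitimate deploy should not run as w3wp.exe).
    if ev['id'] != 11 or basename(ev['image']) not in WEB_WORKERS:
        return None
    target = ntpath.normcase(ev['target'])
    if under_web_root(target) and target.endswith(SCRIPT_EXT):
        return 'web shell drop: %s wrote %s' % (basename(ev['image']), ev['target'])
    return None


def rule_web_shell_exec(ev):
    # A command shell whose parent is the IIS worker: web shell command execution.
    if ev['id'] != 1:
        return None
    if basename(ev['parent_image']) in WEB_WORKERS and basename(ev['image']) in SHELLS:
        return 'web shell exec: %s -> %s' % (basename(ev['parent_image']), ev['command_line'])
    return None


def rule_psexec_service(ev):
    # PsExec installs and starts a service binary (PSEXESVC.exe by default; the
    # -r switch renames it, so this only catches default-configuration use).
    if (ev['id'] == 1 and basename(ev['image']) == 'psexesvc.exe'
            and basename(ev['parent_image']) == 'services.exe'):
        return 'psexec lateral movement: %s' % ev['image']
    return None


RULES = (rule_web_shell_drop, rule_web_shell_exec, rule_psexec_service)


def detect(events):
    # Returns (host, finding) pairs so an analyst can pivot per host.
    findings = []
    for ev in events:
        for rule in RULES:
            hit = rule(ev)
            if hit:
                findings.append((ev['host'], hit))
    return findings


if __name__ == '__main__':
    for host, finding in detect(EVENTS):
        print(host, finding)
```

The same three rules translate directly into an EDR or SIEM query; the point of the parent-process rule is that it catches BlackMould, China Chopper and any other web shell alike, because all of them end up with w3wp.exe as the parent of cmd.exe.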
Microsoft Defender ATP offers a number of detections for web shell activity, protecting customers not just from GALLIUM activity but from broader web shell activity too. Read the full report in your Microsoft Defender ATP portal.\r\nFigure 3. Microsoft Defender ATP web shell detection.\r\nWhen alerted to these activities, the security operations team can then use the rich capabilities in Microsoft Defender ATP to investigate web shell activity and the subsequent reconnaissance and enumeration activity to resolve web shell attacks.\r\nFigure 4. Microsoft Defender ATP web shell process tree.\r\nIn addition to standard China Chopper, GALLIUM has been observed using a native web shell for servers running Microsoft IIS that is based on the China Chopper web shell; Microsoft has called this “BlackMould.”\r\nBlackMould contains functionality to perform the following tasks on a victim host:\r\nEnumerate local drives.\r\nEmploy basic file operations like find, read, write, delete, and copy.\r\nSet file attributes.\r\nExfiltrate and infiltrate files.\r\nRun cmd.exe with parameters.\r\nCommands are sent in the body of HTTP POST requests.\r\nSecond stage\r\nIn cases where GALLIUM has deployed additional malware on a victim network, they’ve used versions of the Gh0st RAT (a modified Gh0st RAT detected as QuarkBandit) and Poison Ivy malware. In both cases, GALLIUM has modified the communication method used by the malware, likely to prevent detection through existing antimalware signatures, since both malware families have several detections based on their original communication methods. 
Malware families are noted in Table 2.\r\nMalware family          Description and primary usage\r\nBlackMould              Native IIS web shell based on the China Chopper web shell.\r\nChina Chopper           Commonly used and widely shared web shell used by several threat actors. Not unique to GALLIUM.\r\nPoison Ivy (modified)   Poison Ivy is a widely shared remote access tool (RAT) first identified in 2005. While Poison Ivy is widely used, the variant GALLIUM has been observed using is a modified version that appears to be unique to GALLIUM.\r\nQuarkBandit             Gh0st RAT variant with modified configuration options and encryption.\r\nTable 2. GALLIUM malware families.\r\nGALLIUM’s malware and tools appear to be highly disposable and low cost. In cases where GALLIUM has invested in modifications to their toolset, they appear to focus on evading antimalware detection, likely to make the malware and tooling more effective.\r\nThe MSTIC team works closely with Microsoft security products to implement detections and protections for GALLIUM malware and tooling in a number of Microsoft products. Figure 5 shows one such detection for a GALLIUM PoisonIvy loader in Microsoft Defender ATP.\r\nFigure 5. GALLIUM PoisonIvy loader in Microsoft Defender ATP.\r\nAdditionally, MSTIC has authored a number of antimalware signatures for Windows Defender Antivirus covering the aforementioned malware families; a list of GALLIUM-exclusive signatures can be found in the “Related indicators” section.\r\nIn addition to these malware families, GALLIUM has been observed employing SoftEther VPN software to facilitate access to and maintain persistence in a target network. By installing SoftEther on internal systems, GALLIUM is able to connect through those systems as though it were on the internal network of the target. SoftEther provides GALLIUM with another means of persistence and flexibility, with the added benefit that its traffic may appear to be benign on the target network.\r\nRecommended defenses\r\nThe following are recommended defenses security operations teams can take to mitigate the impact of threats like GALLIUM in your corporate environment:\r\nMaintain web server patching and log audits, and run web services with the minimum required operating system permissions.\r\nInstall security updates on all applications and operating systems promptly. Check the Security Update Guide for detailed information about available Microsoft security updates.\r\nFor efficient incident response, maintain a forensics-ready network with centralized event logging, file detonation services, and up-to-date asset inventories.\r\nEnable cloud-delivered protection and maintain updated antivirus. Turn on cloud-delivered protection and automatic sample submission on Windows Defender Antivirus. These capabilities use artificial intelligence (AI) and machine learning to quickly identify and stop new and unknown threats.\r\nUse behavior detection solutions to catch credential dumping or other activity that may indicate a breach.\r\nAdopt Azure ATP, a cloud-based security solution that leverages your on-premises Active Directory signals, to identify, detect, and investigate advanced threats, compromised identities, and malicious insider actions directed at your organization.\r\nUse Microsoft Defender ATP to help enterprise networks prevent, detect, investigate, and respond to advanced threats. 
Educate users about protecting personal and business information in social media, filtering unsolicited communication, identifying lures in spear-phishing email and watering holes, and reporting reconnaissance attempts and other suspicious activity.\r\nEncourage users to use Microsoft Edge and other web browsers that support SmartScreen, which identifies and blocks malicious websites, including phishing sites, scam sites, and sites that contain exploits and host malware.\r\nInstitute Multi-Factor Authentication (MFA) to mitigate compromised accounts.\r\nNote: Microsoft strongly encourages all customers to download and use passwordless solutions like the Microsoft Authenticator app or Windows Hello to secure your accounts.\r\nFor Office 365 users, see MFA support.\r\nFor consumer and personal email accounts, see how to use two-step verification.\r\nThe list below provides known GALLIUM tooling and Indicators of Compromise (IOCs) observed during this activity. 
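As an added example that is not part of the original post or of Microsoft's Azure Sentinel indicator package, the following Python shows one way to act on the domain indicators listed below. It refangs the bracketed domains, matches a query against each indicator and its subdomains on a label boundary (so a naive substring match cannot be fooled by a longer name), and separately flags any lookup under the dynamic DNS zones named in the Infrastructure section (ddns.net, myftp.biz) as a lower-confidence lead, since those zones also carry benign traffic. The resolver log lines are constructed for the example and their format is an assumption; the seven domain indicators are the ones published on this page.

```python
# Domain indicators exactly as listed on this page (defanged with [.]).
GALLIUM_DOMAINS_DEFANGED = [
    'asyspy256[.]ddns[.]net',
    'hotkillmail9sddcc[.]ddns[.]net',
    'rosaf112[.]ddns[.]net',
    'cvdfhjh1231[.]myftp[.]biz',
    'sz2016rose[.]ddns[.]net',
    'dffwescwer4325[.]myftp[.]biz',
    'cvdfhjh1231[.]ddns[.]net',
]

# Dynamic DNS zones the post says GALLIUM typically uses (provided by noip.com).
DYNAMIC_DNS_ZONES = ('ddns.net', 'myftp.biz')

# Constructed resolver log lines, not real telemetry. Assumed format:
# <timestamp> <client ip> <query name> <query type>
DNS_LOG = '''
2019-06-03T10:14:02Z 10.20.1.15 www.microsoft.com A
2019-06-03T10:14:09Z 10.20.1.15 asyspy256.ddns.net A
2019-06-03T10:15:41Z 10.20.1.77 update.cvdfhjh1231.myftp.biz A
2019-06-03T10:16:00Z 10.20.1.77 rosaf112.ddns.net.corp.example A
2019-06-03T10:17:13Z 10.20.2.9 mybackup42.ddns.net A
2019-06-03T10:18:30Z 10.20.2.9 cvdfhjh1231.ddns.net AAAA
'''


def refang(indicator):
    # Published indicators use [.] so they cannot be clicked; undo that and
    # normalize (DNS names are case-insensitive, trailing dot is optional).
    return indicator.replace('[.]', '.').strip().rstrip('.').lower()


INDICATOR_SET = frozenset(refang(d) for d in GALLIUM_DOMAINS_DEFANGED)


def is_same_or_subdomain(name, parent):
    # Anchored suffix match on a label boundary: foo.ddns.net.corp.example
    # does not match ddns.net, and evilddns.net does not match ddns.net.
    return name == parent or name.endswith('.' + parent)


def classify(query, indicators=INDICATOR_SET, zones=DYNAMIC_DNS_ZONES):
    # Exact IOC (or subdomain of one) beats the weaker dynamic DNS zone signal.
    name = refang(query)
    for ioc in indicators:
        if is_same_or_subdomain(name, ioc):
            return ('ioc_match', ioc)
    for zone in zones:
        if is_same_or_subdomain(name, zone):
            return ('dynamic_dns', zone)
    return None


def parse_dns_log(text):
    # Yields (timestamp, client, query name); skips blank or malformed lines
    # instead of aborting the whole hunt on one bad record.
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        yield parts[0], parts[1], parts[2]


def hunt(text):
    # One finding per matching query: (client, normalized name, category, matched value).
    findings = []
    for ts, client, name in parse_dns_log(text):
        verdict = classify(name)
        if verdict:
            findings.append((client, refang(name), verdict[0], verdict[1]))
    return findings


if __name__ == '__main__':
    for finding in hunt(DNS_LOG):
        print(finding)
```

The dynamic_dns category is deliberately kept apart from ioc_match: a hit on a listed domain is an indicator of this activity, whereas a lookup of an arbitrary ddns.net or myftp.biz host is only a lead to triage, and the two should not be given the same severity.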
Microsoft encourages customers to implement detections and protections to identify possible prior campaigns or prevent future campaigns against their systems.\r\nTooling\r\nSee Table 1 above for the GALLIUM tooling observed.\r\nMalware\r\nSee Table 2 above for the GALLIUM malware families observed.\r\nIndicators\r\nType             Indicator\r\nDomain           asyspy256[.]ddns[.]net\r\nDomain           hotkillmail9sddcc[.]ddns[.]net\r\nDomain           rosaf112[.]ddns[.]net\r\nDomain           cvdfhjh1231[.]myftp[.]biz\r\nDomain           sz2016rose[.]ddns[.]net\r\nDomain           dffwescwer4325[.]myftp[.]biz\r\nDomain           cvdfhjh1231[.]ddns[.]net\r\nSha256           9ae7c4a4e1cfe9b505c3a47e66551eb1357affee65bfefb0109d02f4e97c06dd\r\nSha256           7772d624e1aed327abcd24ce2068063da0e31bb1d5d3bf2841fc977e198c6c5b\r\nSha256           657fc7e6447e0065d488a7db2caab13071e44741875044f9024ca843fe4e86b5\r\nSha256           2ef157a97e28574356e1d871abf75deca7d7a1ea662f38b577a06dd039dbae29\r\nSha256           52fd7b90d7144ac448af4008be639d4d45c252e51823f4311011af3207a5fc77\r\nSha256           a370e47cb97b35f1ae6590d14ada7561d22b4a73be0cb6df7e851d85054b1ac3\r\nSha256           5bf80b871278a29f356bd42af1e35428aead20cd90b0c7642247afcaaa95b022\r\nSha256           6f690ccfd54c2b02f0c3cb89c938162c10cbeee693286e809579c540b07ed883\r\nSha256           3c884f776fbd16597c072afd81029e8764dd57ee79d798829ca111f5e170bd8e\r\nSha256           1922a419f57afb351b58330ed456143cc8de8b3ebcbd236d26a219b03b3464d7\r\nSha256           fe0e4ef832b62d49b43433e10c47dc51072959af93963c790892efc20ec422f1\r\nSha256           7ce9e1c5562c8a5c93878629a47fe6071a35d604ed57a8f918f3eadf82c11a9c\r\nSha256           178d5ee8c04401d332af331087a80fb4e5e2937edfba7266f9be34a5029b6945\r\nSha256           51f70956fa8c487784fd21ab795f6ba2199b5c2d346acdeef1de0318a4c729d9\r\nSha256           889bca95f1a69e94aaade1e959ed0d3620531dc0fc563be9a8decf41899b4d79\r\nSha256           332ddaa00e2eb862742cb8d7e24ce52a5d38ffb22f6c8bd51162bd35e84d7ddf\r\nSha256           44bcf82fa536318622798504e8369e9dcdb32686b95fcb44579f0b4efa79df08\r\nSha256           63552772fdd8c947712a2cff00dfe25c7a34133716784b6d486227384f8cf3ef\r\nSha256           056744a3c371b5938d63c396fe094afce8fb153796a65afa5103e1bffd7ca070\r\nSignature name   TrojanDropper:Win32/BlackMould.A!dha\r\nSignature name   Trojan:Win32/BlackMould.B!dha\r\nSignature name   Trojan:Win32/QuarkBandit.A!dha\r\nSignature name   Trojan:Win32/Sidelod.A!dha\r\nBookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.\r\nSource: https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MISPGALAXY",
		"MITRE",
		"ETDA"
	],
	"references": [
		"https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/"
	],
	"report_names": [
		"gallium-targeting-global-telecom"
	],
	"threat_actors": [
		{
			"id": "7bf3ffe5-09ba-4378-8ea4-a6d748a494fd",
			"created_at": "2022-10-25T15:50:23.264584Z",
			"updated_at": "2026-04-10T02:00:05.334294Z",
			"deleted_at": null,
			"main_name": "GALLIUM",
			"aliases": [
				"GALLIUM",
				"Granite Typhoon"
			],
			"source_name": "MITRE:GALLIUM",
			"tools": [
				"ipconfig",
				"cmd",
				"China Chopper",
				"PoisonIvy",
				"at",
				"PlugX",
				"PingPull",
				"BlackMould",
				"Mimikatz",
				"PsExec",
				"HTRAN",
				"NBTscan",
				"Windows Credential Editor"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "9faf32b7-0221-46ac-a716-c330c1f10c95",
			"created_at": "2022-10-25T16:07:23.652281Z",
			"updated_at": "2026-04-10T02:00:04.702108Z",
			"deleted_at": null,
			"main_name": "Gallium",
			"aliases": [
				"Alloy Taurus",
				"G0093",
				"Granite Typhoon",
				"Phantom Panda"
			],
			"source_name": "ETDA:Gallium",
			"tools": [
				"Agentemis",
				"BlackMould",
				"CHINACHOPPER",
				"China Chopper",
				"Chymine",
				"CinaRAT",
				"Cobalt Strike",
				"CobaltStrike",
				"Darkmoon",
				"Gen:Trojan.Heur.PT",
				"Gh0stCringe RAT",
				"HTran",
				"HUC Packet Transmit Tool",
				"LaZagne",
				"Mimikatz",
				"NBTscan",
				"PingPull",
				"Plink",
				"Poison Ivy",
				"PsExec",
				"PuTTY Link",
				"QuarkBandit",
				"Quasar RAT",
				"QuasarRAT",
				"Reshell",
				"SPIVY",
				"SinoChopper",
				"SoftEther VPN",
				"Sword2033",
				"WCE",
				"WinRAR",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"Yggdrasil",
				"cobeacon",
				"nbtscan",
				"netcat",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "c87ee2df-e528-4fa0-bed6-6ed29e390688",
			"created_at": "2023-01-06T13:46:39.150432Z",
			"updated_at": "2026-04-10T02:00:03.231072Z",
			"deleted_at": null,
			"main_name": "GALLIUM",
			"aliases": [
				"Red Dev 4",
				"Alloy Taurus",
				"Granite Typhoon",
				"PHANTOM PANDA"
			],
			"source_name": "MISPGALAXY:GALLIUM",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775433990,
	"ts_updated_at": 1775792221,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e2a5ff7e5beea32042a46bdf69cdc96792d1ea6d.pdf",
		"text": "https://archive.orkl.eu/e2a5ff7e5beea32042a46bdf69cdc96792d1ea6d.txt",
		"img": "https://archive.orkl.eu/e2a5ff7e5beea32042a46bdf69cdc96792d1ea6d.jpg"
	}
}