Threat Actor Profile
Gallium
Gallium, also known as Phantom Panda, Alloy Taurus, and Granite Typhoon, is a China-based threat actor that has been on the scene since at least 2012. This group is known for its focus on espionage, particularly targeting telecommunications companies to get their hands on sensitive data. They typically gain access by exploiting unpatched, internet-facing services, a classic move that’s still shockingly effective.
Country of Origin
Gallium is widely believed to be a Chinese state-sponsored group. This assessment is based on their specific targeting of sectors and locations of strategic interest to the Chinese government, plus their use of tools and techniques commonly associated with other known Chinese APT groups.
Members
The exact size and structure of the Gallium group are unknown. Given their sophistication and the scale of their operations, it's likely a well-organized team with distinct roles for reconnaissance, exploit development, intrusion operations, and data exfiltration.
Leadership
There is no publicly available information identifying the specific leaders or aliases of Gallium. Like many state-sponsored groups, they operate with a high degree of anonymity, making it difficult to attribute actions to specific individuals.
Gallium TTPs
Tactics
The primary goal for Gallium is intelligence gathering. They are laser-focused on espionage, aiming to steal sensitive information that aligns with the strategic interests of the Chinese state. This often involves targeting telecommunications providers to access call detail records (CDRs), especially for high-value individuals and organizations. They also go after financial institutions and government entities.
Techniques
To get what they want, Gallium follows a pretty standard playbook:
Initial Access: They scan the internet for unpatched, vulnerable services. They have a known affinity for exploiting bugs in WildFly/JBoss application servers. Once a weakness is found, they use publicly available exploits to get a foothold.
Credential Access: After gaining initial access, they deploy credential-dumping tools like Mimikatz and Windows Credential Editor (WCE) to harvest usernames and passwords.
Lateral Movement: With valid credentials in hand, they use tools like PsExec to move across the network, escalating their privileges and expanding their access.
Persistence: To make sure they can stick around, they install web shells like China Chopper and deploy various Remote Access Trojans (RATs). They've also been known to install SoftEther VPN software to create a persistent and seemingly legitimate tunnel into the network.
Procedures
Gallium uses a mix of well-known and slightly customized tools to carry out their attacks.
Malware: They rely heavily on web shells like China Chopper and its native IIS-based variant, BlackMould. For long-term access, they use modified versions of RATs like Poison Ivy and Gh0st RAT (detected as QuarkBandit). More recently, they've been spotted using a new RAT called PingPull, which can use ICMP, HTTP(S), and raw TCP for C2 communications, making it a pain to detect.
Tools: Their toolkit is filled with the usual suspects:
HTRAN: For proxying connections.
Mimikatz & WCE: For dumping credentials.
NBTScan: For scanning NetBIOS name servers.
PsExec: For executing commands remotely.
WinRAR: For compressing stolen data before exfiltration.
Notable Cyberattacks
Operation Soft Cell (2012-2018): A long-running campaign targeting global telecommunications providers. The primary objective was to steal massive amounts of call detail records, likely to monitor high-value targets. The attack involved exploiting web servers, deploying web shells, and using modified versions of Poison Ivy.
Global Telecom Campaign (2018-2019): Microsoft reported on widespread attacks against telecommunications companies where Gallium used publicly available exploits against WildFly/JBoss servers. They used tools like HTRAN and Mimikatz for lateral movement and data theft.
PingPull RAT Deployment (2021-Present): Unit 42 research revealed Gallium's use of a new RAT, PingPull. This tool was deployed in attacks against financial, government, and telecom targets in nine countries, showing an expansion of their target scope.
Law Enforcement & Arrests
There have been no public reports of law enforcement actions or arrests specifically targeting members of Gallium. As a suspected state-sponsored group, its operators likely enjoy protection from their host government, making arrests and prosecution extremely difficult.
How to Defend Against Gallium
Patch, Patch, Patch: Keep your internet-facing services, especially web and application servers, fully patched and up to date.
Network Segmentation: Limit lateral movement by segmenting your network. This makes it harder for them to jump from a compromised web server to your critical internal systems.
Monitor Outbound Traffic: Keep an eye out for unusual protocols or connections to dynamic DNS domains. Their PingPull RAT can use ICMP tunneling, so make sure you're inspecting more than just HTTP/S traffic.
Credential Protection: Implement multi-factor authentication (MFA) everywhere you can. This will neutralize their credential harvesting efforts.
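The two outbound-traffic checks above (sustained ICMP streams to a single external host, and connections to dynamic DNS names) can be expressed as simple rules over flow records. The script below is an added illustration, not Huntress code or a PingPull signature; the flow records, internal ranges, and dynamic DNS suffix list are all constructed assumptions that an analyst would replace with their own telemetry and allow lists.

```python
import ipaddress
from collections import defaultdict

# Constructed sample flow records, not real telemetry:
# (src_ip, dst_ip, proto, packets, bytes, resolved_dst_name)
SAMPLE_FLOWS = [
    ("10.0.1.15", "8.8.8.8", "icmp", 4, 256, ""),                              # ordinary ping
    ("10.0.1.15", "203.0.113.9", "icmp", 640, 81920, ""),                      # sustained, heavy ICMP
    ("10.0.1.22", "203.0.113.9", "icmp", 3, 180, ""),                          # short troubleshooting ping
    ("10.0.1.15", "198.51.100.7", "tcp/443", 90, 40000, "example-updates.ddns.net"),
    ("10.0.1.15", "198.51.100.8", "tcp/443", 120, 50000, "cdn.example.com"),
    ("10.0.1.30", "10.0.2.5", "icmp", 900, 60000, ""),                         # internal, not in scope
]

# Assumptions: the organisation's internal ranges and a short illustrative dynamic DNS list.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]
DYNAMIC_DNS_SUFFIXES = ("ddns.net", "no-ip.org", "dyndns.org")


def is_external(ip):
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def flag_icmp_beacons(flows, min_packets=100, min_avg_bytes=96):
    """Return (src, dst) pairs sending many, large ICMP packets to one external host.

    A normal echo request is small (a typical ping frame is under 100 bytes) and short-lived;
    a C2 channel carried over ICMP shows up as a sustained, heavier stream to a single peer."""
    totals = defaultdict(lambda: [0, 0])  # (src, dst) -> [packets, bytes]
    for src, dst, proto, pkts, nbytes, _ in flows:
        if proto == "icmp" and is_external(dst):
            totals[(src, dst)][0] += pkts
            totals[(src, dst)][1] += nbytes
    return sorted(pair for pair, (pkts, nbytes) in totals.items()
                  if pkts >= min_packets and nbytes / pkts >= min_avg_bytes)


def flag_dynamic_dns(flows, suffixes=DYNAMIC_DNS_SUFFIXES):
    """Return (src, name) pairs whose external destination resolves under a dynamic DNS domain."""
    tails = tuple("." + s for s in suffixes)  # require a dot so 'myddns.net' does not match
    hits = {(src, name) for src, dst, _, _, _, name in flows
            if name and name.lower().endswith(tails) and is_external(dst)}
    return sorted(hits)


if __name__ == "__main__":
    print("ICMP beacon candidates:", flag_icmp_beacons(SAMPLE_FLOWS))
    print("Dynamic DNS destinations:", flag_dynamic_dns(SAMPLE_FLOWS))
```

Thresholds are starting points to tune against your own baseline; the point is that the ICMP check needs packet counts and sizes, which plain HTTP/S proxy logs never carry.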
The Huntress platform is built to catch the very techniques Gallium relies on. Our 24/7 SOC team hunts for signs of persistence, lateral movement, and suspicious processes. If they use a web shell to establish a foothold or Mimikatz to steal credentials, we’ll spot it and help you kick them out before they can do real damage.