Alloy Taurus, a Chinese nation-state group known for attacking telecom companies since at least 2012, has been found to be using a Linux variant of the PingPull backdoor and a new tool called Sword2033, according to cybersecurity company Palo Alto Networks Unit 42.


The group has recently broadened its victimology to include financial institutions, telecoms and government entities. PingPull is a remote access trojan that uses the Internet Control Message Protocol (ICMP) for command-and-control communications; Sword2033 supports file upload and exfiltration as well as command execution.
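Because PingPull carries its command-and-control traffic inside ICMP, ordinary proxy and DNS logging never sees it, and a defender has to look at the echo traffic itself. The following is an added example, not code from Unit 42 or from the report, showing one way to score ICMP echo requests from flow records: a host that beacons to an external address on a fixed timer with payload lengths that do not match the default ping sizes scores higher than a host running a normal ping. The flow records, the internal network ranges, the 32/56-byte "normal ping" baseline and every threshold are assumptions constructed for the example.

```python
"""Heuristic scoring of ICMP echo requests that behave like a C2 channel.

Added example with constructed flow records; thresholds and the
"normal ping payload" baseline are assumptions, not figures from the report.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev

# Assumed internal address space; adjust to the monitored environment.
INTERNAL_NETS = [ip_network("10.0.0.0/8"),
                 ip_network("172.16.0.0/12"),
                 ip_network("192.168.0.0/16")]
# Assumed baseline: default payload of Windows ping (32 B) and Linux/macOS ping (56 B).
STANDARD_PAYLOAD_SIZES = {32, 56}
ICMP_ECHO_REQUEST = 8


@dataclass
class IcmpFlow:
    ts: float          # seconds since epoch
    src: str
    dst: str
    icmp_type: int
    payload_len: int   # bytes following the 8-byte ICMP header


def is_internal(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def score_pair(flows, max_jitter=0.2, volume=20):
    """Score the echo requests from one source to one destination.

    +1 if the requests arrive on a steady timer (low jitter),
    +2 if at least half of them carry a non-standard payload length,
    +1 if the volume is high. Returns (score, reasons).
    """
    flows = sorted(flows, key=lambda f: f.ts)
    score, reasons = 0, []
    if len(flows) >= 3:
        gaps = [b.ts - a.ts for a, b in zip(flows, flows[1:])]
        avg = mean(gaps)
        jitter = pstdev(gaps) / avg if avg > 0 else 0.0
        if jitter <= max_jitter:
            score += 1
            reasons.append(f"periodic every ~{avg:.0f}s (jitter {jitter:.2f})")
    odd = [f for f in flows if f.payload_len not in STANDARD_PAYLOAD_SIZES]
    if odd and len(odd) * 2 >= len(flows):
        score += 2
        reasons.append(f"non-standard payload sizes in {len(odd)}/{len(flows)} requests")
    if len(flows) >= volume:
        score += 1
        reasons.append(f"high volume ({len(flows)} requests)")
    return score, reasons


def find_suspicious(flows, threshold=2):
    """Group echo requests leaving the internal network by (src, dst) and score each pair."""
    groups = defaultdict(list)
    for f in flows:
        if f.icmp_type == ICMP_ECHO_REQUEST and is_internal(f.src) and not is_internal(f.dst):
            groups[(f.src, f.dst)].append(f)
    findings = []
    for (src, dst), fs in groups.items():
        score, reasons = score_pair(fs)
        if score >= threshold:
            findings.append({"src": src, "dst": dst, "score": score, "reasons": reasons})
    return findings


# Constructed sample: a normal "ping -c 5" (56-byte payload, one request per second)
# and a host beaconing every 60 s with varying payload lengths. TEST-NET addresses only.
SAMPLE_FLOWS = (
    [IcmpFlow(1000.0 + i, "10.0.0.5", "192.0.2.1", ICMP_ECHO_REQUEST, 56) for i in range(5)]
    + [IcmpFlow(2000.0 + 60 * i, "10.0.0.15", "198.51.100.7", ICMP_ECHO_REQUEST, size)
       for i, size in enumerate([128, 512, 96, 1024, 64, 300])]
    + [IcmpFlow(2000.5, "198.51.100.7", "10.0.0.15", 0, 128)]   # echo reply, ignored
)

if __name__ == "__main__":
    for finding in find_suspicious(SAMPLE_FLOWS):
        print(finding)
```

The periodic-timer signal alone is deliberately not enough to raise a finding, since a plain `ping` is also periodic; it only contributes when combined with unusual payload sizes or volume. In practice the payload-size baseline should be learned from the environment rather than hard-coded.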

The discovery suggests that Alloy Taurus is evolving its operations to support its espionage activities.


Indicators of Compromise

SHA-256 hashes
cb0922d8b130504bf9a3078743294791201789c5a3d7bc0369afd096ea15f0ae
5ba043c074818fdd06ae1d3939ddfe7d3d35bab5d53445bc1f2f689859a87507
e39b5c32ab255ad284ae6d4dae8b4888300d4b5df23157404d9c8be3f95b3253

Domains
yrhsywu2009.zapto[.]org
*.saspecialforces.co[.]za
vpn729380678.softether[.]net

IP addresses
5.181.25[.]99
196.216.136[.]139
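The indicators above are published defanged (`[.]` in place of `.`) and mix three types, one of which is a wildcard domain. The following is an added example, not code from the report, that refangs the list, sorts it by type, and scans log lines for hash, IP and domain matches, treating `*.saspecialforces.co[.]za` as matching the apex and any subdomain. The log lines are constructed for the example; the indicator values are the ones listed on this page.

```python
"""Refang the published IoCs and scan log lines for them.

Added example; the log lines below are constructed, the indicators are from the page.
"""
import re
from dataclasses import dataclass, field

# Indicators exactly as published above (defanged).
RAW_IOCS = [
    "cb0922d8b130504bf9a3078743294791201789c5a3d7bc0369afd096ea15f0ae",
    "5ba043c074818fdd06ae1d3939ddfe7d3d35bab5d53445bc1f2f689859a87507",
    "e39b5c32ab255ad284ae6d4dae8b4888300d4b5df23157404d9c8be3f95b3253",
    "yrhsywu2009.zapto[.]org",
    "*.saspecialforces.co[.]za",
    "vpn729380678.softether[.]net",
    "5.181.25[.]99",
    "196.216.136[.]139",
]

HEX64 = re.compile(r"^[0-9a-f]{64}$")
IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
# Candidate tokens in a log line: hostnames, IPs, hashes (lower-cased before matching).
TOKEN = re.compile(r"[a-z0-9][a-z0-9.\-]*[a-z0-9]")


def refang(indicator: str) -> str:
    """Turn a defanged indicator back into its real form."""
    return indicator.strip().lower().replace("[.]", ".")


@dataclass
class IocSet:
    hashes: set = field(default_factory=set)
    ips: set = field(default_factory=set)
    exact_domains: set = field(default_factory=set)
    wildcard_suffixes: set = field(default_factory=set)   # "*.x.y" stored as "x.y"


def build_ioc_set(raw) -> IocSet:
    iocs = IocSet()
    for item in raw:
        ind = refang(item)
        if HEX64.match(ind):
            iocs.hashes.add(ind)
        elif IPV4.match(ind):
            iocs.ips.add(ind)
        elif ind.startswith("*."):
            iocs.wildcard_suffixes.add(ind[2:])
        else:
            iocs.exact_domains.add(ind)
    return iocs


def match_domain(token: str, iocs: IocSet):
    """Return the matching indicator (or None). Wildcards match the apex and every subdomain."""
    if token in iocs.exact_domains:
        return token
    for suffix in iocs.wildcard_suffixes:
        if token == suffix or token.endswith("." + suffix):
            return "*." + suffix
    return None


def scan_lines(lines, iocs: IocSet):
    """Return (line_number, kind, indicator) for every token that hits an indicator."""
    hits = []
    for lineno, line in enumerate(lines, 1):
        for tok in TOKEN.findall(line.lower()):
            if tok in iocs.hashes:
                hits.append((lineno, "sha256", tok))
            elif tok in iocs.ips:
                hits.append((lineno, "ip", tok))
            else:
                dom = match_domain(tok, iocs)
                if dom:
                    hits.append((lineno, "domain", dom))
    return hits


IOCS = build_ioc_set(RAW_IOCS)

# Constructed sample logs: DNS, proxy, firewall and EDR lines, two of them benign.
SAMPLE_LOGS = [
    "2023-04-26T08:01:13Z dns client=10.0.0.15 query=mail.saspecialforces.co.za type=A",
    "2023-04-26T08:01:20Z dns client=10.0.0.22 query=updates.example.com type=A",
    "2023-04-26T08:03:41Z proxy client=10.0.0.15 dst=vpn729380678.softether.net:443 action=allow",
    "2023-04-26T08:05:02Z fw client=10.0.0.15 dst=5.181.25.99 proto=icmp action=allow",
    "2023-04-26T08:07:55Z edr host=srv-07 event=process_create "
    "sha256=cb0922d8b130504bf9a3078743294791201789c5a3d7bc0369afd096ea15f0ae path=/usr/local/bin/example",
    "2023-04-26T08:09:10Z edr host=srv-09 event=process_create "
    "sha256=0000000000000000000000000000000000000000000000000000000000000000 path=/usr/bin/ls",
]

if __name__ == "__main__":
    for hit in scan_lines(SAMPLE_LOGS, IOCS):
        print(hit)
```

Note that an indicator like `*.saspecialforces.co[.]za` covers a whole zone, so a hit there says less on its own than a hit on one of the file hashes; the firewall line with the ICMP indicator IP is the kind of record that ties the network indicators back to the ICMP channel described above.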