Alloy Taurus, a Chinese nation-state group known for attacking telecom companies since at least 2012, has been found to be using a Linux variant of the PingPull backdoor and a new tool called Sword2033, according to cybersecurity company Palo Alto Networks Unit 42.
The group has recently broadened its victimology to include financial institutions, telecoms, government entities. PingPull is a remote access trojan that uses the Internet Control Message Protocol for command-and-control communications, and Sword2033 supports file uploading and exfiltration as well as command execution.
The discovery suggests that Alloy Taurus is evolving its operations to support its espionage activities.
Indicators of Compromise