threat profile (active)
type: Nation-State
threat level: Critical
status: Active
origin: China — state-sponsored
mitre: G0093
last updated: 2026-03-27

Gallium / Softcell

Also known as: Alloy Taurus, Granite Typhoon, Red Giant 4. Campaign: Operation Soft Cell. MITRE: G0093.

A Chinese state-linked group that built its reputation specifically on telecom sector intrusion — penetrating carrier networks not to steal data from the carriers themselves, but to access the call detail records (CDRs) of high-value targets transiting those networks. Operation Soft Cell (Cybereason's name for Gallium activity) demonstrated a total network takeover of multiple global carriers lasting years, with CDR collection providing Chinese intelligence with granular visibility into the communications of government officials, military personnel, and executives across targeted regions. Active since at least 2012 and continuously expanding, Gallium has since broadened its targeting to financial institutions and government entities across Southeast Asia, Europe, Africa, and the Middle East.

attributed origin: China — PRC state-sponsored espionage
mitre group id: G0093 (GALLIUM)
active since: At least 2012 (confirmed operations)
primary motivation: Intelligence collection — CDR surveillance, state espionage
defining operation: Operation Soft Cell — global telecom CDR mass collection
primary sectors: Telecom, Finance, Government
target regions: SE Asia, Europe, Africa, Middle East, Australia
key malware: PingPull RAT, China Chopper, Sword2033, PhantomNet
current status: ACTIVE — expanding globally (2024–2025)

Overview

Gallium has been active since at least 2012, building a sustained operational profile centered on one of the most strategically valuable forms of intelligence collection available through cyber means: call detail record (CDR) harvesting from telecommunications providers. A CDR reveals who called whom, when, from where, and for how long — metadata that, assembled at scale across a carrier's entire subscriber base, provides a map of communications patterns for intelligence targets without requiring decryption of the calls themselves. By penetrating carrier networks rather than targeting individuals directly, Gallium achieved access to communications intelligence covering entire government ministries, diplomatic missions, military units, and corporate targets transiting affected networks — a scope no targeted phishing campaign could match.

The group's defining public exposure came through Cybereason's 2019 disclosure of Operation Soft Cell, a long-running campaign targeting at least five major telecommunications companies in Southeast Asia. Cybereason's investigation revealed a multi-year intrusion in which attackers had achieved what the researchers described as a total takeover of the affected carrier networks — with the ability to access virtually any data stored or passing through those networks. The CDR collection was the strategic objective: the attackers extracted the communications metadata of specific high-value individuals the Chinese intelligence services were interested in monitoring, using the telecom provider as a passive collection platform rather than as a target in itself.

Microsoft identified Gallium publicly in December 2019, confirming the group had been targeting global telecommunications providers for years and noting that the group primarily leveraged publicly available tools and exploits rather than custom zero-days — a cost-effective approach that complicates attribution while maintaining operational effectiveness. The group is tracked under multiple names across vendors: Gallium (Microsoft, Palo Alto Unit 42), Softcell (Cybereason), Alloy Taurus (Palo Alto Unit 42), and Granite Typhoon (CrowdStrike). MITRE ATT&CK tracks the group under G0093.

From 2021 onward, Gallium expanded its targeting footprint beyond telecommunications into financial institutions and government entities. Unit 42 identified the group's use of a new custom RAT — PingPull — in June 2022, documenting active connections to targeted entities in Afghanistan, Australia, Belgium, Cambodia, Malaysia, Mozambique, the Philippines, Russia, and Vietnam. A Linux variant of PingPull and a new backdoor called Sword2033 were identified in 2023, confirming continued active development. CrowdStrike's 2025 Global Threat Report identified Granite Typhoon (Gallium) as a member of China's "Enterprising Adversaries" category, reflecting its operational efficiency and alignment with PRC intelligence priorities. ESET's Q4 2024–Q1 2025 report documented Gallium operating in campaigns alongside other Chinese APT actors, using increasingly modular and resilient infrastructure with redundant VPN nodes.

Target Profile

Gallium's targeting is intelligence-driven rather than financially motivated. Sector selection reflects PRC strategic intelligence requirements: telecom for CDR surveillance, government for diplomatic and policy intelligence, and finance for economic and sanctions-related intelligence.

  • Telecommunications Providers (foundational, 2012–present): The group's defining target category. Gallium penetrates carrier networks specifically to harvest call detail records of high-value individuals — government officials, military personnel, diplomats, executives — who use those networks. The carrier itself is a collection platform, not the intelligence objective. Telecom targets have been identified across Southeast Asia, Europe, Africa, and the Middle East. Operation Soft Cell targeted at least five major carriers in Southeast Asia alone.
  • Government Entities (expanded, 2020–present): Government ministry networks, diplomatic missions, and defense-related agencies across Gallium's operational geographies have been identified as targets in the post-2020 expansion phase. Government targeting provides direct access to diplomatic communications and policy planning intelligence that CDR metadata alone cannot supply.
  • Financial Institutions (expanded, 2020–present): Banks and financial services organizations across Southeast Asia and beyond were identified by Unit 42 as part of Gallium's expanded targeting scope. Financial institution access provides intelligence on capital flows, sanctions evasion activity, and corporate transactions of interest to PRC economic intelligence objectives.
  • Geographic Footprint: Confirmed targeting connections have been identified across Afghanistan, Australia, Belgium, Cambodia, Malaysia, Mozambique, the Philippines, Russia, and Vietnam (Unit 42, 2022). Additional telecom-sector targeting has been documented in the Gulf region and broader Middle East. European targets including Belgium have appeared in the confirmed connection list, reflecting the group's global operational scope. Gallium's 2024–2025 campaigns in Africa and Europe represent the most recent geographic expansion documented by ESET and Brandefense research.

Tactics, Techniques & Procedures

Gallium favors publicly available exploits and legitimate system tools over custom zero-days for initial access and post-exploitation, reducing development costs and complicating attribution. Custom malware is reserved for persistence and C2 where stealth and resilience are the priority.

MITRE ATT&CK technique mapping (ID, technique, description):

  • T1190 Exploit Public-Facing Application: Gallium's primary initial access method. The group exploits unpatched vulnerabilities in internet-facing applications — notably Microsoft Exchange, SharePoint, and VPN appliances — using publicly available exploits. Operation Soft Cell initial access was achieved via exploitation of exposed web applications. SentinelOne's Operation Tainted Love investigation documented Exchange server exploitation as the consistent first-stage entry point in Middle East telecom campaigns.
  • T1505.003 Server Software Component — Web Shell: China Chopper and BlackMould (a native IIS variant of China Chopper) are deployed on compromised Exchange and web servers immediately after initial access to establish persistent command execution. The China Chopper webshell is embedded in IIS or Exchange services to survive server restarts and evade detection. Gallium's PingPull command handler structure shares parameter naming conventions with China Chopper (z0, z1, z2 parameters; A–K, M command handlers), suggesting code reuse across tooling.
  • T1078 Valid Accounts — Credential Theft: After initial access via exploitation, Gallium uses Mimikatz and Windows Credential Editor (WCE) to dump credentials from LSASS memory and registry hives. Stolen credentials are used to authenticate to additional systems across the target network. Password spraying (T1110) has also been documented as an alternative initial access method. SentinelLabs identified a versioned, actively maintained credential theft capability (mim221) in Operation Tainted Love, with PDB path overlap with earlier Soft Cell Mimikatz executables — establishing tool continuity across campaigns spanning years.
  • T1021 Remote Services — Lateral Movement: PsExec, WMI, and RDP are used for lateral movement across target networks after credential theft. NBTScan maps the NetBIOS network to identify additional hosts for lateral spread. The group follows standard file naming conventions across campaigns — SentinelOne identified consistent LG tool usage and net/query/tasklist Windows built-in commands across Soft Cell and Operation Tainted Love, establishing TTP continuity.
  • T1095 Non-Application Layer Protocol — ICMP C2: PingPull's ICMP variant issues ICMP Echo Request packets to the C2 server and receives commands in ICMP Echo Reply packets — traffic that few organizations inspect or log. This makes PingPull's C2 communications significantly harder to detect than HTTP or DNS-based C2. Three PingPull variants exist using ICMP, HTTPS, and raw TCP respectively — the same functionality across all three, providing operational flexibility based on the defensive posture of the target environment.
  • T1090 Proxy — HTRAN Connection Proxying: HTRAN (HUC Packet Transmit Tool) is used to proxy attacker connections through compromised intermediate hosts, obfuscating the origin of C2 traffic. Gallium's infrastructure uses redundant VPN layer nodes — documented in 2024–2025 campaigns — providing resilient, multi-hop routing for C2 communications that survives takedown of individual relay nodes.
  • T1114 Email Collection — CDR and Subscriber Data Harvesting: The strategic objective in telecom intrusions is collection of call detail records — subscriber metadata revealing communications patterns of targeted individuals. In Operation Soft Cell, CDR collection provided intelligence on the communications of specific high-value targets across the carrier's entire subscriber base. WinRAR is used to compress and archive collected data before exfiltration to attacker-controlled infrastructure.
  • T1027 Obfuscated Files / Living off the Land: Gallium blends custom malware with legitimate administrative tools to reduce detection probability. PowerShell, WMI, and PsExec for post-exploitation; custom loaders with anti-analysis features for implant delivery; encrypted exfiltration channels or trusted cloud storage providers for data transfer. Custom loaders tailored for African and European targets were documented in 2024 campaigns. The group's ability to maintain low detection rates while mixing legitimate admin tools with advanced custom malware is identified as a hallmark of Chinese cyber espionage tradecraft.
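Detection logic for the ICMP C2 pattern described under T1095 (outbound Echo Requests from internal hosts to external addresses with a non-standard payload size), added here as an illustration and not part of the original profile or any vendor's tooling. The flow records, the internal address ranges, the "standard" ping payload sizes and the beacon volume threshold are constructed assumptions for the example.

```python
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed flow records for this example (not real telemetry):
# src,dst,proto,icmp_type,payload_bytes,packets
SAMPLE_FLOWS = """\
10.20.0.15,8.8.8.8,icmp,8,32,4
10.20.0.15,203.0.113.7,icmp,8,1024,37
10.20.0.22,10.20.0.1,icmp,8,32,2
10.20.0.40,198.51.100.9,icmp,8,32,1
10.20.0.40,198.51.100.9,icmp,8,640,120
10.20.0.40,198.51.100.9,icmp,0,640,118
10.20.0.51,203.0.113.7,tcp,0,1460,9000
"""

# Assumed internal ranges; a real deployment uses the organisation's own address plan.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
                 ip_network("192.168.0.0/16")]
# Default echo payload sizes of the stock ping tools: 32 bytes (Windows), 56 bytes (Linux/BSD).
STANDARD_PAYLOAD_SIZES = {32, 56}
ICMP_ECHO_REQUEST = 8


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    icmp_type: int
    payload_bytes: int
    packets: int


def parse_flows(text):
    """Parse the comma-separated flow format defined above into Flow records."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        src, dst, proto, itype, size, pkts = line.split(",")
        flows.append(Flow(src, dst, proto, int(itype), int(size), int(pkts)))
    return flows


def is_internal(ip):
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def suspicious_icmp_egress(flows, min_packets=10):
    """Return (src, dst, payload_bytes, packets) for Echo Request traffic that leaves
    the internal ranges with a non-standard payload and enough repeated volume to
    look like a beacon rather than a one-off probe. Echo Replies (type 0) are
    excluded: the request direction is what an egress policy can act on."""
    totals = defaultdict(int)
    for f in flows:
        if f.proto != "icmp" or f.icmp_type != ICMP_ECHO_REQUEST:
            continue
        if not is_internal(f.src) or is_internal(f.dst):
            continue
        if f.payload_bytes in STANDARD_PAYLOAD_SIZES:
            continue
        totals[(f.src, f.dst, f.payload_bytes)] += f.packets
    return sorted((s, d, size, n) for (s, d, size), n in totals.items()
                  if n >= min_packets)


if __name__ == "__main__":
    for src, dst, size, n in suspicious_icmp_egress(parse_flows(SAMPLE_FLOWS)):
        print(f"ALERT icmp egress {src} -> {dst} payload={size}B packets={n}")
```

Servers rarely have a business reason to ping arbitrary external hosts, so the same logic with an empty STANDARD_PAYLOAD_SIZES set is the stricter server-subnet variant.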

the carrier as a collection platform

Gallium's telecom intrusion model is strategically distinct from conventional data theft. The carrier network itself is not the target — its subscribers are. By penetrating a single carrier, Gallium gained passive surveillance capability over every high-value individual who placed calls through that network: government ministries, diplomatic missions, military units, and corporate executives. CDRs reveal communications patterns, contact networks, travel schedules inferred from cell tower data, and meeting frequency — intelligence that does not require decrypting call content and that a targeted phishing campaign against any individual target could never achieve at comparable scale.

Known Campaigns

Gallium's documented operational history spans three distinct phases: foundational telecom CDR collection (2012–2018), public exposure and tool evolution (2019–2022), and global expansion with new tooling (2022–present).

Operation Soft Cell — Global Telecom CDR Collection 2012–2018 (disclosed 2019)

Cybereason disclosed Operation Soft Cell in June 2019 after a years-long investigation into intrusions at telecommunications providers across Southeast Asia and beyond. The campaign involved at least five major telecom companies and achieved what Cybereason characterized as a total network takeover — persistent access to core carrier infrastructure with the ability to collect CDRs of any subscriber on the affected networks. The attackers used a combination of China Chopper webshells, modified versions of Poison Ivy and Gh0st RAT (tracked as QuarkBandit), Mimikatz, HTRAN, and PsExec. CDR collection was the confirmed strategic objective, targeting specific high-value individuals identified by PRC intelligence requirements. Microsoft publicly confirmed the campaign and the group's identity in December 2019, noting Gallium's reliance on publicly available exploits and tools rather than custom zero-days.

Operation Tainted Love — Middle East Telecom Targeting 2023

SentinelLabs, in collaboration with QGroup GmbH, documented initial attack phases against telecommunications providers in the Middle East in Q1 2023. The tooling showed direct lineage to Operation Soft Cell — Exchange server exploitation for initial access, China Chopper webshells, the LG tool, standard Windows built-in commands for reconnaissance, and PsExec for lateral movement. SentinelLabs identified a new versioned credential theft tool (mim221) with a PDB path that partially overlapped with earlier Soft Cell Mimikatz executables, establishing code continuity. A dropper mechanism not previously observed in public Gallium reporting was also identified, indicating ongoing active development. Attribution was assessed with medium confidence to Gallium, with the possibility of APT41 code-sharing or a shared Chinese state digital quartermaster also considered.

PingPull RAT Deployment — Multi-Sector Global Expansion 2021–present

Unit 42 identified PingPull — a new custom RAT written in Visual C++ — in June 2022 and documented its use against targets in nine countries: Afghanistan, Australia, Belgium, Cambodia, Malaysia, Mozambique, the Philippines, Russia, and Vietnam. PingPull's three variants (ICMP, HTTPS, TCP) provide flexible C2 communication resistant to network-layer detection. A Linux variant of PingPull was identified in April 2023 alongside a new backdoor called Sword2033, demonstrating active cross-platform capability development. The Windows variant of PingPull had been "burned" (detected across vendors) and the Linux variant appeared at a time when only three of 62 antivirus vendors on VirusTotal flagged it as malicious — confirming Gallium's practice of retiring compromised tools and introducing fresh variants to maintain stealth.

Africa and Europe Expansion — Custom Loaders 2024

ESET and Brandefense documented Gallium campaigns in Africa and Europe in 2024, with custom loaders tailor-made for targets in those regions appearing in threat intelligence reporting. ESET's Q4 2024–Q1 2025 report identified Gallium operating alongside HDMan and PhantomNet — tools associated with other Chinese APT clusters — suggesting either operational overlap or a shared Chinese state infrastructure and tooling ecosystem. CrowdStrike's 2025 Global Threat Report designated Granite Typhoon (Gallium) as part of China's "Enterprising Adversaries" tier, reflecting the group's operational efficiency, professionalization, and alignment with PRC intelligence objectives.

Tools & Malware

Gallium's toolkit combines commodity Chinese threat actor tooling with custom-developed implants. The group's strategy of retiring detected tools and introducing fresh replacements has maintained operational longevity across more than a decade.

  • PingPull RAT (Windows and Linux): A custom Visual C++ remote access trojan first identified in 2021 and documented publicly by Unit 42 in June 2022. Three variants exist — ICMP, HTTPS, and raw TCP — all functionally identical but using different C2 protocols. The ICMP variant disguises C2 communications as ping traffic, exploiting the fact that few organizations inspect ICMP. Commands are AES-CBC encrypted with base64 encoding. PingPull installs itself as a Windows service using the description and name of the legitimate iphlpsvc (IP Helper) service. A Linux variant using HTTPS/8443 was identified in April 2023 using the same AES key and command handler structure as the Windows version.
  • China Chopper Webshell (and BlackMould): The primary persistence mechanism after initial exploitation. China Chopper is a widely used Chinese threat actor webshell that provides command execution on compromised web servers. BlackMould is a native IIS variant used when China Chopper itself may attract detection. Both are embedded in Exchange or IIS services to survive server restarts. PingPull's command handler structure reuses China Chopper's z0/z1/z2 parameter naming and A–K/M command codes, suggesting code familiarity across Gallium's toolchain.
  • Sword2033: A backdoor identified alongside the PingPull Linux variant in April 2023. Supports file upload (#up), file download (#dn), and command execution (exc/c:). Considered a complementary tool to PingPull for environments where PingPull itself has been detected.
  • Poison Ivy / Gh0st RAT (QuarkBandit): Modified versions of these widely available Chinese threat actor RATs were used in Operation Soft Cell campaigns for long-term persistence. Both tools are commodity malware within Chinese espionage operations but were modified sufficiently to complicate detection by signature-based tools.
  • PhantomNet: A backdoor associated with Gallium activity identified in more recent reporting (ESET 2024–2025). Part of the modular implant ecosystem the group has developed as operational scope expanded beyond telecom.
  • HTRAN (HUC Packet Transmit Tool): A connection proxy tool used to route attacker traffic through intermediate compromised hosts, obfuscating the origin of C2 communications. Combined with Gallium's redundant VPN node infrastructure (documented in 2024–2025 campaigns), HTRAN provides multi-hop routing resilience.
  • Mimikatz / WCE (mim221): Standard credential dumping from LSASS and registry hives. The mim221 variant identified in Operation Tainted Love showed PDB path continuity with earlier Soft Cell Mimikatz samples, establishing code lineage across campaigns spanning years and providing attribution anchor points for researchers.
  • NBTScan / PsExec / WinRAR: NetBIOS scanning for host discovery, PsExec for remote command execution and lateral movement, WinRAR for compressing collected data before exfiltration. All are legitimate tools repurposed for malicious use — a living-off-the-land approach that reduces the malware footprint detectable by endpoint security tools.

Indicators of Compromise

Gallium regularly rotates infrastructure and retires detected tools. Static IOCs have a short effective shelf life. Behavioral patterns and tool signatures provide more durable detection value.

pingpull — key technical indicators

  • service name: Iph1psvc — PingPull disguises itself as the legitimate iphlpsvc service (note: character substitution)
  • service display name: IP He1per — display name mimics the legitimate IP Helper service (note: character substitution)
  • aes key: P29456789A1234sS — hardcoded AES key in Windows and Linux PingPull variants
  • aes key: dC@133321Ikd!D^i — second unique AES key observed across PingPull samples
  • c2 domain: yrhsywu2009.zapto[.]org:8443 — Linux PingPull variant C2 (historical)
  • beacon id: C2 beacon format PROJECT_[EXE NAME]_[COMPUTER NAME]_[HEX IP ADDRESS]
  • traffic: ICMP Echo Request/Reply traffic to external IPs with non-standard payload sizes
  • webshell: China Chopper / BlackMould in Exchange or IIS webroot directories

behavioral detection patterns

  • Webshell deployed to Exchange or IIS immediately after exploitation of internet-facing application
  • LSASS memory dump via Mimikatz or mim221 within hours of webshell deployment
  • NBTScan execution for internal network host enumeration following credential theft
  • PsExec or WMI lateral movement using newly harvested domain admin credentials
  • HTRAN proxy installation on compromised systems for C2 traffic routing
  • WinRAR archiving of large data volumes (CDRs, subscriber data) before exfiltration
  • Outbound ICMP traffic to external IPs with non-standard payload — PingPull ICMP C2 indicator
  • New Windows service with iphlpsvc-mimicking name/description on non-IIS systems
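A check for the service-name indicator above (Iph1psvc / IP He1per, a near-miss of iphlpsvc / IP Helper), added here as an illustration and not taken from the profile or from any vendor rule set. It scans constructed service-install records, normalises common character substitutions, and also flags names one edit away from a protected service; the KNOWN_SERVICES baseline, the homoglyph map and the record format are assumptions for the example.

```python
import re

# Assumed baseline: legitimate service names mapped to their display names (lower-case).
KNOWN_SERVICES = {
    "iphlpsvc": "ip helper",
    "w32time": "windows time",
    "wuauserv": "windows update",
    "lanmanserver": "server",
}

# Characters commonly swapped into lookalike names (1 for l, 0 for o, ...).
HOMOGLYPHS = str.maketrans({"1": "l", "0": "o", "|": "l", "!": "i"})

# Constructed service-install records (simplified key=value format, not real event-log output).
SAMPLE_EVENTS = [
    'host=SRV01 name=iphlpsvc display="IP Helper" image="C:\\Windows\\System32\\svchost.exe"',
    'host=SRV02 name=Iph1psvc display="IP He1per" image="C:\\Windows\\Temp\\update.exe"',
    'host=SRV03 name=BackupAgent display="Backup Agent" image="C:\\Program Files\\Backup\\agent.exe"',
    'host=SRV04 name=iphIpsvc display="IP Helper" image="C:\\Users\\Public\\svc.exe"',
]

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_event(line):
    """Split a record into a dict, stripping the quotes around multi-word values."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}


def edit_distance(a, b):
    """Levenshtein distance, used to catch single-character swaps the homoglyph map misses."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(name, display):
    """Return (legit_name, reason) when the name or display name is a near-miss of a
    protected service but not the real one; None for exact legitimate or unrelated names."""
    low = name.lower()
    if low in KNOWN_SERVICES:
        return None
    norm = low.translate(HOMOGLYPHS)
    disp = display.lower().translate(HOMOGLYPHS)
    for legit, legit_disp in KNOWN_SERVICES.items():
        if norm == legit:
            return legit, "name uses character substitution"
        if edit_distance(low, legit) == 1:
            return legit, "name one edit away"
        if disp == legit_disp:
            return legit, "display name mimics known service"
    return None


def scan_service_installs(lines):
    """Run the lookalike check over every record and return the alerts in input order."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        hit = lookalike_of(ev.get("name", ""), ev.get("display", ""))
        if hit:
            alerts.append({"host": ev["host"], "name": ev["name"], "image": ev["image"],
                           "mimics": hit[0], "reason": hit[1]})
    return alerts


if __name__ == "__main__":
    for a in scan_service_installs(SAMPLE_EVENTS):
        print(f"ALERT {a['host']}: service {a['name']!r} mimics {a['mimics']} ({a['reason']}) image={a['image']}")
```

Pairing the alert with the image path (a service binary outside System32 is itself a strong signal) keeps the check useful even once the specific Iph1psvc string is retired.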

Mitigation & Defense

Gallium's initial access via unpatched public-facing applications is its most consistent and preventable entry point. Post-exploitation detection requires behavioral monitoring beyond signature-based controls.

  • Patch Exchange, SharePoint, and VPN appliances on an emergency cadence: Every documented Gallium initial access vector is exploitation of unpatched internet-facing services. Exchange and VPN appliances — frequent targets — must be patched within days of critical vulnerability disclosure, not on standard monthly cycles. CISA's KEV (Known Exploited Vulnerabilities) catalog provides priority guidance; treat KEV entries affecting Exchange, SharePoint, and VPN products as emergency patches.
  • Implement ICMP egress inspection and monitoring: PingPull's ICMP C2 variant exploits the near-universal absence of ICMP traffic inspection on enterprise networks. Network security monitoring should include ICMP traffic analysis, particularly outbound ICMP Echo Request traffic to external IPs from servers — an anomalous pattern that warrants investigation. Egress filtering that restricts ICMP to known-good destinations eliminates this C2 channel entirely.
  • Deploy EDR with LSASS protection on all Windows servers: Mimikatz credential dumping from LSASS is Gallium's consistent post-exploitation step. EDR solutions with LSASS protection — and Windows Credential Guard where applicable — detect or prevent LSASS memory access by unauthorized processes. Alerts on LSASS access from unexpected processes should be treated as high-priority incidents requiring immediate investigation.
  • Monitor for China Chopper and webshell indicators in IIS and Exchange: China Chopper and BlackMould webshells are planted immediately after initial exploitation. File integrity monitoring on Exchange and IIS webroot directories detects unexpected file creation. Web application firewalls configured to flag China Chopper's characteristic request patterns provide an additional detection layer.
  • Implement CDR access logging and anomaly detection (telecom organizations): For telecommunications providers specifically, access to CDR databases and subscriber data stores should be logged with user-level granularity and monitored for anomalous query patterns — bulk extractions, queries outside normal business hours, or access by accounts that do not normally query CDR systems. This is the specific data Gallium seeks and the point where detection provides the highest impact.
  • Segment core telecom infrastructure from enterprise IT networks: Operation Soft Cell succeeded by traversing from compromised enterprise IT systems into core carrier network infrastructure. Network segmentation that isolates CDR databases, billing systems, and network management platforms from the enterprise IT network requires attackers to explicitly breach the segment boundary — a detectable event — rather than moving laterally through a flat network.
  • Monitor for HTRAN and connection proxy tools: HTRAN is a documented Gallium persistence tool. Detection rules for HTRAN's characteristic network behavior — including TCP port forwarding through compromised hosts to attacker-controlled infrastructure — and for its process behavior on Windows systems provide early warning of Gallium's presence on a compromised network.
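The CDR access anomaly detection recommended above, worked through as an added example (not code from the profile or from any carrier's monitoring stack). It applies the three patterns the text names, bulk extraction, off-hours access and queries from accounts that do not normally touch CDR systems, to constructed audit records, and also goes one step further than the text by summing per-user daily volume so that many sub-threshold queries still surface. The baseline users, thresholds, business hours and record format are assumptions for the example.

```python
from collections import defaultdict
from datetime import datetime

# Assumed baseline: accounts expected to query the CDR store, a per-query and a per-day
# bulk threshold, and local business hours (07:00-19:59, Monday to Friday).
BASELINE_CDR_USERS = {"billing_etl", "fraud_analyst1"}
BULK_ROWS_PER_QUERY = 5000
BULK_ROWS_PER_DAY = 20000
BUSINESS_HOURS = range(7, 20)

# Constructed CDR audit records: "timestamp user action rows_returned"
SAMPLE_AUDIT = """\
2025-03-03T09:12:44 billing_etl SELECT 1200
2025-03-03T14:30:01 fraud_analyst1 SELECT 85
2025-03-04T02:17:09 svc_backup SELECT 250000
2025-03-05T11:05:33 fraud_analyst1 EXPORT 42000
2025-03-06T10:00:00 fraud_analyst1 SELECT 4000
2025-03-06T10:20:00 fraud_analyst1 SELECT 4500
2025-03-06T10:40:00 fraud_analyst1 SELECT 4800
2025-03-06T11:00:00 fraud_analyst1 SELECT 4900
2025-03-06T11:30:00 fraud_analyst1 SELECT 4700
2025-03-08T10:00:00 billing_etl SELECT 300
"""


def parse_audit(text):
    """Yield (timestamp, user, action, rows) tuples from the constructed audit format."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, rows = line.split()
        yield datetime.fromisoformat(ts), user, action, int(rows)


def event_reasons(ts, user, rows):
    """Per-query checks: unknown account, outside business hours or weekend, bulk result set."""
    reasons = []
    if user not in BASELINE_CDR_USERS:
        reasons.append("unbaselined_account")
    if ts.hour not in BUSINESS_HOURS or ts.weekday() >= 5:
        reasons.append("off_hours")
    if rows >= BULK_ROWS_PER_QUERY:
        reasons.append("bulk_query")
    return reasons


def detect_cdr_anomalies(text):
    """Return per-query alerts in log order, followed by per-user daily-volume alerts."""
    alerts = []
    daily = defaultdict(int)
    for ts, user, action, rows in parse_audit(text):
        reasons = event_reasons(ts, user, rows)
        if reasons:
            alerts.append({"user": user, "time": ts.isoformat(), "action": action,
                           "rows": rows, "reasons": reasons})
        daily[(user, ts.date().isoformat())] += rows
    for (user, day), total in sorted(daily.items()):
        if total >= BULK_ROWS_PER_DAY:
            alerts.append({"user": user, "time": day, "action": "DAILY_TOTAL",
                           "rows": total, "reasons": ["bulk_daily_volume"]})
    return alerts


if __name__ == "__main__":
    for a in detect_cdr_anomalies(SAMPLE_AUDIT):
        print(f"ALERT {a['time']} {a['user']} {a['action']} rows={a['rows']} {','.join(a['reasons'])}")
```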

analyst note — overlap with APT41 and shared tooling

Multiple researchers have noted code-level and TTP-level overlaps between Gallium and APT41 — particularly a shared code signing certificate and tooling similarities documented in connection with Operation Soft Cell. SentinelOne's Operation Tainted Love analysis explicitly raised the possibility of closed-source tool-sharing between Chinese state APT clusters, or the existence of a "digital quartermaster" supplying tools to multiple groups. The PRC's cyber espionage ecosystem includes elements that do not cleanly map to individual, isolated threat actor groups — some tooling, infrastructure, and possibly operational resources appear to be shared across clusters in ways that complicate precise attribution. For defenders, the distinction between Gallium and APT41 matters less than the shared TTP pattern: Exchange exploitation, China Chopper webshells, Mimikatz credential theft, and network-wide lateral movement targeting sensitive data stores.

Sources & Further Reading

Attribution and references used to build this profile.

— end of profile