Security News > 2023 > April > Chinese Hackers Spotted Using Linux Variant of PingPull in Targeted Cyberattacks

The Chinese nation-state group dubbed Alloy Taurus is using a Linux variant of a backdoor called PingPull as well as a new undocumented tool codenamed Sword2033.

Alloy Taurus is the constellation-themed moniker assigned to a threat actor that's known for its attacks targeting telecom companies since at least 2012.

Interestingly, PingPull's parsing of the C2 instructions mirrors that of the China Chopper, a web shell widely used by Chinese threat actors, suggesting that the threat actor is repurposing existing source code to devise custom tools.

The malware's links to Alloy Taurus stems from the fact that the domain resolved to an IP address that was previously identified as an active indicator of compromise associated with a prior campaign targeting companies operating in Southeast Asia, Europe, and Africa.

"Alloy Taurus remains an active threat to telecommunications, finance and government organizations across Southeast Asia, Europe and Africa," Unit 42 said.

"The identification of a Linux variant of PingPull malware, as well as recent use of the Sword2033 backdoor, suggests that the group continues to evolve their operations in support of their espionage activities."

News URL

https://thehackernews.com/2023/04/chinese-hackers-using-pingpull-linux.html