MITRE ATT&CK® Malware

S1031: PingPull

PingPull is a remote access Trojan (RAT) written in Visual C++ that has been used by GALLIUM since at least June 2022. PingPull has been used to target telecommunications companies, financial institutions, and government entities in Afghanistan, Australia, Belgium, Cambodia, Malaysia, Mozambique, the Philippines, Russia, and Vietnam.[1]

Enterprise | S1031 | Malware | Object version 1.0 | Modified: (not shown in this snapshot)
Glexia's Take

Analyst context for executives and security teams

Analyst confidence High

PingPull matters because ATT&CK records it as a Windows remote access Trojan used by GALLIUM against sectors where downtime, data exposure, and trust obligations are high: telecommunications, finance, and government. For leaders, the decision value is not the malware name but whether the organization can prove it would notice a Windows host installing itself as a service under a legitimate-looking name, spawning cmd.exe, discovering system and network information, collecting local data, establishing command-and-control, and exfiltrating over that same channel.

Executive priority

Prioritize validation where PingPull-like behavior could affect business continuity and incident decision-making: Windows endpoint visibility, service creation/change monitoring, command shell activity, outbound network control, and evidence retention for investigations. Organizations in telecom, financial, government, or similarly regulated environments should be able to show audit-ready evidence that remote access malware behaviors are monitored and that response teams can quickly scope local data access and possible exfiltration.

Technical view

MITRE provides no official detection text for PingPull, so defenders should validate coverage through the ATT&CK relationships: Windows Command Shell execution, Windows Service persistence, masqueraded tasks/services, discovery of system, network, files, and directories, local data collection, C2 over web protocols or non-application-layer protocols, non-standard ports, encoded/encrypted C2, timestomping, deobfuscation/decoding, and exfiltration over the C2 channel. Because the malware object platform is Windows, prioritize Windows endpoint and network telemetry while using the related techniques to structure detection engineering and IR playbooks.

Likely telemetry

  • Windows process creation telemetry, especially cmd.exe started by a service process rather than an interactive session, and its child processes tied to discovery (hostname, IP configuration) or file access
  • Windows service creation and modification (System event 7045, Security event 4697), including service binary path, display name, and registry-backed service configuration changes under HKLM\SYSTEM\CurrentControlSet\Services
  • Service and task names and descriptions that imitate legitimate ones (the `iphlpsvc`, `IP Helper`, and `Onedrive` names cited in the relationship table), compared against the binary path the genuine service actually runs
  • Network connection telemetry from Windows hosts: outbound HTTPS on port 8080, ICMP or raw TCP from processes that are not network tools, and Base64-encoded request or response bodies
  • File system metadata, including creation/modification/access timestamp anomalies relevant to timestomping
  • File and directory enumeration activity and access to sensitive local files
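The timestamp anomaly bullet above is concrete enough to script. The following is an added example in Python, not code from the ATT&CK page or from Unit 42's report: it triages $STANDARD_INFORMATION (SI) timestamps, which any process can set through SetFileTime, against $FILE_NAME (FN) timestamps, which only the kernel writes. The `MftRecord` shape, the paths and every timestamp are constructed assumptions standing in for MFT parser output (reduced to microsecond precision; NTFS keeps 100 ns).

```python
"""Triage MFT timestamps for timestomping: SI is writable via SetFileTime, FN is
kernel-maintained. Added example; records below are constructed, not from a real image."""
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List


@dataclass
class MftRecord:
    path: str
    si_created: datetime   # $STANDARD_INFORMATION
    si_modified: datetime
    fn_created: datetime   # $FILE_NAME
    fn_modified: datetime


def timestomp_indicators(rec: MftRecord) -> List[str]:
    reasons = []
    # 1. FN created is set when the name record is made and is not exposed to
    #    SetFileTime, so an SI creation time that predates it was written afterwards.
    if rec.si_created < rec.fn_created:
        reasons.append(f"SI created {rec.si_created} predates FN created {rec.fn_created}")
    # 2. Tools that set timestamps from a human-readable date usually leave the
    #    sub-second part zero, while genuine NTFS timestamps almost never do.
    #    Caveat: files copied from FAT/exFAT media also carry rounded times,
    #    so treat this as a lead, not proof.
    si_whole = rec.si_created.microsecond == 0 and rec.si_modified.microsecond == 0
    fn_fraction = rec.fn_created.microsecond != 0 or rec.fn_modified.microsecond != 0
    if si_whole and fn_fraction:
        reasons.append("SI timestamps are whole seconds while FN timestamps carry a fraction")
    return reasons


def triage(records) -> Dict[str, List[str]]:
    """Map path -> indicators for every record that has at least one."""
    out = {}
    for rec in records:
        indicators = timestomp_indicators(rec)
        if indicators:
            out[rec.path] = indicators
    return out


# Constructed records (assumed values, not from a real image).
SAMPLE = [
    # Genuine system DLL: SI and FN agree and carry sub-second parts.
    MftRecord(r"C:\Windows\System32\iphlpapi.dll",
              datetime(2021, 5, 11, 8, 14, 3, 271004), datetime(2021, 5, 11, 8, 14, 3, 271004),
              datetime(2021, 5, 11, 8, 14, 3, 271004), datetime(2021, 5, 11, 8, 14, 3, 271004)),
    # Dropped binary backdated to blend in with its neighbours: SI copied as whole
    # seconds from the DLL above, FN still shows the real drop time.
    MftRecord(r"C:\Windows\System32\iphlpsvc.exe",
              datetime(2021, 5, 11, 8, 14, 3), datetime(2021, 5, 11, 8, 14, 3),
              datetime(2022, 6, 13, 9, 0, 4, 918233), datetime(2022, 6, 13, 9, 0, 4, 918233)),
    # Ordinary user copy: SI modified is older than FN modified because copy tools
    # preserve mtime. That is normal and must not be flagged.
    MftRecord(r"C:\Users\alice\report.docx",
              datetime(2022, 6, 10, 16, 2, 55, 103400), datetime(2022, 3, 1, 12, 0, 7, 553001),
              datetime(2022, 6, 10, 16, 2, 55, 103400), datetime(2022, 6, 10, 16, 2, 55, 103400)),
]

if __name__ == "__main__":
    for path, reasons in triage(SAMPLE).items():
        print(path)
        for reason in reasons:
            print("  -", reason)
```

Only the dropped executable is flagged, on both checks; the copied document is left alone even though its modified time is older than its FN time, which is the usual false positive when only SI and FN modified times are compared.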

Detection direction

  • Do not rely on a PingPull signature alone; validate behavioral detections mapped to the related techniques, because ATT&CK supplies no official detection guidance for this object.
  • Tune Windows service monitoring (System event 7045, Security event 4697, and changes under HKLM\SYSTEM\CurrentControlSet\Services) for new or modified services whose names or descriptions resemble `iphlpsvc`, `IP Helper`, or `Onedrive` while the binary path is not the one the genuine service runs.
  • Correlate cmd.exe launched by a non-interactive parent (a service binary rather than explorer.exe or a terminal) with discovery commands such as hostname or ipconfig, file enumeration, local data access, and subsequent outbound network connections from the same host or account context.
  • Review egress analytics for HTTPS on port 8080 and other non-standard ports, ICMP or raw TCP from processes that have no business generating them, and request or response bodies that are Base64-encoded, block-aligned, high-entropy data; account for legitimate admin tools and business applications to reduce false positives.
  • Include timestamp manipulation checks in forensic triage (compare $STANDARD_INFORMATION against $FILE_NAME timestamps in the MFT), especially when new binaries or configuration files appear to blend into existing directories.
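One way to implement the service-monitoring, command-shell correlation and egress bullets above as a single host-scoped chain, as an added example in Python (not code from the ATT&CK page or from Unit 42). The event records, host names, the `C:\ProgramData\Update\iphlpsvc.exe` path and the `SERVICE_BASELINE` table are all constructed assumptions; a real deployment would generate the baseline from a golden image and feed Sysmon events 1 (process create), 3 (network connect) and 13 (registry value set) or System event 7045 into it.

```python
"""Chain a masqueraded Windows service to cmd.exe, discovery and egress on one host.
Added example; EVENTS and SERVICE_BASELINE are constructed for illustration."""
from collections import defaultdict
from datetime import datetime, timedelta
from difflib import SequenceMatcher

# Assumed baseline: lower-cased service or display name -> expected ImagePath.
# None means the golden image has no service of that name at all.
SERVICE_BASELINE = {
    "iphlpsvc": r"c:\windows\system32\svchost.exe -k netsvcs -p",
    "ip helper": r"c:\windows\system32\svchost.exe -k netsvcs -p",
    "onedrive": None,
}
SUSPECT_PORTS = {8080}  # HTTPS over 8080 per the T1571 procedure text
DISCOVERY_IMAGES = {"hostname.exe", "ipconfig.exe", "whoami.exe", "systeminfo.exe", "net.exe"}


def binary_of(image_path):
    """Reduce a service ImagePath with quotes/arguments to the bare executable path."""
    p = image_path.strip().strip('"').lower()
    i = p.find(".exe")
    return p[: i + 4] if i != -1 else p.split(" ", 1)[0]


def lookalike(name, candidates, threshold=0.8):
    """Closest baseline name by difflib similarity, or None if nothing is close."""
    name = name.lower()
    if not name:
        return None
    best = max(candidates, key=lambda c: SequenceMatcher(None, name, c).ratio())
    return best if SequenceMatcher(None, name, best).ratio() >= threshold else None


def service_masquerade_reason(ev):
    """T1036.004 on top of T1543.003: a name that imitates a baseline service
    while the binary is not the one the genuine service runs."""
    path = " ".join(ev["ImagePath"].lower().split())
    for field in ("ServiceName", "DisplayName"):
        hit = lookalike(ev.get(field, ""), SERVICE_BASELINE)
        if hit is None:
            continue
        expected = SERVICE_BASELINE[hit]
        if expected is None:
            return f"{field} {ev[field]!r} imitates {hit!r}, which does not exist on the baseline"
        if path != expected:
            return f"{field} {ev[field]!r} imitates {hit!r} but runs {ev['ImagePath']}"
    return None


def correlate(events, window=timedelta(minutes=30)):
    """(host, technique, reason) tuples, in time order, for behaviour chained off a
    masqueraded service on the same host."""
    findings, by_host = [], defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_host[ev["host"]].append(ev)
    for host, evs in by_host.items():
        suspect_bins = {}       # executable path -> install time
        flagged_shells = set()  # ProcessId of cmd.exe spawned by a suspect binary
        for ev in evs:
            t = datetime.fromisoformat(ev["ts"])
            if ev["type"] == "service_installed":
                reason = service_masquerade_reason(ev)
                if reason:
                    suspect_bins[binary_of(ev["ImagePath"])] = t
                    findings.append((host, "T1543.003/T1036.004", reason))
            elif ev["type"] == "process_create":
                image, parent = ev["Image"].lower(), ev["ParentImage"].lower()
                if image.endswith("\\cmd.exe") and parent in suspect_bins \
                        and t - suspect_bins[parent] <= window:
                    flagged_shells.add(ev["ProcessId"])
                    findings.append((host, "T1059.003", f"cmd.exe spawned by {ev['ParentImage']}"))
                elif ev.get("ParentProcessId") in flagged_shells \
                        and image.rsplit("\\", 1)[-1] in DISCOVERY_IMAGES:
                    findings.append((host, "T1082/T1016", f"{ev['CommandLine']!r} run from a flagged shell"))
            elif ev["type"] == "network_connect":
                odd = ev["Protocol"].lower() == "icmp" or ev.get("DestinationPort") in SUSPECT_PORTS
                if ev["Image"].lower() in suspect_bins and odd:
                    findings.append((host, "T1571/T1095", f"{ev['Image']} -> {ev['DestinationIp']} "
                                     f"{ev['Protocol']}/{ev.get('DestinationPort')}"))
    return findings


# Constructed sample events (not real telemetry) in a Sysmon/System-log-like shape.
EVENTS = [
    {"ts": "2022-06-13T09:00:05", "host": "WS01", "type": "service_installed", "ServiceName": "iphlpsvc",
     "DisplayName": "IP Helper", "ImagePath": r"C:\ProgramData\Update\iphlpsvc.exe"},
    {"ts": "2022-06-13T09:01:10", "host": "WS01", "type": "process_create", "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\ProgramData\Update\iphlpsvc.exe", "ProcessId": 4120, "ParentProcessId": 3988, "CommandLine": "cmd.exe"},
    {"ts": "2022-06-13T09:01:12", "host": "WS01", "type": "process_create", "Image": r"C:\Windows\System32\HOSTNAME.EXE",
     "ParentImage": r"C:\Windows\System32\cmd.exe", "ProcessId": 4133, "ParentProcessId": 4120, "CommandLine": "hostname"},
    {"ts": "2022-06-13T09:01:30", "host": "WS01", "type": "network_connect", "Image": r"C:\ProgramData\Update\iphlpsvc.exe",
     "Protocol": "tcp", "DestinationIp": "198.51.100.7", "DestinationPort": 8080},
    # WS02: the genuine IP Helper service, an admin shell from Explorer and a browser on 443.
    {"ts": "2022-06-13T09:00:05", "host": "WS02", "type": "service_installed", "ServiceName": "iphlpsvc",
     "DisplayName": "IP Helper", "ImagePath": r"C:\Windows\System32\svchost.exe -k NetSvcs -p"},
    {"ts": "2022-06-13T09:02:00", "host": "WS02", "type": "process_create", "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "ProcessId": 5000, "ParentProcessId": 1200, "CommandLine": "cmd.exe"},
    {"ts": "2022-06-13T09:02:30", "host": "WS02", "type": "network_connect", "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "Protocol": "tcp", "DestinationIp": "203.0.113.10", "DestinationPort": 443},
]

if __name__ == "__main__":
    for host, technique, reason in correlate(EVENTS):
        print(f"{host} {technique}: {reason}")
```

WS01 produces four chained findings (service, shell, discovery, egress) and WS02 none: the genuine service passes because its ImagePath matches the baseline, the Explorer-spawned cmd.exe has no suspect parent, and the browser's port 443 connection comes from a binary the chain never flagged. The difflib threshold is deliberately loose so that near-misses such as `iphlpsvcs` are caught; tighten it if the baseline contains many similarly named legitimate services.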

Mitigation priorities

  • Ensure managed endpoint detection and response coverage exists on Windows systems likely to hold sensitive operational, financial, telecom, or government data.
  • Harden and monitor Windows service creation/modification paths, including administrative permissions and change-control expectations.
  • Restrict unnecessary outbound connectivity and inspect/log egress through controlled proxies, firewalls, and DNS infrastructure where feasible.
  • Apply least privilege for users and service accounts to reduce the value of command shell execution, local discovery, and local data collection.
  • Maintain incident response procedures for rapid host isolation, service persistence review, C2 scoping, data access analysis, and exfiltration assessment.

Analyst notes and limits

The supplied ATT&CK object identifies PingPull as a Visual C++ Windows RAT and links it to GALLIUM use. The strongest defensive value comes from the relationship set: persistence via Windows services, command execution, discovery, local collection, C2, encoding/encryption, timestomping, and exfiltration over C2. Treat these as validation requirements for SOC, IR, and control assurance programs.

MITRE does not provide official detection text, aliases, labels, or object-level tactics for PingPull in the supplied fields. The object platform is Windows, even though several related techniques list broader platforms; local conclusions should therefore be based on actual Windows endpoint and network evidence. Sector and geography references come from the official description and should not be interpreted as current targeting or customer exposure.

Official MITRE ATT&CK definition


The definition is quoted in full at the top of this page. The same entry is available on attack.mitre.org (MITRE-hosted); in-page technique links use the Glexia ATT&CK library.

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

15 rows. Each procedure cites [1] (Unit 42 PingPull Jun 2022).

Domain | ID | Name | Relationship / procedure
Enterprise | T1571 | Non-Standard Port | PingPull can use HTTPS over port 8080 for C2. [1]
Enterprise | T1083 | File and Directory Discovery | PingPull can enumerate storage volumes and folder contents of a compromised host. [1]
Enterprise | T1005 | Data from Local System | PingPull can collect data from a compromised host. [1]
Enterprise | T1071.001 | Web Protocols (sub-technique) | A PingPull variant can communicate with its C2 servers by using HTTPS. [1]
Enterprise | T1082 | System Information Discovery | PingPull can retrieve the hostname of a compromised host. [1]
Enterprise | T1036.004 | Masquerade Task or Service (sub-technique) | PingPull can mimic the names and descriptions of legitimate services such as `iphlpsvc`, `IP Helper`, and `Onedrive` to evade detection. [1]
Enterprise | T1016 | System Network Configuration Discovery | PingPull can retrieve the IP address of a compromised host. [1]
Enterprise | T1132.001 | Standard Encoding (sub-technique) | PingPull can encode C2 traffic with Base64. [1]
Enterprise | T1543.003 | Windows Service (sub-technique) | PingPull has the ability to install itself as a service. [1]
Enterprise | T1070.006 | Timestomp (sub-technique) | PingPull has the ability to timestomp a file. [1]
Enterprise | T1095 | Non-Application Layer Protocol | PingPull variants have the ability to communicate with C2 servers using ICMP or TCP. [1]
Enterprise | T1059.003 | Windows Command Shell (sub-technique) | PingPull can use `cmd.exe` to run various commands as a reverse shell. [1]
Enterprise | T1140 | Deobfuscate/Decode Files or Information | PingPull can decrypt received data from its C2 server by using AES. [1]
Enterprise | T1041 | Exfiltration Over C2 Channel | PingPull has the ability to exfiltrate stolen victim data through its C2 channel. [1]
Enterprise | T1573.001 | Symmetric Cryptography (sub-technique) | PingPull can use AES, in cipher block chaining (CBC) mode padded with PKCS5, to encrypt C2 server communications. [1]
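The T1132.001 and T1573.001 rows together describe a wire format that can be screened for without knowing the key: PKCS5 padding makes AES-CBC output a multiple of the 16-byte block, and Base64 of it is a string drawn only from the canonical alphabet. The following is an added example in Python, not code from the ATT&CK page or from Unit 42, that scores constructed HTTP bodies on exactly that shape. The sample "ciphertext" is chained SHA-256 output standing in for real AES output, and the length and entropy thresholds are assumptions to tune against your own traffic.

```python
"""Shape check for Base64-over-AES-CBC/PKCS5 C2 bodies (T1132.001 + T1573.001).
Added example; no decryption is attempted and all sample bodies are constructed."""
import base64
import binascii
import hashlib
import math
import re

CANONICAL_B64 = re.compile(r"[A-Za-z0-9+/]+={0,2}")


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant string, 8.0 for a uniform 256-symbol one."""
    n = len(data)
    if n == 0:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def looks_like_aes_cbc_base64(body: str, min_len: int = 64, min_entropy: float = 6.0):
    """Return (verdict, explanation) for one HTTP request or response body."""
    s = body.strip()
    if not CANONICAL_B64.fullmatch(s) or len(s) % 4:
        return False, "not canonical Base64"
    try:
        raw = base64.b64decode(s, validate=True)
    except binascii.Error as exc:
        return False, f"Base64 decode failed: {exc}"
    if len(raw) < min_len:
        return False, f"only {len(raw)} decoded bytes, too short to judge"
    if len(raw) % 16:
        return False, f"{len(raw)} decoded bytes is not a multiple of the AES block size"
    h = shannon_entropy(raw)
    if h < min_entropy:
        return False, f"entropy {h:.2f} bits/byte is too low for ciphertext"
    return True, f"{len(raw)} block-aligned bytes with entropy {h:.2f} bits/byte"


def fake_ciphertext(nbytes: int, seed: bytes = b"constructed") -> bytes:
    """Deterministic pseudo-random bytes standing in for AES-CBC output (not real AES)."""
    out, block = b"", seed
    while len(out) < nbytes:
        block = hashlib.sha256(block).digest()
        out += block
    return out[:nbytes]


# Constructed sample bodies (assumed, not captured traffic).
SAMPLE_BODIES = {
    "cbc_like": base64.b64encode(fake_ciphertext(512)).decode(),
    "json_beacon": '{"host":"WS01","ip":"10.0.0.5"}',
    "b64_plaintext": base64.b64encode(b"hostname=DESKTOP-01;ip=10.0.0.5;" * 16).decode(),
    "b64_unaligned": base64.b64encode(fake_ciphertext(100)).decode(),
}


def scan(bodies):
    """Name -> (verdict, explanation) for every body."""
    return {name: looks_like_aes_cbc_base64(body) for name, body in bodies.items()}


if __name__ == "__main__":
    for name, (verdict, why) in scan(SAMPLE_BODIES).items():
        print(f"{name:14} {'HIT ' if verdict else 'pass'} {why}")
```

Only `cbc_like` scores as a hit; the Base64 plaintext body is block-aligned but has the entropy of ASCII text, and the 100-byte body cannot be padded block-cipher output. Treat a hit as a triage filter rather than an alert: any padded block cipher, encrypted tokens and compressed blobs that were Base64-encoded match the same shape, so combine it with the destination port and the sending process from host telemetry.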

Associated objects

Groups, software, and campaigns

Group Enterprise

G0093: GALLIUM

GALLIUM is a cyberespionage group that has been active since at least 2012, primarily targeting telecommunications companies, financial institutions, and government entities in Afghanistan, Australia, Belgium, Cambodia, Malaysia, Mozambique, the Philippines, Russia, and Vietnam. This group is particularly known for launching Operation Soft Cell, a long-term campaign targeting telecommunications providers.[1] Security researchers have identified GALLIUM as a likely Chinese state-sponsored group, based in part on tools used and TTPs commonly associated with Chinese threat actors.[1][2][3]


Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the Updates page under ATT&CK resources on attack.mitre.org.

ATT&CK release: 19.1
Object version: 1.0
Created: (not shown in this snapshot)
Modified: (not shown in this snapshot)
Raw hash: 977b7cc7edbcda3a...

Imported snapshots across ATT&CK releases (1)
Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | (not shown) | 1.0 | (not shown) | Current bundle | 977b7cc7edbc…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] Unit 42 PingPull Jun 2022: Unit 42. (2022, June 13). GALLIUM Expands Targeting Across Telecommunications, Government and Finance Sectors With New PingPull Tool. Retrieved August 7, 2022.
  2. [2] mitre-attack S1031: MITRE ATT&CK software entry S1031 (PingPull) on attack.mitre.org.

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.