MITRE ATT&CK® Group

G0093: GALLIUM

GALLIUM is a cyberespionage group that has been active since at least 2012, primarily targeting telecommunications companies, financial institutions, and government entities in Afghanistan, Australia, Belgium, Cambodia, Malaysia, Mozambique, the Philippines, Russia, and Vietnam. This group is particularly known for launching Operation Soft Cell, a long-term campaign targeting telecommunications providers.[1] Security researchers have identified GALLIUM as a likely Chinese state-sponsored group, based in part on tools used and TTPs commonly associated with Chinese threat actors.[1][2][3]

Enterprise | G0093 | Group | Object v4.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

GALLIUM, also tracked as Granite Typhoon, matters because MITRE describes it as a long-running cyberespionage group focused on telecommunications, financial institutions, and government entities, with Operation Soft Cell specifically targeting telecom providers. For leaders, the practical issue is not only malware blocking; it is whether identity, Windows administration paths, web server exposure, and internal reconnaissance telemetry are strong enough to detect a patient intrusion before sensitive access or data collection expands.

Executive priority

Prioritize this as an intelligence-driven readiness scenario for organizations in or connected to telecom, finance, and government operations, especially where compromise could affect customer data, lawful-intercept-adjacent infrastructure, national services, or partner trust. Executives should ask whether incident response can rapidly validate credential theft, web shell activity, remote administration misuse, and lateral discovery across critical Windows and server environments, and whether audit evidence proves those controls are monitored rather than merely deployed.

Technical view

ATT&CK does not provide a GALLIUM-specific detection section, so coverage should be validated through the related software and techniques. The relationship set is Windows-heavy and includes credential dumping tools such as Mimikatz and Windows Credential Editor, RATs such as PoisonIvy, PlugX, and PingPull, web shells such as China Chopper and BlackMould for IIS, administrative utilities such as PsExec, Net, Reg, cmd, at, Ping, ipconfig, and NBTscan, plus techniques for LSASS/SAM credential access, local data collection, network and remote system discovery, and obfuscation/packing. SOC teams should test whether these behaviors are visible together as an intrusion pattern, not only as isolated tool signatures.

Likely telemetry

  • Windows endpoint process creation and command-line logs for cmd, net, reg, at, ipconfig, ping, PsExec-like execution, and credential tooling
  • Endpoint security or EDR events for LSASS access, memory dumping behavior, SAM/Registry access, and suspicious credential material handling
  • Windows authentication, service creation, remote execution, and administrative share activity useful for validating lateral movement context
  • Web server and IIS logs, file integrity monitoring, and server-side script creation/modification evidence for China Chopper- or BlackMould-like web shell activity
  • Network telemetry for internal scanning, NBTscan-style discovery, unusual host-to-host connections, proxying behavior, and RAT command-and-control patterns

Detection direction

  • Validate detections against behaviors named in the relationships, especially credential access via LSASS and SAM, web shell persistence on IIS/web servers, internal discovery, and remote administration misuse.
  • Tune carefully for dual-use tools. PsExec, Net, Reg, cmd, at, ping, ipconfig, and NBTscan can be legitimate, so detections should combine user context, host role, command line, parent process, timing, remote source, and sequence of activity.
  • Do not rely only on static malware signatures. The related techniques include obfuscation, software packing, and indicator removal, which make behavior, memory, and execution-context telemetry important.
  • Correlate web server anomalies with downstream Windows activity. A web shell relationship is more material when followed by command execution, credential dumping, discovery, or remote access tooling.
  • Assess blind spots in critical telecom, finance, and government-facing infrastructure: unmanaged servers, weak IIS logging, incomplete command-line capture, limited east-west network visibility, and insufficient retention for long-running investigations.
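The two points above on sequence-based tuning of dual-use tools and on correlating web server anomalies with downstream Windows activity, as an added example that is not Glexia's or MITRE's code: a small correlator over constructed Sysmon-style process-creation events that flags a host only when a web worker spawning a shell, a reg save of the SAM hive, and discovery commands appear together within one window. The stage names, the 30-minute window, and the three-stage threshold are assumptions chosen for illustration.

```python
"""Sequence correlation for the web-shell -> SAM dump -> discovery pattern.

Added example, not Glexia or MITRE code. Events below are constructed
Sysmon-style process-creation records; stage names, window and threshold
are illustrative assumptions, not tuned detection content.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry: host, timestamp, parent image, image, command line.
EVENTS = [
    {"host": "web01", "ts": "2024-03-01T10:00:00", "parent": "w3wp.exe",
     "image": "cmd.exe", "cmdline": "cmd.exe /c whoami"},
    {"host": "web01", "ts": "2024-03-01T10:00:05", "parent": "w3wp.exe",
     "image": "cmd.exe", "cmdline": "cmd.exe /c ipconfig /all"},
    {"host": "web01", "ts": "2024-03-01T10:02:00", "parent": "cmd.exe",
     "image": "reg.exe", "cmdline": "reg save hklm\\sam c:\\windows\\temp\\s.dat"},
    {"host": "web01", "ts": "2024-03-01T10:03:00", "parent": "cmd.exe",
     "image": "netstat.exe", "cmdline": "netstat -oan"},
    # Benign administration on a workstation: interactive shell, discovery only.
    {"host": "wks07", "ts": "2024-03-01T11:00:00", "parent": "explorer.exe",
     "image": "cmd.exe", "cmdline": "cmd.exe"},
    {"host": "wks07", "ts": "2024-03-01T11:00:10", "parent": "cmd.exe",
     "image": "ipconfig.exe", "cmdline": "ipconfig /all"},
]

WEB_PROCESSES = {"w3wp.exe", "httpd.exe", "java.exe"}  # IIS worker, Apache, JBoss/WildFly
SHELLS = {"cmd.exe", "powershell.exe"}
DISCOVERY = ("whoami", "query user", "ipconfig /all", "netstat -oan", "nbtscan", "ping ")

def stage_of(ev):
    """Map one process-creation event to an intrusion stage, or None if unremarkable."""
    cmd = ev["cmdline"].lower()
    image, parent = ev["image"].lower(), ev["parent"].lower()
    if parent in WEB_PROCESSES and image in SHELLS:
        return "webshell_exec"  # web worker spawning a shell (T1505.003 context)
    if image == "reg.exe" and "save" in cmd and ("hklm\\sam" in cmd or "hklm\\security" in cmd):
        return "sam_dump"       # reg save of SAM/SECURITY hives (T1003.002)
    if any(k in cmd for k in DISCOVERY):
        return "discovery"      # T1033 / T1016 / T1049 / T1018 style commands
    return None

def correlate(events, window_minutes=30, min_stages=3):
    """Return {host: sorted stages} for hosts with >= min_stages distinct stages in a window."""
    per_host = defaultdict(list)
    for ev in events:
        stage = stage_of(ev)
        if stage:
            per_host[ev["host"]].append((datetime.fromisoformat(ev["ts"]), stage))
    hits = {}
    for host, items in per_host.items():
        items.sort()
        for i, (start, _) in enumerate(items):
            stages = {s for t, s in items[i:] if t - start <= timedelta(minutes=window_minutes)}
            if len(stages) >= min_stages:
                hits[host] = sorted(stages)
                break
    return hits

if __name__ == "__main__":
    print(correlate(EVENTS))
```

The workstation host never trips the rule because a single discovery command from an interactive shell is one stage, not a sequence; only the host where the web worker, credential access, and discovery chain together is reported.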

Mitigation priorities

  • Start with identity hardening: reduce standing administrative privileges, protect privileged sessions, and ensure rapid investigation paths for LSASS/SAM credential access indicators.
  • Harden and monitor exposed web servers, especially IIS where relevant, with file integrity monitoring, least privilege for service accounts, and timely review of unexpected server-side scripts or command execution.
  • Constrain administrative tooling by policy and monitoring rather than assuming it is benign; require justification and alerting for remote execution, service creation, and unusual command-line administration.
  • Improve endpoint and server telemetry collection before incident response is needed, including command line, process ancestry, authentication, registry, memory-access, and web logs with sufficient retention.
  • Use threat intelligence to drive scoped hunting for the named tools and behaviors, but validate findings against local baselines to reduce false positives from legitimate administration.

Analyst notes and limits

This take is based on MITRE ATT&CK G0093 version 4.0 and the supplied relationships. The strongest decision value comes from the combination of target-sector context, long-running espionage framing, and related tooling that emphasizes credential theft, remote access, web shells, discovery, and Windows administration misuse. Researcher attribution is described by MITRE as likely Chinese state-sponsored; it should be treated as intelligence context, not as proof for any local incident.

MITRE provides no official detection text, no platforms or tactics on the group object itself, and the supplied relationship snippets do not include full procedure examples. Local exposure, active targeting, control effectiveness, and detection coverage cannot be inferred from ATT&CK alone and require environment-specific telemetry, baselines, and investigation results.

Official MITRE ATT&CK definition


View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

31 rows
Domain ID Name Relationship / procedure
Enterprise T1059.003 Windows Command Shell Sub-technique

GALLIUM used the Windows command shell to execute commands.[1]

Enterprise T1003.002 Security Account Manager Sub-technique

GALLIUM used reg commands to dump specific hives from the Windows Registry, such as the SAM hive, and obtain password hashes.[1]

Enterprise T1078 Valid Accounts

GALLIUM leveraged valid accounts to maintain access to a victim network.[1]

Enterprise T1053.005 Scheduled Task Sub-technique

GALLIUM established persistence for PoisonIvy by creating a scheduled task.[1]

Enterprise T1027 Obfuscated Files or Information

GALLIUM used a modified version of HTRAN in which they obfuscated strings such as debug messages in an apparent attempt to evade detection.[1]

Enterprise T1553.002 Code Signing Sub-technique

GALLIUM has used stolen certificates to sign its tools including those from Whizzimo LLC.[2]

Enterprise T1041 Exfiltration Over C2 Channel

GALLIUM used Web shells and HTRAN for C2 and to exfiltrate data.[1]

Enterprise T1005 Data from Local System

GALLIUM collected data from the victim's local system, including password hashes from the SAM hive in the Registry.[1]

Enterprise T1574.001 DLL Sub-technique

GALLIUM used DLL side-loading to covertly load PoisonIvy into memory on the victim machine.[1]

Enterprise T1588.002 Tool Sub-technique

GALLIUM has used a variety of widely-available tools, which in some cases they modified to add functionality and/or subvert antimalware solutions.[2]

Enterprise T1047 Windows Management Instrumentation

GALLIUM used WMI for execution to assist in lateral movement as well as for installing tools across multiple assets.[1]

Enterprise T1136.002 Domain Account Sub-technique

GALLIUM created high-privileged domain user accounts to maintain access to victim networks.[1][2]

Enterprise T1583.004 Server Sub-technique

GALLIUM has used Taiwan-based servers that appear to be exclusive to GALLIUM.[2]

Enterprise T1133 External Remote Services

GALLIUM has used VPN services, including SoftEther VPN, to access and maintain persistence in victim environments.[1][2]

Enterprise T1027.002 Software Packing Sub-technique

GALLIUM packed some payloads using different types of packers, both known and custom.[1]

Enterprise T1505.003 Web Shell Sub-technique

GALLIUM used Web shells to persist in victim environments and assist in execution and exfiltration.[1][2]

Enterprise T1003.001 LSASS Memory Sub-technique

GALLIUM used a modified version of Mimikatz along with a PowerShell-based Mimikatz to dump credentials on the victim machines.[1][2]

Enterprise T1560.001 Archive via Utility Sub-technique

GALLIUM used WinRAR to compress and encrypt stolen data prior to exfiltration.[1][2]

Enterprise T1059.001 PowerShell Sub-technique

GALLIUM used PowerShell for execution to assist in lateral movement as well as for dumping credentials stored on compromised machines.[1]

Enterprise T1570 Lateral Tool Transfer

GALLIUM has used PsExec to move laterally between hosts in the target network.[2]

Enterprise T1027.005 Indicator Removal from Tools Sub-technique

GALLIUM ensured each payload had a unique hash, including by using different types of packers.[1]

Enterprise T1090.002 External Proxy Sub-technique

GALLIUM used a modified version of HTRAN to redirect connections between networks.[1]

Enterprise T1049 System Network Connections Discovery

GALLIUM used netstat -oan to obtain information about the victim network connections.[1]

Enterprise T1074.001 Local Data Staging Sub-technique

GALLIUM compressed and staged files in multi-part archives in the Recycle Bin prior to exfiltration.[1]

Enterprise T1033 System Owner/User Discovery

GALLIUM used whoami and query user to obtain information about the victim user.[1]

Enterprise T1190 Exploit Public-Facing Application

GALLIUM exploited publicly-facing servers, including WildFly/JBoss servers, to gain access to the network.[1][2]

Enterprise T1016 System Network Configuration Discovery

GALLIUM used ipconfig /all to obtain information about the victim network configuration. The group also ran a modified version of NBTscan to identify available NetBIOS name servers.[1]

Enterprise T1105 Ingress Tool Transfer

GALLIUM dropped additional tools to victims during their operation, including portqry.exe, a renamed cmd.exe file, WinRAR, and HTRAN.[1][2]

Enterprise T1018 Remote System Discovery

GALLIUM used a modified version of NBTscan to identify available NetBIOS name servers over the network as well as ping to identify remote systems.[1]

Enterprise T1550.002 Pass the Hash Sub-technique

GALLIUM used dumped hashes to authenticate to other machines via pass the hash.[1]

Enterprise T1036.003 Rename Legitimate Utilities Sub-technique

GALLIUM used a renamed cmd.exe file to evade detection.[1]

Associated objects

Groups, software, and campaigns

Tool Enterprise

S0100: ipconfig

ipconfig is a Windows utility that can be used to find information about a system's TCP/IP, DNS, DHCP, and adapter configuration. [1]

Tool Enterprise

S0097: Ping

Ping is an operating system utility commonly used to troubleshoot and verify network connections. [1]

Tool Enterprise

S0106: cmd

cmd is the Windows command-line interpreter that can be used to interact with systems and execute other processes and utilities. [1]

Cmd.exe contains native functionality to perform many operations to interact with the system, including listing files in a directory (e.g., dir [2]), deleting files (e.g., del [3]), and copying files (e.g., copy [4]).

Windows
Tool Enterprise

S0110: at

at is used to schedule tasks on a system to run at a specified date or time.[1][2]

Linux, Windows, macOS
Malware Enterprise

S1031: PingPull

PingPull is a remote access Trojan (RAT) written in Visual C++ that has been used by GALLIUM since at least June 2022. PingPull has been used to target telecommunications companies, financial institutions, and government entities in Afghanistan, Australia, Belgium, Cambodia, Malaysia, Mozambique, the Philippines, Russia, and Vietnam.[1]

Windows
Tool Enterprise

S0002: Mimikatz

Mimikatz is a credential dumper capable of obtaining plaintext Windows account logins and passwords, along with many other features that make it useful for testing the security of networks. [1] [2]

Windows
Tool Enterprise

S0039: Net

The Net utility is a component of the Windows operating system. It is used in command-line operations for control of users, groups, services, and network connections. [1]

Net has a great deal of functionality, [2] much of which is useful for an adversary, such as gathering system and network information for Discovery, moving laterally through SMB/Windows Admin Shares using net use commands, and interacting with services. The net1.exe utility is executed for certain functionality when net.exe is run and can be used directly in commands such as net1 user.

Windows
Tool Enterprise

S0075: Reg

Reg is a Windows utility used to interact with the Windows Registry. It can be used at the command-line interface to query, add, modify, and remove information. [1]

Utilities such as Reg are known to be used by persistent threats. [2]

Windows
Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release: 19.1
Object version: 4.0
Created
Modified
Raw hash: f7f0b61608b53120...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 4.0 | | Current bundle | f7f0b61608b5…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] Cybereason Soft Cell June 2019: Cybereason Nocturnus. (2019, June 25). Operation Soft Cell: A Worldwide Campaign Against Telecommunications Providers. Retrieved July 18, 2019.
  2. [2] Microsoft GALLIUM December 2019: MSTIC. (2019, December 12). GALLIUM: Targeting global telecom. Retrieved January 13, 2021.
  3. [3] Unit 42 PingPull Jun 2022: Unit 42. (2022, June 13). GALLIUM Expands Targeting Across Telecommunications, Government and Finance Sectors With New PingPull Tool. Retrieved August 7, 2022.
  4. [4] GALLIUM (alias reference; citation: Microsoft GALLIUM December 2019)
  5. [5] Granite Typhoon (alias reference; citation: Microsoft Threat Actor Naming July 2023)
  6. [6] Microsoft Threat Actor Naming July 2023: Microsoft. (2023, July 12). How Microsoft names threat actors. Retrieved November 17, 2023.
  7. [7] mitre-attack G0093 (MITRE ATT&CK source record)
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.