The PolySwarm Blog

Analyze suspicious files and URLs, at scale, millions of times per day. Get real-time threat intel from a crowdsourced network of security experts and antivirus companies competing to protect you.

PingPull Linux Variant

May 8, 2023 3:05:38 PM / by The Hivemind

pingpullRelated Families: Sword2033

Executive Summary

China nexus threat actor group Gallium was recently observed using a new Linux variant of PingPull in an espionage campaign.

Key Takeaways

  • Gallium was recently observed using a new Linux variant of PingPull.
  • The sample was identified as PingPull due to its similarities to the Windows variant.
  • Gallium is also using Sword2033 backdoor.
  • The threat actors appear to be expanding their operational capabilities in 2023.

What is the PingPull Linux Variant?

Researchers from Palo Alto’s Unit 42 recently reported on a new Linux variant of PingPull. PingPull is a RAT used by the China nexus threat actor group Gallium. The original PingPull variant targeting Windows was first noted in September 2021. PingPull is a RAT that uses ICMP for C2. The Linux variant uses OpenSSL to interact with the C2 over HTTPS.

The Linux variant of PingPull was identified as a PingPull variant due to matching HTTP communication structure, POST parameters, and the AES key and C2 commands used. PingPull for Linux gives the threat actors the ability to list, read, write, copy, rename, and delete files. It also gives them the ability to run commands.

Unit 42 researchers noted several of the HTTP parameters used in the PingPull Linux variant align with commands used in the China Chopper webshell.

What is Sword2033?

Unit 42 researchers also included details on Sword2033, another tool in Gallium’s arsenal. Sword2033 is a backdoor that connects over port 8443 over HTTPS. Sword2033 allows threat actors to upload and download files from the victim machine and execute commands. Sword2033 also targets Linux systems.

Who is Gallium?

Gallium, also known as Alloy Taurus and Operation Soft Cell, is a China nexus threat actor group known to target telecommunications, financial, and government entities. The group has been active since at least 2012, and their primary objective is espionage. Gallium’s TTPs overlap with several other China nexus threat actor groups. TTPs include using actor-controlled servers based in Taiwan, PoisonIvy RAT, HTRAN, China Chopper, BlackMould, PlugX, PingPull, and Sword2033. Unit 42 researchers noted the new PingPull variant and Sword2033 seem to indicate Gallium is expanding its operational capabilities.


PolySwarm has a sample of the PingPull Linux variant.




You can use the following CLI command to search for all PingPull samples in our portal:

$ polyswarm link list -f PingPull


PolySwarm has multiple samples of Sword2033.





You can use the following CLI command to search for all xx samples in our portal:

$ polyswarm link list -f Sword2033


Don’t have a PolySwarm account? Go here to sign up for a free Community plan or to subscribe.

Contact us at | Check out our blog | Subscribe to our reports


Topics: Threat Bulletin, Espionage, China, PingPull, Gallium, RAT, Sword2033

The Hivemind

Written by The Hivemind

Subscribe to Email Updates

Lists by Topic

see all

Posts by Topic

See all

Recent Posts