Sequretek Advisory - GALLIUM APT Group Uses a New Remote Access Trojan, PingPull

The threat actor GALLIUM, associated with attacks on telecom networks, has been observed using a new remote access trojan named PingPull.

• Security researchers at Unit 42 have been monitoring the APT group GALLIUM. This threat actor is assessed to be a Chinese state-sponsored group.

• The attacker is an active threat to telecommunications, finance and government organizations across Southeast Asia, Europe and Africa. Over the past year the group has carried out targeted attacks impacting nine nations.

• This group has deployed a remote access trojan, called PingPull, in support of its espionage activities. The malware uses multiple channels to communicate with its command and control (C2) infrastructure, receive commands, and provide remote access to affected systems.

• PingPull can use three protocols (ICMP, HTTP(S) and raw TCP) for C2. Most organizations do not monitor ICMP traffic on their networks, so the ICMP channel makes the communication between the malware and its C2 harder to detect.

