Clankerusecase
Threat-actor profile
 ← Back to main site
Home/ Threat Actors/ GALLIUM

🇨🇳GALLIUM

🇨🇳 GALLIUM is a tracked threat actor in the Clankerusecase corpus. CN-aligned. Primary motivation: State. We map 14 detection use cases to this actor across 31 MITRE ATT&CK techniques, with 0 threat-intel articles citing them.

View full actor card → All threat actors MITRE ATT&CK group spec (G0093) ↗
14Use cases
0Articles
31Techniques
0IOCs

About this actor (MITRE)

[GALLIUM](https://attack.mitre.org/groups/G0093) is a cyberespionage group that has been active since at least 2012, primarily targeting telecommunications companies, financial institutions, and government entities in Afghanistan, Australia, Belgium, Cambodia, Malaysia, Mozambique, the Philippines, Russia, and Vietnam. This group is particularly known for launching Operation Soft Cell, a long-term campaign targeting telecommunications providers.(Citation: Cybereason Soft Cell June 2019) Security researchers have identified [GALLIUM](https://attack.mitre.org/groups/G0093) as a likely Chinese st

Known aliases

GALLIUMGranite Typhoon

Top techniques

T1003.001 · LSASS MemoryT1003.002 · Security Account ManagerT1005 · Data from Local System

All other tracked techniques

T1016 · System Network Configuration DiscoveryT1018 · Remote System DiscoveryT1027 · Obfuscated Files or InformationT1027.002 · Software PackingT1027.005 · Indicator Removal from ToolsT1033 · System Owner/User DiscoveryT1036.003 · Rename Legitimate UtilitiesT1041 · Exfiltration Over C2 ChannelT1047 · Windows Management InstrumentationT1049 · System Network Connections DiscoveryT1053.005 · Scheduled TaskT1059.001 · PowerShellT1059.003 · Windows Command ShellT1074.001 · Local Data StagingT1078 · Valid AccountsT1090.002 · External ProxyT1105 · Ingress Tool TransferT1133 · External Remote ServicesT1136.002 · Domain AccountT1190 · Exploit Public-Facing ApplicationT1505.003 · Web ShellT1550.002 · Pass the HashT1553.002 · Code SigningT1560.001 · Archive via UtilityT1570 · Lateral Tool TransferT1574.001 · DLLT1583.004 · ServerT1588.002 · Tool

Detection use cases (14)

GALLIUM (Operation Soft Cell) China Chopper webshell — w3wp.exe spawning cmd/PowerShell recon on telco IIS/Exchange servers AI · profile SΣ GALLIUM credential-store dump (NTDS/SAM) followed by WinRAR password-protected staging AI · profile S 1Password impossible-travel sign-in MITRE match Auth-Bypass on Public-Facing Service → Post-Exploit Action on Same Host (≤10 min) MITRE match Brand-Impersonation Domain Fetch Followed by User-Context Loader Within 10 Minutes MITRE match Cross-category credential-store enumeration with rapid egress to anonymizing tunnel/CDN MITRE match Cross-Platform ClickFix Paste-to-Pipe Loader (UI-Parent Shell with Decode-and-Execute Payload) MITRE match Developer/Data-tooling Daemon Spawns Shell Child Seconds After POST to Runner/Exec Endpoint MITRE match Edge-service post-exploitation chain: internet-facing daemon → child shell or token redemption within 10 min of external request MITRE match Internet-Facing Service Process Spawning Unix Shell or Ingress-Tool LOLBin (Edge Zero-Day Post-Exploit) MITRE match Internet-facing service process spawns shell/LOLBin within minutes of public inbound connection — post-RCE command execution MITRE match Low-Code / AI Workflow Runtime Sandbox-Escape — Server Process Spawns Shell + Public Egress MITRE match Non-Browser Process Reads Browser Credential / Cookie SQLite Then Egresses to Public Destination Within 10 Minutes MITRE match npm/yarn/pnpm Install-Hook Spawn → Credential-Store Read or Worm-Payload Drop in node_modules MITRE match