PingPull

PingPull is a remote access Trojan (RAT) written in Visual C++ that has been used by GALLIUM since at least June 2022. PingPull has been used to target telecommunications companies, financial institutions, and government entities in Afghanistan, Australia, Belgium, Cambodia, Malaysia, Mozambique, the Philippines, Russia, and Vietnam.[1]

ID: S1031
Type: MALWARE
Platforms: Windows
Contributors: Yoshihiro Kori, NEC Corporation; Pooja Natarajan, NEC Corporation India; Manikantan Srinivasan, NEC Corporation India
Version: 1.0
Created: 09 August 2022
Last Modified: 16 April 2025

Techniques Used

| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1071.001 | Application Layer Protocol: Web Protocols | A PingPull variant can communicate with its C2 servers by using HTTPS.[1] |
| Enterprise | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | PingPull can use cmd.exe to run various commands as a reverse shell.[1] |
| Enterprise | T1543.003 | Create or Modify System Process: Windows Service | PingPull has the ability to install itself as a service.[1] |
| Enterprise | T1132.001 | Data Encoding: Standard Encoding | |