
Threat Actor Characterization

Gallium


ID: 8014955b9c7b4786655dde7ee3cff60549571
Classification: Cybercrime, State-Sponsored
Threat types: Intrusion, Espionage, Malware
Attributed origin: China
Operation zone: Afghanistan (AFG), Australia (AUS), Belgium (BEL), Cambodia (KHM), Malaysia (MYS), Mozambique (MOZ), Philippines (PHL), Russia (RUS), Vietnam (VNM)
Updated: 2026-01-13
Created: 2025-10-21
Profile progress: 43%, completeness: 40%, freshness: 50%
Aliases: none registered.
MITRE ATT&CK®

GALLIUM is a cyberespionage group that has been active since at least 2012, primarily targeting telecommunications companies, financial institutions, and government entities in Afghanistan, Australia, Belgium, Cambodia, Malaysia, Mozambique, the Philippines, Russia, and Vietnam. This group is particularly known for launching Operation Soft Cell, a long-term campaign targeting telecommunications providers. Security researchers have identified GALLIUM as a likely Chinese state-sponsored group, based in part on tools used and TTPs commonly associated with Chinese threat actors. Ref: https://attack.mitre.org/groups/G0093/


Techniques, tactics and evidence (evidence statements as recorded in the MITRE ATT&CK G0093 entry cited above):
T1003.001  OS Credential Dumping: LSASS Memory  (TA0006 Credential Access)
  • GALLIUM used a modified version of Mimikatz along with a PowerShell-based Mimikatz to dump credentials on the victim machines.
T1003.002  OS Credential Dumping: Security Account Manager  (TA0006 Credential Access)
  • GALLIUM used reg commands to dump specific hives from the Windows Registry, such as the SAM hive, and obtain password hashes.
T1027.002  Obfuscated Files or Information: Software Packing  (TA0005 Defense Evasion)
  • GALLIUM packed some payloads using different types of packers, both known and custom.
T1027.005  Obfuscated Files or Information: Indicator Removal from Tools  (TA0005 Defense Evasion)
  • GALLIUM ensured each payload had a unique hash, including by using different types of packers.
T1036.003  Masquerading: Rename Legitimate Utilities  (TA0005 Defense Evasion)
  • GALLIUM used a renamed cmd.exe file to evade detection.
T1053.005  Scheduled Task/Job: Scheduled Task  (TA0002 Execution, TA0003 Persistence, TA0004 Privilege Escalation)
  • GALLIUM established persistence for PoisonIvy by creating a scheduled task.
T1059.001  Command and Scripting Interpreter: PowerShell  (TA0002 Execution)
  • GALLIUM used PowerShell for execution to assist in lateral movement as well as for dumping credentials stored on compromised machines.
T1059.003  Command and Scripting Interpreter: Windows Command Shell  (TA0002 Execution)
  • GALLIUM used the Windows command shell to execute commands.
T1074.001  Data Staged: Local Data Staging  (TA0009 Collection)
  • GALLIUM compressed and staged files in multi-part archives in the Recycle Bin prior to exfiltration.
T1090.002  Proxy: External Proxy  (TA0011 Command and Control)
  • GALLIUM used a modified version of HTRAN to redirect connections between networks.
T1136.002  Create Account: Domain Account  (TA0003 Persistence)
  • GALLIUM created high-privileged domain user accounts to maintain access to victim networks.
T1505.003  Server Software Component: Web Shell  (TA0003 Persistence)
  • GALLIUM used web shells to persist in victim environments and assist in execution and exfiltration.
T1550.002  Use Alternate Authentication Material: Pass the Hash  (TA0005 Defense Evasion, TA0008 Lateral Movement)
  • GALLIUM used dumped hashes to authenticate to other machines via pass the hash.
T1553.002  Subvert Trust Controls: Code Signing  (TA0005 Defense Evasion)
  • GALLIUM has used stolen certificates to sign its tools, including certificates from Whizzimo LLC.
T1560.001  Archive Collected Data: Archive via Utility  (TA0009 Collection)
  • GALLIUM used WinRAR to compress and encrypt stolen data prior to exfiltration.
T1574.001  Hijack Execution Flow: DLL  (TA0003 Persistence, TA0004 Privilege Escalation, TA0005 Defense Evasion)
  • GALLIUM used DLL side-loading to covertly load PoisonIvy into memory on the victim machine.
T1583.004  Acquire Infrastructure: Server  (TA0042 Resource Development)
  • GALLIUM has used Taiwan-based servers that appear to be exclusive to GALLIUM.
T1588.002  Obtain Capabilities: Tool  (TA0042 Resource Development)
  • GALLIUM has used a variety of widely available tools, which in some cases it modified to add functionality and/or subvert antimalware solutions.
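Added hunting example (editor-supplied code, not from this profile, the platform, or MITRE): a small rule set that checks Sysmon-style process-creation and file-creation records for five of the host-level techniques in the list above (T1003.002 hive export via reg, T1036.003 renamed cmd.exe, T1053.005 scheduled task creation, T1136.002 domain user / Domain Admins changes, and T1074.001 with T1560.001 RAR volumes staged under $Recycle.Bin), then ranks hosts by how many distinct techniques they tripped. The Event field names, hostnames, paths and command lines are assumptions constructed for the example. Because the group is recorded as renaming utilities, the rules match on the PE OriginalFileName as well as the on-disk name.

```python
from __future__ import annotations
import re
from dataclasses import dataclass
from typing import Callable, Iterable

@dataclass
class Event:
    """Minimal Sysmon-style record (assumed shape, not a real schema).
    event_id 1 = process creation, 11 = file creation."""
    event_id: int
    host: str
    image: str = ""               # full path of the process that ran / wrote the file
    original_file_name: str = ""  # OriginalFileName from the PE version resource
    command_line: str = ""
    target_filename: str = ""     # path written, for file-creation events

def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def _is(e: Event, *names: str) -> bool:
    """Match the on-disk name or the PE OriginalFileName, so a renamed copy still matches."""
    return _basename(e.image) in names or e.original_file_name.lower() in names

def sam_hive_export(e: Event) -> bool:
    """T1003.002: reg.exe writing the SAM, SECURITY or SYSTEM hive to a file."""
    return (e.event_id == 1 and _is(e, "reg.exe")
            and re.search(r"\bsave\s+hklm\\(sam|security|system)\b",
                          e.command_line, re.I) is not None)

def renamed_cmd(e: Event) -> bool:
    """T1036.003: PE metadata says cmd.exe but the on-disk name is something else."""
    return (e.event_id == 1 and e.original_file_name.lower() == "cmd.exe"
            and _basename(e.image) != "cmd.exe")

def scheduled_task_created(e: Event) -> bool:
    """T1053.005: schtasks.exe registering a new task."""
    return (e.event_id == 1 and _is(e, "schtasks.exe")
            and re.search(r"/create\b", e.command_line, re.I) is not None)

def privileged_domain_account(e: Event) -> bool:
    """T1136.002: net.exe/net1.exe adding a domain user or a Domain Admins member."""
    if e.event_id != 1 or not _is(e, "net.exe", "net1.exe"):
        return False
    cl = e.command_line.lower()
    return "/add" in cl and "/domain" in cl and (" user " in cl or "domain admins" in cl)

def recycle_bin_archive(e: Event) -> bool:
    """T1074.001 / T1560.001: a RAR volume (split or not) written under $Recycle.Bin."""
    return (e.event_id == 11
            and re.search(r"\\\$recycle\.bin\\", e.target_filename, re.I) is not None
            and re.search(r"\.(rar|r\d{2})$", e.target_filename, re.I) is not None)

RULES: list[tuple[str, Callable[[Event], bool]]] = [
    ("T1003.002", sam_hive_export),
    ("T1036.003", renamed_cmd),
    ("T1053.005", scheduled_task_created),
    ("T1136.002", privileged_domain_account),
    ("T1074.001", recycle_bin_archive),
]

def hunt(events: Iterable[Event]) -> list[tuple[str, str, str]]:
    """Return (technique, host, evidence) for every event that trips a rule."""
    hits = []
    for e in events:
        for technique, rule in RULES:
            if rule(e):
                hits.append((technique, e.host, e.command_line or e.target_filename))
    return hits

def rank_hosts(hits: list[tuple[str, str, str]]) -> list[tuple[str, set[str]]]:
    """Group hits by host; a host tripping several distinct techniques surfaces first."""
    by_host: dict[str, set[str]] = {}
    for technique, host, _ in hits:
        by_host.setdefault(host, set()).add(technique)
    return sorted(by_host.items(), key=lambda kv: -len(kv[1]))

# Constructed sample telemetry: two benign events mixed with the activity the rules target.
SAMPLE_EVENTS = [
    Event(1, "ws-14", image=r"C:\Windows\System32\reg.exe", original_file_name="reg.exe",
          command_line=r'reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v ProductName'),
    Event(1, "srv-db-02", image=r"C:\Windows\System32\reg.exe", original_file_name="reg.exe",
          command_line=r"reg save HKLM\SAM C:\Windows\Temp\sam.hiv"),
    Event(1, "srv-db-02", image=r"C:\ProgramData\svchost.exe", original_file_name="Cmd.Exe",
          command_line=r"C:\ProgramData\svchost.exe /c whoami"),
    Event(1, "ws-14", image=r"C:\Windows\System32\cmd.exe", original_file_name="Cmd.Exe",
          command_line="cmd.exe /c dir"),
    Event(1, "srv-db-02", image=r"C:\Windows\System32\schtasks.exe", original_file_name="schtasks.exe",
          command_line=r'schtasks /create /tn "Update" /tr C:\ProgramData\up.exe /sc onlogon'),
    Event(1, "dc-01", image=r"C:\Windows\System32\net1.exe", original_file_name="net1.exe",
          command_line='net1 group "Domain Admins" svc_backup /add /domain'),
    Event(11, "srv-db-02", image=r"C:\ProgramData\rar.exe",
          target_filename=r"C:\$Recycle.Bin\S-1-5-21-1004-500\out.part03.rar"),
    Event(11, "ws-14", image=r"C:\Windows\explorer.exe",
          target_filename=r"C:\Users\alice\Downloads\report.rar"),
]

if __name__ == "__main__":
    for host, techniques in rank_hosts(hunt(SAMPLE_EVENTS)):
        print(host, sorted(techniques))
```

Each rule on its own is noisy (administrators also export hives and register tasks); the signal in this group's tradecraft is the overlap of several techniques on one host within a short window, which is what rank_hosts surfaces. The remaining techniques in the list need different telemetry: PowerShell-based Mimikatz needs script block logging, pass-the-hash needs logon events on the target, and HTRAN proxies and web shells need network and web server logs.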