
OSINT - GALLIUM: Targeting global telecom

Severity: High
Category: Malware
Tags: misp-galaxy:malpedia="htran", misp-galaxy:mitre-enterprise-attack-tool="htran", misp-galaxy:mitre-enterprise-attack-tool="htran - s0040", misp-galaxy:mitre-tool="htran", misp-galaxy:mitre-tool="htran - s0040", misp-galaxy:tool="htran", misp-galaxy:malpedia="mimikatz", misp-galaxy:mitre-enterprise-attack-tool="mimikatz", misp-galaxy:mitre-enterprise-attack-tool="mimikatz - s0002", misp-galaxy:mitre-tool="mimikatz", misp-galaxy:mitre-tool="mimikatz - s0002", misp-galaxy:tool="mimikatz", misp-galaxy:mitre-enterprise-attack-tool="psexec", misp-galaxy:mitre-enterprise-attack-tool="psexec - s0029", misp-galaxy:mitre-tool="psexec", misp-galaxy:mitre-tool="psexec - s0029", misp-galaxy:tool="psexec", misp-galaxy:mitre-enterprise-attack-tool="windows credential editor", misp-galaxy:mitre-enterprise-attack-tool="windows credential editor - s0005", misp-galaxy:mitre-tool="windows credential editor", misp-galaxy:mitre-tool="windows credential editor - s0005", misp-galaxy:tool="windows credential editor", type:osint, osint:lifetime="perpetual", tlp:white, osint:source-type="blog-post", misp-galaxy:mitre-enterprise-attack-malware="china chopper", misp-galaxy:mitre-enterprise-attack-malware="china chopper - s0020", misp-galaxy:mitre-malware="china chopper", misp-galaxy:mitre-malware="china chopper - s0020", misp-galaxy:tool="china chopper", misp-galaxy:malpedia="poison ivy", misp-galaxy:mitre-enterprise-attack-malware="poisonivy", misp-galaxy:mitre-enterprise-attack-malware="poisonivy - s0012", misp-galaxy:mitre-malware="poisonivy", misp-galaxy:mitre-malware="poisonivy - s0012", misp-galaxy:rat="poisonivy", misp-galaxy:tool="poison ivy", misp-galaxy:tool="poisonivy", misp-galaxy:microsoft-activity-group="gallium", misp-galaxy:tool="netcat", misp-galaxy:tool="nbtscan"
Published: Thu Dec 12 2019 (12/12/2019, 00:00:00 UTC)
Source: CIRCL
Vendor/Project: misp-galaxy
Product: malpedia

Description

TrojanDropper:Win32/BlackMould.A!dha Trojan:Win32/BlackMould.B!dha Trojan:Win32/QuarkBandit.A!dha Trojan:Win32/Sidelod.A!dha

AI-Powered Analysis

AI analysis last updated: 06/25/2025, 19:11:44 UTC

Technical Analysis

The threat identified as 'GALLIUM: Targeting global telecom' involves a suite of malware tools and trojans primarily targeting telecommunications organizations worldwide. The malware family includes TrojanDropper:Win32/BlackMould variants (A and B), Trojan:Win32/QuarkBandit.A, and Trojan:Win32/Sidelod.A, which are known for their capability to deliver and execute payloads stealthily within compromised systems. The campaign is attributed to the threat actor group known as GALLIUM, which is recognized for sophisticated cyber espionage operations. The tools and malware associated with this threat include well-known post-exploitation and lateral movement utilities: HTRAN (a proxy tool used to tunnel traffic and obfuscate command and control communications), Mimikatz (credential dumping), PsExec (remote execution), Windows Credential Editor (credential manipulation), China Chopper (a lightweight web shell), Poison Ivy (a remote access trojan), Netcat (network utility), and NBTScan (network scanner). Together these tools enable attackers to gain initial access, escalate privileges, move laterally within networks, maintain persistence, and exfiltrate sensitive data. The attack methodology likely involves initial compromise via spear-phishing or exploitation of vulnerabilities, followed by deployment of these tools to establish control over telecom infrastructure. The campaign's focus on global telecom operators suggests targeting of critical communication infrastructure to conduct espionage, data theft, or potentially disrupt services. Microsoft has acknowledged this threat and released patches addressing vulnerabilities exploited by GALLIUM, emphasizing the importance of timely patching. Although no exploits are currently known to be active in the wild, the availability of these tools and malware indicates a high-risk environment for telecom entities. The threat leverages multiple sophisticated tools to compromise the confidentiality, integrity, and availability of targeted systems, with a high potential impact on critical infrastructure.

Potential Impact

For European organizations, particularly telecom operators and associated infrastructure providers, the GALLIUM threat poses significant risks. Compromise could lead to unauthorized access to sensitive communications data, interception or manipulation of telecom traffic, and disruption of essential services. The use of credential dumping and lateral movement tools increases the likelihood of widespread network compromise, potentially affecting not only telecom systems but also connected enterprise networks. The espionage nature of the campaign could result in theft of intellectual property, customer data, and strategic communications, undermining privacy and national security. Additionally, disruption or degradation of telecom services could have cascading effects on emergency services, financial transactions, and government communications. Given the critical role of telecom infrastructure in the digital economy and societal functions, successful attacks could erode trust, cause financial losses, and trigger regulatory penalties under frameworks such as the GDPR and the NIS Directive. The high severity rating underscores the need for vigilance and proactive defense measures within European telecom sectors.

Mitigation Recommendations

1. Immediate application of all relevant security patches provided by Microsoft and other vendors, especially those addressing vulnerabilities exploited by GALLIUM, is critical.
2. Implement network segmentation to isolate critical telecom infrastructure from general enterprise networks, limiting lateral movement opportunities for attackers.
3. Deploy advanced endpoint detection and response (EDR) solutions capable of identifying behaviors associated with tools like Mimikatz, PsExec, and China Chopper.
4. Enforce strict credential hygiene policies, including regular password changes, use of multi-factor authentication (MFA), and monitoring for unusual authentication patterns.
5. Conduct regular threat hunting exercises focusing on indicators of compromise related to the identified malware and tools, including network traffic analysis for proxy tunneling (HTRAN) and web shell activity.
6. Restrict use of administrative tools such as PsExec and Windows Credential Editor to authorized personnel only, with comprehensive logging and alerting.
7. Enhance email security to detect and block spear-phishing attempts that may serve as initial infection vectors.
8. Establish incident response plans tailored to telecom environments, incorporating scenarios involving espionage and infrastructure disruption.
9. Collaborate with national cybersecurity agencies and industry groups to share threat intelligence and coordinate defense efforts.
10. Regularly audit and update firewall and intrusion detection/prevention system (IDS/IPS) rules to detect and block known malicious signatures and anomalous behaviors associated with this threat.


Technical Details

Threat Level: 1
Analysis: 0
UUID: 5df37253-ecc0-40ff-9ab9-4c44950d210f
Original Timestamp: 1576484865

Indicators of Compromise

Link

https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/
https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/GalliumIOCs.yaml


Threat ID: 6834b3f6290ffd83a4eb4b58

Added to database: 5/26/2025, 6:33:26 PM

Last enriched: 6/25/2025, 7:11:44 PM

Last updated: 7/27/2025, 3:50:55 AM

