Frequently Asked Questions

Gallium APT Group & PingPull Malware

What is the Gallium APT Group?

The Gallium APT Group is a threat actor known for using sophisticated malware such as PingPull to gain unauthorized access to systems, execute arbitrary commands, and maintain persistent control over compromised hosts. Their operations often involve advanced techniques for command and control (C2) communications and evasion.

What is the PingPull Trojan and how does it operate?

PingPull is a Trojan written in Visual C++ that provides attackers with a reverse shell and the ability to run arbitrary commands on compromised systems. It features three variants that use different protocols for C2 communications: ICMP, HTTPS, and raw TCP. Each variant sends uniquely structured messages to the C2 server, allowing attackers to identify and control infected machines.

How does PingPull mimic legitimate Windows services?

PingPull installs itself as a service with a description identical to the legitimate iphlpsvc service, but uses slightly altered names like Iph1psvc for the service name and IP He1per for the display name. This tactic helps the malware evade detection by blending in with legitimate system services.

What communication protocols does PingPull use for C2 traffic?

PingPull uses three main protocols for command and control (C2) communications: ICMP (ping packets), HTTPS (POST requests), and raw TCP. Each variant structures its messages to include unique identifiers and encrypted data, enabling flexible and covert communication with the C2 server.

How does PingPull handle command execution and data exfiltration?

PingPull decrypts received data to parse commands and arguments, executes the commands on the compromised host, and sends the results back to the C2 server in base64-encoded and AES-encrypted form. This process is consistent across all communication variants.

What is the significance of the unique identifier string in PingPull communications?

Each PingPull variant generates a unique identifier string in the format PROJECT_[uppercase executable name]_[uppercase computer name]_[uppercase hexadecimal IP address]. This string is used in all communications with the C2 server to uniquely identify the compromised system.

How does the ICMP variant of PingPull structure its packets?

The ICMP variant sends Echo Request packets to the C2 server, including a sequence number, unique identifier string, and base64-encoded, AES-encrypted data. The C2 server replies with Echo Reply packets containing commands for execution. Packet structure includes fields for total and current message length, supporting chunked data transmission.

How does the HTTPS variant of PingPull communicate with its C2 server?

The HTTPS variant uses POST requests to communicate with the C2 server. The initial beacon is a POST request with no data, and subsequent requests use the same URL structure with base64-encoded and AES-encrypted results in the data section.

What is the structure of TCP communications in PingPull?

The TCP variant begins communications with a 4-byte value indicating the length of the data that follows, then sends the unique identifier string. The C2 server responds with a data length and a base64-encoded, AES-encrypted command, and PingPull replies with the results in a similar format.

How does Cymulate help organizations defend against threats like Gallium APT and PingPull?

Cymulate enables organizations to simulate advanced persistent threats (APTs) and malware like PingPull, validating their defenses across the full attack kill chain. The platform provides continuous threat validation, actionable insights, and automated testing to ensure security controls can detect and respond to sophisticated threats. Learn more.

Platform Features & Capabilities

What features does Cymulate offer for threat validation?

Cymulate offers continuous threat validation with 24/7 automated attack simulations, unified Breach and Attack Simulation (BAS), Continuous Automated Red Teaming (CART), and Exposure Analytics. The platform covers the full attack lifecycle, provides actionable insights, and supports cloud, hybrid, and on-premises environments. Learn more.

Does Cymulate support exposure prioritization and remediation?

Yes, Cymulate provides automated exposure prioritization and remediation by ranking vulnerabilities based on exploitability, business context, and threat intelligence. This enables security teams to focus on the most critical exposures and streamline remediation efforts. Learn more.

What types of threats can Cymulate validate?

Cymulate validates threats across the full kill chain, including phishing, malware, lateral movement, data exfiltration, and zero-day exploits, using daily updated threat templates and AI-generated attack plans. Learn more.

How does Cymulate's 'Threat (IoC) updates' feature improve threat resilience?

The 'Threat (IoC) updates' feature provides recommended Indicators of Compromise (IoCs) that can be directly applied to security controls. These can be exported via the UI or API in plain text or STIX format, enabling rapid defense updates against new threats. Learn more.

What is threat exposure prioritization in cybersecurity?

Threat exposure prioritization is the process of identifying and ranking vulnerabilities based on their actual exploitability and impact on business-critical assets. Cymulate automates this process, helping teams focus on exposures not protected by security controls. Learn more.

What are Cymulate's key integrations?

Cymulate integrates with leading security technologies such as Akamai Guardicore, AWS GuardDuty, BlackBerry Cylance OPTICS, Carbon Black EDR, Check Point CloudGuard, CrowdStrike Falcon, CrowdStrike Falcon LogScale, and Cybereason. For a full list, visit the Partnerships and Integrations page.

How does Cymulate support cloud and hybrid environments?

Cymulate provides dedicated validation features for hybrid and cloud environments, enabling organizations to assess and strengthen their security posture across complex infrastructures. Learn more.

Use Cases & Benefits

Who can benefit from using Cymulate?

Cymulate is designed for CISOs, security leaders, SecOps teams, red teams, and vulnerability management teams across industries such as financial services, healthcare, retail, media, and transportation. Organizations of all sizes, from small businesses to enterprises, can benefit from its unified exposure management platform. Learn more.

What business impact can customers expect from using Cymulate?

Customers typically see a 30% improvement in threat prevention, a 52% reduction in critical exposures, a 60% increase in team efficiency, and an 81% reduction in cyber risk within four months. These outcomes are supported by case studies such as Hertz Israel and Nemours Children's Health. See case studies.

What are some real-world use cases for Cymulate?

Use cases include reducing cyber risk (Hertz Israel), increasing visibility and detection (Nemours Children's Health), automating risk measurement (financial services), optimizing SecOps (credit unions), and validating cloud security (civil engineering organizations). Read more case studies.

How does Cymulate address the pain points of security teams?

Cymulate addresses overwhelming threats, lack of visibility, unclear prioritization, operational inefficiencies, fragmented tools, cloud complexity, and communication barriers by providing continuous threat validation, unified analytics, automated processes, and quantifiable metrics. Learn more.

How does Cymulate tailor its solutions for different security roles?

Cymulate provides validated exposure scoring and actionable insights for CISOs, automates processes for SecOps teams, offers scalable attack simulations for red teams, and prioritizes vulnerabilities for vulnerability management teams. Learn more.

Security, Compliance & Implementation

What security and compliance certifications does Cymulate hold?

Cymulate is SOC2 Type II certified and complies with ISO 27001:2013, ISO 27701, ISO 27017, and CSA STAR Level 1. These certifications demonstrate robust security practices, privacy management, and cloud security controls. Learn more.

How does Cymulate ensure data security and privacy?

Cymulate hosts services in secure AWS data centers, uses strong encryption (TLS 1.2+ for data in transit, AES-256 for data at rest), and follows a strict Secure Development Lifecycle (SDLC). The company also complies with GDPR and has a dedicated privacy and security team. Learn more.

How easy is it to implement Cymulate?

Cymulate is designed for rapid deployment, with many customers reporting implementation in just a few clicks. The platform supports agentless mode, requires minimal resources, and offers comprehensive support and documentation for a smooth onboarding experience.

What technical documentation is available for Cymulate?

Cymulate provides whitepapers, guides, solution briefs, data sheets, and e-books covering topics like exposure management, CTEM, threat detection, and vulnerability management. Access the full resource library at the Resource Hub.

Customer Proof & Recognition

What feedback have customers given about Cymulate's ease of use?

Customers consistently praise Cymulate for its intuitive interface, rapid deployment, and actionable insights. Testimonials highlight the platform's user-friendly dashboard, excellent support, and ease of implementation. Read customer quotes.

What industry recognition has Cymulate received?

Cymulate was named a Customers' Choice in the 2025 Gartner Peer Insights and is recognized as a market leader by Frost & Sullivan for automated security validation. Read more.

What was the feedback from a Penetration Tester on Cymulate's immediate threats module?

A Penetration Tester stated: “I am particularly enamored with the immediate threats module and how quickly this gets updated. In short if an attack is new, you can quickly assess your IT estate for how much of a risk is posed to you and implement remedial action quickly.”

Pricing & Competition

What is Cymulate's pricing model?

Cymulate uses a subscription-based pricing model tailored to each organization's needs. Pricing depends on the chosen package, number of assets, and scenarios selected. For a custom quote, schedule a demo.

How does Cymulate compare to AttackIQ?

Cymulate offers a larger threat scenario library, AI-powered capabilities, and streamlined workflows. AttackIQ focuses on automated security validation but lacks Cymulate's innovation, threat coverage, and ease of use. Read more.

How does Cymulate compare to Mandiant Security Validation?

Mandiant is an original BAS platform but has seen less innovation in recent years. Cymulate continually innovates with AI and automation, expanding into exposure management and recognized as a grid leader. Read more.

How does Cymulate compare to Pentera?

Pentera focuses on attack path validation but lacks the depth Cymulate provides for comprehensive defense assessment. Cymulate optimizes defense, scales offensive testing, and increases exposure awareness. Read more.

How does Cymulate compare to Picus Security?

Picus may suit organizations seeking an on-prem BAS vendor. Cymulate offers a more complete exposure validation platform, covering the full kill chain and cloud control validation. Read more.

How does Cymulate compare to SafeBreach?

Cymulate outpaces SafeBreach with unmatched innovation, the industry's largest attack library, and a full CTEM solution for comprehensive exposure validation. Read more.

How does Cymulate compare to Scythe?

Scythe is suitable for advanced red teams building custom attack campaigns. Cymulate provides a more comprehensive exposure validation platform with actionable remediation and automated mitigation. Read more.

How does Cymulate compare to NetSPI?

NetSPI excels in penetration testing as a service (PTaaS). Cymulate is designed for continuous, independent assessment and strengthening of defenses, and is recognized as a leader in exposure validation by Gartner and G2. Read more.

Company Information & Vision

When was Cymulate founded and what is its global reach?

Cymulate was founded in 2016 and has a presence in 8 global locations, serving customers in 50 countries. Over 1,000 organizations trust Cymulate to enhance their cybersecurity posture. Learn more.

What is Cymulate's mission and vision?

Cymulate's mission is to revolutionize cybersecurity by fostering a proactive approach to managing threats. The company empowers organizations to manage their security posture effectively and improve resilience against threats. Learn more.


Gallium APT Group

June 27, 2022

The PingPull Trojan is written in Visual C++ and was used by the threat actors to obtain a reverse shell and run arbitrary commands on compromised systems. PingPull samples that use ICMP for C2 communications issue ICMP Echo Request (ping) packets to the C2 server, and the C2 server replies to these Echo Requests with Echo Reply packets to issue commands to the system.

PingPull Malware

PingPull was written in Visual C++ and provides a threat actor the ability to run commands and access a reverse shell on a compromised host. There are three variants of PingPull that are all functionally the same but use different protocols for communications with their C2: ICMP, HTTP(S) and raw TCP. In each of the variants, PingPull creates a custom string with the following structure that it sends to the C2 in all interactions, which analysts believe the C2 server uses to uniquely identify the compromised system:

PROJECT_[uppercase executable name]_[uppercase computer name]_[uppercase hexadecimal IP address]

Regardless of the variant, PingPull is capable of installing itself as a service with the following description:

Provides tunnel connectivity using IPv6 transition technologies (6to4, ISATAP, Port Proxy, and Teredo), and IP-HTTPS. If this service is stopped, the computer will not have the enhanced connectivity benefits that these technologies offer.

The description is identical to that of the legitimate iphlpsvc service, which PingPull purposefully attempts to mimic by using Iph1psvc (the digit 1 in place of the letter l) for the service name and IP He1per instead of IP Helper for the display name. Analysts have also seen a PingPull sample use this same service description but with a service name of Onedrive. The three variants of PingPull have the same commands available within their command handlers.
PingPull decrypts the received data and parses the cleartext for the command and additional arguments in the following structure:

&[AES Key]=[command]&z0=[unknown]&z1=[argument 1]&z2=[argument 2]

Analysts are not sure of the purpose of the z0 parameter in the command string: they observed PingPull parsing for this parameter but did not see the value being used. To confirm the structure of the command string, analysts used the following string when issuing commands in an analysis environment, which instructs PingPull to read the contents of the file C:\test.txt:

&P29456789A1234sS=C&z0=2&z1=c:\test.txt&z2=none

During analysis, PingPull responded to the command string above with ya1JF03nUKLg9TkhDgwvx5MSFIoMPllw1zLMC0h4IwM=, which base64-decodes and then decrypts (AES key P29456789A1234sS) to:

some text in a test file.\x07\x07\x07\x07\x07\x07\x07

This is the content of the file C:\test.txt on the analysis system, followed by PKCS5 padding (seven 0x07 bytes).

ICMP Variant

PingPull samples that use ICMP for C2 communications issue ICMP Echo Request (ping) packets to the C2 server. The C2 server replies to these Echo Requests with an Echo Reply packet to issue commands to the system. Both the Echo Request and Echo Reply packets used by PingPull and its C2 server have the same structure:

[8-byte value]R[sequence number].[unique identifier string beginning with "PROJECT"]\r\ntotal=[length of total message]\r\ncurrent=[length of current message]\r\n[base64 encoded and AES encrypted data]

When issuing a beacon to its C2, PingPull sends an Echo Request packet to the C2 server with total and current set to 0 and includes no encoded and encrypted data. After the R is a sequence number that increments when sending or receiving data that exceeds the maximum size of the ICMP data section. The sequence number is immediately followed by a period "." and then the unique identifier string generated by PingPull that begins with PROJECT.
The ICMP data section then includes total=[integer] and current=[integer], which are used by both PingPull and its C2 to determine the total length of the data transmitted and the length of the chunk of data transmitted in the current packet. The data transmitted in each ICMP packet comes in the form of a base64-encoded string of ciphertext generated using AES and the key specific to the sample. This encoded and encrypted data comes after the new line that immediately follows the "current" value. For instance, when responding to the test command, PingPull sent an ICMP Echo Request packet to the C2 server containing the expected base64-encoded string ya1JF03nUKLg9TkhDgwvx5MSFIoMPllw1zLMC0h4IwM= for the results of the command.

HTTPS Variant

Another variant of PingPull uses HTTPS requests to communicate with its C2 server instead of ICMP. The initial beacon is a POST request over this HTTPS channel, using the unique identifier string generated by PingPull as the URL. This initial POST request carries no data, which results in a Content-Length of 0 within the HTTP headers. When responding with the results of commands, PingPull issues a second POST request using the same URL structure, with the results in the data section in base64-encoded form after encryption with the AES key.

TCP Variant

This variant of PingPull uses neither ICMP nor HTTPS for C2 communication; rather, it uses raw TCP. Much like the other C2 channels, the data sent in this beacon includes the unique identifier string generated by PingPull that begins with PROJECT. However, the TCP C2 channel begins with a 4-byte value for the length of the data that follows, as seen in the following beacon structure:

[DWORD length of data that follows]PROJECT_[uppercase executable name]_[uppercase computer name]_[uppercase hexadecimal IP address]
The C2 response to the beacon begins with the data length of 64 bytes (0x40) followed by the base64-encoded string that represents the ciphertext of the command. PingPull ran the command supplied by the C2 and sent the results in a packet that begins with a data length of 44 bytes (0x2c), followed by the expected base64-encoded string of ya1JF03nUKLg9TkhDgwvx5MSFIoMPllw1zLMC0h4IwM= for the results of the command.
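The three framings described above (the ICMP data section with its total/current chunking, the TCP length-prefixed frame) and the cleartext command string, as an added analyst-side parser for captured traffic; this is not code from the original report or from Cymulate. The identifier value, the chunk split, the little-endian byte order of the DWORD length and the reading of total as the base64 byte count are assumptions.

```python
import re
import struct

# Constructed sample values (not from a real capture); the result string is the one quoted above.
SAMPLE_IDENT = b"PROJECT_PINGPULL.EXE_WS01_C0A80105"
SAMPLE_RESULT = b"ya1JF03nUKLg9TkhDgwvx5MSFIoMPllw1zLMC0h4IwM="

# ICMP data section layout from the write-up:
# [8-byte value]R[seq].[PROJECT_...]\r\ntotal=N\r\ncurrent=M\r\n[base64 data]
ICMP_RE = re.compile(
    rb"^(?P<hdr>.{8})R(?P<seq>\d+)\.(?P<ident>PROJECT_[^\r]*)\r\n"
    rb"total=(?P<total>\d+)\r\ncurrent=(?P<current>\d+)\r\n(?P<data>.*)$",
    re.DOTALL,
)

def parse_icmp_data(payload: bytes) -> dict:
    """Split one Echo Request/Reply data section into its fields."""
    m = ICMP_RE.match(payload)
    if not m:
        raise ValueError("not a PingPull-style ICMP data section")
    return {"seq": int(m["seq"]), "ident": m["ident"].decode(),
            "total": int(m["total"]), "current": int(m["current"]),
            "data": m["data"]}

def reassemble_icmp(payloads) -> bytes:
    """Join chunked data sections in sequence order (assumption: the sequence
    number orders the chunks and total counts the base64 bytes)."""
    frames = sorted((parse_icmp_data(p) for p in payloads), key=lambda f: f["seq"])
    data = b"".join(f["data"] for f in frames)
    if frames and len(data) != frames[0]["total"]:
        raise ValueError("chunk lengths do not add up to total")
    return data

def parse_tcp_frames(stream: bytes) -> list:
    """Split a raw TCP stream into [DWORD length][data] frames
    (assumption: little-endian length, as a Windows DWORD in memory)."""
    frames, off = [], 0
    while off + 4 <= len(stream):
        (n,) = struct.unpack_from("<I", stream, off)
        off += 4
        if off + n > len(stream):
            raise ValueError("truncated frame")
        frames.append(stream[off:off + n])
        off += n
    return frames

def parse_command(cleartext: str) -> dict:
    """Parse the decrypted &[AES key]=[command]&z0=..&z1=..&z2=.. string."""
    fields = dict(part.split("=", 1) for part in cleartext.lstrip("&").split("&"))
    key = next(k for k in fields if not re.fullmatch(r"z\d", k))
    return {"key": key, "command": fields[key],
            **{z: fields.get(z) for z in ("z0", "z1", "z2")}}

def pkcs5_unpad(plaintext: bytes) -> bytes:
    """Strip PKCS5 padding from a decrypted result block."""
    n = plaintext[-1] if plaintext else 0
    if not 1 <= n <= 16 or plaintext[-n:] != bytes([n]) * n:
        raise ValueError("bad PKCS5 padding")
    return plaintext[:-n]
```

The AES mode and IV are not given in the write-up, so decryption itself is left to the analyst; these helpers cover everything around it.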