A suspected Chinese-linked hacking outfit known to target telecommunications infrastructure is expanding its portfolio to target entities in the financial and government sectors using a new piece of malware, according to researchers from Palo Alto Networks Unit 42.

The threat group known as GALLIUM has been spotted leveraging a new remote access trojan tool — dubbed PingPull — that is written in Visual C++ and utilizes three different internet network protocols to identify compromised systems and communicate with command-and-control infrastructure: Internet Control Message Protocol (ICMP), Transmission Control Protocol (TCP) as well as Hypertext Transfer Protocol (HTTP and HTTPS). It also uses ICMP tunneling techniques to hide those communications from network defenders.

“GALLIUM remains an active threat to telecommunications, finance and government organizations across Southeast Asia, Europe and Africa. Over the past year, we have identified targeted attacks impacting nine nations,” Unit 42 researchers wrote.

The development of custom malware tools marks a shift from the group’s earlier operations in 2018 and 2019, when it mostly relied on publicly available exploits to hack unpatched systems in a worldwide campaign targeting telecommunications firms.

A sample of the malware gleaned from one victim organization in Vietnam in September 2021 found that it called out to a domain that used the same certificates across numerous subdomains. Using that foothold, the researchers found more samples and mapped out their corresponding digital infrastructure to identify at least 170 IP addresses associated with the campaign dating back to late 2020.

According to the company, both the U.S. National Security Agency’s Cybersecurity Collaboration Center and Australian Cyber Security Centre contributed to the findings.

“Over the past year, this group has extended its targeting beyond telecommunication companies to also include financial institutions and government entities,” researchers wrote. “During this period, we have identified several connections between GALLIUM infrastructure and targeted entities across Afghanistan, Australia, Belgium, Cambodia, Malaysia, Mozambique, the Philippines, Russia and Vietnam.”