BleepingComputer reports that Chinese state-backed threat operation Gallium, also known as Alloy Taurus, has leveraged an updated PingPull malware variant and the novel Sword2033 in new attacks aimed at Linux systems in South Africa and Nepal. Unit 42 researchers discovered that Gallium's new PingPull malware for Linux is a Windows malware port as evidenced by HTTP communication structure, AES key, command-and-control server command, and POST parameter similarities. Among the commands received by the malware, which is only detected by three of 62 anti-virus solutions, include file or folder deletion, text file reading and writing, directory creation, and command execution. Meanwhile, two other Sword2023 ELF backdoors have also been discovered to be leveraged by Gallium in its attacks, with the first exhibiting simpler functions, including file exfiltration, file uploading, and command execution capabilities. However, attackers were noted by researchers to have used a different C2 address spoofing the South African military for the second Sword2023 sample.