Inside GALLIUM: China’s Expanding Telecom Espionage Apparatus

Introduction

GALLIUM, also known as Alloy Taurus, Granite Typhoon, and Red Giant 4, is a tenacious and sophisticated advanced persistent threat (APT) group linked to China. Active since at least 2012, GALLIUM has steadily transformed from a regionally focused telecom intruder into a globally distributed enterprise espionage organization whose missions align with the strategic interests of the People’s Republic of China (PRC). Its operations have expanded across the telecommunications, government, and critical infrastructure sectors in Asia, Africa, and Europe, reflecting China’s growing ambitions in cyberspace and its intelligence collection priorities.

This post offers an overview of GALLIUM’s evolution over time, its operational and strategic motivations, its tradecraft, and its recent activities, drawing on 2024–2025 intelligence from ESET, CrowdStrike, and Cyble threat landscape reports to examine how this actor is shaping modern cyber espionage.

Identity and Motivation

Attribution to the People’s Republic of China is widely recognized. GALLIUM’s campaigns align closely with state intelligence collection objectives, especially communications monitoring, geopolitical intelligence, and technology acquisition. Its victims, including telecom operators, satellite communication vendors, and government bodies involved in state decision-making, directly serve the PRC’s national security agenda and the Belt and Road Initiative (BRI).

The group has exhibited impressive persistence and technical sophistication since it was first identified during Operation Soft Cell (2018–2020), in which it operated against multiple telecom carriers in the Middle East and Southeast Asia. GALLIUM’s strategic motivation is espionage, with little or no intent to monetize its campaigns. It operates to obtain communications data, map foreign infrastructure, and establish long-term access to that data for strategic advantage.

Tactics, Techniques, and Procedures (TTPs)

The methods used by GALLIUM reflect the typical characteristics of Chinese APT actors: extensive reconnaissance, exploitation of legitimate trusted systems, and an emphasis on modular malware ecosystems (ShadowPad, PlugX). A summary of its typical attack lifecycle follows:

Initial Access

• Exploiting internet-facing servers and enterprise applications, especially in telecom environments.

• Targeted spear-phishing of administrators and network engineers with lures tailored to their environments.

• Supply-chain compromise through various means, especially with software update compromises.

• Installing SoftEther VPN to obscure origins of intrusions and establish long-lasting remote access tunnels.

Persistence and Privilege Escalation

• Installing ShadowPad backdoors and custom loaders to execute commands.

• Using legitimate VPN and remote administration tools (AnyDesk, Atera) to ensure access.

• Modifying the registry to establish persistence and creating scheduled tasks.

Command and Control (C2)

• Multi-layered C2 communications using HTTPS, TCP, and proxies hosted in the cloud.

• Tunneling traffic through SoftEther VPN bridges as an obfuscation layer in front of the C2 infrastructure.

Malware Arsenal

• ShadowPad: A modular espionage framework providing reliable lateral movement, credential theft, and data staging within a compromised environment.

• PlugX: Remote Access Trojan (RAT) for privilege escalation and exfiltration.

• QuasarRAT & Poison Ivy: Secondary malware used for data theft and persistence.

• Custom loaders: Tailor-made variants that were detected in Africa and Europe in 2024 campaigns.

Techniques

  • “Living off the land” techniques using PowerShell, WMI, and PsExec for stealth.
  • Credential dumping from both LSASS memory and registry hives.
  • Exfiltration over encrypted channels or via a trusted cloud storage provider.

By mixing legitimate administrative tooling with advanced custom malware, GALLIUM achieves low detection rates and long operational lifetimes, a hallmark of Chinese cyber espionage tradecraft.

Notable Operations

Operation Soft Cell (2018–2020)

The campaign that exposed GALLIUM’s reach focused on telecom operators in the Middle East and Southeast Asia. The attackers accessed core network systems to gather subscriber metadata and to surveil and map the telecommunications infrastructure on a large scale.

Middle East Intrusions (2023)

GALLIUM accessed telecom networks in the Gulf region, potentially to intercept call data. The timing of the intrusion coincided with increasing regional cooperation with Western defense partners, suggesting an intelligence collection goal.

Africa Telecom Campaign (2024)

ESET researchers observed GALLIUM using SoftEther VPN servers at African telecoms to establish persistence and exfiltrate data. This expansion reflected China’s increased digital investment in Africa and a tendency toward espionage campaigns that support sovereign economic and infrastructure projects.

European and Diplomatic Targeting (2024–2025)

GALLIUM extended its footprint into Europe, targeting government ministries and international organizations. Its operations used ShadowPad for persistence and PlugX for lateral movement. The targeting of European victims indicates a pursuit of diplomatic and strategic intelligence on these countries, overlapping with the interests of other PRC-linked groups, namely Mustang Panda and Flax Typhoon.

Recent Developments (2024–2025)

Recent activities have confirmed GALLIUM’s global evolution from telecom-centric espionage to multi-sector operations:

  • ESET’s Q2–Q3 2024 report identified use of SoftEther VPN across telecom operators in Africa, indicating that the group has added cloud- and VPN-based abuse for stealth on top of its traditional telecom focus.
  • ESET’s Q4 2024–Q1 2025 report identified GALLIUM operating in the same vein as a larger community of Chinese attackers, including HDMan and PhantomNet.
  • CrowdStrike’s 2025 Global Threat Report identified Granite Typhoon (one of GALLIUM’s aliases) as a member of China’s “Enterprising Adversaries”, given its operational efficiency and professionalization in service of the Chinese government’s intelligence objectives.

GALLIUM’s operational methods have become noticeably more modular and resilient. It regularly uses reputable IT tools alongside malware implants, making its operations difficult to disrupt once a foothold is established, even when the malware is detected and removed. Its infrastructure resembles that of a large enterprise: C2 infrastructure often includes redundant VPN layer nodes and generic encryption.

Strategic Analysis and Evolution

GALLIUM’s advancements mirror the historical transformation of Chinese cyber operations over the past decade, from discrete espionage units to coordinated intelligence ecosystems. The group continues to focus on telecom infrastructure, which corresponds with China’s aspiration to conduct surveillance on a global scale, enabling long-term strategic leverage through access to communications metadata and technical intelligence.

The group’s use of SoftEther VPN and legitimate remote tools signals operational maturity, prioritizing stealth and persistence as a group tactic. This approach allows it to blend into normal network traffic, making detection and attribution more difficult. Additionally, GALLIUM’s expansion into new geographic regions, especially Africa and Europe, reflects alignment with China’s diplomatic expansion, digital diplomacy, and infrastructure investment.

Defensive Takeaways

Organizations, especially governments and telecom operators, should implement layered defenses to detect and disrupt GALLIUM’s actions. Recommended actions include:

1. Watch for VPN and RMM Usage: Investigate unexpected installation or usage of SoftEther VPN, AnyDesk, or Atera in enterprise environments.

2. Quickly Patch Systems Exposed to the Public: GALLIUM typically takes advantage of a newly discovered vulnerability within a few days of disclosure.

3. Behavioral Monitoring: Watch for PowerShell, WMI, and PsExec executed by a non-administrative account.

4. Threat Hunting for ShadowPad/PlugX: Implement YARA or EDR-based rules for GALLIUM malware families.

5. Network Segmentation: Reduce lateral movement potential by isolating administrative systems and limiting exposure of core telecom infrastructure.

6. Improved Logging and C2 Monitoring: Inspect encrypted outbound traffic for suspicious certificate characteristics typical of ShadowPad C2 infrastructure.
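The following is an added example, not code from the original post or from any vendor report it cites, showing how takeaways 1 and 3 (and the living-off-the-land and RMM/VPN tradecraft listed under Techniques and Persistence above) translate into a simple detection pass over process-creation events. The pipe-delimited log format, the host and account names, and the `is_admin` flag are all constructed for the example; the binary names in `RMM_VPN_IMAGES` and `LOLBIN_IMAGES` are assumptions a real deployment would replace with its own asset inventory of approved remote-access tooling.

```python
"""Hypothetical detection pass for two GALLIUM-style behaviours:
 1. execution of VPN/RMM binaries (SoftEther, AnyDesk, Atera) anywhere, and
 2. living-off-the-land binaries (PowerShell, WMI, PsExec) run by non-admin accounts.
All log lines, field names and account names below are constructed for illustration.
"""
from dataclasses import dataclass

# Constructed sample events: timestamp|host|user|is_admin|image path|command line
SAMPLE_LOGS = r"""
2025-03-01T08:00:12Z|ws-101|CORP\jdoe|0|C:\Windows\System32\svchost.exe|svchost.exe -k netsvcs
2025-03-01T08:03:44Z|ws-101|CORP\jdoe|0|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell.exe -nop -w hidden -enc PLACEHOLDER
2025-03-01T08:05:01Z|srv-db1|CORP\svc_backup|0|C:\Users\Public\vpnserver.exe|vpnserver.exe /start
2025-03-01T08:06:10Z|srv-db1|CORP\admin.ops|1|C:\Tools\PsExec.exe|PsExec.exe \\ws-102 cmd
2025-03-01T08:07:55Z|ws-102|CORP\jdoe|0|C:\Windows\System32\wbem\WMIC.exe|wmic process call create notepad.exe
2025-03-01T08:09:30Z|ws-103|CORP\mlee|0|C:\Program Files\AnyDesk\AnyDesk.exe|AnyDesk.exe --service
"""

# Assumed executable names; replace with the organisation's own approved-tool inventory.
RMM_VPN_IMAGES = {"vpnserver.exe", "vpnclient.exe", "vpnbridge.exe", "anydesk.exe", "ateraagent.exe"}
LOLBIN_IMAGES = {"powershell.exe", "wmic.exe", "psexec.exe"}


@dataclass
class Event:
    ts: str
    host: str
    user: str
    is_admin: bool
    image: str
    cmdline: str

    @property
    def image_name(self) -> str:
        # Compare on the file name only, lower-cased, so path casing does not matter.
        return self.image.rsplit("\\", 1)[-1].lower()


@dataclass
class Finding:
    rule: str
    host: str
    user: str
    image_name: str


def parse_line(line: str) -> Event:
    """Split one constructed log line into its six fields."""
    ts, host, user, is_admin, image, cmdline = line.split("|", 5)
    return Event(ts, host, user, is_admin == "1", image, cmdline)


def parse_logs(text: str) -> list[Event]:
    return [parse_line(line) for line in text.strip().splitlines() if line.strip()]


def evaluate(event: Event) -> list[Finding]:
    """Apply both rules to a single event; an event may trigger more than one."""
    findings = []
    # Rule 1: any execution of a VPN/RMM binary is worth an analyst's attention.
    if event.image_name in RMM_VPN_IMAGES:
        findings.append(Finding("rmm_vpn_binary", event.host, event.user, event.image_name))
    # Rule 2: LOLBins are normal for admins, suspicious for everyone else.
    if event.image_name in LOLBIN_IMAGES and not event.is_admin:
        findings.append(Finding("lolbin_non_admin", event.host, event.user, event.image_name))
    return findings


def detect(text: str) -> list[Finding]:
    """Run the rules over every event in log order and return all findings."""
    return [f for ev in parse_logs(text) for f in evaluate(ev)]


if __name__ == "__main__":
    for f in detect(SAMPLE_LOGS):
        print(f"[{f.rule}] host={f.host} user={f.user} image={f.image_name}")
```

Run against the constructed sample, the pass flags the hidden PowerShell and WMIC executions by the non-admin `jdoe` account and the SoftEther and AnyDesk binaries, while the PsExec run by `admin.ops` is left alone because the account is administrative. Real event sources (for example Windows Security or Sysmon process-creation events) carry the same fields under different names, so only `parse_line` needs adapting.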

Conclusion

GALLIUM is a prime example of the modern state-aligned espionage paradigm: agile, discreet, and linked to national strategic objectives. Its sustained operations on multiple continents demonstrate technical capability and long-term planning. As global digital infrastructure becomes ever more interconnected, groups like GALLIUM will continue to exploit these dependencies strategically.

From a defender’s perspective, it is critical to understand GALLIUM’s operational playbook. GALLIUM’s well-established pairing of legitimate software with modular implants underscores the need for a behavioral detection strategy, strong authentication, and continuous monitoring. In 2025, GALLIUM is not only indicative of China’s cyber capabilities but also a case study in how state actors evolve and adapt to keep pace, and dominate, in the increasingly shadowed domain of digital espionage.
