A Chinese advanced persistent threat (APT) known as "Gallium" has been observed using a previously undocumented remote access trojan in its espionage attacks targeting companies operating in Southeast Asia, Europe, and Africa. Called PingPull, the "difficult-to-detect" backdoor is notable for its use of the Internet Control Message Protocol (ICMP) for command-and-control (C2) communications. However, PingPull does not only use ICMP, but also HTTPS and TCP for the C2 communications. The malware is a Visual C++-based malware, where it provides a threat actor the ability to access a reverse shell and run arbitrary commands on a compromised host. This encompasses carrying out file operations, enumerating storage volumes, and timestomping files. In all three variants, namely ICMP, HTTPS and TCP, the malware installs itself as a service and has a description simulating a legitimate service, aiming to discourage users from terminating it.