>samit_hota
Back to adversary profiles
G0135HighActive

BackdoorDiplomacy (G0135) Threat Profile: Persistent Chinese Cyber Espionage

Samit Hota·
Suspected Origin
China (suspected)
Motivation
Espionage
Aliases
None documented
Target Sectors
Government, Telecommunications, Non-profit
Associated Malware
Turian, Quarian, IRAFAU, China Chopper, ReGeorg, NPS proxy
#threat-actor#g0135

Overview

BackdoorDiplomacy, tracked by MITRE ATT&CK as G0135, is a sophisticated cyber espionage threat group that has been actively operating since at least 2017. This adversary is strongly linked to China, sharing tactics, techniques, and procedures (TTPs) with other Asia-based groups, and has been associated with activity previously tracked under aliases such as APT15, KeChang, NICKEL, Vixen Panda, and Kaspersky’s “CloudComputating” group. The primary motivation behind BackdoorDiplomacy’s operations is cyber espionage, specifically the theft of sensitive information to serve Chinese strategic interests, often with a clear intent to maintain long-term access within compromised networks.

Their targeting predominantly focuses on high-level government and diplomatic networks, particularly Ministries of Foreign Affairs across Africa, Europe, the Middle East, and Asia. Telecommunication companies in these same regions are also frequent targets, and at least one Middle Eastern charity has fallen victim to their activities. Notably, the group has been observed targeting specific countries within these regions, including those in Kazakhstan, Kyrgyzstan, and Uzbekistan, indicating a calculated and geographically diverse approach to intelligence gathering. More recently, between July and December 2022, BackdoorDiplomacy was linked to a new wave of attacks specifically against Iranian government entities, suggesting their targeting scope remains dynamic and responsive to geopolitical developments.

Tactics & Techniques

BackdoorDiplomacy’s operational methodology is characterized by a blend of exploiting known vulnerabilities, leveraging legitimate tools, and deploying custom malware. Their initial access often exploits public-facing applications on internet-exposed servers and networking equipment. Common targets include unpatched Microsoft Exchange servers, where they have capitalized on vulnerabilities like ProxyShell (CVE-2021-31207, CVE-2021-34523, and CVE-2021-34473) to gain initial footholds and deploy web shells. They have also exploited F5 BIG-IP networking devices (CVE-2020-5902) and misconfigured Plesk servers, sometimes dropping Linux backdoors in the process. Poorly enforced file-upload security on web servers serves as another vector for initial compromise.

Once inside a network, the group establishes persistence and facilitates further compromise through the deployment of web shells such as China Chopper and ReGeorg. They frequently employ DLL search order hijacking, and have been seen dropping legitimate software that is then used to execute malicious DLLs. For defense evasion, BackdoorDiplomacy operators are known to disguise their backdoor droppers with naming conventions designed to blend into normal operations, and they often obfuscate their tools and malware using packers like VMProtect. A notable tactic is their tendency to modify the specific tools used, even within closely related geographic regions, likely to complicate tracking and attribution efforts.

For discovery and reconnaissance, BackdoorDiplomacy heavily utilizes a combination of open-source tools and built-in system utilities. They conduct network scanning with tools like Nbtscan, NimScan, SoftPerfect Network Scanner, SMBTouch, NetCat, and PortQry to map environments, identify open ports, and discover vulnerabilities. System information gathering is performed using native commands such as hostname.exe, systeminfo.exe, ipconfig.exe, netstat.exe, ping.exe, and net.exe. They also perform Active Directory discovery using ldifde.exe and csvde.exe.

Lateral movement is a key aspect of their operations, often achieved through custom tools that leverage stolen credentials. They have been observed using a custom tool, sometimes named taskmgr.exe to execute remote commands via PsExec, WMI (wmic.exe), or remote Scheduled Tasks (at.exe). The IRAFAU backdoor has also been used for lateral movement, copying itself to C$ shares and executing via schtasks and wmi. Credential access is facilitated by tools like Mimikatz, and they have been observed extracting credentials directly from the Windows Registry, even enabling the WDigest option to facilitate this.

Command and Control (C2) typically relies on custom backdoors, with Turian being a prominent example. They also employ network tunneling tools like EarthWorm to establish SOCKS5 servers, ensuring a resilient and covert C2 infrastructure. Data collection and exfiltration are among their top priorities. A distinctive technique is their focus on removable media, specifically USB flash drives. They deploy executables designed to detect these drives, then automatically scan and copy their contents into password-protected archives or the system’s recycle bin for later exfiltration. Additionally, they gather system information, take screenshots, and compress collected data using utilities like rar.exe before exfiltration.

Notable Campaigns

BackdoorDiplomacy’s campaigns have been ongoing since at least 2017, consistently targeting diplomatic and telecommunication entities across a wide geographical span. Early reports by ESET in June 2021 highlighted their extensive targeting of Ministries of Foreign Affairs and telecommunication companies in Africa, the Middle East, Europe, and Asia. These campaigns frequently leveraged vulnerabilities in internet-exposed services, including the F5 BIG-IP CVE-2020-5902 and various Microsoft Exchange server flaws.

A significant campaign was detailed by Bitdefender, which identified an operation starting in August 2021 targeting a telecommunications firm in the Middle East. This incident notably involved the exploitation of ProxyShell vulnerabilities, leading to the deployment of the NPS proxy tool and the IRAFAU backdoor. By February 2022, the group was observed utilizing the older Quarian backdoor again, alongside various scanning and tunneling tools, underscoring their adaptive approach to tooling.

Further demonstrating their sustained activity, between July and late December 2022, BackdoorDiplomacy was linked to a new series of attacks targeting Iranian government entities. This specific campaign was tracked by Palo Alto Networks Unit 42 under the designation “Playful Taurus”. These incidents showcased continuous evolution in their tactics and tooling, including upgrades to their custom Turian backdoor and new C2 infrastructure, indicating ongoing success in their cyberespionage objectives. In December 2021, a coordinated effort led to the seizure of 42 domains associated with BackdoorDiplomacy’s operations, impacting targets in 29 countries.

Associated Malware & Tools

BackdoorDiplomacy relies on a diverse arsenal comprising custom-developed malware and a wide array of open-source and commodity tools:

  • Turian: This is their primary custom backdoor, notably derived from the older Quarian backdoor. Turian facilitates persistent access, command execution, and file management on compromised systems. Recent versions of Turian feature obfuscation and a new decryption algorithm for C2 servers.
  • Quarian: An older backdoor from which Turian is derived. It has been observed in use again as recently as February 2022.
  • IRAFAU: Another custom backdoor deployed after initial access, used for information discovery and lateral movement by copying itself to C$ shares and executing via schtasks and wmi.
  • Webshells: They employ commodity web shells such as China Chopper and ReGeorg, as well as other generic open-source web shells, for initial compromise and lateral movement.
  • NPS Proxy: A proxy tool used in campaigns, particularly after exploiting Exchange servers.
  • Open-Source and Commodity Tools: The group extensively uses legitimate tools for various stages of their operations. These include:
    • Scanning/Discovery: Nbtscan, Mimikatz, NetCat, PortQry, NimScan, SoftPerfect Network Scanner, SMBTouch for network and system reconnaissance.
    • System Utilities: hostname.exe, systeminfo.exe, ipconfig.exe, netstat.exe, ping.exe, net.exe, ldifde.exe, csvde.exe for host-based discovery.
    • Tunneling: EarthWorm, providing SOCKS5 server and port transfer functionalities for C2.
    • Lateral Movement/Execution: PsExec, WMI (wmic.exe), Scheduled Tasks (at.exe), schtasks.exe, smbexec.py, sharp-wmiexec.exe.
    • Data Handling: Embedded WinRAR or rar.exe for compressing exfiltrated data.
  • Leaked Exploits/Malware: BackdoorDiplomacy has been observed incorporating leaked exploits and malware, including DoublePulsar, EternalBlue, EternalRocks, and EternalSynergy, into their toolkit, demonstrating their willingness to leverage readily available powerful capabilities.
  • Obfuscation: VMProtect is commonly used to obfuscate their tools and malware, hindering analysis and detection.

Current Status

BackdoorDiplomacy remains an active and evolving threat, consistently engaging in cyber espionage campaigns. While their initial discovery and extensive reporting date back to mid-2021, subsequent analyses from Bitdefender and Heimdal Security confirm ongoing operations through 2022 and into early 2023. The targeting of Iranian government entities in late 2022, coupled with reports of continued evolution in their tactics and tooling, including upgrades to their Turian backdoor and new C2 infrastructure, indicates persistent activity and adaptation. The latest modification date for their MITRE ATT&CK profile (G0135) is April 25, 2025, further supporting the assessment of an active status and continued monitoring by the threat intelligence community. Organizations in the diplomatic and telecommunications sectors, particularly across Africa, the Middle East, Europe, and Asia, should maintain vigilance against this persistent and well-resourced adversary.

Worried this actor targets your sector?

Let's map your exposure before they find it themselves.

Book an advisory call