Active profile
Type: Nation-State
Threat level: Critical
Status: Active
Origin: China — state-aligned
Last updated: 2026-03-26

BackdoorDiplomacy

Also known as: Playful Taurus, APT15, NICKEL, Vixen Panda, KeChang, ke3chang, Nylon Typhoon, Flea, Playful Dragon, G0004

Named for its singular focus: Ministries of Foreign Affairs. Active since at least 2017, this China-aligned group systematically targets diplomatic organizations across Africa, the Middle East, Europe, and Asia using a custom backdoor lineage — Quarian transitioning to Turian — that has been under continuous development for over a decade. The group enters victim environments through vulnerable internet-facing infrastructure rather than phishing, deploys the Turian backdoor via DLL sideloading, and maintains a distinct capability to collect data from removable USB drives — intelligence tradecraft consistent with an operator that believes diplomatic staff carry classified material on physical media.

Attributed origin: China — state-aligned
Umbrella designation: APT15 / Playful Taurus (Palo Alto Unit 42)
Active since: 2010 (APT15); 2017 (BackdoorDiplomacy campaign)
Primary focus: Ministries of Foreign Affairs — Africa, Middle East, Europe, Asia
Signature tool: Turian backdoor (evolved from Quarian, 2012)
2022 activity: Iranian Ministry of Foreign Affairs — July–Dec 2022
MITRE ATT&CK group: G0004
Platform: Windows + Linux (cross-platform Turian)
Threat level: Critical — active, diplomatic targets globally

Overview

BackdoorDiplomacy — named by ESET Research in June 2021 for its primary victim category — is a China-aligned advanced persistent threat group that has been conducting targeted espionage against Ministries of Foreign Affairs and, secondarily, telecommunications companies since at least 2017. The name reflects a deliberate analytical choice: unlike other Chinese APT groups with broad economic or technology sector mandates, BackdoorDiplomacy's targeting is so concentrated on diplomatic institutions that the victim category itself serves as the most precise descriptor of the group's mission.

BackdoorDiplomacy is assessed by Palo Alto Networks Unit 42 as the same operational cluster tracked under the wider APT15 umbrella designation — also known as Playful Taurus, Vixen Panda, KeChang, NICKEL, and Nylon Typhoon. APT15 has been active since at least 2010, with a history of government and diplomatic targeting across North and South America, Africa, and the Middle East. The BackdoorDiplomacy label captures the post-2017 operational period, characterized by the evolved Turian backdoor and a consistent geographic focus on African and Middle Eastern foreign ministries that distinguishes it from earlier APT15 activity.

Two technical features define BackdoorDiplomacy's approach. First, the group's preferred initial access method is exploitation of vulnerable internet-facing infrastructure — web servers, Exchange servers, F5 BIG-IP load balancers, Plesk servers — rather than the spear-phishing and watering-hole approaches used by most peer Chinese APT groups. This server-focused entry strategy reflects an operational philosophy that avoids the need for victim interaction and targets organizations that fail to patch or properly configure their internet-exposed systems. Second, the group's deployment of a USB drive collection module — an executable that scans for removable media and copies all contents to a password-protected archive — is a specific intelligence tradecraft choice: foreign ministry staff carry classified and sensitive material on physical media, and collecting USB drive contents gives access to documents that may never traverse the network.

The Turian backdoor that BackdoorDiplomacy uses exclusively is a direct lineage descendant of Quarian — a backdoor used in documented attacks against the Syrian Ministry of Foreign Affairs in 2012 and the U.S. State Department in 2013. This lineage, confirmed by ESET's technical analysis, extends the group's documented operational history back over a decade. Turian has been continuously developed through multiple generations, with Palo Alto Unit 42 identifying updated variants with modified C2 decryption algorithms and obfuscation as recently as 2022. The backdoor is assessed to be used exclusively by Playful Taurus actors — a significant attribution signal.

Attribution note

BackdoorDiplomacy attribution to China-aligned state interests is assessed with high confidence based on: Turian's lineage to Quarian (Chinese state-linked campaign against the US State Department); TTP overlap with APT15 / Ke3chang documented Chinese espionage campaigns; Whitebird encryption protocol similarity linking to the Asian Calypso group; and targeting alignment exclusively with Chinese foreign policy interests. ESET described the group as sharing "commonalities with several other Asian groups" rather than directly naming China in the 2021 report. Unit 42 explicitly attributes activity to APT15 / Playful Taurus, assessed as a Chinese APT group active since 2010.

Target Profile

BackdoorDiplomacy's target profile is among the narrowest of any documented Chinese APT group. The singular focus on foreign ministries — the institutions that manage diplomatic communications, negotiate bilateral and multilateral agreements, and coordinate foreign policy — reflects a specific intelligence tasking requirement: China wants to know what other governments' foreign policy establishments think, plan, and communicate privately.

  • Ministries of Foreign Affairs — Africa: The primary documented target region. Multiple African government foreign ministries were identified as BackdoorDiplomacy victims in ESET's 2021 report. Africa's growing strategic importance to China — through the Belt and Road Initiative, infrastructure investment, resource extraction, and diplomatic bloc-building in multilateral forums — makes African foreign ministries high-value intelligence targets. Understanding African governments' diplomatic positions, their private communications with Western counterparts, and their negotiating priorities on issues affecting Chinese interests is directly valuable to Chinese state intelligence.
  • Ministries of Foreign Affairs — Middle East: A consistent secondary focus alongside Africa. The Middle East's energy resources, its complex relationship with both China and the United States, and China's growing economic and diplomatic presence in the region make Middle Eastern foreign ministries priority targets. The Iranian Ministry of Foreign Affairs was specifically identified as a likely compromise victim between July and December 2022, against the backdrop of the 2021 China-Iran 25-year cooperation accord.
  • Ministries of Foreign Affairs — Europe and Asia: Victims were discovered in European and Asian foreign ministries as well, extending BackdoorDiplomacy's geographic reach beyond its primary African and Middle Eastern focus. This broader distribution is consistent with a group tasked with monitoring China's diplomatic relationships across all regions.
  • Syrian Ministry of Foreign Affairs (Quarian, 2012): The oldest confirmed operation in the BackdoorDiplomacy lineage — the Quarian backdoor's use against the Syrian MFA during the critical 2012 period of the Syrian civil war. China's position on the Syria conflict — blocking UN Security Council resolutions — reflected specific diplomatic interests that would be served by intelligence from Syria's foreign ministry.
  • U.S. State Department (Quarian, 2013): The Quarian backdoor's documented use against the U.S. State Department — the world's most significant foreign policy establishment — confirms that this backdoor lineage has been used against the highest-value diplomatic targets from its inception.
  • Telecommunications Companies in Africa: A secondary targeting category. African telecom providers are targeted both for subscriber intelligence and for the network access they provide to government clients — consistent with the group's diplomatic intelligence mandate.
  • Middle Eastern Charities: At least one Middle Eastern charity was documented as a BackdoorDiplomacy victim — likely targeted due to its connections to political actors or civil society organizations of intelligence interest to China.
  • Iranian Government Ministries (2022): Unit 42's 2023 report identified the Iranian Ministry of Foreign Affairs, the Agricultural and Natural Resources Engineering Organization, and other Iranian government entities as likely compromises between July and late December 2022 — suggesting a broader mandate to monitor Iran's government as part of China-Iran diplomatic engagement.

Tactics, Techniques & Procedures

BackdoorDiplomacy's TTP footprint is consistent and distinctive: server exploitation for initial access, China Chopper or webshell for initial foothold, open-source reconnaissance tools, DLL sideloading for Turian deployment, and a USB collection module as an intelligence tradecraft bonus. The group deliberately modifies specific tools between campaigns in closely neighboring geographic regions — a counter-tracking measure designed to make clustering intrusions across the region more difficult for threat intelligence analysts.

MITRE ATT&CK techniques
  • T1190 Exploit Public-Facing Application: BackdoorDiplomacy's preferred initial access method — targeting internet-exposed web servers, Exchange servers, load balancers, and hosting control panels rather than targeting individuals via phishing. Three documented initial access patterns: (1) CVE-2020-5902 in the F5 BIG-IP traffic management UI (TMUI) — a critical pre-authenticated RCE vulnerability allowing full device takeover — used to drop a Linux backdoor; (2) Microsoft Exchange Server exploitation via a PowerShell dropper installing the China Chopper webshell; (3) a Plesk hosting control server with poorly configured file-upload security, exploited to execute a webshell. The group's preference for server exploitation means it specifically targets organizations with unpatched or poorly maintained internet-facing infrastructure.
  • T1505.003 Web Shell — China Chopper: China Chopper is the post-exploitation persistence mechanism deployed on compromised web and Exchange servers. A minimal server-side webshell that receives commands via HTTP POST requests, China Chopper is widely used across Chinese APT groups and provides the interactive foothold from which BackdoorDiplomacy deploys reconnaissance tools and eventually installs Turian. The webshell persists independently of other implants, providing a recovery path if later-stage tools are removed.
  • T1574.001 DLL Search Order Hijacking — Turian Delivery: BackdoorDiplomacy's characteristic Turian installation mechanism. The group uploads a legitimate signed executable (in one documented case, a legitimate McAfee executable — ScnCfg.exe) alongside a malicious DLL named after the legitimate DLL that the executable calls (vsodscpl.dll). When the legitimate executable runs, it loads the malicious DLL instead of the legitimate one. The malicious DLL then extracts Turian embedded within its code, writes it to memory, and executes it. This technique abuses Windows' DLL search order to load attacker code through a trusted, signed process — making the resulting process appear legitimate in process monitoring.
  • T1091 Replication Through Removable Media — USB Collection: A dedicated executable routinely scans victim systems for insertions of removable media — specifically USB flash drives. When a USB drive is detected, the tool copies all contents to a password-protected archive in the main drive's recycle bin, staging the data for subsequent exfiltration via Turian or other C2 channels. This capability reflects an intelligence tradecraft understanding that foreign ministry staff carry classified and sensitive documents on physical media, and that material on USB drives may not be accessible through network-based collection alone. The recycle bin staging location minimizes conspicuous network activity at the moment of USB insertion.
  • T1027.002 Software Packing — VMProtect: Many BackdoorDiplomacy tools — including backdoor droppers and utilities — are obfuscated using VMProtect (versions 1.60 through 2.05). VMProtect is a commercial protection framework that converts executable code to a custom virtual machine bytecode, making static analysis and signature extraction significantly more difficult. The consistent use of a specific VMProtect version range across BackdoorDiplomacy tools provides an attribution indicator — the same obfuscation technology version across intrusions links them to the same operational cluster.
  • T1036 Masquerading — Filename and Path Mimicry: BackdoorDiplomacy operators disguise backdoor droppers using names designed to blend into normal Windows operations: amsc.exe, msvsvr.dll, alg.exe. Implants are dropped in folders named after legitimate software: C:\Program Files\hp, C:\ProgramData\ESET, C:\ProgramData\Mozilla. The use of a folder named "ESET" — a well-known security vendor — is a particularly notable choice: in some target environments, ESET products are installed and trusted by local security controls, making a folder under the ESET ProgramData path appear legitimate.
  • T1071.001 Web Protocols — Turian C2: The Linux variant of Turian uses Mozilla/5.0 (X11; Linux i686; rv:22.0) Firefox/22.0 as its User-Agent string for C2 communications — blending outbound connections with normal browser traffic. The Windows variant of Turian uses encrypted communications including EncryptMessage() / DecryptMessage() API calls with additional XOR encoding (key 0x56 in documented variants). C2 server addresses are encrypted within the binary and decrypted at runtime using algorithms that have been updated across Turian generations — earlier versions used XOR against a hardcoded byte; later versions use modified algorithms to evade published detection signatures.
  • T1016 System Network Configuration Discovery: After initial compromise via webshell, BackdoorDiplomacy deploys open-source reconnaissance and red-team tools to evaluate the environment for additional targets of opportunity and lateral movement. Documented open-source tools used post-compromise include network scanners and proxy/tunneling tools. The NPS proxy tool and IRAFAU backdoor were documented in a 2021 campaign against a Middle Eastern telecommunications company that began with ProxyShell Exchange exploitation.

The Quarian → Turian Backdoor Lineage

The Quarian-to-Turian backdoor lineage is the most technically significant thread in BackdoorDiplomacy's documented history — a continuous toolchain development program spanning over a decade that connects the earliest documented operations to present-day campaigns.

  • Quarian (2012–2013): The progenitor. Used against the Syrian Ministry of Foreign Affairs in 2012 and the U.S. State Department in 2013 — establishing the group's diplomatic targeting pattern from the very beginning of the backdoor lineage. Quarian was last observed in 2013, after which it apparently went underground for several years of internal development.
  • Turian (2017–present): The evolved successor, first documented by ESET in 2021 but assessed as active since at least 2017. Turian shares architectural DNA with Quarian — ESET's analysis identified Turian as a next-stage evolution of Quarian. Critically, Turian is assessed by Palo Alto Unit 42 to be used exclusively by Playful Taurus actors — a strong attribution anchor. Turian provides system information collection, screenshot capture, file write/move/delete operations, and reverse shell capability. Both Windows and Linux variants exist; the Linux variant uses a TTY reverse shell and persists via /etc/init.d/rc.local.
  • Turian Updated Variants (2022+): Unit 42 identified updated Turian variants in 2022 Iranian campaign infrastructure with modified C2 decryption algorithms and additional obfuscation. Earlier Quarian/Turian versions decrypted C2 addresses using XOR against a hardcoded byte (e.g., 0xA9); updated variants use a clearly modified algorithm, suggesting active countermeasures against published detection signatures. Command IDs in updated variants appear randomized rather than following sequential order — another anti-analysis modification.
  • Whitebird Encryption Protocol Overlap: Turian's network encryption protocol is nearly identical to that used by Whitebird — a backdoor operated by the Calypso APT group, which targeted government institutions in Kazakhstan and Kyrgyzstan during the same 2017–2020 timeframe. This cryptographic implementation overlap, noted by ESET, suggests either shared code lineage, a common development source, or tool sharing between BackdoorDiplomacy and the Calypso cluster.
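Hunting for the single-byte XOR C2 encoding used by the earlier Quarian/Turian builds described above, as an added example (not code from the page, ESET or Unit 42): it brute-forces all 256 keys over a byte blob and reports any run that decodes to a hostname or dotted-quad. The sample blob and its placeholder domain are constructed for the demonstration, not real indicators.

```python
"""Single-byte XOR brute force for Turian-style encoded C2 strings.

Added example, not code from the page, ESET or Unit 42. Earlier Quarian/Turian
builds stored the C2 address XORed with one hardcoded byte (e.g. 0xA9); this
tries all 256 keys over a byte blob and reports runs that decode to a hostname
or dotted-quad, optionally with a port. The blob below is constructed around a
placeholder domain, not a real indicator.
"""
import re
import string

# Characters that can legitimately appear in host:port or ip:port text.
_HOST_CHARS = frozenset(string.ascii_letters + string.digits + ".-:")
_HOST_RE = re.compile(
    r"(?:(?:\d{1,3}\.){3}\d{1,3}|[a-z0-9-]+(?:\.[a-z0-9-]+)+)(?::\d{1,5})?",
    re.IGNORECASE,
)


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with a single-byte key (0..255)."""
    return bytes(b ^ key for b in data)


def _host_runs(plain: bytes, min_len: int) -> list[str]:
    """Split a decoded buffer into maximal runs of host-legal characters."""
    runs, run = [], bytearray()
    for b in plain:
        if chr(b) in _HOST_CHARS:
            run.append(b)
            continue
        if len(run) >= min_len:
            runs.append(run.decode("ascii"))
        run = bytearray()
    if len(run) >= min_len:
        runs.append(run.decode("ascii"))
    return runs


def candidate_hosts(data: bytes, min_len: int = 7) -> list[tuple[int, str]]:
    """Return (key, text) for every single-byte key under which some run of
    the decoded data looks like a hostname or IP. Key 0 covers plaintext."""
    hits = []
    for key in range(256):
        for text in _host_runs(xor_bytes(data, key), min_len):
            if _HOST_RE.fullmatch(text):
                hits.append((key, text))
    return hits


def build_sample_blob(host: str, key: int) -> bytes:
    """Constructed stand-in for a sample's data section: deterministic filler
    around the encoded, NUL-terminated host string."""
    filler = bytes(range(0x10, 0x30))
    return filler + xor_bytes(host.encode("ascii") + b"\x00", key) + filler


if __name__ == "__main__":
    blob = build_sample_blob("c2.example.invalid:443", 0xA9)  # placeholder host
    for key, text in candidate_hosts(blob):
        print(f"key=0x{key:02x} -> {text}")
```

Against real samples, run it over the data sections of an unpacked binary; updated Turian variants use a modified scheme, so a miss here does not clear a sample.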

Known Campaigns

Quarian — Syrian MFA and U.S. State Department (2012–2013)

The earliest documented operations in the BackdoorDiplomacy/Playful Taurus backdoor lineage, predating the group's formal designation. In 2012 the Quarian backdoor was used against the Syrian Ministry of Foreign Affairs — during the height of the Syrian civil war when China was actively blocking UN Security Council resolutions on Syria. In 2013 Quarian was used against the U.S. State Department — the first documented use of this backdoor lineage against a Western diplomatic target. Both operations established what would become the group's defining pattern: persistent, targeted intrusions against Ministries of Foreign Affairs using a continuously developed custom backdoor.

Africa and Middle East Foreign Ministry Campaign (2017–2021)

The campaign documented by ESET in June 2021 that established the BackdoorDiplomacy designation. The group targeted Ministries of Foreign Affairs across multiple African nations, diplomatic organizations in the Middle East, telecommunications companies in Africa, and at least one Middle Eastern charity. Initial access was achieved through exploitation of vulnerable internet-facing infrastructure — F5 BIG-IP (CVE-2020-5902), Microsoft Exchange, and Plesk servers with misconfigured file upload settings. Post-compromise, Turian was installed via DLL sideloading through legitimate signed executables including a McAfee binary. A USB collection module was deployed on a subset of victims. The group modified tools between closely neighboring geographic targets — a counter-tracking measure to complicate analyst clustering. ESET discovered a Linux Turian variant via shared C2 infrastructure, deployed after F5 BIG-IP exploitation and persisting via /etc/init.d/rc.local.

Middle East Telecom — Extended Campaign with New Tools (August 2021–2022)

In August 2021, BackdoorDiplomacy exploited ProxyShell vulnerabilities in Microsoft Exchange against a telecommunications firm in the Middle East, deploying the NPS proxy tool and the IRAFAU backdoor. The compromise continued and evolved through 2022, as documented by Bitdefender in their full "Cyber-Espionage in the Middle East" research paper (December 2022). Starting in February 2022, the group deployed Quarian again alongside a substantially expanded toolkit including Pinkman Agent (a Go-based backdoor named for a "pinkmanHeisenberg" string used for C2 key derivation) and Impersoni-fake-ator (a tool embedded into legitimate DbgView and PuTTY binaries to masquerade as legitimate utilities). Open-source tools deployed in this extended campaign included ToRat, AsyncRAT, and Merlin. Bitdefender attributed the campaign to BackdoorDiplomacy based on shared C2 infrastructure overlapping with prior documented BackdoorDiplomacy domains. This campaign confirmed that the group maintains persistence in compromised environments for extended periods and actively develops new custom tools during sustained operations.

Microsoft NICKEL Domain Seizure — Infrastructure Disruption (December 2021)

On December 6, 2021, Microsoft's Digital Crimes Unit obtained a court order from the U.S. District Court for the Eastern District of Virginia seizing 42 web domains used by APT15/NICKEL/BackdoorDiplomacy in attacks targeting organizations in the United States and 28 other countries. Microsoft redirected traffic from the seized domains to its own secure servers. The domains had been used for intelligence gathering from government agencies, think tanks, and human rights organizations. Microsoft's Tom Burt stated "there is often a correlation between Nickel's targets and China's geopolitical interests." The seizure caused a period of relative operational inactivity for the group, though subsequent campaigns — including the 2022–2023 Graphican Americas campaign documented by Symantec — confirmed the group recovered and adapted by developing new backdoor infrastructure not reliant on the compromised domain set.

Iran Ministry of Foreign Affairs — Playful Taurus Campaign (July–December 2022)

Palo Alto Networks Unit 42 identified sustained connections from four Iranian government entities — including the Ministry of Foreign Affairs and the Agricultural and Natural Resources Engineering Organization — to known Playful Taurus C2 infrastructure between July and late December 2022. The sustained daily nature of these connections suggested an active, ongoing compromise rather than a one-time probe. New Turian variants with updated C2 decryption algorithms and additional obfuscation were identified in the associated infrastructure. Unit 42 noted that the Iran targeting was occurring against the backdrop of the 2021 China-Iran 25-year cooperation accord — suggesting that China was actively monitoring its strategic partner's government communications and policy positions even while publicly cooperating. The group misused active and expired certificates belonging to several government agencies, including the Ministry of Foreign Affairs of Senegal, to evade detection.

Graphican Campaign — Foreign Affairs Ministries in the Americas (Late 2022–Early 2023)

Symantec's Threat Hunter Team (Broadcom) documented APT15/Flea conducting a targeted campaign against foreign affairs ministries in the Americas, running from late 2022 into early 2023 — demonstrating rapid recovery following Microsoft's December 2021 infrastructure seizure. The campaign deployed a previously undocumented backdoor: Graphican, assessed as a third-generation evolution from the earlier Ketrican backdoor. Graphican's defining characteristic is its use of Microsoft's Graph API and OneDrive to obtain its C2 infrastructure dynamically — eliminating hardcoded C2 servers and making network-level detection significantly more difficult, as C2 traffic blends with normal Microsoft 365 cloud communications. Government entities including financial subdivisions of foreign ministries were targeted across multiple Americas countries. Symantec noted the consistent victimology: "Flea has a track record of honing in on government targets, diplomatic missions, and embassies, likely for intelligence-gathering purposes."

Tools & Malware

  • Turian (Windows and Linux): BackdoorDiplomacy's primary custom implant, used exclusively by Playful Taurus actors. Capabilities include system information collection, screenshot capture, file write/move/delete operations, and reverse shell generation. C2 addresses are encrypted within the binary and decrypted at runtime. The Windows variant uses EncryptMessage()/DecryptMessage() APIs with additional XOR encoding; the Linux variant uses a TTY reverse shell and the Mozilla/5.0 (X11; Linux i686) User-Agent. Multiple generations documented: original (2017–2021), updated variants (2022+) with modified decryption algorithms and randomized command IDs. Assessed as exclusive to Playful Taurus.
  • Quarian: Turian's documented predecessor, last observed in 2013. Used against the Syrian MFA (2012) and U.S. State Department (2013). Architectural analysis confirmed by ESET as the progenitor of Turian — establishing the continuous decade-plus development lineage of this backdoor family.
  • China Chopper: A minimal server-side webshell deployed on compromised web and Exchange servers. Used as the initial post-exploitation persistence mechanism, providing the interactive foothold from which BackdoorDiplomacy deploys reconnaissance tools and installs Turian. Widely used across Chinese APT groups, so it carries little attribution value on its own.
  • USB Collection Module: A dedicated executable that scans for inserted removable media, copies all files from detected USB drives to a password-protected archive in the system recycle bin, and stages the archive for exfiltration. Not a well-known commodity tool — this module reflects custom development for the specific intelligence requirement of collecting physical media contents from foreign ministry staff.
  • Quasar RAT: An open-source remote access tool deployed by BackdoorDiplomacy when operators require greater interactivity than Turian provides. Quasar runs on virtually all Windows versions and provides comprehensive remote management including file operations, remote desktop, process management, and keylogging. Its use alongside Turian provides operational flexibility without developing additional custom tooling for interactive sessions.
  • NPS Proxy: An open-source network proxy tool deployed post-compromise for traffic tunneling and obfuscation. Used in the 2021 Middle Eastern telecom campaign to facilitate internal network access through the compromised Exchange server.
  • IRAFAU Backdoor: A backdoor deployed in the August 2021 Middle Eastern telecom campaign alongside NPS proxy, providing an additional persistent access channel beyond Turian in that specific operation. Used for information discovery and lateral movement — copying itself to C$ shares and executing via schtasks and WMI.
  • Graphican: A third-generation APT15 backdoor documented by Symantec in the late 2022–early 2023 Americas foreign ministry campaign. Assessed as an evolution of the earlier Ketrican backdoor, Graphican uses Microsoft's Graph API and OneDrive to acquire its C2 infrastructure dynamically — meaning no hardcoded C2 server is present in the binary. C2 traffic is indistinguishable from normal Microsoft 365 cloud communications, making network-level detection significantly more difficult. Capabilities include hostname collection, IP enumeration, Windows version reporting, and execution of further commands received via the OneDrive-hosted C2 channel.
  • Pinkman Agent: A Go-based backdoor documented by Bitdefender in the 2022 Middle East telecom campaign. Named for a "pinkmanHeisenberg" string present in all samples, which is used to derive the C2 server decryption key. The Go language choice provides cross-platform compilation capability and complicates static analysis relative to traditional C/C++ malware.
  • Impersoni-fake-ator: A malware component documented by Bitdefender in the 2022 Middle East telecom campaign, embedded inside legitimate copies of DbgView (Sysinternals debugger) and PuTTY (SSH client). By masquerading as trusted debugging and remote access utilities already present in enterprise environments, it provides a persistent foothold that may not trigger application whitelisting controls or user suspicion.
  • fscan / Open-Source Reconnaissance Tools: Network scanners deployed via webshell post-compromise to evaluate the victim environment for additional targets and lateral movement opportunities. The group uses publicly available tools for the reconnaissance and lateral movement phases, reserving custom tooling for the persistence and collection phases.

Indicators of Compromise

IOCs drawn from ESET's June 2021 "BackdoorDiplomacy: Upgrading from Quarian to Turian" analysis, Palo Alto Unit 42's January 2023 Playful Taurus Iran report, Bitdefender's December 2022 "Cyber-Espionage in the Middle East" whitepaper, and Symantec's June 2023 Graphican / Flea report. Full indicator sets are published in ESET's GitHub repository and Unit 42's threat intelligence disclosure.

Warning

BackdoorDiplomacy deliberately modifies tools between geographically neighboring campaigns to complicate analyst clustering. C2 decryption algorithms in Turian have been updated across generations, rendering earlier hash-based and signature-based detection ineffective against newer variants. Behavioral indicators — DLL sideloading patterns, USB collection activity, Mozilla/5.0 X11 User-Agent from non-browser processes — are more durable detection anchors than specific hashes.

Behavioral and technical indicators
  • CVE: CVE-2020-5902 — F5 BIG-IP TMUI RCE (critical; pre-authenticated; BackdoorDiplomacy Linux Turian delivery)
  • Technique: DLL sideloading via legitimate signed executables — malicious DLL named after the legitimate DLL called by McAfee ScnCfg.exe (vsodscpl.dll); check for unexpected DLLs adjacent to legitimate executables
  • Path: Implants in C:\Program Files\hp, C:\ProgramData\ESET, C:\ProgramData\Mozilla — legitimate-named folders used for backdoor staging
  • Behavior: Password-protected archive creation in the system recycle bin on USB insertion — USB collection module; monitor for archive creation events in the recycle bin correlated with USB insertion events
  • User-Agent: Mozilla/5.0 (X11; Linux i686; rv:22.0) Firefox/22.0 from non-browser Linux processes — Linux Turian C2 communication pattern
  • Filename: amsc.exe, msvsvr.dll, alg.exe — Windows masquerading names used by BackdoorDiplomacy droppers
  • Domain: portal-Share.mfa[.]new (historical — 2022 C2 certificate reference suggesting MFA targeting); www[.]delldrivers[.]in (2022 Turian C2 — Unit 42 Iran campaign)
  • IP: 152.32.181.16 (2022 — Playful Taurus C2 IP; Iranian government orgs observed connecting July–Dec 2022)
  • Obfuscation: VMProtect v1.60–2.05 on multiple BackdoorDiplomacy tools — the specific version range is an attribution indicator across intrusions
  • Behavior (2023): Non-browser/non-Office processes invoking the Microsoft Graph API or accessing OneDrive paths — Graphican backdoor C2 pattern; blends with normal Microsoft 365 traffic; requires behavioral process-level monitoring to detect
  • C2 string: "pinkmanHeisenberg" — key derivation string present in all Pinkman Agent samples (Bitdefender 2022 Middle East campaign); pivot on this string for sample hunting
  • IP / domain (2022): 43.251.105[.]139 — IP used as C2 by a Quarian variant built 2022-04-11 (Bitdefender); uc.ejalase[.]org and mci.ejalase[.]org — 2022 campaign domains linked to prior BackdoorDiplomacy infrastructure

Mitigation & Defense

BackdoorDiplomacy is active, with confirmed operations extending through early 2023 (Symantec Graphican Americas campaign) and continued Turian development suggesting ongoing campaigns. The group demonstrated resilience following Microsoft's December 2021 seizure of 42 domains — recovering within months and deploying new backdoor infrastructure. Diplomatic organizations — particularly Ministries of Foreign Affairs, foreign affairs agencies, and embassies — are the primary at-risk sector globally. The group's server-exploitation entry strategy means organizations with unpatched internet-facing infrastructure are specifically vulnerable regardless of phishing awareness training.

  • Priority Patching for Internet-Facing Infrastructure: BackdoorDiplomacy enters almost exclusively through vulnerable servers — not through end-user phishing. CVE-2020-5902 (F5 BIG-IP), ProxyShell (Microsoft Exchange), and file-upload vulnerabilities in Plesk are documented BackdoorDiplomacy initial access vectors. Deploy automated vulnerability scanning of all internet-facing systems with priority patching for CVSS 9+ vulnerabilities. The F5 BIG-IP vulnerability was known when BackdoorDiplomacy used it — the intrusions were preventable through timely patching. Diplomatic organizations should audit their full internet-exposed service inventory — including network management interfaces, load balancers, and hosting control panels — all categories in BackdoorDiplomacy's documented exploit portfolio.
  • Microsoft Exchange Hardening: Exchange server exploitation is a documented BackdoorDiplomacy initial access vector. Maintain current Exchange cumulative updates and security patches. If using on-premises Exchange, implement network-level filtering to restrict access to EWS and OWA to expected source IP ranges where operationally feasible. Deploy endpoint detection on Exchange servers monitoring for webshell drops, PowerShell execution from the Exchange application pool worker process, and suspicious DLL loads by Exchange binaries.
  • DLL Sideloading Detection: BackdoorDiplomacy's Turian installation relies on DLL sideloading through legitimate signed executables. Implement application control policies (AppLocker, WDAC) that restrict DLL loading from unexpected directories — particularly preventing legitimate signed executables from loading DLLs from their own directory rather than the Windows system directory. EDR behavioral rules detecting known-legitimate executables loading unexpected DLLs should be deployed and tuned for the specific executables documented in BackdoorDiplomacy campaigns (McAfee ScnCfg.exe is one documented example).
  • USB Drive Monitoring and Policy: BackdoorDiplomacy specifically collects USB drive contents from foreign ministry environments. Implement removable media policy: restrict USB drive insertion on workstations handling classified or sensitive diplomatic communications. For environments where USB use is necessary, deploy endpoint monitoring that alerts on archive creation events in recycle bin directories correlated with removable media insertion events — the specific staging pattern of BackdoorDiplomacy's USB collection module. Consider hardware-based USB port controls for the highest-sensitivity terminals.
  • Webshell Detection on Web and Exchange Servers: China Chopper and similar webshells are deployed on compromised servers as the initial persistence mechanism. Implement file integrity monitoring on web and Exchange server directories — alert on any new file creation in web root directories, application directories, and Exchange virtual directory paths. Webshell detection tooling (IIS log analysis, AV scanning of web directories) should be deployed and run regularly. Treat any unexplained file creation on internet-facing servers as a potential webshell drop requiring investigation.
  • Microsoft Graph API Abuse Detection: The Graphican backdoor (2022–2023 Americas campaign) uses Microsoft Graph API and OneDrive for C2 — generating traffic indistinguishable from normal Microsoft 365 operations at the network level. Standard network monitoring focused on known-malicious domains or IPs will not detect this C2 channel. Implement behavioral monitoring for unusual process-level Microsoft 365 API activity: non-browser, non-Office processes making Graph API calls, particularly for file enumeration or download from OneDrive paths not associated with legitimate user accounts, should trigger investigation. Enterprise DLP and CASB tools that monitor OneDrive access patterns can provide visibility into anomalous cloud storage usage that network-level controls will miss.
  • Diplomatic Organization Security Baseline: Foreign affairs ministries, embassies, and diplomatic missions face a dedicated, persistent adversary with a track record of successful, multi-year intrusions. The baseline security posture should include network segmentation separating internet-facing servers from internal diplomat workstations, TLS inspection for outbound traffic to detect Turian C2 communications, and off-network communication channels for the most sensitive diplomatic communications that should never traverse standard enterprise infrastructure.
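Two of the host-level rules from the bullets above (the USB-to-recycle-bin archive staging correlation and the sideload rule for watchlisted executables such as ScnCfg.exe), as an added example that is not part of this profile. It runs over constructed Sysmon-style events; the field names, hostnames, file paths, the 10-minute window and the watchlist are assumptions to be tuned against real telemetry.

```python
# Added example, not from this profile: USB staging and DLL sideload rules over constructed events.
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

USB_WINDOW = timedelta(minutes=10)          # assumed correlation window (tune per environment)
ARCHIVE_EXT = {".rar", ".zip", ".7z"}
SIDELOAD_WATCHLIST = {"scncfg.exe"}         # executable named in the profile; extend with tuned list

# Constructed sample telemetry (not real events); hostnames and paths are invented.
EVENTS = [
    {"ts": "2022-09-01T09:00:00", "host": "mfa-ws01", "type": "usb_insert"},
    {"ts": "2022-09-01T09:04:30", "host": "mfa-ws01", "type": "file_create",
     "path": r"C:\$Recycle.Bin\S-1-5-21-1\staging_0901.rar"},        # archive 4.5 min after insert
    {"ts": "2022-09-01T12:00:00", "host": "mfa-ws02", "type": "usb_insert"},
    {"ts": "2022-09-01T13:00:00", "host": "mfa-ws02", "type": "file_create",
     "path": r"C:\$Recycle.Bin\S-1-5-21-2\old.rar"},                 # 60 min later: outside window
    {"ts": "2022-09-01T10:15:00", "host": "mfa-ws03", "type": "image_load",
     "process": r"C:\Users\Public\Tools\ScnCfg.exe",
     "image": r"C:\Users\Public\Tools\helper.dll"},                  # DLL loaded from the exe's own directory
    {"ts": "2022-09-01T10:15:01", "host": "mfa-ws03", "type": "image_load",
     "process": r"C:\Users\Public\Tools\ScnCfg.exe",
     "image": r"C:\Windows\System32\kernel32.dll"},                   # normal system DLL load, not flagged
]

def _ts(event):
    return datetime.fromisoformat(event["ts"])

def detect_usb_staging(events, window=USB_WINDOW):
    """Archive created under $Recycle.Bin within `window` after a USB insert on the same host."""
    inserts = [e for e in events if e["type"] == "usb_insert"]
    hits = []
    for e in (x for x in events if x["type"] == "file_create"):
        path = PureWindowsPath(e["path"])
        if "$recycle.bin" not in {p.lower() for p in path.parts} or path.suffix.lower() not in ARCHIVE_EXT:
            continue
        for ins in inserts:   # correlate with the most recent insert on the same host inside the window
            if ins["host"] == e["host"] and timedelta(0) <= _ts(e) - _ts(ins) <= window:
                hits.append((e["host"], e["path"], ins["ts"]))
                break
    return hits

def detect_sideload(events, watchlist=SIDELOAD_WATCHLIST):
    """Watchlisted executable loading a DLL from its own directory instead of a system directory."""
    hits = []
    for e in (x for x in events if x["type"] == "image_load"):
        proc, dll = PureWindowsPath(e["process"]), PureWindowsPath(e["image"])
        if proc.name.lower() in watchlist and dll.suffix.lower() == ".dll" and dll.parent == proc.parent:
            hits.append((e["host"], str(proc), str(dll)))
    return hits
```

Both functions return the matched tuples so they can feed an alert pipeline; the second ws02 pair and the kernel32 load show the negatives each rule must not fire on.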

analyst note

BackdoorDiplomacy's USB drive collection module deserves particular attention as an intelligence tradecraft choice. Every other technique in the group's toolkit is about network access — exploiting servers, deploying webshells, installing backdoors, tunneling traffic. The USB module is something different: it reflects a specific operational intelligence assessment that foreign ministry staff carry sensitive material on physical media, and that the most valuable documents may never traverse the network in plaintext. A group that builds and deploys custom USB collection software is not conducting opportunistic intrusions — it is conducting targeted espionage by an organization with specific tasking requirements about what information resides on the physical media carried by diplomats. This level of operational specificity, combined with the decade-plus continuous development of the Quarian-Turian backdoor lineage, describes an actor that has maintained a consistent diplomatic intelligence mandate through multiple generations of tooling, multiple exposures, and multiple attribution events — and has not been deterred by any of them.

Sources & Further Reading

Attribution and references used to build this profile.

— end of profile