The threat actor known as BackdoorDiplomacy has been linked to a new wave of attacks targeting Iranian government entities between July and late December 2022.
Palo Alto Networks Unit 42, which tracks the activity under its constellation-themed moniker Playful Taurus, said it observed Iranian government domains attempting to connect to malware infrastructure previously identified as associated with the adversary.
Also known as APT15, KeChang, NICKEL, and Vixen Panda, the China-linked APT group has conducted cyber espionage campaigns against government and diplomatic entities across North America, South America, Africa, and the Middle East since at least 2010.
In June 2021, Slovak cybersecurity firm ESET detailed intrusions mounted by the hacking crew against diplomatic entities and telecommunication companies in Africa and the Middle East using a custom implant known as Turian.
The new versions of the Turian backdoor sport additional obfuscation as well as an updated decryption algorithm used to extract the C2 server addresses. The malware itself, however, remains generic, offering only basic capabilities: updating the C2 server it connects to, executing commands, and spawning reverse shells.
BackdoorDiplomacy’s interest in Iran is said to have a geopolitical dimension, as it comes against the backdrop of a 25-year comprehensive cooperation agreement signed between China and Iran to foster economic, military, and security cooperation.