{
	"id": "bcfc84ea-4fcd-4287-a89b-9c22e8ae93da",
	"created_at": "2026-04-06T00:16:09.831366Z",
	"updated_at": "2026-04-10T13:11:56.346844Z",
	"deleted_at": null,
	"sha1_hash": "1d00d3a43d5c520122f5f24258c6b9703fb7e60b",
	"title": "BackdoorDiplomacy: Upgrading from Quarian to Turian",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1848094,
	"plain_text": "BackdoorDiplomacy: Upgrading from Quarian to Turian\r\nBy Adam Burgher\r\nArchived: 2026-04-02 10:52:13 UTC\r\nExecutive summary\r\nAn APT group that we are calling BackdoorDiplomacy, due to the main vertical of its victims, has been targeting Ministries\r\nof Foreign Affairs and telecommunication companies in Africa and the Middle East since at least 2017. For initial infection\r\nvectors, the group favors exploiting vulnerable internet-exposed devices such as web servers and management interfaces for\r\nnetworking equipment. Once on a system, its operators make use of open-source tools for scanning the environment and\r\nlateral movement. Interactive access is achieved in two ways: (1) via a custom backdoor we are calling Turian that is derived\r\nfrom the Quarian backdoor; and (2) in fewer instances, when more direct and interactive access is required, certain open-source remote access tools are deployed. In several instances, the group has been observed targeting removable media for\r\ndata collection and exfiltration. Finally, both Windows and Linux operating systems have been targeted.\r\nLinks with known groups\r\nBackdoorDiplomacy shares commonalities with several other Asian groups. Most obvious among them is the connection\r\nbetween the Turian backdoor and the Quarian backdoor. Specific observations regarding the Turian-Quarian connection are\r\nrecorded below in the Turian section. We believe this group is also linked with a group Kaspersky referred to as\r\n“CloudComputating” that was also analyzed by Sophos.\r\nSeveral victims were compromised via mechanisms that closely matched the Rehashed Rat and a MirageFox-APT15\r\ncampaign documented by Fortinet in 2017 and Intezer in 2018, respectively. The BackdoorDiplomacy operators made use of\r\ntheir specific form of DLL Search-Order Hijacking.\r\nFinally, the network encryption method BackdoorDiplomacy uses is quite similar to a backdoor Dr.Web calls\r\nBackdoor.Whitebird.1. 
Whitebird was used to target government institutions in Kazakhstan and Kyrgyzstan (both neighbors\r\nof a BackdoorDiplomacy victim in Uzbekistan) within the same 2017-to-present timeframe in which BackdoorDiplomacy\r\nhas been active.\r\nVictimology\r\nQuarian was used to target the Syrian Ministry of Foreign Affairs in 2012, as well as the US State Department in 2013. This\r\ntrend of targeting Ministries of Foreign Affairs continues with Turian.\r\nVictims have been discovered in the Ministries of Foreign Affairs of several African countries, as well as in Europe, the\r\nMiddle East, and Asia. Additional targets include telecommunication companies in Africa, and at least one Middle Eastern\r\ncharity. In each case, operators employed similar tactics, techniques, and procedures (TTPs), but modified the tools used,\r\neven within close geographic regions, likely to make tracking the group more difficult. See Figure 1 for a map of victims by\r\ncountry and vertical.\r\nhttps://www.welivesecurity.com/2021/06/10/backdoordiplomacy-upgrading-quarian-turian/\r\nPage 1 of 16\n\nFigure 1. Victims by country and vertical\r\nAttack vectors\r\nBackdoorDiplomacy targeted servers with internet-exposed ports, likely exploiting unpatched vulnerabilities or poorly\r\nenforced file-upload security. In one specific instance, we observed the operators exploit an F5 BIG-IP vulnerability (CVE-2020-5902) to drop a Linux backdoor. In another, a Microsoft Exchange server was exploited via a PowerShell dropper that\r\ninstalled China Chopper, a well-known webshell in use, by various groups, since 2013. In a third, we observed a Plesk\r\nserver with poorly configured file-upload security execute another webshell similar to China Chopper. See Figure 2 for an\r\noverview of the exploit chain.\r\nFigure 2. 
Exploit chain from initial compromise to backdoor with C\u0026C communications\r\nReconnaissance and lateral movement\r\nFollowing the initial compromise, in many instances the BackdoorDiplomacy group employed open-source reconnaissance\r\nand red-team tools to evaluate the environment for additional targets of opportunity and lateral movement. Among the tools\r\ndocumented are:\r\nEarthWorm, a simple network tunnel with SOCKS v5 server and port transfer functionalities\r\nMimikatz, in various versions including SafetyKatz\r\nNbtscan, a command line NetBIOS scanner for Windows\r\nNetCat, a networking utility that reads and writes data across network connections\r\nPortQry, a tool to display the status of TCP and UDP ports on remote systems\r\nSMBTouch, used to determine whether a target is vulnerable to EternalBlue\r\nVarious tools from the ShadowBrokers dump of NSA tools including, but not limited to:\r\nDoublePulsar\r\nEternalBlue\r\nEternalRocks\r\nEternalSynergy\r\nCommonly used directories for staging recon and lateral movement tools include:\r\nC:\\Program Files\\Windows Mail\\en-US\\\r\n%LOCALAPPDATA%\\Microsoft\\InstallAgent\\Checkpoints\\\r\nC:\\ProgramData\\ESET\\ESET Security\\Logs\\eScan\\\r\n%USERPROFILE%\\ESET\\ESET Security\\Logs\\eScan\\\r\nC:\\Program Files\\hp\\hponcfg\\\r\nC:\\Program Files\\hp\\hpssa\\\r\nC:\\hp\\hpsmh\\\r\nC:\\ProgramData\\Mozilla\\updates\\\r\nOf the tools listed above, many were obfuscated with VMProtect (v1.60-2.05), a recurring theme with BackdoorDiplomacy\r\ntools.\r\nWindows\r\nBackdoor droppers\r\nIn some instances, operators were observed uploading backdoor droppers. Operators attempted to disguise their backdoor\r\ndroppers and evade detection in various ways:\r\nNaming conventions designed to blend into normal operations (e.g. 
amsc.exe, msvsvr.dll, alg.exe)\r\nDropping implants in folders named for legitimate software (e.g., C:\\Program Files\\hp, C:\\ProgramData\\ESET,\r\nC:\\ProgramData\\Mozilla)\r\nDLL search order hijacking\r\nIn one such instance, the operators uploaded, via a webshell, both ScnCfg.exe (SHA-1:\r\n573C35AB1F243D6806DEDBDD7E3265BC5CBD5B9A), a legitimate McAfee executable, and vsodscpl.dll, a malicious\r\nDLL named after a legitimate McAfee DLL that is called by ScnCfg.exe. The version of vsodscpl.dll (SHA-1:\r\nFCD8129EA56C8C406D1461CE9DB3E02E616D2AA9) deployed was called by ScnCfg.exe, at which point vsodscpl.dll\r\nextracted Turian embedded within its code, wrote it to memory, and executed it.\r\nOn a different system, operators dropped a legitimate copy of credwize.exe, the Microsoft Credential Backup and Restore\r\nWizard, on disk and used it to execute the malicious library New.dll, another Turian variant.\r\nTurian\r\nAbout half of the samples we collected were obfuscated with VMProtect. A compilation of observed operator commands is\r\nincluded in the Operator commands section. Unique network encryption schemes are individually discussed below as well.\r\nSimilarities with Quarian\r\nThe initial reporting by Kaspersky notes that the victims of Quarian were at the Syrian Ministry of Foreign Affairs, a\r\ntarget set similar to Turian’s.\r\nIn many of the Turian samples we collected, there are obvious similarities with Quarian. Mutexes are used by both to verify\r\nthat only one instance is running, although the mutexes used are dissimilarly named. 
We observed the following mutexes\r\nused by Turian:\r\nwinsupdatetw\r\nclientsix\r\nclient\r\nupdatethres\r\nOthers: dynamically generated based on the system’s hostname, limited to eight hex characters, lower-case, and\r\nprefaced with a leading zero.\r\nC\u0026C server domains and IP addresses are extracted with similar XOR routines; where Quarian uses a decryption key of\r\n0x44, Turian uses 0xA9.\r\nTurian and Quarian both read the first four bytes from the file cf in the same directory as the malware’s executable, which\r\nare then used as the sleep length as part of the C\u0026C beacon routine.\r\nThe Turian network connection process follows a similar pattern to Quarian, attempting to make a direct connection. If that\r\nfails due to a local proxy with a response of 407 (Authorization Required), both try to use locally cached credentials.\r\nHowever, the request sent to the proxy by Turian does not contain any of the grammatical mistakes that Quarian sent. See\r\nFigure 3 for a comparison of proxy connection attempts.\r\nFigure 3. Comparison of proxy connection attempts, Turian (left) and Quarian (right)\r\nFinally, both Turian and Quarian create a remote shell by copying cmd.exe to alg.exe.\r\nPersistence\r\nAfter initial execution, Turian establishes persistence by creating the file tmp.bat in the current working directory, writing\r\nthe following lines to the file, then running the file:\r\nReG aDd HKEY_CURRENT_USER\\sOFtWArE\\MIcrOsOft\\WindOwS\\CurRentVeRsiOn\\RuN /v \u003cTurian_filename\u003e /t\r\nREG_SZ /d “\u003clocation_of_Turian_on_disk\u003e\\\u003cTurian_filename\u003e” /f\r\nReG aDd HKEY_LOCAL_MACHINE\\sOFtWArE\\MIcrOsOft\\WindOwS\\CurRentVeRsiOn\\RuN /v \u003cTurian_filename\u003e /t\r\nREG_SZ /d “\u003clocation_of_Turian_on_disk\u003e\\\u003cTurian_filename\u003e” /f\r\ndel %0\r\nTurian then checks for the presence of the file Sharedaccess.ini in its working directory. 
If that file is present, Turian\r\nattempts to load the C\u0026C IP or domain from it. We did not observe Turian pass IPs or domains in this manner,\r\nbut testing confirmed Turian looks to load the C\u0026C address from here first. After checking Sharedaccess.ini, Turian attempts\r\nto connect with a hardcoded IP or domain and sets up its network encryption protocol.\r\nNetwork encryption\r\nQuarian is known to have used both an eight-byte XOR key (see Talos on Quarian: Reversing the C\u0026C Protocol) and an\r\neight-byte nonce to create a session key (see ThreatConnect on Quarian Network Protocol Analysis in Divide and Conquer:\r\nUnmasking China’s ‘Quarian’ Campaigns Through Community). Turian has a distinct method for exchanging network\r\nencryption keys. See Figure 4 for a breakdown of the Turian network encryption setup.\r\nFigure 4. Turian network encryption setup\r\nAfter receiving the last 56-byte packet, Turian calls the network encryption initialization function in Figure 5, and accepts\r\nthe 56 bytes of data in the last C\u0026C packet as the only argument.\r\nFigure 5. Hex-Rays decompiled view of the encryption key initialization function\r\nA second network encryption setup was also observed, as depicted in Figure 6.\r\nFigure 6. Second Turian network encryption setup protocol\r\nThe last iteration of the four-iteration loop (QWORD byte[5]) is used as the seed for the key initialization function, as shown\r\nbelow in Figure 7.\r\nFigure 7. 
Second key initialization function\r\nOperator commands\r\nThe full list of Turian operator commands is shown in Table 1.\r\nTable 1. Turian C\u0026C commands\r\nID Description\r\n0x01 Get system information including OS version, memory usage, local hostname, system adapter info, internal IP, current username, state of the directory service installation and domain data.\r\n0x02 Interactive shell – copy %WINDIR%\\system32\\cmd.exe to %WINDIR%\\alg.exe and spawn alg.exe in a new thread.\r\n0x03 Spawn a new thread, acknowledge the command and wait for one of the three-digit commands below.\r\n0x04 Take screenshot.\r\n0x103/203 Write file.\r\n0x403 List directory.\r\n0x503 Move file.\r\n0x603 Delete file.\r\n0x703 Get startup info.\r\nA subset of victims was targeted with data collection executables that were designed to look for removable media (most\r\nlikely USB flash drives). The implant routinely scans for such drives, specifically targeting removable media (return value\r\nof GetDriveType is 2). 
If found, the implant uses an embedded version of WinRAR to execute these hardcoded commands:\r\nCMD.exe /C %s a -m5 -hp1qaz@WSX3edc -r %s %s\\\\*.*\r\nCMD.exe /C %s a -m5 -hpMyHost-1 -r %s %s\\\\*.*\r\nCMD.exe /C rd /s /q \\\"%s\"\\\r\nThe parameters in the command break out to:\r\na == add files to archive\r\n-m[0:5] == compression level\r\n-hp\u003cpassword\u003e == encrypt file data and archive headers with \u003cpassword\u003e\r\n-r == recurse subdirectories\r\nrd == remove directory\r\n/s == delete a directory tree\r\n/q == quiet mode\r\n\\\"%s\"\\ == directory to act on\r\nThe implant, upon detecting removable media being inserted, attempts to copy all the files on the drive to a password-protected archive and puts the archive in the following directory, which is hardcoded and so the same for every victim:\r\nC:\\RECYCLER\\S-1-3-33-854245398-2067806209-0000980848-2003\\\r\nThe implant also has the capability to delete files, based on the third command listed above.\r\nRemote access tools\r\nOccasionally, BackdoorDiplomacy’s operators require a greater degree of access or more interactivity than that provided by\r\nTurian. On those occasions, they employ open-source remote access tools such as Quasar, which offers a wide variety of\r\ncapabilities and runs on virtually all versions of Windows.\r\nLinux\r\nWe discovered, via a shared C\u0026C server domain, a Linux backdoor using similar network infrastructure and that was\r\ndeployed after exploiting a known vulnerability in F5 BIG-IP load balancers’ traffic management user interface (TMUI),\r\nwhich permits remote code execution (RCE). 
The Linux variant attempts to persist by writing itself to /etc/init.d/rc.local.\r\nNext, it runs through a loop to extract strings from memory:\r\nbash -version\r\necho $PWD\r\n/bin/sh\r\n/tmp/AntiVirtmp\r\neth0\r\n/proc/%d/exe\r\nThen, it calls its daemon function and forks off a child process, which decrypts the C\u0026C IP\r\naddress and/or domain name and then enters a loop that reaches out to the C\u0026C using Mozilla/5.0 (X11; Linux i686; rv:22.0)\r\nFirefox/22.0 as its user-agent. This C\u0026C loop continues until a successful connection is made. Once a connection is\r\nestablished, the Linux agent goes through a similar network encryption setup to what the Windows version of Turian carries\r\nout. See Figure 8 for the network encryption protocol used by the Linux variant of Turian.\r\nFigure 8. Linux Turian variant - network encryption protocol setup routine\r\nAfter receiving the last 56-byte packet, the Linux agent calls the network encryption key initialization function depicted in\r\nFigure 9.\r\nFigure 9. Hex-Rays decompiled network encryption key initialization function\r\nUpon successful completion of the network protocol setup, it forks off another child process and attempts to spawn a TTY\r\nreverse shell:\r\npython -c 'import pty; pty.spawn(\"/bin/sh\")'\r\nConclusion\r\nBackdoorDiplomacy is a group that primarily targets diplomatic organizations in the Middle East and Africa, and less\r\nfrequently, telecommunication companies. Their initial attack methodology is focused on exploiting vulnerable internet-exposed applications on webservers, in order to drop and execute a webshell. Post compromise, via the webshell,\r\nBackdoorDiplomacy deploys open-source software for reconnaissance and information gathering, and favors the use of DLL\r\nsearch order hijacking to install its backdoor, Turian. 
Finally, BackdoorDiplomacy employs a separate executable to detect\r\nremovable media, likely USB flash drives, and copy their contents to the main drive’s recycle bin.\r\nBackdoorDiplomacy shares tactics, techniques, and procedures with other Asian groups. Turian likely represents a next-stage\r\nevolution of Quarian, the backdoor last observed in use in 2013 against diplomatic targets in Syria and the United States.\r\nTurian’s network encryption protocol is nearly identical to the network encryption protocol used by Whitebird, a backdoor\r\noperated by Calypso, another Asian group. Whitebird was deployed within diplomatic organizations in Kazakhstan and\r\nKyrgyzstan during the same timeframe as BackdoorDiplomacy (2017-2020). Additionally, BackdoorDiplomacy and APT15\r\nuse the same techniques and tactics to drop their backdoors on systems, namely the aforementioned DLL search order\r\nhijacking.\r\nBackdoorDiplomacy is also a cross-platform group targeting both Windows and Linux systems. 
The Linux variant of Turian\r\nshares the same network encryption protocol characteristics and attempts to return a TTY reverse shell to the operator.\r\nIoCs\r\nMITRE ATT\u0026CK techniques\r\nNote: This table was built using version 9 of the MITRE ATT\u0026CK framework.\r\nTactic | ID | Name | Description\r\nInitial Access | T1190 | Exploit Public-Facing Application | BackdoorDiplomacy exploits the vulnerability CVE-2020-5902.\r\nExecution | T1059.003 | Windows Command Shell | Turian relies on a batch script to create persistence.\r\nExecution | T1203 | Exploitation for Client Execution | Turian has exploited client software vulnerabilities for execution, such as CVE-2020-5902.\r\nPersistence | T1547.001 | Registry Run Keys / Startup Folder | Turian uses the HKLM and HKCU CurrentVersion Run keys to persist after reboot.\r\nPrivilege Escalation | T1547.001 | Registry Run Keys / Startup Folder | Turian uses the HKLM and HKCU CurrentVersion Run keys to persist after reboot.\r\nPrivilege Escalation | T1548.002 | Bypass User Account Control | Turian uses JuicyPotato to bypass UAC.\r\nDefense Evasion | T1548.002 | Bypass User Account Control | Turian uses JuicyPotato to bypass UAC.\r\nDefense Evasion | T1140 | Deobfuscate/Decode Files or Information | Turian uses VMProtect to obfuscate its code.\r\nDefense Evasion | T1550 | Use Alternate Authentication Material | Turian uses Mimikatz.\r\nDiscovery | T1083 | File and Directory Discovery | Turian lists drives.\r\nLateral Movement | T1550 | Use Alternate Authentication Material | Turian uses Mimikatz.\r\nCollection | T1005 | Data from Local System | Turian collects files from the victim’s machine.\r\nCollection | T1113 | Screen Capture | Turian captures screenshots.\r\nCommand and Control | T1071.001 | Web Protocols | Turian uses HTTP to communicate with the C\u0026C server.\r\nCommand and Control | T1573.001 | Symmetric Cryptography | Turian uses an XOR routine to encrypt communication with the C\u0026C server.\r\nCommand and Control | T1095 | Non-Application Layer Protocol | Turian uses raw sockets to communicate with the C\u0026C server.\r\nSource: https://www.welivesecurity.com/2021/06/10/backdoordiplomacy-upgrading-quarian-turian/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"ETDA",
		"Malpedia",
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.welivesecurity.com/2021/06/10/backdoordiplomacy-upgrading-quarian-turian/"
	],
	"report_names": [
		"backdoordiplomacy-upgrading-quarian-turian"
	],
	"threat_actors": [
		{
			"id": "709ceea7-db99-405e-b5a7-a159e6c307e0",
			"created_at": "2022-10-25T16:07:23.373699Z",
			"updated_at": "2026-04-10T02:00:04.571971Z",
			"deleted_at": null,
			"main_name": "BackdoorDiplomacy",
			"aliases": [],
			"source_name": "ETDA:BackdoorDiplomacy",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "3b56d733-88da-4394-b150-d87680ce67e4",
			"created_at": "2023-01-06T13:46:39.287189Z",
			"updated_at": "2026-04-10T02:00:03.274816Z",
			"deleted_at": null,
			"main_name": "BackdoorDiplomacy",
			"aliases": [
				"BackDip",
				"CloudComputating",
				"Quarian"
			],
			"source_name": "MISPGALAXY:BackdoorDiplomacy",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "0a03e7f0-2f75-4153-9c4f-c46d12d3962e",
			"created_at": "2022-10-25T15:50:23.453824Z",
			"updated_at": "2026-04-10T02:00:05.28793Z",
			"deleted_at": null,
			"main_name": "Ke3chang",
			"aliases": [
				"Ke3chang",
				"APT15",
				"Vixen Panda",
				"GREF",
				"Playful Dragon",
				"RoyalAPT",
				"Nylon Typhoon"
			],
			"source_name": "MITRE:Ke3chang",
			"tools": [
				"Okrum",
				"Systeminfo",
				"netstat",
				"spwebmember",
				"Mimikatz",
				"Tasklist",
				"MirageFox",
				"Neoichor",
				"ipconfig"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "171b85f2-8f6f-46c0-92e0-c591f61ea167",
			"created_at": "2023-01-06T13:46:38.830188Z",
			"updated_at": "2026-04-10T02:00:03.114926Z",
			"deleted_at": null,
			"main_name": "The Shadow Brokers",
			"aliases": [
				"Shadow Brokers",
				"ShadowBrokers",
				"The ShadowBrokers",
				"TSB"
			],
			"source_name": "MISPGALAXY:The Shadow Brokers",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "401a2035-ed5a-4795-8e37-8b7465484751",
			"created_at": "2022-10-25T15:50:23.616232Z",
			"updated_at": "2026-04-10T02:00:05.304705Z",
			"deleted_at": null,
			"main_name": "BackdoorDiplomacy",
			"aliases": [
				"BackdoorDiplomacy"
			],
			"source_name": "MITRE:BackdoorDiplomacy",
			"tools": [
				"Turian",
				"China Chopper",
				"Mimikatz",
				"NBTscan",
				"QuasarRAT"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "3c5b0e7e-2388-4b63-9b97-6b027bec4bf7",
			"created_at": "2023-01-06T13:46:39.068694Z",
			"updated_at": "2026-04-10T02:00:03.202867Z",
			"deleted_at": null,
			"main_name": "Calypso",
			"aliases": [
				"BRONZE MEDLEY"
			],
			"source_name": "MISPGALAXY:Calypso",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "7d5531e2-0ad1-4237-beed-af009035576f",
			"created_at": "2024-05-01T02:03:07.977868Z",
			"updated_at": "2026-04-10T02:00:03.817883Z",
			"deleted_at": null,
			"main_name": "BRONZE PALACE",
			"aliases": [
				"APT15 ",
				"BRONZE DAVENPORT ",
				"BRONZE IDLEWOOD ",
				"CTG-6119 ",
				"CTG-6119 ",
				"CTG-9246 ",
				"Ke3chang ",
				"NICKEL ",
				"Nylon Typhoon ",
				"Playful Dragon",
				"Vixen Panda "
			],
			"source_name": "Secureworks:BRONZE PALACE",
			"tools": [
				"BMW",
				"BS2005",
				"Enfal",
				"Mirage",
				"RoyalCLI",
				"RoyalDNS"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "7c8cf02c-623a-4793-918b-f908675a1aef",
			"created_at": "2023-01-06T13:46:38.309165Z",
			"updated_at": "2026-04-10T02:00:02.921721Z",
			"deleted_at": null,
			"main_name": "APT15",
			"aliases": [
				"Metushy",
				"Lurid",
				"Social Network Team",
				"Royal APT",
				"BRONZE DAVENPORT",
				"BRONZE IDLEWOOD",
				"VIXEN PANDA",
				"Ke3Chang",
				"Playful Dragon",
				"BRONZE PALACE",
				"G0004",
				"Red Vulture",
				"Nylon Typhoon"
			],
			"source_name": "MISPGALAXY:APT15",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "13d9c5fc-af82-4474-90dd-188c4e40a399",
			"created_at": "2022-10-25T16:07:23.435079Z",
			"updated_at": "2026-04-10T02:00:04.601572Z",
			"deleted_at": null,
			"main_name": "Calypso",
			"aliases": [
				"Bronze Medley"
			],
			"source_name": "ETDA:Calypso",
			"tools": [
				"Agent.dhwf",
				"Byeby",
				"Calypso RAT",
				"DCSync",
				"Destroy RAT",
				"DestroyRAT",
				"DoublePulsar",
				"EternalBlue",
				"EternalRomance",
				"FlyingDutchman",
				"Kaba",
				"Korplug",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Mimikatz",
				"NBTscan",
				"OS_Check_445",
				"PlugX",
				"Quarks PwDump",
				"RedDelta",
				"SAMRID",
				"Sogu",
				"SysInternals",
				"TCP Port Scanner",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Whitebird",
				"Xamtrav",
				"ZXPortMap",
				"nbtscan",
				"netcat"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "17b1b76b-16da-4c4f-8b32-f6fede3eda8c",
			"created_at": "2022-10-25T16:07:23.750796Z",
			"updated_at": "2026-04-10T02:00:04.736762Z",
			"deleted_at": null,
			"main_name": "Ke3chang",
			"aliases": [
				"APT 15",
				"BackdoorDiplomacy",
				"Bronze Davenport",
				"Bronze Idlewood",
				"Bronze Palace",
				"CTG-9246",
				"G0004",
				"G0135",
				"GREF",
				"Ke3chang",
				"Metushy",
				"Nylon Typhoon",
				"Operation Ke3chang",
				"Operation MirageFox",
				"Playful Dragon",
				"Playful Taurus",
				"PurpleHaze",
				"Red Vulture",
				"Royal APT",
				"Social Network Team",
				"Vixen Panda"
			],
			"source_name": "ETDA:Ke3chang",
			"tools": [
				"Agentemis",
				"Anserin",
				"BS2005",
				"BleDoor",
				"CarbonSteal",
				"Cobalt Strike",
				"CobaltStrike",
				"DarthPusher",
				"DoubleAgent",
				"EternalBlue",
				"GoldenEagle",
				"Graphican",
				"HenBox",
				"HighNoon",
				"IRAFAU",
				"Ketrican",
				"Ketrum",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"MS Exchange Tool",
				"Mebroot",
				"Mimikatz",
				"MirageFox",
				"NBTscan",
				"Okrum",
				"PluginPhantom",
				"PortQry",
				"ProcDump",
				"PsList",
				"Quarian",
				"RbDoor",
				"RibDoor",
				"Royal DNS",
				"RoyalCli",
				"RoyalDNS",
				"SAMRID",
				"SMBTouch",
				"SilkBean",
				"Sinowal",
				"SpyWaller",
				"Theola",
				"TidePool",
				"Torpig",
				"Turian",
				"Winnti",
				"XSLCmd",
				"cobeacon",
				"nbtscan",
				"netcat",
				"spwebmember"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434569,
	"ts_updated_at": 1775826716,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/1d00d3a43d5c520122f5f24258c6b9703fb7e60b.pdf",
		"text": "https://archive.orkl.eu/1d00d3a43d5c520122f5f24258c6b9703fb7e60b.txt",
		"img": "https://archive.orkl.eu/1d00d3a43d5c520122f5f24258c6b9703fb7e60b.jpg"
	}
}