{
	"id": "ee5d1b45-b378-4ce2-afed-d49bbc4cdc25",
	"created_at": "2026-04-06T00:10:56.728277Z",
	"updated_at": "2026-04-10T03:37:54.456768Z",
	"deleted_at": null,
	"sha1_hash": "e05668a8d30ddabeaeb01b628765547b2d1d2411",
	"title": "BackdoorDiplomacy Wields New Tools in Fresh Middle East Campaign",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 109372,
	"plain_text": "BackdoorDiplomacy Wields New Tools in Fresh Middle East\r\nCampaign\r\nBy Adrian SCHIPOR\r\nArchived: 2026-04-05 14:10:06 UTC\r\nBitdefender researchers have uncovered a new cyber-espionage campaign targeting a telecommunications firm in\r\nthe Middle East. While investigating a set of binaries vulnerable to sideloading attacks, we identified a cyber-espionage operation most likely carried out by Chinese threat actor BackdoorDiplomacy.\r\nWho is BackdoorDiplomacy?\r\nAPT group BackdoorDiplomacy, which has been operating at least since 2017, is known for its attacks against\r\ninstitutions in the Middle East and Africa as well as in the United States.\r\nThis report covers another campaign against a telecom company in the Middle East. It also documents a set of\r\nnew tools the group adopted in 2022.\r\nAttack at a glance\r\nThe infection vector pointed to a vulnerable Exchange server, exploiting ProxyShell. Forensic evidence\r\nshows the attack started in August 2021, when the group deployed the NPS proxy tool and IRAFAU\r\nbackdoor into the organization.\r\nStarting in February 2022, the threat actors used another tool - Quarian backdoor, along with several other\r\nscanners and proxy/tunneling tools.\r\nArtifacts reveal the use of keyloggers and exfiltration tools that link this campaign to a cyber-espionage\r\noperation.\r\nIndicators of Compromise\r\nAn up-to-date, complete list of indicators of compromise is available to Bitdefender Advanced Threat Intelligence\r\nusers. Currently known indicators of compromise can be found in the whitepaper below.\r\nDownload the whitepaper\r\nSource: https://www.bitdefender.com/blog/labs/backdoor-diplomacy-wields-new-tools-in-fresh-middle-east-campaign/\r\nhttps://www.bitdefender.com/blog/labs/backdoor-diplomacy-wields-new-tools-in-fresh-middle-east-campaign/\r\nPage 1 of 1",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.bitdefender.com/blog/labs/backdoor-diplomacy-wields-new-tools-in-fresh-middle-east-campaign/"
	],
	"report_names": [
		"backdoor-diplomacy-wields-new-tools-in-fresh-middle-east-campaign"
	],
	"threat_actors": [
		{
			"id": "709ceea7-db99-405e-b5a7-a159e6c307e0",
			"created_at": "2022-10-25T16:07:23.373699Z",
			"updated_at": "2026-04-10T02:00:04.571971Z",
			"deleted_at": null,
			"main_name": "BackdoorDiplomacy",
			"aliases": [],
			"source_name": "ETDA:BackdoorDiplomacy",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "3b56d733-88da-4394-b150-d87680ce67e4",
			"created_at": "2023-01-06T13:46:39.287189Z",
			"updated_at": "2026-04-10T02:00:03.274816Z",
			"deleted_at": null,
			"main_name": "BackdoorDiplomacy",
			"aliases": [
				"BackDip",
				"CloudComputating",
				"Quarian"
			],
			"source_name": "MISPGALAXY:BackdoorDiplomacy",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "401a2035-ed5a-4795-8e37-8b7465484751",
			"created_at": "2022-10-25T15:50:23.616232Z",
			"updated_at": "2026-04-10T02:00:05.304705Z",
			"deleted_at": null,
			"main_name": "BackdoorDiplomacy",
			"aliases": [
				"BackdoorDiplomacy"
			],
			"source_name": "MITRE:BackdoorDiplomacy",
			"tools": [
				"Turian",
				"China Chopper",
				"Mimikatz",
				"NBTscan",
				"QuasarRAT"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "17b1b76b-16da-4c4f-8b32-f6fede3eda8c",
			"created_at": "2022-10-25T16:07:23.750796Z",
			"updated_at": "2026-04-10T02:00:04.736762Z",
			"deleted_at": null,
			"main_name": "Ke3chang",
			"aliases": [
				"APT 15",
				"BackdoorDiplomacy",
				"Bronze Davenport",
				"Bronze Idlewood",
				"Bronze Palace",
				"CTG-9246",
				"G0004",
				"G0135",
				"GREF",
				"Ke3chang",
				"Metushy",
				"Nylon Typhoon",
				"Operation Ke3chang",
				"Operation MirageFox",
				"Playful Dragon",
				"Playful Taurus",
				"PurpleHaze",
				"Red Vulture",
				"Royal APT",
				"Social Network Team",
				"Vixen Panda"
			],
			"source_name": "ETDA:Ke3chang",
			"tools": [
				"Agentemis",
				"Anserin",
				"BS2005",
				"BleDoor",
				"CarbonSteal",
				"Cobalt Strike",
				"CobaltStrike",
				"DarthPusher",
				"DoubleAgent",
				"EternalBlue",
				"GoldenEagle",
				"Graphican",
				"HenBox",
				"HighNoon",
				"IRAFAU",
				"Ketrican",
				"Ketrum",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"MS Exchange Tool",
				"Mebroot",
				"Mimikatz",
				"MirageFox",
				"NBTscan",
				"Okrum",
				"PluginPhantom",
				"PortQry",
				"ProcDump",
				"PsList",
				"Quarian",
				"RbDoor",
				"RibDoor",
				"Royal DNS",
				"RoyalCli",
				"RoyalDNS",
				"SAMRID",
				"SMBTouch",
				"SilkBean",
				"Sinowal",
				"SpyWaller",
				"Theola",
				"TidePool",
				"Torpig",
				"Turian",
				"Winnti",
				"XSLCmd",
				"cobeacon",
				"nbtscan",
				"netcat",
				"spwebmember"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434256,
	"ts_updated_at": 1775792274,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e05668a8d30ddabeaeb01b628765547b2d1d2411.pdf",
		"text": "https://archive.orkl.eu/e05668a8d30ddabeaeb01b628765547b2d1d2411.txt",
		"img": "https://archive.orkl.eu/e05668a8d30ddabeaeb01b628765547b2d1d2411.jpg"
	}
}