BackdoorDiplomacy

BackdoorDiplomacy is a Chinese threat actor associated with cyberespionage activity. Reporting in the provided content describes it as a Chinese state-sponsored or Chinese-aligned actor, with overlap or a close relationship noted with APT15 and additional overlap reported with Playful Taurus, Vixen Panda, NICKEL, and Ke3chang. Sophos also identified overlap between activity in its Crimson Palace Cluster Alpha and prior reporting on BackdoorDiplomacy. The group has targeted government entities as well as high-priority telecommunications and finance organizations. The content specifically notes operations across Africa for several years, including targeting linked to South Africa, Kenya, Senegal, and Ethiopia, as well as activity in the Middle East. Recent reporting cited in the content describes a sustained three-year campaign against governmental organizations in Kenya. Tradecraft described in the content includes exploitation of public-facing applications and misconfigurations for initial access, including CVE-2020-5902 in F5 BIG-IP to drop a Linux backdoor and exploitation of misconfigured Plesk servers. The content also associates BackdoorDiplomacy with web shell and IIS-component-related persistence, command and scripting interpreter use, and malware/tool upload activity in ATT&CK annotations. Operational behaviors mentioned include obtaining and using leaked malware such as DoublePulsar, EternalBlue, EternalRocks, and EternalSynergy; using SMBTouch to determine whether targets were vulnerable to EternalBlue; obtaining open-source reconnaissance and red-team tools for discovery and lateral movement; obfuscating tools and malware with VMProtect; dropping implants in folders named for legitimate software; copying files of interest to the main drive's Recycle Bin for staging; and using an executable to detect removable media such as USB flash drives. The content also notes a sideloading chain resembling one used to deploy a Merlin Agent by BackdoorDiplomacy.