BackdoorDiplomacy

Threat Actor Profile (updated 2 months ago)
BackdoorDiplomacy, also known as Playful Taurus, APT15, Vixen Panda, KeChang, and NICKEL, is a threat actor group associated with Chinese cyber espionage campaigns. The group has been particularly active in Africa, targeting high-priority organizations in the telecommunications, finance, and government sectors, especially in South Africa, Kenya, Senegal, and Ethiopia. Its activities have been linked to China's strategic ambition to shape policies and narratives in line with its geopolitical objectives, and in that sense it plays a significant role in Africa's digital evolution. The group's activities have been tracked under various names, including BackdoorDiplomacy, Cluster Alpha, and TA428, reflecting the complex and evolving nature of its operations. It has demonstrated a capacity for upgrading its tools, as evidenced by the shift from Quarian to Turian. Recent attacks against telecommunication, finance, and government entities have been attributed both to the BackdoorDiplomacy APT and to the group behind Operation Tainted Love. These activities have been detailed in multiple reports, including those by ESET, Bitdefender, and SentinelOne, which highlight sustained strategic intrusions in Africa. Their disclosure coincided with a parallel report describing similar tactics used by other China-linked APT groups, including Earth Estries and Operation Tainted Love. Together these findings underscore the persistent and pervasive threat these actors pose to global cybersecurity.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
ID / Votes / Profile Description

NICKEL (votes: 1)
Nickel is a notable threat actor, or malicious entity, that has been involved in significant cyber operations. Notably, Nickel targeted government organizations across Latin America and Europe, alongside other nation-state affiliated threat actors such as FIN6 and Emissary Panda. These groups focuse

Playful Taurus (votes: 1)
Playful Taurus is a notable threat actor in the cybersecurity landscape, known for its malicious activities against government and diplomatic entities across North and South America, Africa, and the Middle East. The group continually adapts its tactics and tools, showcasing an evolving strategy that

TA428 (votes: 1)
TA428 is a sophisticated malware toolkit associated with several cyber threat groups, including Bronze Union (also known as LuckyMouse or APT27) and BackdoorDiplomacy. The TA428 toolkit includes various malicious software like Albaniiutas (RemShell), which is specifically mentioned in an ESET report
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Apt
Espionage
Africa
China
Associated Malware
ID / Type / Votes / Profile Description

Turian (type: Unspecified, votes: 1)
Turian is a sophisticated malware, known for its backdoor capabilities, that has been used in numerous cyber espionage campaigns. It infects systems through dubious downloads, emails, or websites and can steal personal information, disrupt operations, or hold data hostage. The Turian backdoor has be

Taurus (type: Unspecified, votes: 1)
Taurus is a malicious software (malware) that has been associated with multiple cyber threat actors, notably Stately Taurus, Iron Taurus, and Starchy Taurus, all of which have connections to Chinese Advanced Persistent Threats (APTs). The malware is designed to infiltrate systems and steal personal
Associated Threat Actors
ID / Type / Votes / Profile Description

Earth Estries (type: Unspecified, votes: 1)
Earth Estries is a cyberespionage group, or threat actor, that has targeted government entities and tech firms across the globe, including in the US, Germany, South Africa, Asia, Malaysia, the Philippines, and Taiwan. While the exact origin of Earth Estries remains unclear, there are indications sug
Associated Vulnerabilities
No associations to display
Source Document References
Information about the BackdoorDiplomacy threat actor was read from the documents corpus below. This display is limited to 20 results.

Source / Created At / Title
BankInfoSecurity (2 months ago): Chinese South China Sea Cyberespionage Campaign Unearthed
CERT-EU (10 months ago): Cyber Soft Power : China's Continental Takeover – Global Security Mag Online
CERT-EU (10 months ago): Mysterious 'Sandman' Threat Actor Targets Telecom Providers Across Three Continents
DARKReading (10 months ago): Growing Chinese Tech Influence in Africa Spurs 'Soft Power' Concerns
Unit42 (a year ago): Chinese Playful Taurus Activity in Iran
Bitdefender (a year ago): BackdoorDiplomacy Wields New Tools in Fresh Middle East Campaign
CERT-EU (a year ago): Operation Soft Cell: Chinese Hackers Breach Middle East Telecom Providers