Skip to content

G0135 BackdoorDiplomacy

BackdoorDiplomacy is a cyber espionage threat group that has been active since at least 2017. BackdoorDiplomacy has targeted Ministries of Foreign Affairs and telecommunication companies in Africa, Europe, the Middle East, and Asia.1

Item Value
ID G0135
Associated Names
Version 1.0
Created 21 September 2021
Last Modified 18 October 2021
Navigation Layer View In ATT&CK® Navigator

Techniques Used

Domain ID Name Use
enterprise T1074 Data Staged -
enterprise T1074.001 Local Data Staging BackdoorDiplomacy has copied files of interest to the main drive’s recycle bin.1
enterprise T1190 Exploit Public-Facing Application BackdoorDiplomacy has exploited CVE-2020-5902, an F5 BIP-IP vulnerability, to drop a Linux backdoor. BackdoorDiplomacy has also exploited mis-configured Plesk servers.1
enterprise T1574 Hijack Execution Flow -
enterprise T1574.001 DLL Search Order Hijacking BackdoorDiplomacy has executed DLL search order hijacking.1
enterprise T1105 Ingress Tool Transfer BackdoorDiplomacy has downloaded additional files and tools onto a compromised host.1
enterprise T1036 Masquerading -
enterprise T1036.004 Masquerade Task or Service BackdoorDiplomacy has disguised their backdoor droppers with naming conventions designed to blend into normal operations.1
enterprise T1036.005 Match Legitimate Name or Location BackdoorDiplomacy has dropped implants in folders named for legitimate software.1
enterprise T1046 Network Service Discovery BackdoorDiplomacy has used SMBTouch, a vulnerability scanner, to determine whether a target is vulnerable to EternalBlue malware.1
enterprise T1095 Non-Application Layer Protocol BackdoorDiplomacy has used EarthWorm for network tunneling with a SOCKS5 server and port transfer functionalities.1
enterprise T1027 Obfuscated Files or Information BackdoorDiplomacy has obfuscated tools and malware it uses with VMProtect.1
enterprise T1588 Obtain Capabilities -
enterprise T1588.001 Malware BackdoorDiplomacy has obtained and used leaked malware, including DoublePulsar, EternalBlue, EternalRocks, and EternalSynergy, in its operations.1
enterprise T1588.002 Tool BackdoorDiplomacy has obtained a variety of open-source reconnaissance and red team tools for discovery and lateral movement.1
enterprise T1120 Peripheral Device Discovery BackdoorDiplomacy has used an executable to detect removable media, such as USB flash drives.1
enterprise T1055 Process Injection -
enterprise T1055.001 Dynamic-link Library Injection BackdoorDiplomacy has dropped legitimate software onto a compromised host and used it to execute malicious DLLs.1
enterprise T1505 Server Software Component -
enterprise T1505.003 Web Shell BackdoorDiplomacy has used web shells to establish an initial foothold and for lateral movement within a victim’s system.1
enterprise T1049 System Network Connections Discovery BackdoorDiplomacy has used NetCat and PortQry to enumerate network connections and display the status of related TCP and UDP ports.1


ID Name References Techniques
S0020 China Chopper 1 Web Protocols:Application Layer Protocol Password Guessing:Brute Force Windows Command Shell:Command and Scripting Interpreter Data from Local System File and Directory Discovery Timestomp:Indicator Removal Ingress Tool Transfer Network Service Discovery Software Packing:Obfuscated Files or Information Web Shell:Server Software Component
S0002 Mimikatz 1 SID-History Injection:Access Token Manipulation Account Manipulation Security Support Provider:Boot or Logon Autostart Execution Credentials from Password Stores Windows Credential Manager:Credentials from Password Stores Credentials from Web Browsers:Credentials from Password Stores LSASS Memory:OS Credential Dumping DCSync:OS Credential Dumping Security Account Manager:OS Credential Dumping LSA Secrets:OS Credential Dumping Rogue Domain Controller Steal or Forge Authentication Certificates Silver Ticket:Steal or Forge Kerberos Tickets Golden Ticket:Steal or Forge Kerberos Tickets Private Keys:Unsecured Credentials Pass the Ticket:Use Alternate Authentication Material Pass the Hash:Use Alternate Authentication Material
S0590 NBTscan 1 Network Service Discovery Network Sniffing Remote System Discovery System Network Configuration Discovery System Owner/User Discovery
S0262 QuasarRAT 1 Bypass User Account Control:Abuse Elevation Control Mechanism Registry Run Keys / Startup Folder:Boot or Logon Autostart Execution Windows Command Shell:Command and Scripting Interpreter Credentials from Password Stores Credentials from Web Browsers:Credentials from Password Stores Data from Local System Symmetric Cryptography:Encrypted Channel Hidden Files and Directories:Hide Artifacts Hidden Window:Hide Artifacts Ingress Tool Transfer Keylogging:Input Capture Modify Registry Non-Application Layer Protocol Non-Standard Port Proxy Remote Desktop Protocol:Remote Services Scheduled Task:Scheduled Task/Job Code Signing:Subvert Trust Controls System Information Discovery System Location Discovery System Network Configuration Discovery System Owner/User Discovery Credentials In Files:Unsecured Credentials Video Capture
S0647 Turian 1 Web Protocols:Application Layer Protocol Archive via Utility:Archive Collected Data Registry Run Keys / Startup Folder:Boot or Logon Autostart Execution Python:Command and Scripting Interpreter Unix Shell:Command and Scripting Interpreter Windows Command Shell:Command and Scripting Interpreter Junk Data:Data Obfuscation Local Data Staging:Data Staged Deobfuscate/Decode Files or Information File and Directory Discovery Ingress Tool Transfer Masquerade Task or Service:Masquerading Obfuscated Files or Information Peripheral Device Discovery Screen Capture System Information Discovery System Network Configuration Discovery System Owner/User Discovery