🇨🇳

BackdoorDiplomacy

APT Group Information theft and espionage 5 zero-day CVEs ETDA ✓

Also Known As 3 names

BackDip CloudComputating Quarian

Target Countries 55

Countries highlighted in red

Afghanistan Albania Argentina Bosnia and Herzegovina Barbados Belgium Bulgaria Brazil Bhutan Switzerland Chile China Colombia Germany Dominican Republic Ecuador Egypt France Georgia Ghana Guatemala Honduras Croatia Hungary Indonesia India Iraq Islamic Republic of Iran Italy Jamaica Kuwait Kazakhstan Sri Lanka Libya Montenegro Mali Mexico Malaysia Namibia Nigeria Panama Peru Pakistan Poland Portugal Saudi Arabia Slovenia Slovakia El Salvador Turkey Trinidad and Tobago United States Uzbekistan Bolivarian Republic of Venezuela South Africa

Sectors Targeted

Mining Food Services and Drinking Places 722 Manufacturing Oil and gas Uyghur communities Data Processing, Hosting, and Related Services 51821 Computer Systems Design Services 541512 Embassies High-Tech Industrial Telecommunications Energy Defense Human Resources Consulting Services 541612 Computer Systems Design and Related Services 54151 Chemical Aerospace Aviation Government Utilities

Details

Origin 🇨🇳 CN
Last Updated 01 Jun 2022

Malware Families 10

dilljuice
zhmimikatz
ketrican
ketrum
royal_dns
exchange_tool
royalcli
whitebird
tidepool
bs2005

MITRE ATT&CK 112

T1001 - Data Obfuscation T1003 - OS Credential Dumping T1003.001 T1003.002 T1003.003 - NTDS T1003.004 T1004 - Winlogon Helper DLL T1005 - Data from Local System T1007 T1012 - Query Registry T1016 - System Network Configuration Discovery T1018 - Remote System Discovery T1020 T1021 T1021.001 - Remote Desktop Protocol T1021.002 - SMB/Windows Admin Shares T1021.006 - Windows Remote Management T1027 - Obfuscated Files or Information T1033 - System Owner/User Discovery T1036 T1036.002 T1036.004 T1036.005 T1038 - DLL Search Order Hijacking T1041 T1046 T1049 T1053 - Scheduled Task/Job T1053.001 - At (Linux) T1053.002 - At (Windows) T1053.003 - Cron T1053.006 - Systemd Timers T1053.007 - Container Orchestration Job T1055 - Process Injection T1055.001 - Dynamic-link Library Injection T1055.002 - Portable Executable Injection T1055.003 - Thread Execution Hijacking T1055.004 - Asynchronous Procedure Call T1055.008 - Ptrace System Calls T1056 T1056.001 - Keylogging T1057 - Process Discovery T1059 T1059.003 T1069 T1069.002 - Domain Groups T1071 T1071.001 - Web Protocols T1071.004 - DNS T1074 - Data Staged T1074.001 - Local Data Staging T1078 - Valid Accounts T1078.002 - Domain Accounts T1078.003 T1078.004 T1082 - System Information Discovery T1083 - File and Directory Discovery T1087 T1087.001 T1087.002 - Domain Account T1090 T1090.003 T1095 T1102 T1105 T1106 T1112 - Modify Registry T1114 T1114.002 T1119 T1120 T1133 T1134 - Access Token Manipulation T1140 - Deobfuscate/Decode Files or Information T1156 - Malicious Shell Modification T1190 T1210 T1211 - Exploitation for Defense Evasion T1213 T1213.002 T1454 - Malicious SMS Message T1476 - Deliver Malicious App via Other Means T1505 T1505.003 T1543 T1543.003 - Windows Service T1547 T1547.001 T1548.002 - Bypass User Account Control T1553 T1558 T1558.001 T1560 T1560.001 - Archive via Utility T1569 T1569.002 T1574 T1574.001 T1574.002 - DLL Side-Loading T1583 - Acquire Infrastructure T1583.003 T1583.005 T1587 T1587.001 T1588 T1588.001 T1588.002 T1592.004 - Client Configurations T1596.001 - DNS/Passive DNS T1596.004 - CDNs T1614 T1614.001

Related Zero-Days 5

CVE-2024-50302 CVE-2025-1316 CVE-2025-22224 CVE-2025-22225 CVE-2025-22226