G0135: BackdoorDiplomacy
BackdoorDiplomacy is a cyber espionage threat group that has been active since at least 2017. BackdoorDiplomacy has targeted Ministries of Foreign Affairs and telecommunication companies in Africa, Europe, the Middle East, and Asia.[1]
Analyst context for executives and security teams
BackdoorDiplomacy matters because ATT&CK describes it as a cyber espionage group targeting Ministries of Foreign Affairs and telecommunications companies across multiple regions. For leaders, the practical concern is not a single malware family but a pattern of access, persistence, credential theft, discovery, staging, and command-and-control behaviors that can affect sensitive communications, diplomatic or regulated data, and network trust. The relationship set highlights public-facing application exploitation, web shells, Windows credential dumping tooling, remote access tools, and internal reconnaissance, which makes this relevant to both perimeter exposure management and post-compromise visibility.
Executive priority
Prioritize this as an intelligence-informed validation case for organizations with diplomatic, telecom, government-adjacent, or sensitive communications exposure. Executives should ask whether internet-facing systems are patched and monitored, whether web shell response procedures are tested, whether credential theft controls are evidenced, and whether SOC teams can reconstruct internal discovery and tool transfer after an initial server compromise. The business value is continuity and confidentiality: if these behaviors are missed, defenders may discover the intrusion only after credentials, data staging, or persistent web access are established.
Technical view
ATT&CK provides no official detection text for this group, so coverage should be derived from the related software and techniques. Validate detections for public-facing application exploitation leading to web shell activity, especially China Chopper-like access patterns; credential dumping consistent with Mimikatz on Windows; ingress tool transfer; network and connection discovery including NBTscan-like behavior; local data staging; DLL injection or DLL abuse; masqueraded tasks/services or resource names; and non-application-layer command-and-control. Because the group object itself has no specified platforms or tactics, detection engineering should map each relationship to local assets and ATT&CK techniques rather than assume universal coverage.
Likely telemetry
- Web server access logs, application logs, upload/write events, and web root file integrity monitoring for possible web shell placement or execution
- Endpoint process creation, command-line, module load, service/task creation, and DLL load telemetry on Windows systems
- Credential access telemetry such as LSASS access attempts, security event logs, and EDR alerts relevant to Mimikatz-like behavior
- Network flow, DNS, proxy, firewall, and packet metadata to identify unusual tool transfer, C2-like traffic, or non-application-layer protocol use
- Internal network scanning and service discovery evidence, including NetBIOS/NBT-related activity where applicable
Detection direction
- Start with externally exposed applications: correlate exploit indicators, abnormal web requests, unexpected server-side scripts, and child processes spawned by web services.
- Tune web shell detection for both known tooling such as China Chopper and generic web shell behaviors; avoid relying only on static filenames or signatures.
- Validate credential theft detections against Windows hosts because related software includes Mimikatz, but account for legitimate administrative and security testing activity as a false-positive source.
- Hunt for post-compromise discovery chains: new tool arrival, NBTscan-like reconnaissance, network connection enumeration, and follow-on staging or transfer activity.
- Review masquerading and DLL-related detections for context: suspicious names or locations are more meaningful when combined with new persistence, unusual parent processes, or network callbacks.
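The first two detection points above (web-service child processes and web shell activity that does not rely on filenames) can be implemented as a simple correlation between web access logs and process-creation telemetry. The following is an added example, not code from the page or from ATT&CK; the log lines, host name and IP addresses are constructed, and the parent/child process lists are assumptions a team would tune to its own server estate.

```python
"""Correlate web-access-log evidence with process-creation telemetry to
surface likely web shell activity.  Added example: the log lines, the
host name WEB01 and the client addresses are constructed."""
import re
from datetime import datetime, timedelta

# Constructed access log lines: time, client, method, path, status, user agent
ACCESS_LOG = """\
2024-03-01T10:00:01 203.0.113.10 POST /images/upload.aspx 200 Mozilla/5.0
2024-03-01T10:00:07 203.0.113.10 POST /images/upload.aspx 200 Mozilla/5.0
2024-03-01T10:01:30 198.51.100.5 GET /index.html 200 Mozilla/5.0
2024-03-01T10:02:00 203.0.113.10 POST /images/upload.aspx 200 Mozilla/5.0
"""

# Constructed process-creation events (Sysmon EID 1 / EDR style):
# time|host|parent image|child image|command line
PROCESS_EVENTS = """\
2024-03-01T10:00:02|WEB01|w3wp.exe|cmd.exe|cmd.exe /c whoami
2024-03-01T10:00:08|WEB01|w3wp.exe|cmd.exe|cmd.exe /c ipconfig /all
2024-03-01T10:01:00|WEB01|explorer.exe|cmd.exe|cmd.exe
2024-03-01T10:02:01|WEB01|w3wp.exe|powershell.exe|powershell -nop -w hidden -enc AAAA
"""

# Assumed lists; extend to match the web servers and interpreters in your environment
WEB_SERVER_PARENTS = {"w3wp.exe", "httpd", "httpd.exe", "nginx", "php-fpm", "php-cgi.exe", "tomcat", "java"}
SHELL_CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe", "sh", "bash", "certutil.exe", "bitsadmin.exe"}
SCRIPT_EXT = re.compile(r"\.(aspx?|ashx|php|jsp|jspx|cfm)$", re.I)


def parse_access(text):
    rows = []
    for line in text.splitlines():
        ts, client, method, path, status, *_ = line.split()
        rows.append({"ts": datetime.fromisoformat(ts), "client": client,
                     "method": method, "path": path, "status": int(status)})
    return rows


def parse_process(text):
    rows = []
    for line in text.splitlines():
        ts, host, parent, image, cmdline = line.split("|", 4)
        rows.append({"ts": datetime.fromisoformat(ts), "host": host,
                     "parent": parent.lower(), "image": image.lower(), "cmdline": cmdline})
    return rows


def shell_spawns(events):
    """A web server process spawning an interpreter is the core web shell signal,
    independent of what the script on disk is called."""
    return [e for e in events if e["parent"] in WEB_SERVER_PARENTS and e["image"] in SHELL_CHILDREN]


def correlate(access, events, window=timedelta(seconds=5)):
    """Pair each suspicious spawn with a POST to a server-side script shortly
    before it; findings are keyed by (script path, client IP) so the responder
    sees which file to pull and which source to block."""
    script_posts = [a for a in access if a["method"] == "POST" and SCRIPT_EXT.search(a["path"])]
    findings = {}
    for spawn in shell_spawns(events):
        for req in script_posts:
            if timedelta(0) <= spawn["ts"] - req["ts"] <= window:
                findings.setdefault((req["path"], req["client"]), []).append(spawn["cmdline"])
    return findings


if __name__ == "__main__":
    for (path, client), cmds in correlate(parse_access(ACCESS_LOG), parse_process(PROCESS_EVENTS)).items():
        print(f"possible web shell {path} driven from {client}: {len(cmds)} spawns")
        for c in cmds:
            print("   ", c)
```

The explorer.exe-spawned cmd.exe in the sample is deliberately left unflagged: the parent filter is what keeps ordinary administrative shells out of the result, and the time-window join is what turns a single process alert into a file-plus-source lead.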
Mitigation priorities
- Reduce initial access risk by maintaining an accurate inventory of public-facing applications and prioritizing patching, secure configuration, and exposure reduction for internet-accessible services.
- Harden and monitor web servers: restrict write permissions, control script execution paths, review web roots, and maintain tested procedures for web shell containment and eradication.
- Limit credential theft impact through least privilege, administrative tiering, credential protection, and rapid rotation procedures after suspected compromise.
- Constrain tool transfer and C2 opportunities with egress controls, segmentation, allowlisting where appropriate, and monitoring of unusual protocols or destinations.
- Improve post-compromise resilience by collecting endpoint and network telemetry needed to investigate discovery, staging, DLL abuse, and persistence behaviors.
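The "review web roots" mitigation above, together with the web root file integrity monitoring listed under likely telemetry, can be reduced to a baseline-and-diff check that prioritises new or altered server-side scripts. This is an added example, not tooling from the page or from ESET/MITRE; the web root layout is constructed in a temporary directory and the script extension list is an assumption to adjust per platform.

```python
"""Baseline-and-diff integrity check for a web root, surfacing new or
modified server-side scripts without depending on filenames or
signatures.  Added example: the directory layout is constructed."""
import hashlib
import tempfile
from pathlib import Path

# Assumed set of extensions the web server will execute
SCRIPT_EXT = {".php", ".asp", ".aspx", ".ashx", ".jsp", ".jspx", ".cfm"}


def snapshot(root):
    """Map each file under root (relative POSIX path) to its SHA-256."""
    root = Path(root)
    out = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            out[p.relative_to(root).as_posix()] = hashlib.sha256(p.read_bytes()).hexdigest()
    return out


def diff_snapshots(baseline, current):
    """Classify every path as added, removed or modified between two snapshots."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(k for k in baseline.keys() & current.keys() if baseline[k] != current[k])
    return {"added": added, "removed": removed, "modified": modified}


def script_alerts(changes):
    """Changed files the web server would execute get the highest priority."""
    return sorted(f for kind in ("added", "modified") for f in changes[kind]
                  if Path(f).suffix.lower() in SCRIPT_EXT)


def demo():
    """Build a constructed web root, baseline it, simulate a change, and diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "images").mkdir()
        (root / "index.html").write_text("<html>ok</html>")
        (root / "images" / "logo.png").write_bytes(b"\x89PNG constructed")
        (root / "app.aspx").write_text("<% legitimate page %>")
        baseline = snapshot(root)
        # Simulated later state: a new script in an upload folder, an existing page altered
        (root / "images" / "upload.aspx").write_text("<% constructed stand-in for a dropped script %>")
        (root / "app.aspx").write_text("<% legitimate page %><% appended %>")
        changes = diff_snapshots(baseline, snapshot(root))
        return changes, script_alerts(changes)


if __name__ == "__main__":
    changes, alerts = demo()
    print("changes:", changes)
    print("script alerts:", alerts)
```

In production the baseline would be taken from a known-good deployment and stored off the web server, and the check scheduled alongside the write-permission restrictions the mitigation calls for; a script appearing in a directory that should only hold static content is the finding to act on first.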
Analyst notes and limits
The official ATT&CK description identifies BackdoorDiplomacy as a cyber espionage group active since at least 2017 and reports targeting of Ministries of Foreign Affairs and telecommunications companies in Africa, Europe, the Middle East, and Asia. The most decision-useful context comes from relationships to tools and techniques: Mimikatz, China Chopper, QuasarRAT, NBTscan, Turian, public-facing application exploitation, web shells, discovery, staging, obfuscation, DLL behaviors, and command-and-control/tool transfer techniques.
No official detection guidance, platforms, or tactics are provided on the group object itself. Related techniques and software include platform information, but that should not be treated as a complete platform scope for the group. Local validation is required to determine whether relevant assets, logs, controls, and detections exist.
BackdoorDiplomacy
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1027 | Obfuscated Files or Information | BackdoorDiplomacy has obfuscated tools and malware it uses with VMProtect.[1] |
| Enterprise | T1505.003 | Web Shell | BackdoorDiplomacy has used web shells to establish an initial foothold and for lateral movement within a victim's system.[1] |
| Enterprise | T1190 | Exploit Public-Facing Application | BackdoorDiplomacy has exploited CVE-2020-5902, an F5 BIG-IP vulnerability, to drop a Linux backdoor. BackdoorDiplomacy has also exploited misconfigured Plesk servers.[1] |
| Enterprise | T1588.002 | Tool | BackdoorDiplomacy has obtained a variety of open-source reconnaissance and red team tools for discovery and lateral movement.[1] |
| Enterprise | T1036.005 | Match Legitimate Resource Name or Location | BackdoorDiplomacy has dropped implants in folders named for legitimate software.[1] |
| Enterprise | T1055.001 | Dynamic-link Library Injection | BackdoorDiplomacy has dropped legitimate software onto a compromised host and used it to execute malicious DLLs.[1] |
| Enterprise | T1105 | Ingress Tool Transfer | BackdoorDiplomacy has downloaded additional files and tools onto a compromised host.[1] |
| Enterprise | T1074.001 | Local Data Staging | BackdoorDiplomacy has copied files of interest to the main drive's recycle bin.[1] |
| Enterprise | T1046 | Network Service Discovery | BackdoorDiplomacy has used SMBTouch, a vulnerability scanner, to determine whether a target is vulnerable to EternalBlue malware.[1] |
| Enterprise | T1049 | System Network Connections Discovery | BackdoorDiplomacy has used NetCat and PortQry to enumerate network connections and display the status of related TCP and UDP ports.[1] |
| Enterprise | T1120 | Peripheral Device Discovery | BackdoorDiplomacy has used an executable to detect removable media, such as USB flash drives.[1] |
| Enterprise | T1095 | Non-Application Layer Protocol | BackdoorDiplomacy has used EarthWorm for network tunneling with a SOCKS5 server and port transfer functionalities.[1] |
| Enterprise | T1574.001 | DLL | BackdoorDiplomacy has executed DLL search order hijacking.[1] |
| Enterprise | T1588.001 | Malware | BackdoorDiplomacy has obtained and used leaked malware, including DoublePulsar, EternalBlue, EternalRocks, and EternalSynergy, in its operations.[1] |
| Enterprise | T1036.004 | Masquerade Task or Service | BackdoorDiplomacy has disguised their backdoor droppers with naming conventions designed to blend into normal operations.[1] |
Groups, software, and campaigns
S0647: Turian
Turian is a backdoor that has been used by BackdoorDiplomacy to target Ministries of Foreign Affairs, telecommunication companies, and charities in Africa, Europe, the Middle East, and Asia. First reported in 2021, Turian is likely related to Quarian, an older backdoor that was last observed being used in 2013 against diplomatic targets in Syria and the United States.[1]
S0020: China Chopper
S0002: Mimikatz
S0590: NBTscan
S0262: QuasarRAT
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | d4d11aef9c4f… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] ESET BackdoorDiplomacy Jun 2021: Adam Burgher. (2021, June 10). BackdoorDiplomacy: Upgrading from Quarian to Turian. Retrieved September 1, 2021.
- [2] mitre-attack G0135
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.