S0647: Turian
Turian is a backdoor that has been used by BackdoorDiplomacy to target Ministries of Foreign Affairs, telecommunication companies, and charities in Africa, Europe, the Middle East, and Asia. First reported in 2021, Turian is likely related to Quarian, an older backdoor that was last observed being used in 2013 against diplomatic targets in Syria and the United States.[1]
Analyst context for executives and security teams
Turian is a Windows and Linux backdoor associated in ATT&CK with BackdoorDiplomacy, a cyber espionage group reported to target foreign affairs ministries, telecommunications companies, and charities across several regions. Its practical significance is not just the malware name: the mapped behaviors show a post-compromise toolset for discovery, command execution, persistence, collection, staging, and web-based command-and-control that may blend with normal traffic and use obfuscation.
Executive priority
Treat Turian as a planning reference for espionage-style intrusion readiness, especially where diplomatic, telecom, charity, or similarly sensitive operations are in scope. Leaders should ask whether endpoint, identity, and network teams can prove visibility across Windows and Linux hosts for persistence, shell execution, local data staging, screenshots, archive creation, and web-protocol command-and-control. This object is also useful for audit and tabletop evidence: it highlights whether the organization can reconstruct attacker activity after a backdoor is present, not just block initial access.
Technical view
ATT&CK provides no official detection text for Turian, so validation should be relationship-driven. SOC and IR teams should map coverage to the techniques Turian uses: web C2 with junk data, network/system/user/file/peripheral discovery, Windows and Unix shell execution, Python execution, tool transfer, local staging, screen capture, deobfuscation, archive creation, masqueraded tasks/services, and Windows Run Key/Startup Folder persistence. On Windows, prioritize process, command-line, registry, service/task, file, and network telemetry. On Linux, prioritize shell execution, Python use, file staging, archive utilities, service-naming anomalies where applicable, and metadata from outbound web traffic inspection.
Likely telemetry
- Endpoint process creation and command-line telemetry for cmd, Unix shells, Python, archive utilities, discovery commands, and file transfer activity
- Windows Registry monitoring for Run Keys and Startup Folder persistence paths
- Service, scheduled task, or system service metadata sufficient to identify masqueraded names or suspicious creation/modification
- File creation, modification, and directory enumeration telemetry for local staging, archives, transferred tools, and decoded or deobfuscated payloads
- Network telemetry for HTTP/S or other web-protocol command-and-control patterns, including unusual destinations, timing, user-agent/header anomalies, and payload size irregularities
Detection direction
- Build detections around behavior chains rather than the malware name alone: discovery followed by shell/Python execution, tool transfer, staging, archiving, and outbound web traffic is more actionable than any single event.
- Tune web-protocol C2 analytics for abnormal client behavior and junk-data-like irregularities while accounting for legitimate web applications that may generate noisy or variable traffic.
- Validate Windows persistence coverage for Run Keys and Startup Folder entries, especially when paired with newly written binaries, scripts, or masqueraded task/service names.
- Review false positives from administrators, software deployment tools, backup agents, and monitoring scripts that legitimately run discovery, shell, Python, archive, or transfer utilities.
- Because ATT&CK provides no Turian-specific detection guidance, use local baselines, known-good administrative activity, and incident response findings to refine alerts.
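The behavior-chain approach above is easiest to reason about with a concrete scorer. The following is an added example written for this page, not ATT&CK or Glexia code and not anything from the ESET report: it maps normalized endpoint, registry, file and network events to the stages Turian's techniques cover (discovery, shell/Python execution, tool transfer, local staging, password-protected archiving, Run Key persistence, direct web C2) and alerts only when several distinct stages occur on one host inside a sliding window. The event schema, the regexes, the window and stage threshold, and the sample events are all constructed assumptions to be replaced with local telemetry and baselines; the second host shows an administrator and backup agent that trip single stages without producing an alert.

```python
"""Behavior-chain scorer for Turian-style post-compromise activity.

Added example, not ATT&CK, Glexia or ESET code. Scores each host on how many
distinct chain stages appear within WINDOW and alerts only on chains, so a
lone discovery command or archive job does not fire on its own.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=30)   # assumed tuning value; adjust to local baselines
MIN_STAGES = 4                   # assumed threshold: distinct stages needed to alert

# Assumed heuristics; each maps an event to one stage of the chain.
DISCOVERY = re.compile(r"\b(whoami|hostname|systeminfo|ipconfig|ifconfig|ip addr|wmic|net (view|user))\b", re.I)
SHELLS = re.compile(r"(^|[\\/])(cmd\.exe|sh|bash|python[0-9.]*)(\.exe)?$", re.I)
ARCHIVERS = re.compile(r"(^|[\\/])(rar|winrar|7z|tar|zip)(\.exe)?$", re.I)
PASSWORD_FLAG = re.compile(r"\s-h?p\S*")          # rar/7z style -p / -hp password switches
RUN_KEY = re.compile(r"\\CurrentVersion\\(Run|RunOnce)\\", re.I)
STAGING_DIRS = re.compile(r"(\\Temp\\|/tmp/|\\ProgramData\\)", re.I)
TOOL_EXTENSIONS = (".exe", ".dll", ".py")


def classify(event):
    """Return the chain stage an event maps to, or None if it is not of interest."""
    kind = event["kind"]
    if kind == "process":
        image, cmdline = event["image"], event.get("cmdline", "")
        if ARCHIVERS.search(image) and PASSWORD_FLAG.search(cmdline):
            return "archive"          # password-protected archive creation
        if DISCOVERY.search(cmdline):
            return "discovery"        # host/user/network enumeration
        if SHELLS.search(image):
            return "execution"        # cmd, Unix shell or Python interpreter
    elif kind == "registry" and RUN_KEY.search(event["key"]):
        return "persistence"          # Run Key / RunOnce write
    elif kind == "file" and STAGING_DIRS.search(event["path"]):
        # Executable dropped into a scratch directory vs. documents copied there
        if event["path"].lower().endswith(TOOL_EXTENSIONS):
            return "tool_transfer"
        return "staging"
    elif kind == "network" and event.get("proto") in ("http", "https") and not event.get("via_proxy", False):
        return "c2"                   # web traffic bypassing the corporate proxy
    return None


def detect_chains(events):
    """Return {host: sorted stages} for hosts reaching MIN_STAGES within WINDOW."""
    per_host = defaultdict(list)
    for ev in events:
        stage = classify(ev)
        if stage:
            per_host[ev["host"]].append((datetime.fromisoformat(ev["ts"]), stage))
    alerts = {}
    for host, hits in per_host.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):
            stages = {s for t, s in hits[i:] if t - start <= WINDOW}
            if len(stages) >= MIN_STAGES:
                alerts[host] = sorted(stages)
                break
    return alerts


# Constructed sample telemetry (not real logs); hosts, paths and addresses are made up.
SAMPLE_EVENTS = [
    {"host": "WS-042", "ts": "2021-06-10T09:00:00", "kind": "process", "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c whoami & ipconfig /all"},
    {"host": "WS-042", "ts": "2021-06-10T09:02:00", "kind": "process", "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c dir C:\\Users\\"},
    {"host": "WS-042", "ts": "2021-06-10T09:05:00", "kind": "file", "path": r"C:\Windows\Temp\update.exe"},
    {"host": "WS-042", "ts": "2021-06-10T09:06:00", "kind": "registry", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater"},
    {"host": "WS-042", "ts": "2021-06-10T09:10:00", "kind": "file", "path": r"C:\Windows\Temp\collect\report.docx"},
    {"host": "WS-042", "ts": "2021-06-10T09:12:00", "kind": "process", "image": r"C:\Program Files\WinRAR\rar.exe", "cmdline": "rar.exe a -hpREDACTED out.rar C:\\Windows\\Temp\\collect"},
    {"host": "WS-042", "ts": "2021-06-10T09:15:00", "kind": "network", "proto": "http", "dst": "203.0.113.10", "via_proxy": False},
    # Benign administrator and backup activity: single stages only, no chain.
    {"host": "ADMIN-01", "ts": "2021-06-10T09:00:00", "kind": "process", "image": "/usr/bin/python3", "cmdline": "python3 /opt/monitor/check.py"},
    {"host": "ADMIN-01", "ts": "2021-06-10T09:01:00", "kind": "process", "image": "/usr/bin/bash", "cmdline": "bash -c 'hostname; ip addr'"},
    {"host": "ADMIN-01", "ts": "2021-06-10T09:03:00", "kind": "process", "image": "/usr/bin/tar", "cmdline": "tar czf /backup/etc.tgz /etc"},
]

if __name__ == "__main__":
    for host, stages in detect_chains(SAMPLE_EVENTS).items():
        print(f"ALERT {host}: {', '.join(stages)}")
```

Running the block reports only WS-042, with all seven stages inside the window; ADMIN-01 accumulates discovery and execution but never reaches the threshold. In production the stage heuristics would be replaced by the organization's own allow-lists for deployment tools and backup agents, and the threshold raised or lowered against observed false-positive rates, as the last two bullets above describe.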
Mitigation priorities
- Prioritize visibility first: confirm endpoint and network logging exists for the Windows and Linux behaviors mapped to Turian before assuming coverage.
- Harden persistence surfaces, especially Windows Run Keys/Startup Folder and task or service creation paths, with change monitoring and least-privilege administration.
- Restrict and monitor script and shell execution where operationally feasible, including Python and command interpreters on systems that do not require them.
- Apply egress control and proxy inspection policies that make unusual web-protocol command-and-control easier to identify and contain.
- Limit local data staging and archive abuse through least privilege, sensitive data access controls, and monitoring of unusual archive creation or bulk file movement.
Analyst notes and limits
The strongest defensive value comes from the ATT&CK relationships, not from a Turian-specific detection paragraph. The mapped techniques describe a backdoor capable of reconnaissance, execution, persistence, collection, and command-and-control behaviors that are common in hands-on intrusion activity. BackdoorDiplomacy is the related group in the supplied relationship context, and the official description cites reported targeting of ministries of foreign affairs, telecommunications companies, and charities.
No official ATT&CK detection text, aliases, labels, or malware-specific indicators were supplied. The malware object lists Windows and Linux platforms and no explicit tactics; tactics are inferred only from related technique context. This take does not assert current activity, customer exposure, guaranteed detection, or indicators beyond the supplied ATT&CK fields and references.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1059.004 | Unix Shell (sub-technique) | Turian has the ability to use |
| Enterprise | T1083 | File and Directory Discovery | Turian can search for specific files and list directories.[1] |
| Enterprise | T1027 | Obfuscated Files or Information | Turian can use VMProtect for obfuscation.[1] |
| Enterprise | T1113 | Screen Capture | Turian has the ability to take screenshots.[1] |
| Enterprise | T1033 | System Owner/User Discovery | Turian can retrieve usernames.[1] |
| Enterprise | T1547.001 | Registry Run Keys / Startup Folder (sub-technique) | Turian can establish persistence by adding Registry Run keys.[1] |
| Enterprise | T1560.001 | Archive via Utility (sub-technique) | Turian can use WinRAR to create a password-protected archive for files of interest.[1] |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | Turian has the ability to use an XOR decryption key to extract C2 server domains and IP addresses.[1] |
| Enterprise | T1016 | System Network Configuration Discovery | Turian can retrieve the internal IP address of a compromised host.[1] |
| Enterprise | T1059.006 | Python (sub-technique) | Turian has the ability to use Python to spawn a Unix shell.[1] |
| Enterprise | T1074.001 | Local Data Staging (sub-technique) | Turian can store copied files in a specific directory prior to exfiltration.[1] |
| Enterprise | T1001.001 | Junk Data (sub-technique) | Turian can insert pseudo-random characters into its network encryption setup.[1] |
| Enterprise | T1071.001 | Web Protocols (sub-technique) | Turian has the ability to use HTTP for its C2.[1] |
| Enterprise | T1105 | Ingress Tool Transfer | Turian can download additional files and tools from its C2.[1] |
| Enterprise | T1059.003 | Windows Command Shell (sub-technique) | |
| Enterprise | T1082 | System Information Discovery | Turian can retrieve system information including OS version, memory usage, local hostname, and system adapter information.[1] |
| Enterprise | T1036.004 | Masquerade Task or Service (sub-technique) | Turian can disguise as a legitimate service to blend into normal operations.[1] |
| Enterprise | T1120 | Peripheral Device Discovery | Turian can scan for removable media to collect data.[1] |
Groups, software, and campaigns
G0135: BackdoorDiplomacy
BackdoorDiplomacy is a cyber espionage threat group that has been active since at least 2017. BackdoorDiplomacy has targeted Ministries of Foreign Affairs and telecommunication companies in Africa, Europe, the Middle East, and Asia.[1]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | edc9bb48be3c… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] ESET BackdoorDiplomacy Jun 2021: Adam Burgher. (2021, June 10). BackdoorDiplomacy: Upgrading from Quarian to Turian. Retrieved September 1, 2021. (Open source URL)
[2] mitre-attack S0647. (Open source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.