Playful Taurus (aka APT15, BackdoorDiplomacy, Vixen Panda, KeChang and NICKEL) is a Chinese APT group typically focused on cyber espionage campaigns, historically targeting government and diplomatic entities across North America, South America, Africa, and the Middle East.
Unit 42’s research on Playful Taurus (aka APT15, BackdoorDiplomacy, Vixen Panda, KeChang and NICKEL) reveals:
- · Unit 42 identified several Iranian Government entities attempting to connect to known Playful Taurus malware infrastructure between July and late December 2022 – this activity suggests a likely compromise of the Iran Ministry of Foreign Affairs and Iranian Natural Resource Organization and other Iranian Government infrastructure.
- · Unit 42 identified new variants of the Turian backdoor.
- · Recent upgrades to the Turian backdoor and new C2 infrastructure suggest that these actors continue to see success during their cyber espionage campaigns.
- · Chinese APT actor Playful Taurus remains an active threat to government and diplomatic entities across North and South America, Africa, and the Middle East.
This activity between China and Iran is also occurring amid the backdrop of the 2021 25-year cooperation accord that both countries signed that entails economic, military and security cooperation, even as both countries are under different levels of United States sanctions.
Executive Summary
Playful Taurus, also known as APT15, BackdoorDiplomacy, Vixen Panda, KeChang and NICKEL, is a Chinese advanced persistent threat group that routinely conducts cyber espionage campaigns. The group has been active since at least 2010 and has historically targeted government and diplomatic entities across North and South America, Africa and the Middle East. In June 2021, ESET reported that this group had upgraded their tool kit to include a new backdoor called Turian. This backdoor remains under active development, and we assess that it is used exclusively by Playful Taurus actors. Following the evolution of this capability, we recently identified new variants of this backdoor as well as new command and control infrastructure. Analysis of both the samples and connections to the malicious infrastructure suggests that several Iranian government networks have likely been compromised by Playful Taurus.
Palo Alto Networks customers receive protections from the threats described in this blog through Advanced URL Filtering, DNS Security, Cortex XDR and WildFire malware analysis.
