Chinese hackers targeted Iranian government entities for months


The networks of four Iranian government organisations including Iran’s Ministry of Foreign Affairs, have likely been compromised.


Chinese advanced persistent threat actor, Playful Taurus, targeted several Iranian government entities between July and December 2022, according to a Palo Alto Networks report.

The Chinese threat actor, also known as APT15, KeChang, NICKEL, BackdoorDiplomacy and Vixen Panda, was observed attempting to connect government domains to malware infrastructure previously associated with the APT group, according to the report.

“Playful Taurus continues to evolve their tactics and their tooling. Recent upgrades to the Turian backdoor and new C2 infrastructure suggest that these actors continue to see success during their cyber espionage campaigns,” Palo Alto Networks said in a blog.

“Our analysis of the samples and connections to the malicious infrastructure suggest that Iranian government networks have likely been compromised,” the cyber security firm added.

The firm has also cautioned that the threat actor has been deploying the same tactics and techniques against other government and diplomatic entities across North and South America, Africa and the Middle East.

Playful Taurus deployed a new version of Turian malware

In the recent attacks against government entities in Iran, the researchers observed Playful Taurus using a new version of the Turian malware and new command and control (C2) infrastructure.

The new version of the threat actor’s backdoor has additional obfuscation, a modified network protocol and an updated decryption algorithm used to extract the C2 server addresses. The malware offers functions to update the C2 server it communicates with, execute commands and spawn reverse shells.

The networks of four Iranian government organisations, including Iran’s Ministry of Foreign Affairs, have likely been compromised using the new version of the malware.

“We identified Iranian government infrastructure establishing connections with a known Playful Taurus command and control (C2) server,” Palo Alto Networks noted. “Pivoting on one of the Iranian government IPs, we then identified additional infrastructure hosting certificates that overlap with a second Playful Taurus C2 server.”

Turian is the next-stage evolution of Quarian, a backdoor the threat actor was last observed using in 2013 against diplomatic targets in Syria and the United States. The use of Turian by Playful Taurus was first identified in June 2021 by ESET.

Several countries targeted over the years

Known to be active since 2010, the threat actor targets telecommunication companies and government diplomatic entities. Its initial access vector is the exploitation of vulnerable internet-exposed applications on web servers to drop and execute a webshell.

Using the webshell, Playful Taurus deploys open source software for information gathering. It then uses Dynamic-Link Library (DLL) search order hijacking to install its backdoor, Turian. As a last step, the threat actor employs a separate executable to detect removable media, likely USB flash drives, and copy their contents to the main drive’s recycle bin, according to ESET researchers.
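A defender-side heuristic for the DLL search order hijacking step described above, added here as an example and not taken from the Palo Alto Networks or ESET reports: it runs over constructed image-load records (field names modelled on Sysmon Event ID 7, `Image` and `ImageLoaded`) and flags a DLL whose name belongs to a system library but which was resolved from somewhere other than the Windows system directories, typically the application's own folder. The system DLL list and the sample events are constructed for the example.

```python
from dataclasses import dataclass
from pathlib import PureWindowsPath

# DLL names expected to resolve from %SystemRoot%\System32 (or SysWOW64).
# Constructed subset for this example; build the real list from a known-good host.
SYSTEM32_DLLS = {"version.dll", "dwmapi.dll", "wtsapi32.dll", "kernel32.dll"}

SYSTEM_DIRS = {"system32", "syswow64"}


@dataclass(frozen=True)
class ImageLoad:
    image: str         # full path of the process executable (Sysmon "Image")
    image_loaded: str  # full path of the DLL that was mapped (Sysmon "ImageLoaded")


def is_search_order_hijack(ev: ImageLoad) -> bool:
    """True when a known system DLL name was loaded from a non-system directory.

    Windows resolves a DLL from the application directory before System32, so a
    planted file carrying a system DLL's name next to a trusted executable is
    the hallmark of search order hijacking.
    """
    dll = PureWindowsPath(ev.image_loaded)
    if dll.name.lower() not in SYSTEM32_DLLS:
        return False          # not a name that should come from the system dirs
    if dll.parent.name.lower() in SYSTEM_DIRS:
        return False          # resolved from the expected location
    return True


def flag_hijacks(events):
    """Return the ImageLoaded paths of every event that matches the heuristic."""
    return [ev.image_loaded for ev in events if is_search_order_hijack(ev)]


# Constructed sample image-load records (not real telemetry).
SAMPLE_EVENTS = [
    ImageLoad(r"C:\Program Files\Vendor\app.exe", r"C:\Windows\System32\version.dll"),
    ImageLoad(r"C:\ProgramData\Update\svc.exe", r"C:\ProgramData\Update\version.dll"),
    ImageLoad(r"C:\Program Files\Vendor\app.exe", r"C:\Program Files\Vendor\vendorcore.dll"),
]

if __name__ == "__main__":
    for path in flag_hijacks(SAMPLE_EVENTS):
        print("possible DLL search order hijack:", path)
```

The heuristic is intentionally narrow; confirm a hit by checking the file's signature and comparing its hash against the copy in System32 before treating it as an incident.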

The threat actor uses similar tactics, techniques and procedures across its attacks, but modifies its tools to avoid being tracked. Playful Taurus targeted the Syrian Ministry of Foreign Affairs in 2012 and the US Department of State in 2013.

In December 2021, Microsoft seized 42 domains in the US used by Playful Taurus for its attacks targeting 29 countries.
