Playful Taurus (APT15) continues to evolve its toolkit, upgrading the Turian backdoor and expanding C2 infrastructure, with Iranian government networks likely compromised. The investigation maps infrastructure ties, updated variants, and supporting artifacts like certificates and domain activity to illustrate ongoing espionage campaigns against government and diplomatic entities across regions.
#PlayfulTaurus #APT15 #Turian #BackdoorDiplomacy #VixenPanda #NICKEL #IranianGovernment #ForeignMinistryOfIran
Keypoints
- Playful Taurus (also known as APT15, BackdoorDiplomacy, Vixen Panda, KeChang, and NICKEL) is a Chinese APT that has actively targeted government and diplomatic entities since at least 2010.
- The group upgraded its toolkit in 2021 with a new backdoor named Turian, with new variants and C2 infrastructure identified since, indicating ongoing development and activity.
- Iranian government networks show connections to Playful Taurus infrastructure, with multiple Iranian organizations connecting to 152.32.181.16 and related domains and certificates.
- Turian uses an SSPI-based network protocol and SSL/TLS for C2 communications, including an SSL handshake and encrypted traffic, sometimes with additional XOR obfuscation.
- The Turian variant introduces updated command IDs, supports updating the C2, executing commands, spawning reverse shells, and other capabilities, signaling newer, more flexible control.
MITRE Techniques
- [T1071.001] Web Protocols - The malware uses TLS/SSL to communicate with its C2; "a socket is then opened to the remote C2, using standard Winsock API, with connect() being called to establish a connection."
- [T1027] Obfuscated/Compressed Files and Information - The sample is packed with VMProtect, which obfuscates API calls within the sample.
- [T1140] Deobfuscate/Decode Files or Information - The XOR decryption function is used to decrypt the embedded C2 server (update.delldrivers.in).
- [T1059] Command and Scripting Interpreter - The updated Turian variant supports executing commands and spawning reverse shells as part of its functionality.
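The T1140 entry above describes the embedded C2 domain being recovered through an XOR routine. The following is an added analyst-side example, not code from the Unit 42 report or from the malware: it shows how a string hidden behind a single-byte XOR key can be recovered from a configuration blob by trying every key and keeping decodings that look like a domain. The blob and the key 0x5A are constructed here for illustration; the real sample's key and scheme are not given on this page and are not assumed to be single-byte.

```python
import re
from typing import List, Optional, Tuple

# Constructed example data: the page only states that Turian XOR-decrypts its
# embedded C2 (update.delldrivers.in). The key 0x5A and the surrounding padding
# are assumptions for this illustration, not values from the real sample.
ASSUMED_KEY = 0x5A
PLAINTEXT_C2 = b"update.delldrivers.in"


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with a single-byte key; the operation is its own inverse."""
    return bytes(b ^ key for b in data)


# Blob as it might sit in a config section: null padding around the obfuscated string.
EMBEDDED_BLOB = b"\x00\x00" + xor_bytes(PLAINTEXT_C2, ASSUMED_KEY) + b"\x00\x00"

# Loose shape of a hostname: label(s) followed by a TLD of at least two letters.
DOMAIN_RE = re.compile(rb"(?:[a-z0-9-]+\.)+[a-z]{2,}")


def recover_single_byte_xor_domains(blob: bytes) -> List[Tuple[int, str]]:
    """Try all 256 single-byte keys and report every decoded substring that looks like a domain."""
    hits: List[Tuple[int, str]] = []
    for key in range(256):
        decoded = xor_bytes(blob, key)
        for match in DOMAIN_RE.finditer(decoded):
            hits.append((key, match.group(0).decode("ascii")))
    return hits


def best_candidate(blob: bytes) -> Optional[Tuple[int, str]]:
    """Return the (key, domain) pair with the longest domain-like decoding, or None."""
    hits = recover_single_byte_xor_domains(blob)
    if not hits:
        return None
    return max(hits, key=lambda kv: len(kv[1]))


if __name__ == "__main__":
    key, domain = best_candidate(EMBEDDED_BLOB)
    print(f"key=0x{key:02x} domain={domain}")
```

Short spurious matches can appear under other keys (a stray byte decoding to a dot between two letters), which is why the longest candidate is taken rather than the first; for a multi-byte or rolling key this brute force does not apply and the routine has to be read out of the sample instead.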
Indicators of Compromise
- [IP Address] Iranian government/infrastructure connections - 109.201.27.66, 185.4.17.10, 37.156.28.101, 37.156.29.172, 31.47.62.201
- [IP Address] Playful Taurus infrastructure hosts - 152.32.181.16, 158.247.222.6
- [Domain] Playful Taurus domains - vpnkerio.com, update.delldrivers.in, scm.oracleapps.org, update.adboeonline.net, mail.indiarailways.net
- [SHA-1 Certificate] Suspected Playful Taurus certificate - cfd9884511f2b5171c00570da837c31094e2ec72 (Table 1)
- [SHA-256] Turian-related samples - 67c911510e257b341be77bc2a88cedc99ace2af852f7825d9710016619875e80, 8549c5bafbfad6c7127f9954d0e954f9550d9730ec2e06d6918c050bf3cb19c3, 5bb99755924ccb6882fc0bdedb07a482313daeaaa449272dc291566cd1208ed5, ad22f4731ab228a8b63510a3ab6c1de5760182a7fe9ff98a8e9919b0cf100c58, 6828b5ec8111e69a0174ec14a2563df151559c3e9247ef55aeaaf8c11ef88bfa
- [Filename] Turian/C2-related samples - dellux.exe, scm.exe
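The indicators listed above are only useful once they are checked against telemetry. Below is an added example (not code from Unit 42 or from this summary's source) that matches the actor-infrastructure indicators from the list, that is the C2 IPs, domains, sample hashes and filenames, against a handful of constructed DNS, proxy and endpoint log lines. The Iranian IPs in the first entry are left out on purpose: the page presents them as networks seen connecting to the actor's infrastructure, so a hit on them means something different from a hit on the C2 itself. The log format is invented for the example; the indicator values are taken verbatim from the list.

```python
import re
from typing import Dict, List, Tuple

# Actor-infrastructure indicators copied from the list above.
IOCS: Dict[str, List[str]] = {
    "c2_ip": ["152.32.181.16", "158.247.222.6"],
    "c2_domain": [
        "vpnkerio.com", "update.delldrivers.in", "scm.oracleapps.org",
        "update.adboeonline.net", "mail.indiarailways.net",
    ],
    "sample_sha256": [
        "67c911510e257b341be77bc2a88cedc99ace2af852f7825d9710016619875e80",
        "8549c5bafbfad6c7127f9954d0e954f9550d9730ec2e06d6918c050bf3cb19c3",
        "5bb99755924ccb6882fc0bdedb07a482313daeaaa449272dc291566cd1208ed5",
        "ad22f4731ab228a8b63510a3ab6c1de5760182a7fe9ff98a8e9919b0cf100c58",
        "6828b5ec8111e69a0174ec14a2563df151559c3e9247ef55aeaaf8c11ef88bfa",
    ],
    "sample_filename": ["dellux.exe", "scm.exe"],
}


def _pattern(kind: str, value: str) -> re.Pattern:
    """Build a boundary-aware regex so 152.32.181.16 does not match 152.32.181.160
    and vpnkerio.com does not match notvpnkerio.com (subdomains still match)."""
    v = re.escape(value.lower())
    if kind == "c2_ip":
        return re.compile(rf"(?<![\d.]){v}(?![\d.])")
    if kind == "c2_domain":
        return re.compile(rf"(?<![\w-]){v}(?![\w-])")
    # hashes and filenames: plain word boundaries
    return re.compile(rf"(?<![\w.-]){v}(?![\w-])")


COMPILED: List[Tuple[str, str, re.Pattern]] = [
    (kind, value, _pattern(kind, value)) for kind, values in IOCS.items() for value in values
]


def scan_logs(lines: List[str]) -> List[Dict[str, object]]:
    """Return one record per (line, indicator) match; matching is case-insensitive."""
    hits: List[Dict[str, object]] = []
    for lineno, line in enumerate(lines, start=1):
        lowered = line.lower()
        for kind, value, pat in COMPILED:
            if pat.search(lowered):
                hits.append({"line": lineno, "kind": kind, "indicator": value})
    return hits


# Constructed sample telemetry (format and hosts invented for this example).
SAMPLE_LOGS = [
    "2024-01-15T10:02:11Z dns client=10.0.0.15 query=update.delldrivers.in type=A",
    "2024-01-15T10:02:12Z proxy src=10.0.0.15 dst=152.32.181.16:443 action=allowed",
    "2024-01-15T10:05:40Z dns client=10.0.0.22 query=www.example.org type=A",
    "2024-01-15T10:06:02Z edr host=WS-22 process=dellux.exe "
    "sha256=67C911510E257B341BE77BC2A88CEDC99ACE2AF852F7825D9710016619875E80",
    "2024-01-15T10:07:00Z proxy src=10.0.0.31 dst=152.32.181.160:80 action=allowed",
    "2024-01-15T10:08:13Z dns client=10.0.0.40 query=notvpnkerio.com type=A",
]


if __name__ == "__main__":
    for hit in scan_logs(SAMPLE_LOGS):
        print(f"line {hit['line']}: {hit['kind']} {hit['indicator']}")
```

Lines 5 and 6 of the sample are deliberate near-misses (a longer IP and a look-alike domain) and produce no hit, while line 4 shows the hash being matched regardless of case; in production the same lookups belong in the SIEM's threat-list matching, with the source and date of the indicator list carried along so stale infrastructure can be retired.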
Read more: https://unit42.paloaltonetworks.com/playful-taurus/