
The Chinese APT group called Vixen Panda has been linked to a new series of attacks targeting the Iranian government during Q3 and Q4 of 2022.
Vixen Panda, also known as APT15, Backdoor Diplomacy, KeChang, and NICKEL, targets government and diplomatic entities in North and South America, Africa, and the Middle East.
The group's Turian backdoor remains under active development; as the capability has evolved, the researchers recently identified new variants of the backdoor as well as new command-and-control infrastructure.
Both variants, which feature additional obfuscation and a modified network protocol, were deployed in attacks against several Iranian government networks, from which numerous connections were established to Playful Taurus C2 servers (Playful Taurus is Palo Alto Networks' name for the group).
The upgrades to the Turian backdoor and the new C2 infrastructure suggest that Vixen Panda continues to see success in its cyber-espionage campaigns.
This research was documented by researchers from Palo Alto Networks.
Indicators of Compromise
IPv4 addresses (C2):
- 152.32.181[.]16
- 158.247.222[.]6
Domains (C2):
- vpnkerio[.]com
- update.delldrivers[.]in
- scm.oracleapps[.]org
- update.adboeonline[.]net
- mail.indiarailways[.]net
SHA1 hashes:
- cfd9884511f2b5171c00570da837c31094e2ec72
- 1cf1985aec3dd1f7040d8e9913d9286a52243aca
SHA256 hashes:
- 67c911510e257b341be77bc2a88cedc99ace2af852f7825d9710016619875e80
- 8549c5bafbfad6c7127f9954d0e954f9550d9730ec2e06d6918c050bf3cb19c3
- 5bb99755924ccb6882fc0bdedb07a482313daeaaa449272dc291566cd1208ed5
- ad22f4731ab228a8b63510a3ab6c1de5760182a7fe9ff98a8e9919b0cf100c58
- 6828b5ec8111e69a0174ec14a2563df151559c3e9247ef55aeaaf8c11ef88bfa
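The indicators above are published defanged (with `[.]` in place of `.`), so they cannot be pasted straight into a log search. The following script is an added example, not part of the report or of Palo Alto Networks' tooling: it refangs the indicators, classifies each one by type (IPv4, domain, SHA1, SHA256), and sweeps a handful of constructed DNS, proxy and EDR log lines for exact matches, treating a subdomain of a listed domain as a match as well. The log lines and hostnames in `SAMPLE_LOGS` are made up for the demonstration; the indicator values are the ones listed on this page.

```python
import re

# Indicators exactly as published above, in defanged form.
IOCS = [
    "152.32.181[.]16",
    "158.247.222[.]6",
    "vpnkerio[.]com",
    "update.delldrivers[.]in",
    "scm.oracleapps[.]org",
    "update.adboeonline[.]net",
    "mail.indiarailways[.]net",
    "cfd9884511f2b5171c00570da837c31094e2ec72",
    "1cf1985aec3dd1f7040d8e9913d9286a52243aca",
    "67c911510e257b341be77bc2a88cedc99ace2af852f7825d9710016619875e80",
    "8549c5bafbfad6c7127f9954d0e954f9550d9730ec2e06d6918c050bf3cb19c3",
    "5bb99755924ccb6882fc0bdedb07a482313daeaaa449272dc291566cd1208ed5",
    "ad22f4731ab228a8b63510a3ab6c1de5760182a7fe9ff98a8e9919b0cf100c58",
    "6828b5ec8111e69a0174ec14a2563df151559c3e9247ef55aeaaf8c11ef88bfa",
]

# Constructed sample log lines (DNS, proxy, EDR); hosts and client IPs are invented.
SAMPLE_LOGS = [
    "2022-10-03T08:14:02Z dns client=10.0.0.12 query=vpnkerio.com. type=A",
    "2022-10-03T08:14:05Z proxy client=10.0.0.12 dst=152.32.181.16:443 action=allow",
    "2022-10-03T08:15:11Z dns client=10.0.0.40 query=www.example.org. type=A",
    "2022-10-03T08:16:30Z edr host=ws-07 "
    "sha256=ad22f4731ab228a8b63510a3ab6c1de5760182a7fe9ff98a8e9919b0cf100c58 "
    "path=C:\\Users\\Public\\svchost.exe",
    "2022-10-03T08:17:00Z dns client=10.0.0.12 query=cdn.vpnkerio.com. type=A",
]


def refang(ioc):
    """Undo the common defanging conventions so the value matches real log data."""
    return ioc.replace("[.]", ".").replace("hxxp", "http")


def classify(ioc):
    """Return the indicator type based on its shape; hashes are recognised by hex length."""
    v = refang(ioc).lower()
    if re.fullmatch(r"(\d{1,3}\.){3}\d{1,3}", v):
        return "ipv4"
    if re.fullmatch(r"[0-9a-f]{40}", v):
        return "sha1"
    if re.fullmatch(r"[0-9a-f]{64}", v):
        return "sha256"
    if re.fullmatch(r"[a-z0-9.-]+\.[a-z]{2,}", v):
        return "domain"
    return "unknown"


def build_index(iocs):
    """Group refanged indicators into per-type sets for O(1) membership checks."""
    index = {k: set() for k in ("ipv4", "domain", "sha1", "sha256", "unknown")}
    for ioc in iocs:
        index[classify(ioc)].add(refang(ioc).lower())
    return index


# Tokens are runs of letters, digits, dots and hyphens; ':' and '=' act as separators,
# so "152.32.181.16:443" yields the bare address and "query=vpnkerio.com." the name.
TOKEN_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9.\-]*")


def scan_log(lines, index):
    """Return (line_number, type, indicator) for every indicator seen in the log lines."""
    hits = []
    for n, line in enumerate(lines, 1):
        seen = set()
        for tok in TOKEN_RE.findall(line):
            tok = tok.lower().rstrip(".")  # DNS logs often write FQDNs with a trailing dot
            for kind in ("ipv4", "sha1", "sha256"):
                if tok in index[kind]:
                    seen.add((kind, tok))
            if tok in index["domain"]:
                seen.add(("domain", tok))
            else:
                # A lookup for a subdomain of a listed C2 domain is still a hit.
                for d in index["domain"]:
                    if tok.endswith("." + d):
                        seen.add(("domain", d))
        hits.extend((n, kind, ioc) for kind, ioc in sorted(seen))
    return hits


if __name__ == "__main__":
    for line_no, kind, ioc in scan_log(SAMPLE_LOGS, build_index(IOCS)):
        print(f"line {line_no}: {kind} match on {ioc}")
```

Exact matching on refanged values keeps false positives low; the suffix check on domains is the one deliberate widening, since a C2 operator can point any subdomain of a controlled zone at the same infrastructure. Hash indicators only catch the exact binaries listed, so they should be paired with the network indicators rather than relied on alone.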