September 30, 2023

The Chinese APT group called Vixen Panda has been linked to a new series of attacks targeting the Iranian government during Q3 and Q4 of 2022.

Vixen Panda is also known as APT15, Backdoor Diplomacy, KeChang, and NICKEL, and targets government and diplomatic entities in North and South America, Africa, and the Middle East.


This backdoor remains under active development, and with the evolution of this capability, we recently identified new variants of this backdoor as well as new command and control infrastructure.

Both variants, which featured additional obfuscation and a modified network protocol, were deployed in attacks against several Iranian government networks, in which numerous connections were established to Playful Taurus C2 servers.

The upgrades to the Turian backdoor and new C2 infrastructure suggest that Vixen Panda continues to see success during its cyber-espionage campaigns.

This research was documented by researchers from Palo Alto.


Indicators of Compromise

