October 2, 2023

Researchers have spotted the activities of APT15 (Vixen Panda), a Chinese state-sponsored threat group that has developed a fresh backdoor known as Graphican.

The campaign spanned from 2022 to 2023 and primarily focused on foreign affairs ministries in the Americas. It also targeted a government finance department, a company that sells products in Central and South America, and a European entity.

Apart from Graphican, APT15 used various other tools, including EWSTEW, Mimikatz, web shells, SharpSecDump, and LaZagne. It also exploited CVE-2020-1472, a privilege escalation bug affecting the Netlogon Remote Protocol. Successful exploitation of the flaw could enable the attacker to run a specially crafted application on a device in the network.


The Graphican backdoor is an evolved version of an earlier malware family named Ketrican. Graphican uses the Microsoft Graph API and OneDrive for its C2 infrastructure.

The operation of Graphican involves disabling Internet Explorer’s first-run wizard, authenticating with Microsoft Graph API, decrypting folder names for use as C2 servers, generating unique Bot IDs, and executing commands received from the control server.
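A hunting sketch for the behaviour chain described above, added here as an example and not taken from the original report: it flags any process that both disables Internet Explorer's first-run wizard and looks up the Microsoft Graph API host. The Sysmon-style event fields, the `DisableFirstRunCustomize` value name, the allowlist and all sample events are assumptions or constructed data; the page does not name the registry key Graphican writes.

```python
# Added hunting sketch; every event below is constructed sample data.
from collections import defaultdict

# Assumption: value name of the documented IE setting that suppresses the
# first-run wizard; the page does not name the key Graphican writes.
FIRST_RUN_VALUE = r"\internet explorer\main\disablefirstruncustomize"
GRAPH_HOST = "graph.microsoft.com"
# Hypothetical allowlist of binaries expected to call Graph in this estate.
EXPECTED_GRAPH_CLIENTS = {"onedrive.exe", "teams.exe", "outlook.exe"}
BOTH = {"ie_first_run_disabled", "graph_api_lookup"}

def basename(image):
    return image.rsplit("\\", 1)[-1].lower()

def hunt(events):
    """Images of processes that both disabled the IE first-run wizard and
    resolved the Graph API host, excluding expected Graph clients."""
    seen, image = defaultdict(set), {}
    for ev in events:
        guid = ev["ProcessGuid"]
        image[guid] = ev["Image"]
        if ev["EventID"] == 13:      # Sysmon-style registry value set
            target = ev["TargetObject"].lower()
            if target.endswith(FIRST_RUN_VALUE) and "0x00000001" in ev["Details"]:
                seen[guid].add("ie_first_run_disabled")
        elif ev["EventID"] == 22:    # Sysmon-style DNS query
            if ev["QueryName"].lower().rstrip(".") == GRAPH_HOST:
                seen[guid].add("graph_api_lookup")
    return sorted(image[g] for g, b in seen.items()
                  if b == BOTH and basename(image[g]) not in EXPECTED_GRAPH_CLIENTS)

IE_MAIN = r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Internet Explorer\Main"
SAMPLE_EVENTS = [
    {"EventID": 13, "ProcessGuid": "{A}", "Image": r"C:\Users\Public\svc_update.exe",
     "TargetObject": IE_MAIN + r"\DisableFirstRunCustomize", "Details": "DWORD (0x00000001)"},
    {"EventID": 22, "ProcessGuid": "{A}", "Image": r"C:\Users\Public\svc_update.exe",
     "QueryName": "graph.microsoft.com"},
    {"EventID": 22, "ProcessGuid": "{B}", "Image": r"C:\Program Files\Microsoft OneDrive\OneDrive.exe",
     "QueryName": "graph.microsoft.com"},
    {"EventID": 13, "ProcessGuid": "{C}", "Image": r"C:\Windows\System32\svchost.exe",
     "TargetObject": IE_MAIN + r"\DisableFirstRunCustomize", "Details": "DWORD (0x00000001)"},
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print("review:", hit)
```

File names are easy to imitate, so a production allowlist should key on full path and code-signing publisher rather than on the basename used here.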

APT15 continues to develop new tools, as demonstrated by the use of Graphican. The group has a history of creating custom tools, and the similarities between Graphican and the Ketrican backdoor suggest a lack of concern for attribution.

Flea (another name used for APT15) traditionally used email as an initial infection vector, but there have also been reports of it exploiting public-facing applications, as well as using VPNs, to gain initial access to victim networks.


Microsoft seized domains belonging to Flea in December 2021. The company seized 42 domains that it said were used in operations that targeted organizations in the U.S. and 28 other countries for intelligence-gathering purposes.

Flea’s targets, foreign ministries, align with its previous activities, indicating consistent interests alongside evolving techniques.

Indicators of Compromise

