Home/ Threat Actors/ BackdoorDiplomacy

🌐BackdoorDiplomacy

🌐 BackdoorDiplomacy is a tracked threat actor in the Clankerusecase corpus. ??-aligned. Primary motivation: Unknown. We map 14 detection use cases to this actor across 15 MITRE ATT&CK techniques, with 0 threat-intel articles citing them.

View full actor card → All threat actors MITRE ATT&CK group spec (G0135) ↗

14Use cases

0Articles

15Techniques

0IOCs

About this actor (MITRE)

[BackdoorDiplomacy](https://attack.mitre.org/groups/G0135) is a cyber espionage threat group that has been active since at least 2017. [BackdoorDiplomacy](https://attack.mitre.org/groups/G0135) has targeted Ministries of Foreign Affairs and telecommunication companies in Africa, Europe, the Middle East, and Asia.(Citation: ESET BackdoorDiplomacy Jun 2021)

Known aliases

BackdoorDiplomacy

Top techniques

T1027 · Obfuscated Files or Information T1036.004 · Masquerade Task or Service T1036.005 · Match Legitimate Resource Name or Location

All other tracked techniques

T1046 · Network Service Discovery T1049 · System Network Connections Discovery T1055.001 · Dynamic-link Library Injection T1074.001 · Local Data Staging T1095 · Non-Application Layer Protocol T1105 · Ingress Tool Transfer T1120 · Peripheral Device Discovery T1190 · Exploit Public-Facing Application T1505.003 · Web Shell T1574.001 · DLL T1588.001 · Malware T1588.002 · Tool

Detection use cases (14)

BackdoorDiplomacy Turian DLL search-order hijack via co-planted signed AV/security vendor binary AI · profile SΣ BackdoorDiplomacy IIS / Exchange webshell post-exploitation: w3wp.exe → recon + tunnel staging AI · profile SΣ Brand-Impersonation Domain Fetch Followed by User-Context Loader Within 10 Minutes MITRE match Cross-Platform ClickFix Paste-to-Pipe Loader (UI-Parent Shell with Decode-and-Execute Payload) MITRE match Internet-Facing Service Process Spawning Unix Shell or Ingress-Tool LOLBin (Edge Zero-Day Post-Exploit) MITRE match Internet-facing service process spawns shell/LOLBin within minutes of public inbound connection — post-RCE command execution MITRE match Low-Code / AI Workflow Runtime Sandbox-Escape — Server Process Spawns Shell + Public Egress MITRE match npm/yarn/pnpm Install-Hook Spawn → Credential-Store Read or Worm-Payload Drop in node_modules MITRE match Package Manager Install Hook Spawns Scripting Interpreter Then Touches Credential Files or Egresses Off-Registry MITRE match Package-install lifecycle script harvests local credentials and beacons to a non-baselined domain MITRE match Post-Auth Privilege Boundary Crossing on Edge/Management Appliances (low-priv -> admin within 10m) MITRE match Self-hosted application service spawns shell or SSH within seconds of inbound unauthenticated API write MITRE match Server / AI-agent process spawns shell or LOLBIN with public egress — post-RCE behavioural chain MITRE match Service-process parent spawns subprocess containing CLI-argument-injection tokens MITRE match