Chinese APT Group Vixen Panda Targets Iranian Government Entities

Written by

The Chinese advanced persistent threat (APT) known as Vixen Panda has been linked to a new series of attacks targeting the Iranian government between July and December 2022.

The claims come from cybersecurity researchers at Palo Alto Networks’ Unit 42, who shared a report about them with Infosecurity via email.

Called "Playful Taurus" by Unit 42, Vixen Panda is also known as APT15, BackdoorDiplomacy, KeChang and NICKEL. The threat actor has been active since at least 2010, often targeting government and diplomatic entities in North and South America, Africa and the Middle East.

“In June 2021, ESET reported that this group had upgraded their tool kit to include a new backdoor called Turian,” wrote Unit 42 in the advisory published earlier today.

“This backdoor remains under active development, and we assess that it is used exclusively by Playful Taurus actors. Following the evolution of this capability, we recently identified new variants of this backdoor as well as new command and control infrastructure.”

Both variants, which featured additional obfuscation and a modified network protocol, were deployed in attacks against several Iranian government networks.

“We identified Iranian government infrastructure establishing connections with a known Playful Taurus command and control (C2) server,” wrote Unit 42. “Pivoting on one of the Iranian government IPs, we then identified additional infrastructure hosting certificates that overlap with a second Playful Taurus C2 server.”

According to Palo Alto Networks, the upgrades to the Turian backdoor and new C2 infrastructure suggest that Vixen Panda continues to see success during its cyber-espionage campaigns.

In the advisory, which is available here, the company has also shared file samples and indicators of compromise (IoC) of the new malicious campaign alongside various protection and mitigation suggestions.

These include the use of advanced URL filtering and DNS security practices to identify domains associated with Playful Taurus as malicious.

The Unit 42 advisory comes days after new data from Recorded Future suggested that restrictive laws in China may push cyber-criminals toward new monetization techniques.

What’s hot on Infosecurity Magazine?