<!DOCTYPE html> <html lang="en"> <head> <!-- Document head: page metadata, resource hints, then the inline bootstrap scripts. Every inline <script> in this head would need a CSP nonce or hash before a strict script-src could be enforced. --> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="canonical" href="https://www.welivesecurity.com/2021/06/10/backdoordiplomacy-upgrading-quarian-turian/"><title>BackdoorDiplomacy: Upgrading from Quarian to Turian</title><meta content="BackdoorDiplomacy: Upgrading from Quarian to Turian" property="og:title"><meta content="https://web-assets.esetstatic.com/wls/2021/06/eset-research-backdoordiplomacy-quarian-turian-apt.jpg" property="og:image"><meta content="ESET Research uncovers BackdoorDiplomacy, a new APT group that mainly targets ministries in the Middle East and Africa and deploys a backdoor ESET calls Turian." property="og:description"><meta content="https://www.welivesecurity.com/2021/06/10/backdoordiplomacy-upgrading-quarian-turian/" property="og:url"><meta content="article" property="og:type"><meta name="robots" content="index, follow, max-image-preview:large, max-video-preview:-1"><meta name="description" content="ESET Research uncovers BackdoorDiplomacy, a new APT group that mainly targets ministries in the Middle East and Africa and deploys a backdoor ESET calls Turian."><meta name="twitter:title" content="BackdoorDiplomacy: Upgrading from Quarian to Turian"><meta name="twitter:description" content="ESET researchers discover a new campaign that evolved from the Quarian backdoor"><meta name="twitter:image" content="https://web-assets.esetstatic.com/wls/2021/06/eset-research-backdoordiplomacy-quarian-turian-apt.jpg"><meta name="twitter:card" content="summary"><meta name="twitter:site" content="@welivesecurity"><meta name="twitter:creator" content="@welivesecurity"><meta name="twitter:url" content="https://www.welivesecurity.com/2021/06/10/backdoordiplomacy-upgrading-quarian-turian/"> <!-- Preloading resources --> <!-- The three font preloads carry "crossorigin", which as="font" requires: the preload request mode must match the CSS font request or the preloaded copy is discarded. --> <link rel="preload" href="https://www.welivesecurity.com/build/assets/FedraSansAltPro-BookLF-405f3258.woff" as="font" type="font/woff" crossorigin> <link 
rel="preload" href="https://www.welivesecurity.com/build/assets/FedraSansAltPro-BoldLF-31f4bc72.woff" as="font" type="font/woff" crossorigin> <link rel="preload" href="https://www.welivesecurity.com/build/assets/FedraSansAltPro-DemiLF-8885b886.woff" as="font" type="font/woff" crossorigin> <!-- Hero image is preloaded per breakpoint; the two media queries (max-width: 768px / min-width: 768.1px) do not overlap, so each viewport fetches only one candidate. --> <link rel="preload" href="https://web-assets.esetstatic.com/tn/-x266/wls/2021/06/eset-research-backdoordiplomacy-quarian-turian-apt.jpg" as="image" media="(max-width: 768px)"> <link rel="preload" href="https://web-assets.esetstatic.com/tn/-x425/wls/2021/06/eset-research-backdoordiplomacy-quarian-turian-apt.jpg" as="image" media="(min-width: 768.1px)"> <!-- The same module URL is both preloaded and executed; modulepreload is the matching hint for a type="module" script. --> <link rel="modulepreload" href="https://www.welivesecurity.com/build/assets/article-header-995fa639.js" /><script type="module" src="https://www.welivesecurity.com/build/assets/article-header-995fa639.js"></script> <!-- Analytics hook: once "pageLoaded" is dispatched (module script further below) this re-emits the article's metadata as a "postPageViewed" event. The payload is made of literal values in this page, not user input. --> <script> /* Classic (non-module) script: the listener is registered synchronously during parsing. */ window.addEventListener('pageLoaded', () => { window.dispatchEvent(new CustomEvent('postPageViewed', { detail: { 'id': 5467, 'publicationId': 10274, 'name': 'BackdoorDiplomacy: Upgrading from Quarian to Turian', 'author': 'Adam Burgher', 'category': 'ESET Research', 'section': null, 'branch': 'en', 'date': '2021/06/10' } })); }); </script> <!-- Google Tag Manager --> <!-- GTM loader, wrapped to run after "pageLoaded". The gtm.js script it injects is created at runtime, so subresource integrity cannot be applied to it; allow-listing the GTM origin in CSP script-src is the available control. --> <script type="module"> window.addEventListener("pageLoaded", () => { (function(w,d,s,l,i){w[l]=w[l]||[];w[l].push({'gtm.start': new Date().getTime(),event:'gtm.js'});var f=d.getElementsByTagName(s)[0], j=d.createElement(s),dl=l!='dataLayer'?'&l='+l:'';j.async=true;/* NOTE(review): protocol-relative URL - it inherits the document's scheme, so it is https only because the page is served over https; an explicit https: scheme removes that dependency. */j.src= '//www.googletagmanager.com/gtm.js?id='+i+dl;f.parentNode.insertBefore(j,f); })(window,document,'script','dataLayer','GTM-PMDGSM'); }); </script> <!-- End Google Tag Manager --> <!-- Inline module scripts are deferred and execute in document order, so both "pageLoaded" listeners above (the classic script and the GTM module) are registered before this dispatch runs. --> <script type="module"> window.dispatchEvent(new CustomEvent("pageLoaded")); </script> <!-- Styles --> <!-- Stylesheet is preloaded and then applied from the same URL. Style nit: the trailing "/" on these void <link> tags is ignored by the HTML parser. --> <link rel="preload" as="style" href="https://www.welivesecurity.com/build/assets/app-22f82615.css" /><link rel="stylesheet" href="https://www.welivesecurity.com/build/assets/app-22f82615.css" /> <!-- Others 
--> <script> window.$current_language = JSON.parse('{"id":1,"code":"en","name":"English","is_pblic":true,"is_active":true,"is_default":true,"is_rtl":false}'); </script> <script>(window.BOOMR_mq=window.BOOMR_mq||[]).push(["addVar",{"rua.upush":"false","rua.cpush":"false","rua.upre":"false","rua.cpre":"false","rua.uprl":"false","rua.cprl":"false","rua.cprf":"false","rua.trans":"","rua.cook":"false","rua.ims":"false","rua.ufprl":"false","rua.cfprl":"false","rua.isuxp":"false","rua.texp":"norulematch","rua.ceh":"false","rua.ueh":"false","rua.ieh.st":"0"}]);</script> <script>!function(e){var n="https://s.go-mpulse.net/boomerang/";if("False"=="True")e.BOOMR_config=e.BOOMR_config||{},e.BOOMR_config.PageParams=e.BOOMR_config.PageParams||{},e.BOOMR_config.PageParams.pci=!0,n="https://s2.go-mpulse.net/boomerang/";if(window.BOOMR_API_key="7R9SM-QGSYF-QDLJK-UETXR-SPM6B",function(){function e(){if(!o){var e=document.createElement("script");e.id="boomr-scr-as",e.src=window.BOOMR.url,e.async=!0,i.parentNode.appendChild(e),o=!0}}function t(e){o=!0;var n,t,a,r,d=document,O=window;if(window.BOOMR.snippetMethod=e?"if":"i",t=function(e,n){var t=d.createElement("script");t.id=n||"boomr-if-as",t.src=window.BOOMR.url,BOOMR_lstart=(new Date).getTime(),e=e||d.body,e.appendChild(t)},!window.addEventListener&&window.attachEvent&&navigator.userAgent.match(/MSIE [67]\./))return window.BOOMR.snippetMethod="s",void t(i.parentNode,"boomr-async");a=document.createElement("IFRAME"),a.src="about:blank",a.title="",a.role="presentation",a.loading="eager",r=(a.frameElement||a).style,r.width=0,r.height=0,r.border=0,r.display="none",i.parentNode.appendChild(a);try{O=a.contentWindow,d=O.document.open()}catch(_){n=document.domain,a.src="javascript:var d=document.open();d.domain='"+n+"';void(0);",O=a.contentWindow,d=O.document.open()}if(n)d._boomrl=function(){this.domain=n,t()},d.write("<bo"+"dy onload='document._boomrl();'>");else 
if(O._boomrl=function(){t()},O.addEventListener)O.addEventListener("load",O._boomrl,!1);else if(O.attachEvent)O.attachEvent("onload",O._boomrl);d.close()}function a(e){window.BOOMR_onload=e&&e.timeStamp||(new Date).getTime()}if(!window.BOOMR||!window.BOOMR.version&&!window.BOOMR.snippetExecuted){window.BOOMR=window.BOOMR||{},window.BOOMR.snippetStart=(new Date).getTime(),window.BOOMR.snippetExecuted=!0,window.BOOMR.snippetVersion=12,window.BOOMR.url=n+"7R9SM-QGSYF-QDLJK-UETXR-SPM6B";var i=document.currentScript||document.getElementsByTagName("script")[0],o=!1,r=document.createElement("link");if(r.relList&&"function"==typeof r.relList.supports&&r.relList.supports("preload")&&"as"in r)window.BOOMR.snippetMethod="p",r.href=window.BOOMR.url,r.rel="preload",r.as="script",r.addEventListener("load",e),r.addEventListener("error",function(){t(!0)}),setTimeout(function(){if(!o)t(!0)},3e3),BOOMR_lstart=(new Date).getTime(),i.parentNode.appendChild(r);else t(!1);if(window.addEventListener)window.addEventListener("load",a,!1);else if(window.attachEvent)window.attachEvent("onload",a)}}(),"".length>0)if(e&&"performance"in e&&e.performance&&"function"==typeof e.performance.setResourceTimingBufferSize)e.performance.setResourceTimingBufferSize();!function(){if(BOOMR=e.BOOMR||{},BOOMR.plugins=BOOMR.plugins||{},!BOOMR.plugins.AK){var 
n=""=="true"?1:0,t="",a="bdpnbevydn5uaz2cvxeq-f-b6fdab78a-clientnsv4-s.akamaihd.net",i="false"=="true"?2:1,o={"ak.v":"39","ak.cp":"1251022","ak.ai":parseInt("757730",10),"ak.ol":"0","ak.cr":1,"ak.ipv":4,"ak.proto":"http/1.1","ak.rid":"239aa6a7","ak.r":41571,"ak.a2":n,"ak.m":"dscr","ak.n":"ff","ak.bpcip":"8.222.208.0","ak.cport":47202,"ak.gh":"184.27.123.93","ak.quicv":"","ak.tlsv":"tls1.2","ak.0rtt":"","ak.0rtt.ed":"","ak.csrc":"-","ak.acc":"reno","ak.t":"1732423113","ak.ak":"hOBiQwZUYzCg5VSAfCLimQ==0hCxG8wCkMk7R+AimG5pGNU/AMs8/qE6UHTm68F3qGZ8aHL7/0KRX1HUAt90nzEzT2PApCc1Zfu85442wEiSc4u7dZSKVLrGaKsxlM7R+X/wdZHFJOnXnvA/LRdf1nztq5dWtSx6EQb8CJmy375oRY1dJrx48IB2wO8BS0po+XqQ6hhaL164Iy1lNbGu8bIn+fCn7cku8r4O3pPRNc3KHl9kC6+8ZWMrgkRN7FsiHhYZrjNw/X5RaA7TM7Q3dY1/Mk6IuBOBEjnXeudiGnNNBFZ7QhEjGxPLpVPkVW7HqtreSdo3u7R9Wize/1y05y+yJFYDxKKNO+twVct0gMutjeaVlbaJfI1wfaqWW96yo6O/bsDQguhvC/dSoMF7Ket/Q7QkLjONZQ/BbwEFhOGYRThC9Fk91hdG8E7kVu68+yE=","ak.pv":"20","ak.dpoabenc":"","ak.tf":i};if(""!==t)o["ak.ruds"]=t;var r={i:!1,av:function(n){var t="http.initiator";if(n&&(!n[t]||"spa_hard"===n[t]))o["ak.feo"]=void 0!==e.aFeoApplied?1:0,BOOMR.addVar(o)},rv:function(){var e=["ak.bpcip","ak.cport","ak.cr","ak.csrc","ak.gh","ak.ipv","ak.m","ak.n","ak.ol","ak.proto","ak.quicv","ak.tlsv","ak.0rtt","ak.0rtt.ed","ak.r","ak.acc","ak.t","ak.tf"];BOOMR.removeVar(e)}};BOOMR.plugins.AK={akVars:o,akDNSPreFetchDomain:a,init:function(){if(!r.i){var e=BOOMR.subscribe;e("before_beacon",r.av,null,null),e("onbeacon",r.rv,null,null),r.i=!0}return this},is_complete:function(){return!0}}}}()}(window);</script></head> <body> <!-- Google Tag Manager (noscript) --> <noscript> <iframe src=https://www.googletagmanager.com/ns.html?id=GTM-PMDGSM height="0" width="0" style="display:none;visibility:hidden"></iframe> </noscript> <!-- End Google Tag Manager (noscript) --> <div id="app" > <!-- navbar --> <header id="wls-nav-header" class="wls-header navbar sticky-top navbar-expand-lg has-shadow"> <div class="container 
first-line"> <a class="header-brand" href="/en/" title="WeLiveSecurity"> <?xml version="1.0" encoding="UTF-8"?><svg id="Layer_2" xmlns="http://www.w3.org/2000/svg" viewBox="0 0 290 31.7919"><defs><style>.cls-1{fill:#0b8690;}.cls-2{fill:#053b44;}</style></defs><g id="Layer_1-2"><g><path class="cls-2" d="M0,8.6081H5.1069l2.869,10.7299,3.3282-10.845h4.3616l3.3833,10.845,2.9261-10.7879h4.9947l-5.51,17.8465h-4.5336l-3.3833-10.903-3.5012,10.903H5.451L0,8.6081Zm26.6257,9.0093h0c0-5.1069,3.6153-9.2964,8.7792-9.2964,5.9102,0,8.6651,4.5907,8.6651,9.6405,0,.4021-.057,.8603-.057,1.3195h-12.3955c.3233,2.123,2.219,3.6443,4.3616,3.5003,1.6303,.0269,3.1951-.6409,4.3036-1.8367l2.8729,2.5259c-1.7441,2.1958-4.4284,3.4313-7.2306,3.3282-4.9064,.227-9.0678-3.5664-9.2947-8.4728-.0109-.236-.0124-.4724-.0045-.7085Zm12.5095-1.4916c-.29-2.2378-1.6066-3.7874-3.7303-3.7874s-3.4432,1.4916-3.8444,3.7874h7.5747Zm57.842,7.9179l2.1266-3.3282c1.5999,1.2513,3.5393,1.9923,5.566,2.1267,1.4345,0,2.1266-.5162,2.1266-1.3195v-.057c0-1.0904-1.7216-1.4345-3.6733-2.0658-2.4679-.7463-5.2789-1.8937-5.2789-5.3369v-.057c0-3.6153,2.9261-5.6231,6.4843-5.6231,2.3553,.0234,4.6511,.742,6.5994,2.0658l-1.8937,3.5003c-1.4459-.9422-3.1015-1.5139-4.8207-1.6646-1.2054,0-1.8366,.5162-1.8366,1.2054v.057c0,.9754,1.6646,1.4345,3.6153,2.1267,2.4679,.8033,5.3369,2.0087,5.3369,5.2789v.057c0,3.9633-2.9261,5.7381-6.7666,5.7381-2.7543-.0573-5.4158-1.006-7.5854-2.7037Zm15.4356-6.4264h0c0-5.1069,3.6153-9.2964,8.7792-9.2964,5.9102,0,8.6651,4.5907,8.6651,9.6405,0,.4021-.057,.8603-.057,1.3195h-12.3375c.3233,2.123,2.219,3.6443,4.3616,3.5003,1.6303,.0269,3.1951-.6409,4.3036-1.8367l2.869,2.5249c-1.744,2.1959-4.4283,3.4315-7.2306,3.3282-5.3901,.001-9.3534-3.7835-9.3534-9.1804Zm12.5095-1.4916c-.29-2.2378-1.6066-3.7874-3.7303-3.7874s-3.4432,1.4916-3.8444,3.7874h7.5747Zm6.1412,1.4906h0c-.0992-5.0349,3.9019-9.197,8.9368-9.2964h.3596c2.6878-.1539,5.2947,.9485,7.0566,2.9841l-3.0991,3.3282c-.9721-1.2277-2.4505-1.9458-4.0165-1.9507-2.5249,0-4.3036,2.2
378-4.3036,4.8198v.057c0,2.697,1.7787,4.8778,4.4756,4.8778,1.5606-.0446,3.0342-.7295,4.0745-1.8937l2.9261,2.9841c-1.7686,2.1577-4.4423,3.3673-7.2306,3.2712-5.0035,.0682-9.115-3.9326-9.1832-8.9361,0-.0009,0-.0017,0-.0026,.0026-.0806,.0038-.1614,.0039-.2426Zm17.9606,2.5249V8.6642h5.0498v9.8706c0,2.4099,1.1474,3.6153,3.0411,3.6153s3.1562-1.2054,3.1562-3.6153V8.6071h5.0498V26.3386h-5.0498v-2.5249c-1.1459,1.7743-3.1079,2.8527-5.22,2.869-3.7893,.001-6.0271-2.4669-6.0271-6.5414Zm18.4767-11.5342h5.0498v3.5573c1.0324-2.4679,2.697-4.0165,5.6811-3.9024v5.2789h-.29c-3.3282,0-5.3939,2.0087-5.3939,6.2543v6.5414h-5.047V8.6071Zm12.5666,0h5.0498V26.3386h-5.0498V8.6071Zm8.9561,12.7396V12.9117h-2.1267v-4.3036h2.1267V4.0745h5.0498v4.5336h4.1885v4.3036h-4.1924v7.5747c0,1.1474,.5162,1.7216,1.6066,1.7216,.8637,.0094,1.7148-.2083,2.4679-.6312v4.0165c-1.1964,.7132-2.571,1.0716-3.9633,1.0334-3.0952,.057-5.1571-1.2054-5.1571-5.2799Zm11.4153,9.1813l1.6646-3.6153c.6415,.4009,1.372,.6373,2.1267,.6883,.7821,.0558,1.5071-.4118,1.7787-1.1474l-6.9474-17.7885h5.3369l4.0165,12.1074,3.8444-12.1074h5.22l-6.7666,18.1326c-1.3775,3.6153-2.812,4.9928-5.8531,4.9928-1.5664,.0294-3.1059-.4102-4.4205-1.2625ZM182.4783,1.3195c1.3945,0,2.5249,1.1304,2.5249,2.5249s-1.1304,2.5249-2.5249,2.5249-2.5249-1.1304-2.5249-2.5249,1.1304-2.5249,2.5249-2.5249Zm38.8471,2.754v2.1267h-.6312v-2.1267h-.8603v-.5162h2.3528v.4592h-.8603l-.0009,.057Zm4.0755,2.1238v-1.7796l-.8033,1.7787h-.6312l-.7463-1.7787,.057,.3441v1.3775h-.5732V3.5573h.7463l.8603,2.0658,.9753-2.0658h.6883v2.6399h-.5732Z" /><path class="cls-1" 
d="M46.2508,2.2378h5.0498V26.3956h-5.0498V2.2378Zm7.9189,6.3693h5.0498V26.3386h-5.0498V8.6071Zm6.5414,0h5.3369l3.9633,11.8783,4.0126-11.8783h5.22l-7.0005,17.8465h-4.5907l-6.9416-17.8465Zm17.9035,9.0102h0c0-5.1069,3.6153-9.2964,8.7792-9.2964,5.9102,0,8.6651,4.5907,8.6651,9.6405,0,.4021-.057,.8603-.057,1.3195h-12.3375c.3232,2.1226,2.2184,3.6438,4.3606,3.5003,1.6303,.0269,3.1951-.6409,4.3036-1.8367l2.869,2.5249c-1.744,2.1959-4.4283,3.4315-7.2306,3.3282-5.3891,.001-9.3524-3.7835-9.3524-9.1804Zm12.5095-1.4916c-.29-2.2378-1.6066-3.7874-3.7294-3.7874s-3.4432,1.4916-3.8444,3.7874h7.5738ZM56.6366,0c-1.7746,0-3.2132,1.4386-3.2132,3.2132,0,1.7746,1.4386,3.2132,3.2132,3.2132,1.7746,0,3.2132-1.4386,3.2132-3.2132h0c-.0188-1.7667-1.4464-3.1943-3.2132-3.2132Zm0,4.5907c-.7567-.0094-1.3677-.6208-1.3765-1.3775-.0202-.7605,.58-1.3933,1.3405-1.4135,.7605-.0202,1.3933,.58,1.4135,1.3405,.0006,.0243,.0006,.0487,0,.073-.0089,.7571-.6204,1.3686-1.3775,1.3775Zm191.3425,4.0213c-2.2021-.0287-4.2611,1.0885-5.4375,2.9502-.9299,1.6095-1.1339,4.233-1.1339,5.9711s.2049,4.3596,1.1339,5.9691c1.1767,1.8615,3.2355,2.9785,5.4375,2.9502h34.4972c2.2018,.0283,4.2603-1.0888,5.4365-2.9502,.928-1.6095,1.1349-4.233,1.1349-5.9711s-.2069-4.3567-1.1349-5.9662c-1.1762-1.8615-3.2347-2.9786-5.4365-2.9502l-34.4972-.0029Zm22.9572,7.9392h2.9v-.0899c0-1.3272-.5326-1.4268-1.4896-1.4268-1.16,0-1.3794,.377-1.4133,1.5167m-20.3859-1.4297c.9512,0,1.4635,.0967,1.4635,1.3997v.0628h-2.8487c.0319-1.1165,.2591-1.4626,1.3852-1.4626m-4.0233,2.463c0,3.1262,.783,4.2533,4.0745,4.2533,1.0071,.0751,2.0175-.0927,2.9464-.4891,.7808-.4894,1.2122-1.3829,1.1097-2.2987h-2.5965c-.0271,.8903-.6322,.9821-1.4626,.9821-1.1996,0-1.4336-.4833-1.4336-1.9788v-.0638h5.4887v-.405c0-3.4123-.9231-4.2668-4.06-4.2668-3.3553,0-4.0745,1.044-4.0745,4.2668m9.8793-1.5621c0,1.6665,.5742,2.4476,4.0735,2.4476,.3744-.0275,.7508,.0097,1.1126,.1102,.2736,.1199,.4021,.3586,.4021,.7927,0,.726-.2658,.8043-1.5128,.8043-.6931,0-1.3987-.0155-1.4307-.9502h-2.6438c.0203,1.8425,
.8932,2.4447,2.5085,2.5732,.4882,.0377,1.0188,.0348,1.565,.0348,2.2233,0,4.0735-.3712,4.0735-2.7849,0-2.2997-1.1996-2.463-4.0745-2.5288-1.4268-.0319-1.5109-.3316-1.5109-.8043,0-.5616,.0619-.7405,1.5119-.7405,.5317,0,1.0633,.0474,1.1822,.7086h2.4882v-.3393c0-2.001-2.0967-2.03-3.6733-2.03-2.3625,0-4.0735,.0532-4.0735,2.7066m21.6744-2.7066h6.5018v1.9005h-1.9333v6.525h-2.6274v-6.524h-1.9333l-.0077-1.9014Zm-9.7275,4.2059c0-3.2122,.7086-4.2398,4.0464-4.2398,3.1194,0,4.031,.842,4.031,4.2398v.376h-5.4896v.0909c0,1.4945,.2359,2.0058,1.4587,2.0058,.8226,0,1.45-.0909,1.4896-.9821h2.5413c.0948,.8946-.3269,1.7653-1.0875,2.2456-.9243,.3931-1.9294,.5588-2.9309,.4833-3.276,0-4.0464-1.1088-4.0464-4.2224m-23.7624,5.7874c-1.3214-1.421-1.6134-3.652-1.6134-5.7739s.29-4.35,1.6134-5.7758c1.0333-.9868,2.3994-1.5498,3.828-1.5776h17.7865v14.7048h-17.7865c-1.4285-.0278-2.7946-.5908-3.828-1.5776m43.7423-16.12c.0004-.036-.009-.0714-.0271-.1025-.0116-.0387-.0445-.0628-.086-.0899-.0385-.0194-.0807-.0303-.1237-.0319-.0559-.0087-.1126-.0123-.1692-.0106h-.1508v.5394h.115c.0678,.0013,.1357-.0022,.203-.0106,.0495-.0114,.0968-.0307,.1402-.057,.0317-.0265,.0574-.0594,.0754-.0967,.016-.0456,.0235-.0938,.0222-.1421m.8226,1.3533h-.61l-.5742-.7086h-.1933v.7066h-.4679v-1.913h.7269c.1085-.0031,.2172,.0024,.3248,.0164,.0855,.0088,.1681,.0355,.2426,.0783,.0789,.0405,.1456,.1012,.1933,.1759,.0425,.0819,.0625,.1737,.058,.2658,.0044,.1242-.0384,.2454-.1199,.3393-.0832,.0952-.1884,.1685-.3064,.2136l.7259,.8255Zm.4186-.9203c.0053-.4029-.1547-.7903-.4427-1.072-.2749-.2868-.6574-.4452-1.0546-.4369-.3998-.0086-.7851,.1497-1.0633,.4369-.5856,.5955-.5856,1.5505,0,2.146,.5715,.5851,1.5091,.5962,2.0942,.0247,.0083-.0081,.0166-.0164,.0247-.0247,.289-.2818,.4492-.6703,.4427-1.074m.4253,0c.0069,.5131-.1972,1.0066-.5645,1.3649-.7536,.747-1.9685,.747-2.7221,0-.3705-.3563-.5758-.851-.5665-1.3649-.0083-.5104,.1971-1.001,.5665-1.3533,.7441-.75,1.955-.7561,2.7066-.0135l.0135,.0135c.3662,.3543,.5704,.8438,.5645,1.3533m-64.0238,6.763
7h2.1044c1.5563,0,2.32,.6206,2.32,1.74,.0109,.539-.2936,1.0349-.7791,1.2692v.0242c.7243,.1716,1.2395,.8131,1.2509,1.5573,0,1.16-.6767,1.9652-2.5133,1.9652h-2.3828v-6.5559Zm2.0483,2.7588c.7414,0,1.1126-.2591,1.1126-.8893,0-.6767-.4456-.899-1.2799-.899h-.6109v1.7883h.7782Zm.2127,2.7898c.87,0,1.362-.2223,1.362-.9261s-.5007-.9667-1.4829-.9667h-.87v1.8908l.9908,.0019Zm4.9406-1.248l-2.32-4.3007h1.4548l1.5418,3.2267,1.6433-3.2248h1.4084l-2.4659,4.2726v2.2775h-1.2566l-.0058-2.2514Z" /></g></g></svg> </a> <p> Award-winning news, views, and insight from the ESET security community </p> <div class="ms-auto"> <div class="language-picker dropdown"><div class="language-picker-wrapper"><button class="btn dropdown-toggle" type="button" data-bs-toggle="dropdown"aria-expanded="false">English</button><ul class="dropdown-menu dropdown-menu-center"><a class="dropdown-item" href="/es/" title="Español">Español</a><a class="dropdown-item" href="/de/" title="Deutsch">Deutsch</a><a class="dropdown-item" href="/pt/" title="Português">Português</a><a class="dropdown-item" href="/fr/" title="Français">Français</a></ul></div></div> </div> </div> <div class="second-line"> <div class="container"> <div class="navbar-header"> <a class="header-brand" href="/en/" title="WeLiveSecurity"> <?xml version="1.0" encoding="UTF-8"?><svg id="Layer_2" xmlns="http://www.w3.org/2000/svg" viewBox="0 0 290 31.7919"><defs><style>.cls-1{fill:#0b8690;}.cls-2{fill:#053b44;}</style></defs><g id="Layer_1-2"><g><path class="cls-2" 
d="M0,8.6081H5.1069l2.869,10.7299,3.3282-10.845h4.3616l3.3833,10.845,2.9261-10.7879h4.9947l-5.51,17.8465h-4.5336l-3.3833-10.903-3.5012,10.903H5.451L0,8.6081Zm26.6257,9.0093h0c0-5.1069,3.6153-9.2964,8.7792-9.2964,5.9102,0,8.6651,4.5907,8.6651,9.6405,0,.4021-.057,.8603-.057,1.3195h-12.3955c.3233,2.123,2.219,3.6443,4.3616,3.5003,1.6303,.0269,3.1951-.6409,4.3036-1.8367l2.8729,2.5259c-1.7441,2.1958-4.4284,3.4313-7.2306,3.3282-4.9064,.227-9.0678-3.5664-9.2947-8.4728-.0109-.236-.0124-.4724-.0045-.7085Zm12.5095-1.4916c-.29-2.2378-1.6066-3.7874-3.7303-3.7874s-3.4432,1.4916-3.8444,3.7874h7.5747Zm57.842,7.9179l2.1266-3.3282c1.5999,1.2513,3.5393,1.9923,5.566,2.1267,1.4345,0,2.1266-.5162,2.1266-1.3195v-.057c0-1.0904-1.7216-1.4345-3.6733-2.0658-2.4679-.7463-5.2789-1.8937-5.2789-5.3369v-.057c0-3.6153,2.9261-5.6231,6.4843-5.6231,2.3553,.0234,4.6511,.742,6.5994,2.0658l-1.8937,3.5003c-1.4459-.9422-3.1015-1.5139-4.8207-1.6646-1.2054,0-1.8366,.5162-1.8366,1.2054v.057c0,.9754,1.6646,1.4345,3.6153,2.1267,2.4679,.8033,5.3369,2.0087,5.3369,5.2789v.057c0,3.9633-2.9261,5.7381-6.7666,5.7381-2.7543-.0573-5.4158-1.006-7.5854-2.7037Zm15.4356-6.4264h0c0-5.1069,3.6153-9.2964,8.7792-9.2964,5.9102,0,8.6651,4.5907,8.6651,9.6405,0,.4021-.057,.8603-.057,1.3195h-12.3375c.3233,2.123,2.219,3.6443,4.3616,3.5003,1.6303,.0269,3.1951-.6409,4.3036-1.8367l2.869,2.5249c-1.744,2.1959-4.4283,3.4315-7.2306,3.3282-5.3901,.001-9.3534-3.7835-9.3534-9.1804Zm12.5095-1.4916c-.29-2.2378-1.6066-3.7874-3.7303-3.7874s-3.4432,1.4916-3.8444,3.7874h7.5747Zm6.1412,1.4906h0c-.0992-5.0349,3.9019-9.197,8.9368-9.2964h.3596c2.6878-.1539,5.2947,.9485,7.0566,2.9841l-3.0991,3.3282c-.9721-1.2277-2.4505-1.9458-4.0165-1.9507-2.5249,0-4.3036,2.2378-4.3036,4.8198v.057c0,2.697,1.7787,4.8778,4.4756,4.8778,1.5606-.0446,3.0342-.7295,4.0745-1.8937l2.9261,2.9841c-1.7686,2.1577-4.4423,3.3673-7.2306,3.2712-5.0035,.0682-9.115-3.9326-9.1832-8.9361,0-.0009,0-.0017,0-.0026,.0026-.0806,.0038-.1614,.0039-.2426Zm17.9606,2.5249V8.6642h5.0498v9.8706c0,2.4099
,1.1474,3.6153,3.0411,3.6153s3.1562-1.2054,3.1562-3.6153V8.6071h5.0498V26.3386h-5.0498v-2.5249c-1.1459,1.7743-3.1079,2.8527-5.22,2.869-3.7893,.001-6.0271-2.4669-6.0271-6.5414Zm18.4767-11.5342h5.0498v3.5573c1.0324-2.4679,2.697-4.0165,5.6811-3.9024v5.2789h-.29c-3.3282,0-5.3939,2.0087-5.3939,6.2543v6.5414h-5.047V8.6071Zm12.5666,0h5.0498V26.3386h-5.0498V8.6071Zm8.9561,12.7396V12.9117h-2.1267v-4.3036h2.1267V4.0745h5.0498v4.5336h4.1885v4.3036h-4.1924v7.5747c0,1.1474,.5162,1.7216,1.6066,1.7216,.8637,.0094,1.7148-.2083,2.4679-.6312v4.0165c-1.1964,.7132-2.571,1.0716-3.9633,1.0334-3.0952,.057-5.1571-1.2054-5.1571-5.2799Zm11.4153,9.1813l1.6646-3.6153c.6415,.4009,1.372,.6373,2.1267,.6883,.7821,.0558,1.5071-.4118,1.7787-1.1474l-6.9474-17.7885h5.3369l4.0165,12.1074,3.8444-12.1074h5.22l-6.7666,18.1326c-1.3775,3.6153-2.812,4.9928-5.8531,4.9928-1.5664,.0294-3.1059-.4102-4.4205-1.2625ZM182.4783,1.3195c1.3945,0,2.5249,1.1304,2.5249,2.5249s-1.1304,2.5249-2.5249,2.5249-2.5249-1.1304-2.5249-2.5249,1.1304-2.5249,2.5249-2.5249Zm38.8471,2.754v2.1267h-.6312v-2.1267h-.8603v-.5162h2.3528v.4592h-.8603l-.0009,.057Zm4.0755,2.1238v-1.7796l-.8033,1.7787h-.6312l-.7463-1.7787,.057,.3441v1.3775h-.5732V3.5573h.7463l.8603,2.0658,.9753-2.0658h.6883v2.6399h-.5732Z" /><path class="cls-1" 
d="M46.2508,2.2378h5.0498V26.3956h-5.0498V2.2378Zm7.9189,6.3693h5.0498V26.3386h-5.0498V8.6071Zm6.5414,0h5.3369l3.9633,11.8783,4.0126-11.8783h5.22l-7.0005,17.8465h-4.5907l-6.9416-17.8465Zm17.9035,9.0102h0c0-5.1069,3.6153-9.2964,8.7792-9.2964,5.9102,0,8.6651,4.5907,8.6651,9.6405,0,.4021-.057,.8603-.057,1.3195h-12.3375c.3232,2.1226,2.2184,3.6438,4.3606,3.5003,1.6303,.0269,3.1951-.6409,4.3036-1.8367l2.869,2.5249c-1.744,2.1959-4.4283,3.4315-7.2306,3.3282-5.3891,.001-9.3524-3.7835-9.3524-9.1804Zm12.5095-1.4916c-.29-2.2378-1.6066-3.7874-3.7294-3.7874s-3.4432,1.4916-3.8444,3.7874h7.5738ZM56.6366,0c-1.7746,0-3.2132,1.4386-3.2132,3.2132,0,1.7746,1.4386,3.2132,3.2132,3.2132,1.7746,0,3.2132-1.4386,3.2132-3.2132h0c-.0188-1.7667-1.4464-3.1943-3.2132-3.2132Zm0,4.5907c-.7567-.0094-1.3677-.6208-1.3765-1.3775-.0202-.7605,.58-1.3933,1.3405-1.4135,.7605-.0202,1.3933,.58,1.4135,1.3405,.0006,.0243,.0006,.0487,0,.073-.0089,.7571-.6204,1.3686-1.3775,1.3775Zm191.3425,4.0213c-2.2021-.0287-4.2611,1.0885-5.4375,2.9502-.9299,1.6095-1.1339,4.233-1.1339,5.9711s.2049,4.3596,1.1339,5.9691c1.1767,1.8615,3.2355,2.9785,5.4375,2.9502h34.4972c2.2018,.0283,4.2603-1.0888,5.4365-2.9502,.928-1.6095,1.1349-4.233,1.1349-5.9711s-.2069-4.3567-1.1349-5.9662c-1.1762-1.8615-3.2347-2.9786-5.4365-2.9502l-34.4972-.0029Zm22.9572,7.9392h2.9v-.0899c0-1.3272-.5326-1.4268-1.4896-1.4268-1.16,0-1.3794,.377-1.4133,1.5167m-20.3859-1.4297c.9512,0,1.4635,.0967,1.4635,1.3997v.0628h-2.8487c.0319-1.1165,.2591-1.4626,1.3852-1.4626m-4.0233,2.463c0,3.1262,.783,4.2533,4.0745,4.2533,1.0071,.0751,2.0175-.0927,2.9464-.4891,.7808-.4894,1.2122-1.3829,1.1097-2.2987h-2.5965c-.0271,.8903-.6322,.9821-1.4626,.9821-1.1996,0-1.4336-.4833-1.4336-1.9788v-.0638h5.4887v-.405c0-3.4123-.9231-4.2668-4.06-4.2668-3.3553,0-4.0745,1.044-4.0745,4.2668m9.8793-1.5621c0,1.6665,.5742,2.4476,4.0735,2.4476,.3744-.0275,.7508,.0097,1.1126,.1102,.2736,.1199,.4021,.3586,.4021,.7927,0,.726-.2658,.8043-1.5128,.8043-.6931,0-1.3987-.0155-1.4307-.9502h-2.6438c.0203,1.8425,
.8932,2.4447,2.5085,2.5732,.4882,.0377,1.0188,.0348,1.565,.0348,2.2233,0,4.0735-.3712,4.0735-2.7849,0-2.2997-1.1996-2.463-4.0745-2.5288-1.4268-.0319-1.5109-.3316-1.5109-.8043,0-.5616,.0619-.7405,1.5119-.7405,.5317,0,1.0633,.0474,1.1822,.7086h2.4882v-.3393c0-2.001-2.0967-2.03-3.6733-2.03-2.3625,0-4.0735,.0532-4.0735,2.7066m21.6744-2.7066h6.5018v1.9005h-1.9333v6.525h-2.6274v-6.524h-1.9333l-.0077-1.9014Zm-9.7275,4.2059c0-3.2122,.7086-4.2398,4.0464-4.2398,3.1194,0,4.031,.842,4.031,4.2398v.376h-5.4896v.0909c0,1.4945,.2359,2.0058,1.4587,2.0058,.8226,0,1.45-.0909,1.4896-.9821h2.5413c.0948,.8946-.3269,1.7653-1.0875,2.2456-.9243,.3931-1.9294,.5588-2.9309,.4833-3.276,0-4.0464-1.1088-4.0464-4.2224m-23.7624,5.7874c-1.3214-1.421-1.6134-3.652-1.6134-5.7739s.29-4.35,1.6134-5.7758c1.0333-.9868,2.3994-1.5498,3.828-1.5776h17.7865v14.7048h-17.7865c-1.4285-.0278-2.7946-.5908-3.828-1.5776m43.7423-16.12c.0004-.036-.009-.0714-.0271-.1025-.0116-.0387-.0445-.0628-.086-.0899-.0385-.0194-.0807-.0303-.1237-.0319-.0559-.0087-.1126-.0123-.1692-.0106h-.1508v.5394h.115c.0678,.0013,.1357-.0022,.203-.0106,.0495-.0114,.0968-.0307,.1402-.057,.0317-.0265,.0574-.0594,.0754-.0967,.016-.0456,.0235-.0938,.0222-.1421m.8226,1.3533h-.61l-.5742-.7086h-.1933v.7066h-.4679v-1.913h.7269c.1085-.0031,.2172,.0024,.3248,.0164,.0855,.0088,.1681,.0355,.2426,.0783,.0789,.0405,.1456,.1012,.1933,.1759,.0425,.0819,.0625,.1737,.058,.2658,.0044,.1242-.0384,.2454-.1199,.3393-.0832,.0952-.1884,.1685-.3064,.2136l.7259,.8255Zm.4186-.9203c.0053-.4029-.1547-.7903-.4427-1.072-.2749-.2868-.6574-.4452-1.0546-.4369-.3998-.0086-.7851,.1497-1.0633,.4369-.5856,.5955-.5856,1.5505,0,2.146,.5715,.5851,1.5091,.5962,2.0942,.0247,.0083-.0081,.0166-.0164,.0247-.0247,.289-.2818,.4492-.6703,.4427-1.074m.4253,0c.0069,.5131-.1972,1.0066-.5645,1.3649-.7536,.747-1.9685,.747-2.7221,0-.3705-.3563-.5758-.851-.5665-1.3649-.0083-.5104,.1971-1.001,.5665-1.3533,.7441-.75,1.955-.7561,2.7066-.0135l.0135,.0135c.3662,.3543,.5704,.8438,.5645,1.3533m-64.0238,6.763
7h2.1044c1.5563,0,2.32,.6206,2.32,1.74,.0109,.539-.2936,1.0349-.7791,1.2692v.0242c.7243,.1716,1.2395,.8131,1.2509,1.5573,0,1.16-.6767,1.9652-2.5133,1.9652h-2.3828v-6.5559Zm2.0483,2.7588c.7414,0,1.1126-.2591,1.1126-.8893,0-.6767-.4456-.899-1.2799-.899h-.6109v1.7883h.7782Zm.2127,2.7898c.87,0,1.362-.2223,1.362-.9261s-.5007-.9667-1.4829-.9667h-.87v1.8908l.9908,.0019Zm4.9406-1.248l-2.32-4.3007h1.4548l1.5418,3.2267,1.6433-3.2248h1.4084l-2.4659,4.2726v2.2775h-1.2566l-.0058-2.2514Z" /></g></g></svg> </a> <div class="me-2"> <button class=" navbar-toggler button-hamburger collapsed d-flex d-lg-none flex-column justify-content-around" type="button" data-bs-toggle="collapse" data-bs-target="#navbarNavDropdown" aria-controls="navbarNavDropdown" aria-expanded="false" aria-label="This is toggle button"><span class="toggler-icon top-bar"></span><span class="toggler-icon middle-bar"></span><span class="toggler-icon bottom-bar"></span></button> </div> </div> <nav id="navbarNavDropdown" class="collapse navbar-collapse page-navbar"><ul class="navbar-nav"><li class="nav-item d-lg-none"><div class="search-bar-input"><search-bar-component placeholder="Search WeLiveSecurity"class="search-bar-component-wrapper"></search-bar-component></div></li><li class="nav-item"><a class="nav-link" href="/en/tips-advice/" title="TIPS & ADVICE"><span class="">TIPS & ADVICE</span></a></li><hr class="articles-card-divider px-0 m-0" /><li class="nav-item"><a class="nav-link" href="/en/business-security/" title="BUSINESS SECURITY"><span class="">BUSINESS SECURITY</span></a></li><hr class="articles-card-divider px-0 m-0" /><li class="nav-item dropdown"><a class="nav-link dropdown-toggle" href="" title="ESET RESEARCH" role="button" data-bs-toggle="dropdown"aria-expanded="false">ESET RESEARCH</a><div class="dropdown-menu dropdown-menu-center"><div class="dropdown-items-wrapper"><a class="dropdown-item" href="/en/about-eset-research/" title="About ESET Research"><span class="">About ESET Research</span></a><a 
class="dropdown-item" href="/en/eset-research/" title="Blogposts"><span class="">Blogposts</span></a><a class="dropdown-item" href="/en/podcasts/" title="Podcasts"><span class="">Podcasts</span></a><a class="dropdown-item" href="/en/white-papers/" title="White papers"><span class="">White papers</span></a><a class="dropdown-item" href="/en/threat-reports/" title="Threat reports"><span class="">Threat reports</span></a></div></div></li><hr class="articles-card-divider px-0 m-0" /><li class="nav-item"><a class="nav-link" href="/en/we-live-science/" title="WeLiveScience"><span class="button-link">WeLiveScience</span></a></li><hr class="articles-card-divider px-0 m-0" /><li class="nav-item dropdown"><a class="nav-link dropdown-toggle" href="" title="FEATURED" role="button" data-bs-toggle="dropdown"aria-expanded="false">FEATURED</a><div class="dropdown-menu dropdown-menu-center"><div class="dropdown-items-wrapper"><a class="dropdown-item" href="/en/ukraine-crisis-digital-security-resource-center/" title="Ukraine crisis – Digital security resource center"><span class="">Ukraine crisis – Digital security resource center</span></a><a class="dropdown-item" href="/en/we-live-progress/" title="WeLiveProgress"><span class="">WeLiveProgress</span></a><a class="dropdown-item" href="/en/covid-19/" title="COVID-19"><span class="">COVID-19</span></a><a class="dropdown-item" href="/en/resources/" title="Resources"><span class="">Resources</span></a><a class="dropdown-item" href="/en/videos/" title="Videos"><span class="">Videos</span></a></div></div></li><hr class="articles-card-divider px-0 m-0" /><li class="nav-item dropdown"><a class="nav-link dropdown-toggle" href="" title="TOPICS" role="button" data-bs-toggle="dropdown"aria-expanded="false">TOPICS</a><div class="dropdown-menu dropdown-menu-center"><div class="dropdown-items-wrapper"><a class="dropdown-item" href="/en/cybersecurity/" title="Digital Security"><span class="">Digital Security</span></a><a class="dropdown-item" 
href="/en/scams/" title="Scams"><span class="">Scams</span></a><a class="dropdown-item" href="/en/how-to/" title="How to"><span class="">How to</span></a><a class="dropdown-item" href="/en/privacy/" title="Privacy"><span class="">Privacy</span></a><a class="dropdown-item" href="/en/cybercrime/" title="Cybercrime"><span class="">Cybercrime</span></a><a class="dropdown-item" href="/en/kids-online/" title="Kids online"><span class="">Kids online</span></a><a class="dropdown-item" href="/en/social-media/" title="Social media"><span class="">Social media</span></a><a class="dropdown-item" href="/en/internet-of-things/" title="Internet of Things"><span class="">Internet of Things</span></a><a class="dropdown-item" href="/en/malware/" title="Malware"><span class="">Malware</span></a><a class="dropdown-item" href="/en/ransomware/" title="Ransomware"><span class="">Ransomware</span></a><a class="dropdown-item" href="/en/secure-coding/" title="Secure coding"><span class="">Secure coding</span></a><a class="dropdown-item" href="/en/mobile-security/" title="Mobile security"><span class="">Mobile security</span></a><a class="dropdown-item" href="/en/critical-infrastructure/" title="Critical infrastructure"><span class="">Critical infrastructure</span></a><a class="dropdown-item" href="/en/about-eset-research/" title="Threat research"><span class="">Threat research</span></a></div></div></li><hr class="articles-card-divider px-0 m-0" /><li class="nav-item dropdown"><a class="nav-link dropdown-toggle" href="" title="ABOUT US" role="button" data-bs-toggle="dropdown"aria-expanded="false">ABOUT US</a><div class="dropdown-menu dropdown-menu-center"><div class="dropdown-items-wrapper"><a class="dropdown-item" href="/en/company/about-us/" title="About WeLiveSecurity"><span class="">About WeLiveSecurity</span></a><a class="dropdown-item" href="/en/our-experts/" title="Our Experts"><span class="">Our Experts</span></a><a class="dropdown-item" href="/en/company/contact-us/" title="Contact 
Us"><span class="">Contact Us</span></a></div></div></li><hr class="articles-card-divider px-0 m-0" /><li class="nav-item dropdown d-lg-none"><a class="nav-link dropdown-toggle languages" href="/en/" title="English" role="button"data-bs-toggle="dropdown" aria-expanded="false">English</a><div class="dropdown-menu dropdown-menu-center"><div class="dropdown-items-wrapper"><a class="dropdown-item" href="/es/" title="Español">Español</a><a class="dropdown-item" href="/de/" title="Deutsch">Deutsch</a><a class="dropdown-item" href="/pt/" title="Português">Português</a><a class="dropdown-item" href="/fr/" title="Français">Français</a></div></div></li><li class="nav-item ms-auto d-none d-lg-block"><button class="nav-link ms-auto search-button-close" type="button" data-bs-toggle="collapse"data-bs-target=".search-bar-wrapper" aria-expanded="false"><svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 19.9485 19.9001" fill="#424D56"><path d="m19.5429,17.9473l-4.86-4.852c2.7034-3.5802,1.9927-8.674-1.5874-11.3774C9.5153-.9856,4.4214-.2749,1.718,3.3053-.9854,6.8854-.2747,11.9793,3.3055,14.6827c1.4094,1.0643,3.1273,1.6402,4.8934,1.6406,1.7749.0083,3.5023-.5739,4.91-1.655l4.883,4.829c.207.2113.4912.329.787.326.2948-.0022.5771-.1191.787-.326.4163-.4365.406-1.126-.023-1.55Zm-11.316-3.821c-3.2811-.0017-5.9396-2.663-5.9378-5.9442.0017-3.2811,2.663-5.9396,5.9442-5.9378,1.5726.0008,3.0806.6251,4.1937,1.736,1.1259,1.1056,1.7528,2.6221,1.736,4.2-.0007,1.5744-.6249,3.0845-1.736,4.2-1.1067,1.1254-2.6216,1.7552-4.2,1.746Z" /></svg></button></li></ul><div class="search-bar"><div class="collapse search-bar-wrapper"><div class="search-bar-input"><search-bar-component placeholder="Search WeLiveSecurity"class="search-bar-component-wrapper"></search-bar-component><button class="nav-link search-button-close" type="button" data-bs-toggle="collapse"data-bs-target=".search-bar-wrapper" aria-expanded="false"><svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 18.1065 18.0626"><polygon points="10.6883 
9.0363 17.4683 15.8163 15.8383 17.4463 9.0583 10.6663 2.2683 17.4463 .6383 15.8163 7.4283 9.0363 .6383 2.2463 2.2683 .6163 9.0583 7.4063 15.8383 .6163 17.4683 2.2463 10.6883 9.0363" /></svg></button></div></div></div></nav> </div> </div> <div class="additional-info d-none"> <div class="container"> <p> Award-winning news, views, and insight from the ESET security community </p> </div> </div> </header> <!-- main content --> <div id="main"> <div class="container article-page py-5"> <div class="row"> <div class="col col-lg-8 pe-lg-0"> <div class="article-header"> <p class="category text-uppercase">ESET Research</p> <h1 class="page-headline">BackdoorDiplomacy: Upgrading from Quarian to Turian</h1> <p class="sub-title">ESET researchers discover a new campaign that evolved from the Quarian backdoor</p> <div class="article-authors d-flex flex-wrap"><div class="article-author d-flex"><a href="/en/our-experts/adam-burgher/" title="Adam Burgher"><picture><source srcset="https://web-assets.esetstatic.com/tn/-x45/wls/2021/06/Adam-Burgher.jpg" media="(max-width: 768px)" /><img class="author-image me-3" src="https://web-assets.esetstatic.com/tn/-x45/wls/2021/06/Adam-Burgher.jpg" alt="Adam Burgher" /></picture></a><div class="author-text"><p><a href="/en/our-experts/adam-burgher/" title="Adam Burgher"><b>Adam Burgher</b></a></p></div></div></div> <p class="article-info mb-5"> <span>10 Jun 2021</span> <span class="d-none d-lg-inline"> • </span> <span class="d-inline d-lg-none">, </span> <span>14 min. 
read</span> </p> <div class="hero-image-container"> <picture><source srcset="https://web-assets.esetstatic.com/tn/-x266/wls/2021/06/eset-research-backdoordiplomacy-quarian-turian-apt.jpg" media="(max-width: 768px)" /><source srcset="https://web-assets.esetstatic.com/tn/-x425/wls/2021/06/eset-research-backdoordiplomacy-quarian-turian-apt.jpg" media="(max-width: 1120px)" /><img class="hero-image" src="https://web-assets.esetstatic.com/tn/-x700/wls/2021/06/eset-research-backdoordiplomacy-quarian-turian-apt.jpg" alt="BackdoorDiplomacy: Upgrading from Quarian to Turian" /></picture> </div> </div> <div class="article-body"> <h2>Executive summary</h2> <p>An APT group that we are calling BackdoorDiplomacy, due to the main vertical of its victims, has been targeting Ministries of Foreign Affairs and telecommunication companies in Africa and the Middle East since at least 2017. For initial infection vectors, the group favors exploiting vulnerable internet-exposed devices such as web servers and management interfaces for networking equipment. Once on a system, its operators make use of open-source tools for scanning the environment and lateral movement. Interactive access is achieved in two ways: (1) via a custom backdoor we are calling Turian that is derived from the Quarian backdoor; and (2) in fewer instances, when more direct and interactive access is required, certain open-source remote access tools are deployed. In several instances, the group has been observed targeting removable media for data collection and exfiltration. Finally, both Windows and Linux operating systems have been targeted.</p> <h2>Links with known groups</h2> <p>BackdoorDiplomacy shares commonalities with several other Asian groups. Most obvious among them is the connection between the Turian backdoor and the Quarian backdoor. Specific observations regarding the Turian-Quarian connection are recorded below in the <em>Turian</em> section. 
We believe this group is also linked with a group Kaspersky referred to as “<a href="https://securelist.com/apt-trends-report-q2-2020/97937/" target="_blank" rel="noopener"><em>CloudComputating</em></a>” that was also analyzed by <a href="https://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~SVProxy-A/detailed-analysis.aspx" target="_blank" rel="noopener"><em>Sophos</em></a>.</p> <p>Several victims were compromised via mechanisms that closely matched the <a href="https://www.fortinet.com/blog/threat-research/rehashed-rat-used-in-apt-campaign-against-vietnamese-organizations" target="_blank" rel="noopener"><em>Rehashed Rat</em></a> and a <a href="https://www.intezer.com/blog/research/miragefox-apt15-resurfaces-with-new-tools-based-on-old-ones/" target="_blank" rel="noopener"><em>MirageFox-APT15</em></a> campaign documented by Fortinet in 2017 and Intezer in 2018, respectively. The BackdoorDiplomacy operators made use of their specific form of DLL Search-Order Hijacking.</p> <p>Finally, the network encryption method BackdoorDiplomacy uses is quite similar to a backdoor <a href="https://news.drweb.com/show/?i=13907&lng=en" target="_blank" rel="noopener"><em>Dr.Web</em></a> calls <a href="https://vms.drweb.co.jp/search/?q=BackDoor.Whitebird.1&lng=en" target="_blank" rel="noopener"><em>Backdoor.Whitebird.1</em></a>. Whitebird was used to target government institutions in Kazakhstan and Kyrgyzstan (both neighbors of a BackdoorDiplomacy victim in Uzbekistan) within the same 2017-to-present timeframe in which BackdoorDiplomacy has been active.</p> <h2>Victimology</h2> <p>Quarian was used to target the <a href="https://securelist.com/a-targeted-attack-against-the-syrian-ministry-of-foreign-affairs/34742/" target="_blank" rel="noopener"><em>Syrian Ministry of Foreign Affairs in 2012</em></a>, as well as the <a href="https://threatconnect.com/blog/divide-and-conquer/" target="_blank" rel="noopener"><em>US State Department in 2013</em></a>. 
This trend of targeting Ministries of Foreign Affairs continues with Turian.</p> <p>Victims have been discovered in the Ministries of Foreign Affairs of several African countries, as well as in Europe, the Middle East, and Asia. Additional targets include telecommunication companies in Africa, and at least one Middle Eastern charity. In each case, operators employed similar tactics, techniques, and procedures (TTPs), but modified the tools used, even within close geographic regions, likely to make tracking the group more difficult. See Figure 1 for a map of victims by country and vertical.</p> <p><div class="caption center"><a href="https://web-assets.esetstatic.com/wls/2021/06/Figure-1.-Victims-by-country-and-vertical.jpg"><img class="wp-image-151510" src="https://web-assets.esetstatic.com/wls/2021/06/Figure-1.-Victims-by-country-and-vertical.jpg" alt="" width="800" height="485" /></a><p class="caption-text"><em>Figure 1. Victims by country and vertical</em></p></div></p> <h2>Attack vectors</h2> <p>BackdoorDiplomacy targeted servers with internet-exposed ports, likely exploiting unpatched vulnerabilities or poorly enforced file-upload security. In one specific instance, we observed the operators exploit an F5 BIG-IP vulnerability (<a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-5902" target="_blank" rel="noopener"><em>CVE-2020-5902</em></a>) to drop a Linux backdoor. In another, a Microsoft Exchange server was exploited via a PowerShell dropper that installed <a href="https://attack.mitre.org/software/S0020/" target="_blank" rel="noopener"><em>China Chopper</em></a>, a well-known webshell in use by various groups since 2013. In a third, we observed a <a href="https://www.plesk.com/" target="_blank" rel="noopener"><em>Plesk</em></a> server with poorly configured file-upload security execute another webshell similar to China Chopper. 
See Figure 2 for an overview of the exploit chain.</p> <p><div class="caption center"><a href="https://web-assets.esetstatic.com/wls/2021/06/Figure-2.-Exploit-chain-from-initial-compromise-to-backdoor-with-CC-communications.jpg"><img class="wp-image-151511" src="https://web-assets.esetstatic.com/wls/2021/06/Figure-2.-Exploit-chain-from-initial-compromise-to-backdoor-with-CC-communications.jpg" alt="" width="800" height="248" /></a><p class="caption-text"><em>Figure 2. Exploit chain from initial compromise to backdoor with C&C communications</em></p></div></p> <h2>Reconnaissance and lateral movement</h2> <p>Following the initial compromise, in many instances the BackdoorDiplomacy group employed open-source reconnaissance and red-team tools to evaluate the environment for additional targets of opportunity and lateral movement. Among the tools documented are:</p> <ul> <li><a href="https://rootkiter.com/EarthWorm/en/index.html" target="_blank" rel="noopener"><em>EarthWorm</em></a>, a simple network tunnel with SOCKS v5 server and port transfer functionalities</li> <li><a href="https://github.com/gentilkiwi/mimikatz/wiki" target="_blank" rel="noopener"><em>Mimikatz</em></a>, and various versions including <a href="https://github.com/GhostPack/SafetyKatz" target="_blank" rel="noopener"><em>SafetyKatz</em></a></li> <li><a href="http://www.unixwiz.net/tools/nbtscan.html" target="_blank" rel="noopener"><em>Nbtscan</em></a>, a command line NetBIOS scanner for Windows</li> <li><a href="http://netcat.sourceforge.net/" target="_blank" rel="noopener"><em>NetCat</em></a>, a networking utility that reads and writes data across network connections</li> <li><a href="https://ss64.com/nt/portqry.html" target="_blank" rel="noopener"><em>PortQry</em></a>, a tool to display the status of TCP and UDP ports on remote systems</li> <li><a href="https://github.com/3gstudent/Smbtouch-Scanner" target="_blank" rel="noopener"><em>SMBTouch</em></a>, used to determine whether a target is vulnerable 
to EternalBlue</li> <li>Various tools from the ShadowBrokers dump of NSA tools including, but not limited to: <ul> <li>DoublePulsar</li> <li>EternalBlue</li> <li>EternalRocks</li> <li>EternalSynergy</li> </ul> </li> </ul> <p>Commonly used directories for staging recon and lateral movement tools include:</p> <ul> <li><span style="font-family: courier new, courier, monospace;">C:\Program Files\Windows Mail\en-US\</span></li> <li><span style="font-family: courier new, courier, monospace;">%LOCALAPPDATA%\Microsoft\InstallAgent\Checkpoints\</span></li> <li><span style="font-family: courier new, courier, monospace;">C:\ProgramData\ESET\ESET Security\Logs\eScan\</span></li> <li><span style="font-family: courier new, courier, monospace;">%USERPROFILE%\ESET\ESET Security\Logs\eScan\</span></li> <li><span style="font-family: courier new, courier, monospace;">C:\Program Files\hp\hponcfg\</span></li> <li><span style="font-family: courier new, courier, monospace;">C:\Program Files\hp\hpssa\</span></li> <li><span style="font-family: courier new, courier, monospace;">C:\hp\hpsmh\</span></li> <li><span style="font-family: courier new, courier, monospace;">C:\ProgramData\Mozilla\updates\</span></li> </ul> <p>Of the tools listed above, many were obfuscated with VMProtect (v1.60-2.05), a recurring theme with BackdoorDiplomacy tools.</p> <h2>Windows</h2> <h3>Backdoor droppers</h3> <p>In some instances, operators were observed uploading backdoor droppers. Operators attempted to disguise their backdoor droppers and evade detection in various ways.</p> <ul> <li>Naming conventions designed to blend into normal operations (e.g. 
<span style="font-family: courier new, courier, monospace;">amsc.exe</span>, <span style="font-family: courier new, courier, monospace;">msvsvr.dll</span>, <span style="font-family: courier new, courier, monospace;">alg.exe</span>)</li> <li>Dropping implants in folders named for legitimate software (e.g., <span style="font-family: courier new, courier, monospace;">C:\Program Files\hp</span>, <span style="font-family: courier new, courier, monospace;">C:\ProgramData\ESET</span>, <span style="font-family: courier new, courier, monospace;">C:\ProgramData\Mozilla</span>)</li> <li><a href="https://attack.mitre.org/techniques/T1574/001/" target="_blank" rel="noopener"><em>DLL search order hijacking</em></a></li> </ul> <p>In one such instance, the operators uploaded, via a webshell, both <span style="font-family: courier new, courier, monospace;">ScnCfg.exe</span> (SHA-1: <span style="font-family: courier new, courier, monospace;">573C35AB1F243D6806DEDBDD7E3265BC5CBD5B9A</span>), a legitimate McAfee executable, and <span style="font-family: courier new, courier, monospace;">vsodscpl.dll</span>, a malicious DLL named after a legitimate McAfee DLL that is called by <span style="font-family: courier new, courier, monospace;">ScnCfg.exe</span>. 
The version of <span style="font-family: courier new, courier, monospace;">vsodscpl.dll</span> (SHA-1: <span style="font-family: courier new, courier, monospace;">FCD8129EA56C8C406D1461CE9DB3E02E616D2AA9</span>) deployed was called by <span style="font-family: courier new, courier, monospace;">ScnCfg.exe</span>, at which point <span style="font-family: courier new, courier, monospace;">vsodscpl.dll</span> extracted Turian embedded within its code, wrote it to memory, and executed it.</p> <p>On a different system, operators dropped a legitimate copy of <span style="font-family: courier new, courier, monospace;">credwize.exe</span>, the Microsoft Credential Backup and Restore Wizard, on disk and used it to execute the malicious library <span style="font-family: courier new, courier, monospace;">New.dll</span>, another Turian variant.</p> <h3>Turian</h3> <p>About half of the samples we collected were obfuscated with VMProtect. A compilation of observed operator commands is included in the <em>Operator commands</em> section. Unique network encryption schemes are individually discussed below as well.</p> <h4><strong>Similarities with Quarian</strong></h4> <p>The initial reporting by Kaspersky notes that the victims of Quarian were at the Syrian Ministry of Foreign Affairs, a similar target-set of Turian.</p> <p>In many of the Turian samples we collected, there are obvious similarities with Quarian. Mutexes are used by both to verify that only one instance is running, although the mutexes used are dissimilarly named. 
We observed the following mutexes used by Turian:</p> <ul> <li><span style="font-family: courier new, courier, monospace;">winsupdatetw</span></li> <li><span style="font-family: courier new, courier, monospace;">clientsix</span></li> <li><span style="font-family: courier new, courier, monospace;">client</span></li> <li><span style="font-family: courier new, courier, monospace;">updatethres</span></li> <li>Others: dynamically generated based on the system’s hostname, limited to eight hex characters, lower-case, and prefaced with a leading zero</li> </ul> <p>C&C server domains and IP addresses are extracted with similar XOR routines; where Quarian uses a decryption key of <span style="font-family: courier new, courier, monospace;">0x44</span>, Turian uses <span style="font-family: courier new, courier, monospace;">0xA9</span>.</p> <p>Turian and Quarian both read the first four bytes from the file <span style="font-family: courier new, courier, monospace;">cf</span> in the same directory as the malware’s executable, which are then used as the sleep length as part of the C&C beacon routine.</p> <p>The Turian network connection process follows a similar pattern to Quarian, attempting to make a direct connection. If that fails due to a local proxy with a response of 407 (Authorization Required), both try to use locally cached credentials. However, the request sent to the proxy by Turian does not contain any of the grammatical mistakes that Quarian sent. See Figure 3 for a comparison of proxy connection attempts.</p> <p><div class="caption center"><a href="https://web-assets.esetstatic.com/wls/2021/06/Figure-3.-Comparison-of-proxy-connection-attempts-Turian-left-and-Quarian-right.jpg"><img class="wp-image-151512" src="https://web-assets.esetstatic.com/wls/2021/06/Figure-3.-Comparison-of-proxy-connection-attempts-Turian-left-and-Quarian-right.jpg" alt="" width="800" height="106" /></a><p class="caption-text"><em>Figure 3. 
Comparison of proxy connection attempts, Turian (left) and Quarian (right)</em></p></div></p> <p>Finally, both Turian and Quarian create a remote shell by copying <span style="font-family: courier new, courier, monospace;">cmd.exe</span> to <span style="font-family: courier new, courier, monospace;">alg.exe</span>.</p> <h4><strong>Persistence</strong></h4> <p>After initial execution, Turian establishes persistence by creating the file <span style="font-family: courier new, courier, monospace;">tmp.bat</span> in the current working directory, writing the following lines to the file, then running the file (the mixed-case spelling of the commands and registry path is presumably intended to defeat case-sensitive string matching):</p> <p style="margin-left: 3%; margin-right: 3%;"><span style="font-family: courier new, courier, monospace;">ReG aDd HKEY_CURRENT_USER\sOFtWArE\MIcrOsOft\WindOwS\CurRentVeRsiOn\RuN /v &lt;Turian_filename&gt; /t REG_SZ /d “&lt;location_of_Turian_on_disk&gt;\&lt;Turian_filename&gt;” /f</span></p> <p style="margin-left: 3%; margin-right: 2%;"><span style="font-family: courier new, courier, monospace;">ReG aDd HKEY_LOCAL_MACHINE\sOFtWArE\MIcrOsOft\WindOwS\CurRentVeRsiOn\RuN /v &lt;Turian_filename&gt; /t REG_SZ /d “&lt;location_of_Turian_on_disk&gt;\&lt;Turian_filename&gt;” /f</span></p> <p style="margin-left: 3%; margin-right: 3%;"><span style="font-family: courier new, courier, monospace;">del %0</span></p> <p>Turian then checks for the presence of the file <span style="font-family: courier new, courier, monospace;">Sharedaccess.ini</span> in its working directory. If that file is present, Turian attempts to load the C&C IP or domain from it. We did not observe Turian being passed IPs or domains in this manner, but testing confirmed that Turian looks there for the C&C address first. 
After checking <span style="font-family: courier new, courier, monospace;">Sharedaccess.ini</span>, Turian attempts to connect with a hardcoded IP or domain and sets up its network encryption protocol.</p> <h4><strong>Network encryption</strong></h4> <p>Quarian is known to have used both an eight-byte XOR key (see Talos on <a href="https://blog.talosintelligence.com/2012/12/quarian.html" target="_blank" rel="noopener"><em>Quarian: Reversing the C&C Protocol</em></a>) and an eight-byte nonce to create a session key (see ThreatConnect on Quarian Network Protocol Analysis in <a href="https://threatconnect.com/blog/divide-and-conquer/" target="_blank" rel="noopener"><em>Divide and Conquer: Unmasking China’s ‘Quarian’ Campaigns Through Community</em></a>). Turian has a distinct method for exchanging network encryption keys. See Figure 4 for a breakdown of the Turian network encryption setup.</p> <p><div class="caption center"><a href="https://web-assets.esetstatic.com/wls/2021/06/Figure-4.-Turian-network-encryption-setup.jpg"><img class="wp-image-151513" src="https://web-assets.esetstatic.com/wls/2021/06/Figure-4.-Turian-network-encryption-setup.jpg" alt="" width="800" height="618" /></a><p class="caption-text"><em>Figure 4. Turian network encryption setup</em></p></div></p> <p>After receiving the last 56-byte packet, Turian calls the network encryption initialization function in Figure 5, and accepts the 56 bytes of data in the last C&C packet as the only argument.</p> <p><div class="caption center"><a href="https://web-assets.esetstatic.com/wls/2021/06/Figure-5.-Hex-Rays-decompiled-view-of-the-encryption-key-initialization-function.jpg"><img class="wp-image-151514 size-full" src="https://web-assets.esetstatic.com/wls/2021/06/Figure-5.-Hex-Rays-decompiled-view-of-the-encryption-key-initialization-function.jpg" alt="" width="665" height="905" /></a><p class="caption-text"><em>Figure 5. 
Hex-Rays decompiled view of the encryption key initialization function</em></p></div></p> <p>A second network encryption setup was also observed, as depicted in Figure 6.</p> <p><div class="caption center"><a href="https://web-assets.esetstatic.com/wls/2021/06/Figure-6.-Second-Turian-network-encryption-set-up-protocol.jpg"><img class="wp-image-151515" src="https://web-assets.esetstatic.com/wls/2021/06/Figure-6.-Second-Turian-network-encryption-set-up-protocol.jpg" alt="" width="800" height="625" /></a><p class="caption-text"><em>Figure 6. Second Turian network encryption set up protocol</em></p></div></p> <p>The last iteration of the four-iteration loop (QWORD byte[5]) is used as the seed for the key initialization function, as shown below in Figure 7.</p> <p><div class="caption center"><a href="https://web-assets.esetstatic.com/wls/2021/06/Figure-7.-Second-key-initialization-function.jpg"><img class="wp-image-151516 size-full" src="https://web-assets.esetstatic.com/wls/2021/06/Figure-7.-Second-key-initialization-function.jpg" alt="" width="695" height="860" /></a><p class="caption-text"><em>Figure 7. Second key initialization function</em></p></div></p> <h3>Operator commands</h3> <p>The full list of Turian operator commands is shown in Table 1.</p> <p><em>Table 1. 
Turian C&C commands</em></p> <p><table> <thead> <tr> <th>ID</th> <th>Description</th> </tr> </thead> <tbody> <tr> <td>0x01</td> <td>Get system information including OS version, memory usage, local hostname, system adapter info, internal IP, current username, state of the directory service installation and domain data.</td> </tr> <tr> <td>0x02</td> <td>Interactive shell – copy <span style="font-family: courier new, courier, monospace;">%WINDIR%\system32\cmd.exe </span>to <span style="font-family: courier new, courier, monospace;">%WINDIR%\alg.exe</span> and spawn <span style="font-family: courier new, courier, monospace;">alg.exe</span> in a new thread.</td> </tr> <tr> <td>0x03</td> <td>Spawn a new thread, acknowledge the command and wait for one of the three-digit commands below.</td> </tr> <tr> <td>0x04</td> <td>Take screenshot.</td> </tr> <tr> <td>0x103/203</td> <td>Write file.</td> </tr> <tr> <td>0x403</td> <td>List directory.</td> </tr> <tr> <td>0x503</td> <td>Move file.</td> </tr> <tr> <td>0x603</td> <td>Delete file.</td> </tr> <tr> <td>0x703</td> <td>Get startup info.</td> </tr> </tbody> </table></p> <h2>Targeting removable media</h2> <p>A subset of victims was targeted with data collection executables that were designed to look for removable media (most likely USB flash drives). The implant routinely scans for such drives, specifically targeting removable media (return value of <span style="font-family: courier new, courier, monospace;">GetDriveType</span> is 2). 
If found, the implant uses an embedded version of WinRAR to execute these hardcoded commands:</p> <ul> <li><span style="font-family: courier new, courier, monospace;">CMD.exe /C %s a -m5 -hp1qaz@WSX3edc -r %s %s\\*.*</span></li> <li><span style="font-family: courier new, courier, monospace;">CMD.exe /C %s a -m5 -hpMyHost-1 -r %s %s\\*.*</span></li> <li><span style="font-family: courier new, courier, monospace;">CMD.exe /C rd /s /q \"%s"\</span></li> </ul> <p>The parameters in these commands break down as follows:</p> <ul> <li><span style="font-family: courier new, courier, monospace;">a</span> == add files to archive</li> <li><span style="font-family: courier new, courier, monospace;">-m[0:5]</span> == compression level</li> <li><span style="font-family: courier new, courier, monospace;">-hp&lt;password&gt;</span> == password-protect the archive, encrypting file headers as well as file data</li> <li><span style="font-family: courier new, courier, monospace;">-r</span> == recurse subdirectories</li> <li><span style="font-family: courier new, courier, monospace;">rd</span> == remove directory</li> <li><span style="font-family: courier new, courier, monospace;">/s</span> == delete a directory tree</li> <li><span style="font-family: courier new, courier, monospace;">/q</span> == quiet mode</li> <li><span style="font-family: courier new, courier, monospace;">\"%s"\</span> == directory to act on</li> </ul> <p>The implant, upon detecting that removable media has been inserted, attempts to copy all the files on the drive into a password-protected archive, which it puts in the following directory; the path is hardcoded, and so the same for every victim, which makes it a useful host-based indicator:</p> <ul> <li><span style="font-family: courier new, courier, monospace;">C:\RECYCLER\S-1-3-33-854245398-2067806209-0000980848-2003\</span></li> </ul> <p>The implant also has the capability to delete files, based on the third command listed above.</p> <h3>Remote access tools</h3> <p>Occasionally, BackdoorDiplomacy’s operators require a greater degree of access or more interactivity than that provided by Turian. 
On those occasions, they employ open-source remote access tools such as <a href="https://github.com/quasar/Quasar" target="_blank" rel="noopener"><em>Quasar</em></a>, which offers a wide variety of capabilities and runs on virtually all versions of Windows.</p> <h2>Linux</h2> <p>We discovered, via a shared C&C server domain, a <a href="https://isc.sans.edu/diary/F5+BigIP+vulnerability+exploitation+followed+by+a+backdoor+implant+attempt/26322" target="_blank" rel="noopener"><em>Linux backdoor</em></a> that uses similar network infrastructure and was deployed after exploiting a known vulnerability (CVE-2020-5902, referenced above) in the traffic management user interface (TMUI) of F5 BIG-IP load balancers, which permits remote code execution (RCE). The Linux variant attempts to persist by writing itself to <a href="https://www.programmersought.com/article/62905849883/" target="_blank" rel="noopener"><em>/etc/init.d/rc.local</em></a>.</p> <p>Next, it runs through a loop to extract strings from memory:</p> <ul> <li><span style="font-family: courier new, courier, monospace;">bash -version</span></li> <li><span style="font-family: courier new, courier, monospace;">echo $PWD</span></li> <li><span style="font-family: courier new, courier, monospace;">/bin/sh</span></li> <li><span style="font-family: courier new, courier, monospace;">/tmp/AntiVirtmp</span></li> <li><span style="font-family: courier new, courier, monospace;">eth0</span></li> <li><span style="font-family: courier new, courier, monospace;">/proc/%d/exe</span></li> </ul> <p>Then, it calls its daemon function and forks off a child process, which decrypts the C&C IP address and/or domain name and then initiates a loop that reaches out to the C&C using <span style="font-family: courier new, courier, monospace;">Mozilla/5.0 (X11; Linux i686; rv:22.0) Firefox/22.0</span> as its User-Agent string (a fixed value that can serve as a network detection artifact). This C&C loop continues until a successful connection is made. 
Once a connection is established, the Linux agent goes through a network encryption setup similar to the one the Windows version of Turian carries out. See Figure 8 for the network encryption protocol used by the Linux variant of Turian.</p> <p><div class="caption center"><a href="https://web-assets.esetstatic.com/wls/2021/06/Figure-8.-Linux-Turian-variant-network-encryption-protocol-setup-routine.jpg"><img class="wp-image-151517" src="https://web-assets.esetstatic.com/wls/2021/06/Figure-8.-Linux-Turian-variant-network-encryption-protocol-setup-routine.jpg" alt="" width="750" height="581" /></a><p class="caption-text"><em>Figure 8. Linux Turian variant - network encryption protocol setup routine</em></p></div></p> <p>After receiving the last 56-byte packet, the Linux agent calls the network encryption key initialization function depicted in Figure 9.</p> <p><div class="caption center"><a href="https://web-assets.esetstatic.com/wls/2021/06/Figure-9.-Hex-Rays-decompiled-network-encryption-key-initialization-function.jpg"><img class="wp-image-151518" src="https://web-assets.esetstatic.com/wls/2021/06/Figure-9.-Hex-Rays-decompiled-network-encryption-key-initialization-function.jpg" alt="" width="750" height="456" /></a><p class="caption-text"><em>Figure 9. Hex-Rays decompiled network encryption key initialization function</em></p></div></p> <p>Upon successful completion of the network protocol setup, it forks off another child process and attempts to spawn a TTY reverse shell:</p> <ul> <li><span style="font-family: courier new, courier, monospace;">python -c 'import pty; pty.spawn("/bin/sh")'</span></li> </ul> <h2>Conclusion</h2> <p>BackdoorDiplomacy is a group that primarily targets diplomatic organizations in the Middle East and Africa, and less frequently, telecommunication companies. Their initial attack methodology is focused on exploiting vulnerable internet-exposed applications on webservers, in order to drop and execute a webshell. 
Post-compromise, via the webshell, BackdoorDiplomacy deploys open-source software for reconnaissance and information gathering, and favors the use of DLL search order hijacking to install its backdoor, Turian. Finally, BackdoorDiplomacy employs a separate executable to detect removable media, likely USB flash drives, and copy their contents to the main drive’s recycle bin.</p> <p>BackdoorDiplomacy shares tactics, techniques, and procedures with other Asian groups. Turian likely represents a next-stage evolution of Quarian, the backdoor last observed in use in 2013 against diplomatic targets in Syria and the United States. Turian’s network encryption protocol is nearly identical to the network encryption protocol used by Whitebird, a backdoor operated by Calypso, another Asian group. Whitebird was deployed within diplomatic organizations in Kazakhstan and Kyrgyzstan during the same timeframe as BackdoorDiplomacy (2017-2020). Additionally, BackdoorDiplomacy and APT15 use the same techniques and tactics to drop their backdoors on systems, namely the aforementioned DLL search order hijacking.</p> <p>BackdoorDiplomacy is also a cross-platform group, targeting both Windows and Linux systems. 
The Linux variant of Turian shares the same network encryption protocol characteristics and attempts to return a TTY reverse shell to the operator.</p> <h2>IoCs</h2> <h3>Samples</h3> <p><table> <thead> <tr> <th>SHA-1</th> <th>Filename</th> <th>ESET Detection Name</th> <th>Description</th> </tr> </thead> <tbody> <tr> <td><span style="font-family: courier new, courier, monospace;">3C0DB3A5194E1568E8E2164149F30763B7F3043D</span></td> <td><span style="font-family: courier new, courier, monospace;">logout.aspx</span></td> <td>ASP/Webshell.H</td> <td>BackdoorDiplomacy webshell – variant N2</td> </tr> <tr> <td><span style="font-family: courier new, courier, monospace;">32EF3F67E06C43C18E34FB56E6E62A6534D1D694</span></td> <td><span style="font-family: courier new, courier, monospace;">current.aspx</span></td> <td>ASP/Webshell.O</td> <td>BackdoorDiplomacy webshell – variant S1</td> </tr> <tr> <td><span style="font-family: courier new, courier, monospace;">8C4D2ED23958919FE10334CCFBE8D78CD0D991A8</span></td> <td><span style="font-family: courier new, courier, monospace;">errorEE.aspx</span></td> <td>ASP/Webshell.J</td> <td>BackdoorDiplomacy webshell – variant N1</td> </tr> <tr> <td><span style="font-family: courier new, courier, monospace;">C0A3F78CF7F0B592EF813B15FC0F1D28D94C9604</span></td> <td><span style="font-family: courier new, courier, monospace;">App_Web_xcg2dubs.dll</span></td> <td>MSIL/Webshell.C</td> <td>BackdoorDiplomacy webshell – variant N3</td> </tr> <tr> <td><span style="font-family: courier new, courier, monospace;">CDD583BB6333644472733617B6DCEE2681238A11</span></td> <td><span style="font-family: courier new, courier, monospace;">N/A</span></td> <td>Linux/Agent.KD</td> <td>Linux Turian backdoor</td> </tr> <tr> <td><span style="font-family: courier new, courier, monospace;">FA6C20F00F3C57643F312E84CC7E46A0C7BABE75</span></td> <td><span style="font-family: courier new, courier, monospace;">N/A</span></td> <td>Linux/Agent.KD</td> <td>Linux Turian 
backdoor</td> </tr> <tr> <td><span style="font-family: courier new, courier, monospace;">5F87FBFE30CA5D6347F4462D02685B6E1E90E464</span></td> <td><span style="font-family: courier new, courier, monospace;">ScnCfg.exe</span></td> <td>Win32/Agent.TGO</td> <td>Windows Turian backdoor</td> </tr> <tr> <td><span style="font-family: courier new, courier, monospace;">B6936BD6F36A48DD1460EEB4AB8473C7626142AC</span></td> <td><span style="font-family: courier new, courier, monospace;">VMSvc.exe</span></td> <td>Win32/Agent.QKK</td> <td>Windows Turian backdoor</td> </tr> <tr> <td><span style="font-family: courier new, courier, monospace;">B16393DFFB130304AD627E6872403C67DD4C0AF3</span></td> <td><span style="font-family: courier new, courier, monospace;">svchost.exe</span></td> <td>Win32/Agent.TZI</td> <td>Windows Turian backdoor</td> </tr> <tr> <td><span style="font-family: courier new, courier, monospace;">9DBBEBEBBA20B1014830B9DE4EC9331E66A159DF</span></td> <td><span style="font-family: courier new, courier, monospace;">nvsvc.exe</span></td> <td>Win32/Agent.UJH</td> <td>Windows Turian backdoor</td> </tr> <tr> <td><span style="font-family: courier new, courier, monospace;">564F1C32F2A2501C3C7B51A13A08969CDC3B0390</span></td> <td><span style="font-family: courier new, courier, monospace;">AppleVersions.dll</span></td> <td>Win64/Agent.HA</td> <td>Windows Turian backdoor</td> </tr> <tr> <td><span style="font-family: courier new, courier, monospace;">6E1BB476EE964FFF26A86E4966D7B82E7BACBF47</span></td> <td><span style="font-family: courier new, courier, monospace;">MozillaUpdate.exe</span></td> <td>Win32/Agent.UJH</td> <td>Windows Turian backdoor</td> </tr> <tr> <td><span style="font-family: courier new, courier, monospace;">FBB0A4F4C90B513C4E51F0D0903C525360FAF3B7</span></td> <td><span style="font-family: courier new, courier, monospace;">nvsvc.exe</span></td> <td>Win32/Agent.QAY</td> <td>Windows Turian backdoor</td> </tr> <tr> <td><span style="font-family: courier new, courier, 
monospace;">2183AE45ADEF97500A26DBBF69D910B82BFE721A</span></td> <td><span style="font-family: courier new, courier, monospace;">nvsvcv.exe</span></td> <td>Win32/Agent.UFX</td> <td>Windows Turian backdoor</td> </tr> <tr> <td><span style="font-family: courier new, courier, monospace;">849B970652678748CEBF3C4D90F435AE1680601F</span></td> <td><span style="font-family: courier new, courier, monospace;">efsw.exe</span></td> <td>Win32/Agent.UFX</td> <td>Windows Turian backdoor</td> </tr> <tr> <td><span style="font-family: courier new, courier, monospace;">C176F36A7FC273C9C98EA74A34B8BAB0F490E19E</span></td> <td><span style="font-family: courier new, courier, monospace;">iexplore32.exe</span></td> <td>Win32/Agent.QAY</td> <td>Windows Turian backdoor</td> </tr> <tr> <td><span style="font-family: courier new, courier, monospace;">626EFB29B0C58461D831858825765C05E1098786</span></td> <td><span style="font-family: courier new, courier, monospace;">iexplore32.exe</span></td> <td>Win32/Agent.UFX</td> <td>Windows Turian backdoor</td> </tr> <tr> <td><span style="font-family: courier new, courier, monospace;">40E73BF21E31EE99B910809B3B4715AF017DB061</span></td> <td><span style="font-family: courier new, courier, monospace;">explorer32.exe</span></td> <td>Win32/Agent.QAY</td> <td>Windows Turian backdoor</td> </tr> <tr> <td><span style="font-family: courier new, courier, monospace;">255F54DE241A3D12DEBAD2DF47BAC5601895E458</span></td> <td><span style="font-family: courier new, courier, monospace;">Duser.dll</span></td> <td>Win32/Agent.URH</td> <td>Windows Turian backdoor</td> </tr> <tr> <td><span style="font-family: courier new, courier, monospace;">A99CF07FBA62A63A44C6D5EF6B780411CF1B1073</span></td> <td><span style="font-family: courier new, courier, monospace;">Duser.dll</span></td> <td>Win64/Agent.HA</td> <td>Windows Turian backdoor</td> </tr> <tr> <td><span style="font-family: courier new, courier, monospace;">934B3934FDB4CD55DC4EA1577F9A394E9D74D660</span></td> <td><span 
style="font-family: courier new, courier, monospace;">Duser.dll</span></td> <td>Win32/Agent.TQI</td> <td>Windows Turian backdoor</td> </tr>
<tr> <td><span style="font-family: courier new, courier, monospace;">EF4DF176916CE5882F88059011072755E1ECC482</span></td> <td><span style="font-family: courier new, courier, monospace;">iexplore32.exe</span></td> <td>Win32/Agent.QAY</td> <td>Windows Turian backdoor</td> </tr>
</tbody> </table></p>
<h3>Network</h3>
<h4><strong>C&Cs</strong></h4>
<!-- Merged cells restored: the exported table carried literal "#rowspan#" placeholders (and one dropped rowspan on the AS40676 rows) where a Hoster, IP or Domain cell spans several rows. Values are unchanged; only the spanning is repaired so each IP sits beside the domain it was observed with. -->
<p><table> <thead> <tr> <th>AS</th> <th>Hoster</th> <th>IP address</th> <th>Domain</th> </tr> </thead> <tbody>
<tr> <td>AS20473</td> <td>AS-CHOOPA</td> <td><span style="font-family: courier new, courier, monospace;">199.247.9[.]67</span></td> <td><span style="font-family: courier new, courier, monospace;">bill.microsoftbuys[.]com</span></td> </tr>
<tr> <td rowspan="2">AS132839</td> <td rowspan="2">POWER LINE DATACENTER</td> <td><span style="font-family: courier new, courier, monospace;">43.251.105[.]218</span></td> <td rowspan="3"><span style="font-family: courier new, courier, monospace;">dnsupdate.dns2[.]us</span></td> </tr>
<tr> <td><span style="font-family: courier new, courier, monospace;">43.251.105[.]222</span></td> </tr>
<tr> <td>AS40065</td> <td>Cnservers LLC</td> <td><span style="font-family: courier new, courier, monospace;">162.209.167[.]154</span></td> </tr>
<tr> <td>AS132839</td> <td>POWER LINE DATACENTER</td> <td><span style="font-family: courier new, courier, monospace;">43.225.126[.]179</span></td> <td><span style="font-family: courier new, courier, monospace;">www.intelupdate.dns1[.]us</span></td> </tr>
<tr> <td>AS46573</td> <td>LAYER-HOST</td> <td><span style="font-family: courier new, courier, monospace;">23.247.47[.]252</span></td> <td><span style="font-family: courier new, courier, monospace;">www.intelupdate.dns1[.]us</span></td> </tr>
<tr> <td>AS132839</td> <td>POWER LINE DATACENTER</td> <td><span style="font-family: courier new, courier, monospace;">43.251.105[.]222</span></td> <td rowspan="2"><span style="font-family: courier new, courier, monospace;">winupdate.ns02[.]us</span></td> </tr>
<tr> <td>AS40065</td> <td>Cnservers LLC</td> <td><span style="font-family: courier new, courier, monospace;">162.209.167[.]189</span></td> </tr>
<tr> <td rowspan="2">AS25820</td> <td rowspan="2">IT7NET</td> <td><span style="font-family: courier new, courier, monospace;">23.83.224[.]178</span></td> <td rowspan="3"><span style="font-family: courier new, courier, monospace;">winupdate.ns02[.]us</span></td> </tr>
<tr> <td><span style="font-family: courier new, courier, monospace;">23.106.140[.]207</span></td> </tr>
<tr> <td>AS132839</td> <td>POWER LINE DATACENTER</td> <td><span style="font-family: courier new, courier, monospace;">43.251.105[.]218</span></td> </tr>
<tr> <td>AS20473</td> <td>AS-CHOOPA</td> <td><span style="font-family: courier new, courier, monospace;">45.76.120[.]84</span></td> <td rowspan="2"><span style="font-family: courier new, courier, monospace;">icta.worldmessg[.]com</span></td> </tr>
<tr> <td rowspan="4">AS20473</td> <td rowspan="4">AS-CHOOPA</td> <td><span style="font-family: courier new, courier, monospace;">78.141.243[.]45</span></td> </tr>
<tr> <td><span style="font-family: courier new, courier, monospace;">78.141.196[.]159</span></td> <td><span style="font-family: courier new, courier, monospace;">Infoafrica[.]top</span></td> </tr>
<tr> <td><span style="font-family: courier new, courier, monospace;">45.77.215[.]53</span></td> <td><span style="font-family: courier new, courier, monospace;">szsz.pmdskm[.]top</span></td> </tr>
<tr> <td><span style="font-family: courier new, courier, monospace;">207.148.8[.]82</span></td> <td><span style="font-family: courier new, courier, monospace;">pmdskm[.]top</span></td> </tr>
<tr> <td rowspan="2">AS132839</td> <td rowspan="2">POWER LINE DATACENTER</td> <td><span style="font-family: courier new, courier, monospace;">43.251.105[.]139</span></td> <td><span style="font-family: courier new, courier, monospace;">www.freedns02.dns2[.]us</span></td> </tr>
<tr> <td><span style="font-family: courier new, courier, monospace;">43.251.105[.]139</span></td> <td><span style="font-family: courier new, courier, monospace;">web.vpnkerio[.]com</span></td> </tr>
<tr> <td>AS20473</td> <td>AS-CHOOPA</td> <td><span style="font-family: courier new, courier, monospace;">45.77.215[.]53</span></td> <td></td> </tr>
<tr> <td>AS135377</td> <td>UCloud (HK) Holdings Group Limited</td> <td><span style="font-family: courier new, courier, monospace;">152.32.180[.]34</span></td> <td></td> </tr>
<tr> <td>AS132839</td> <td>POWER LINE DATACENTER</td> <td><span style="font-family: courier new, courier, monospace;">43.251.105[.]218</span></td> <td><span style="font-family: courier new, courier, monospace;">officeupdates.cleansite[.]us</span></td> </tr>
<tr> <td rowspan="3">AS25820</td> <td rowspan="3">IT7NET</td> <td rowspan="3"><span style="font-family: courier new, courier, monospace;">23.106.140[.]207</span></td> <td><span style="font-family: courier new, courier, monospace;">dynsystem.imbbs[.]in</span></td> </tr>
<tr> <td><span style="font-family: courier new, courier, monospace;">officeupdate.ns01[.]us</span></td> </tr>
<tr> <td><span style="font-family: courier new, courier, monospace;">systeminfo.oicp[.]net</span></td> </tr>
<tr> <td rowspan="4">AS40676</td> <td rowspan="4">Psychz Networks</td> <td rowspan="4"><span style="font-family: courier new, courier, monospace;">23.228.203[.]130</span></td> <td><span style="font-family: courier new, courier, monospace;">systeminfo.myftp[.]name</span></td> </tr>
<tr> <td><span style="font-family: courier new, courier, monospace;">systeminfo.cleansite[.]info</span></td> </tr>
<tr> <td><span style="font-family: courier new, courier, monospace;">updateip.onmypc[.]net</span></td> </tr>
<tr> <td><span style="font-family: courier new, courier, monospace;">buffetfactory.oicp[.]io</span></td> </tr>
</tbody> </table></p>
<h4><strong>Registrars</strong></h4>
<p><table> <thead> <tr> <th>Registrar</th> <th>Domain</th> </tr> </thead> <tbody>
<tr> <td><span style="font-family: courier new, courier, monospace;">expdns[.]net</span></td> <td><span style="font-family: courier new, courier, monospace;">update.officenews365[.]com</span></td> </tr>
<tr> <td><span style="font-family: courier new, courier, monospace;">ezdnscenter[.]com</span></td> <td><span style="font-family: courier new, courier, monospace;">bill.microsoftbuys[.]com</span></td> </tr>
<tr> <td rowspan="9"><span style="font-family: courier new, courier, monospace;">changeip[.]org</span></td> <td><span style="font-family: courier new, courier, monospace;">dnsupdate.dns2[.]us</span></td> </tr>
<tr> <td><span style="font-family: courier new, courier, monospace;">dnsupdate.dns1[.]us</span></td> </tr>
<tr> <td><span style="font-family: courier new, courier, monospace;">www.intelupdate.dns1[.]us</span></td> </tr>
<tr> <td><span style="font-family: courier new, courier, monospace;">winupdate.ns02[.]us</span></td> </tr>
<tr> <td><span style="font-family: courier new, courier, monospace;">www.freedns02.dns2[.]us</span></td> </tr>
<tr> <td><span style="font-family: courier new, courier, monospace;">officeupdates.cleansite[.]us</span></td> </tr>
<tr> <td><span style="font-family: courier new, courier, monospace;">officeupdate.ns01[.]us</span></td> </tr>
<tr> <td><span style="font-family: courier new, courier, monospace;">systeminfo.cleansite[.]info</span></td> </tr>
<tr> <td><span style="font-family: courier new, courier, monospace;">updateip.onmypc[.]net</span></td> </tr>
<tr> <td><span style="font-family: courier new, courier, monospace;">hichina[.]com</span></td> <td><span
style="font-family: courier new, courier, monospace;">Infoafrica[.]top</span></td> </tr>
<tr> <td><span style="font-family: courier new, courier, monospace;">domaincontrol[.]com</span></td> <td><span style="font-family: courier new, courier, monospace;">web.vpnkerio[.]com</span></td> </tr>
<tr> <td><span style="font-family: courier new, courier, monospace;">exhera[.]com</span></td> <td><span style="font-family: courier new, courier, monospace;">dynsystem.imbbs[.]in</span></td> </tr>
<!-- This row arrived with no Registrar cell; an empty cell keeps the domain in the Domain column without asserting a registrar for it. -->
<tr> <td></td> <td><span style="font-family: courier new, courier, monospace;">systeminfo.oicp[.]net</span></td> </tr>
</tbody> </table></p>
<h2>MITRE ATT&CK techniques</h2>
<p><em>Note: This table was built using </em><a href="https://attack.mitre.org/resources/versions/" target="_blank" rel="noopener"><em>version 9</em></a><em> of the MITRE ATT&CK framework.</em></p>
<!-- Tactic cells re-aligned with their techniques: the exported table had the merged Tactic column shifted down by one row from Persistence onwards (for example T1083 under Defense Evasion, T1005 under Lateral Movement, T1095 with no tactic), which the ATT&CK v9 tactic mappings do not support. Technique rows, IDs, names and descriptions are unchanged. -->
<p><table> <thead> <tr> <th>Tactic</th> <th>ID</th> <th>Name</th> <th>Description</th> </tr> </thead> <tbody>
<tr> <td>Initial Access</td> <td><a href="https://attack.mitre.org/versions/v9/techniques/T1190/" rel="noopener" target="_blank">T1190</a></td> <td>Exploit Public-Facing Application</td> <td>BackdoorDiplomacy exploits the vulnerability CVE-2020-5902.</td> </tr>
<tr> <td rowspan="2">Execution</td> <td><a href="https://attack.mitre.org/versions/v9/techniques/T1059/003/" rel="noopener" target="_blank">T1059.003</a></td> <td>Windows Command Shell</td> <td>Turian relies on a batch script to create persistence.</td> </tr>
<tr> <td><a href="https://attack.mitre.org/versions/v9/techniques/T1203/" rel="noopener" target="_blank">T1203</a></td> <td>Exploitation for Client Execution</td> <td>Turian has exploited client software vulnerabilities for execution, such as CVE-2020-5902.</td> </tr>
<tr> <td>Persistence</td> <td><a href="https://attack.mitre.org/versions/v9/techniques/T1547/001/" rel="noopener" target="_blank">T1547.001</a></td> <td>Registry Run Keys / Startup Folder</td> <td>Turian uses the HKLM and HKCU <span style="font-family: courier new, courier, monospace;">CurrentVersion</span> Run keys to persist after reboot.</td> </tr>
<tr> <td rowspan="2">Privilege Escalation</td> <td><a href="https://attack.mitre.org/versions/v9/techniques/T1548/002/" rel="noopener" target="_blank">T1548.002</a></td> <td>Bypass User Account Control</td> <td>Turian uses JuicyPotato to bypass UAC.</td> </tr>
<tr> <td><a href="https://attack.mitre.org/versions/v9/techniques/T1547/001/" rel="noopener" target="_blank">T1547.001</a></td> <td>Registry Run Keys / Startup Folder</td> <td>Turian uses the HKLM and HKCU <span style="font-family: courier new, courier, monospace;">CurrentVersion</span> Run keys to persist after reboot.</td> </tr>
<tr> <td rowspan="3">Defense Evasion</td> <td><a href="https://attack.mitre.org/versions/v9/techniques/T1548/002/" rel="noopener" target="_blank">T1548.002</a></td> <td>Bypass User Account Control</td> <td>Turian uses JuicyPotato to bypass UAC.</td> </tr>
<tr> <td><a href="https://attack.mitre.org/versions/v9/techniques/T1140/" rel="noopener" target="_blank">T1140</a></td> <td>Deobfuscate/Decode Files or Information</td> <td>Turian uses VMProtect to obfuscate its code.</td> </tr>
<tr> <td><a href="https://attack.mitre.org/versions/v9/techniques/T1550/" rel="noopener" target="_blank">T1550</a></td> <td>Use Alternate Authentication Material</td> <td>Turian uses Mimikatz.</td> </tr>
<tr> <td>Discovery</td> <td><a href="https://attack.mitre.org/versions/v9/techniques/T1083/" rel="noopener" target="_blank">T1083</a></td> <td>File and Directory Discovery</td> <td>Turian lists drives.</td> </tr>
<tr> <td>Lateral Movement</td> <td><a href="https://attack.mitre.org/versions/v9/techniques/T1550/" rel="noopener" target="_blank">T1550</a></td> <td>Use Alternate Authentication Material</td> <td>Turian uses Mimikatz.</td> </tr>
<tr> <td rowspan="2">Collection</td> <td><a href="https://attack.mitre.org/versions/v9/techniques/T1005/" rel="noopener" target="_blank">T1005</a></td> <td>Data from Local System</td> <td>Turian collects files from the victim’s machine.</td> </tr>
<tr> <td><a href="https://attack.mitre.org/versions/v9/techniques/T1113/" rel="noopener" target="_blank">T1113</a></td> <td>Screen Capture</td> <td>Turian captures screenshots.</td> </tr>
<tr> <td rowspan="3">Command and Control</td> <td><a href="https://attack.mitre.org/versions/v9/techniques/T1071/001/" rel="noopener" target="_blank">T1071.001</a></td> <td>Web Protocols</td> <td>Turian uses HTTP to communicate with the C&C server.</td> </tr>
<tr> <td><a href="https://attack.mitre.org/versions/v9/techniques/T1573/001/" rel="noopener" target="_blank">T1573.001</a></td> <td>Symmetric Cryptography</td> <td>Turian uses an XOR routine to encrypt communication with the C&C server.</td> </tr>
<tr> <td><a href="https://attack.mitre.org/versions/v9/techniques/T1095/" rel="noopener" target="_blank">T1095</a></td> <td>Non-Application Layer Protocol</td> <td>Turian uses raw sockets to communicate with the C&C server.</td> </tr>
</tbody> </table></p>
</div>
7h2.1044c1.5563,0,2.32,.6206,2.32,1.74,.0109,.539-.2936,1.0349-.7791,1.2692v.0242c.7243,.1716,1.2395,.8131,1.2509,1.5573,0,1.16-.6767,1.9652-2.5133,1.9652h-2.3828v-6.5559Zm2.0483,2.7588c.7414,0,1.1126-.2591,1.1126-.8893,0-.6767-.4456-.899-1.2799-.899h-.6109v1.7883h.7782Zm.2127,2.7898c.87,0,1.362-.2223,1.362-.9261s-.5007-.9667-1.4829-.9667h-.87v1.8908l.9908,.0019Zm4.9406-1.248l-2.32-4.3007h1.4548l1.5418,3.2267,1.6433-3.2248h1.4084l-2.4659,4.2726v2.2775h-1.2566l-.0058-2.2514Z" /></g></g></svg> </a> </div> </div> <div class="page-info"> <p> Award-winning news, views, and insight from the ESET security community </p> </div> </div> <div class="col footer-links"> <a href="/en/company/about-us/" title="About us" >About us</a> <a href="https://www.eset.com" title="ESET" >ESET</a> <a href="/en/company/contact-us/" title="Contact us" >Contact us</a> <a href="/en/company/privacy/" title="Privacy Policy" >Privacy Policy</a> <a href="/en/company/legal-information/" title="Legal Information" >Legal Information</a> <a href="/en/#" title="Manage Cookies" id="manage-cookies" onclick="event.preventDefault()" >Manage Cookies</a> <a href="/en/rss/feed/" title="RSS Feed" >RSS Feed</a> </div> <div class="col social-networks"> <a href="https://www.facebook.com/eset/" title="Join our facebook fan site!"> <svg id="Layer_2" fill="#949ca1" class="facebook" xmlns="http://www.w3.org/2000/svg" width="35" height="35" viewBox="0 0 50 50"><g id="Layer_2-2"><circle cx="25" cy="25" r="25" /><path fill="white"d="m30.9623,26.8125l.8054-5.2483h-5.0359v-3.4058c0-1.4358.7035-2.8354,2.9589-2.8354h2.2894v-4.4684s-2.0776-.3546-4.064-.3546c-4.1472,0-6.858,2.5137-6.858,7.0642v4h-4.61v5.2483h4.61v12.6875h5.6737v-12.6875h4.2305Z" /></g></svg> </a> <a href="https://youtube.com/esetglobal" title="Watch our videos at YouTube Channel."> <svg id="Layer_2" fill="#949ca1" class="youtube" xmlns="http://www.w3.org/2000/svg" width="35" height="35" viewBox="0 0 50 50"><g id="Layer_2-2"><circle cx="25" cy="25" r="25" /><g 
id="Layer_1-2"><g id="youtube"><g id="SOCIAL_MEDIA"><path id="youtube-2" fill="white"d="m39.3741,17.7792c-.3492-1.2938-1.3598-2.3044-2.6536-2.6536-2.3399-.625-11.7206-.625-11.7206-.625,0,0-9.3745,0-11.7206.625-1.2941.3485-2.305,1.3594-2.6536,2.6536-.4319,2.3823-.6412,4.7997-.6249,7.2208-.0162,2.4211.193,4.8385.625,7.2208.3478,1.2946,1.359,2.3058,2.6536,2.6536,2.3399.625,11.7206.625,11.7206.625,0,0,9.3807,0,11.7206-.625,1.2942-.3485,2.3051-1.3594,2.6536-2.6536.4315-2.3824.6408-4.7997.625-7.2208.0158-2.4211-.1934-4.8384-.625-7.2208h0Zm-17.374,11.7205v-8.9994l7.7933,4.4997-7.7933,4.4997Z" /></g></g></g></g></svg> </a> <a href="https://twitter.com/ESET" title="Visit the official WLS Twitter page."> <svg id="Layer_2" fill="#949ca1" class="twitter" xmlns="http://www.w3.org/2000/svg" width="35" height="35" viewBox="0 0 50 50"><g id="Layer_2-2"><circle cx="25" cy="25" r="25" /><g id="twitter"><g id="Layer_2-3"><g id="Research_icons"><path id="twitter-2" fill="white"d="m36.0847,16.9564c1.1786-.1395,2.3298-.4543,3.4153-.934-.7998,1.1935-1.8049,2.2357-2.9686,3.0783v.7675c0,7.8581-5.9779,16.9184-16.9184,16.9184-3.2314.004-6.3954-.9238-9.113-2.6722.4703.0571.9436.0856,1.4173.0853,2.6784.0044,5.2803-.8925,7.3871-2.5463-2.5446-.0467-4.7777-1.7068-5.5555-4.1301.3681.0703.742.1056,1.1168.1056.5293,0,1.0564-.0696,1.5676-.2071-2.775-.5608-4.7696-3.0006-4.7677-5.8317v-.0731c.826.4573,1.7488.712,2.6925.7432-2.6116-1.7476-3.4122-5.2258-1.8275-7.9394,3.0149,3.7157,7.4653,5.9771,12.2441,6.2215-.7617-3.1963,1.2119-6.4049,4.4082-7.1666,2.0894-.4979,4.285.1691,5.7444,1.7451,1.3319-.2639,2.6091-.7528,3.7768-1.4457-.4477,1.3745-1.3782,2.5402-2.6194,3.2813Z" /></g></g></g></g></svg> </a> <a href="https://www.linkedin.com/company/eset" title="Follow us on LinkedIn."> <svg id="Layer_2" fill="#949ca1" class="linkedin" xmlns="http://www.w3.org/2000/svg" width="35" height="35" viewBox="0 0 50 50"><g id="Layer_2-2"><circle cx="25" cy="25" r="25" /><path 
fill="white"d="m18.7686,35.9995h-4.9757v-16.0232h4.9757v16.0232Zm-2.4905-18.2089c-1.5911,0-2.8816-1.3179-2.8816-2.9089.0002-1.5915,1.2906-2.8814,2.882-2.8812,1.5911.0002,2.881,1.29,2.8812,2.8812,0,1.5911-1.2911,2.9089-2.8816,2.9089Zm21.113,18.2089h-4.965v-7.8c0-1.8589-.0375-4.2429-2.587-4.2429-2.587,0-2.9834,2.0196-2.9834,4.1089v7.9339h-4.9704v-16.0232h4.7721v2.1857h.0696c.6643-1.2589,2.287-2.5875,4.7079-2.5875,5.0357,0,5.9614,3.3161,5.9614,7.6232v8.8018h-.0054Z" /></g></svg> </a> <a href="https://www.welivesecurity.com/rss-configurator/" title="Don´t miss a single post!"> <svg id="Layer_2" fill="#949ca1" class="social-icon" xmlns="http://www.w3.org/2000/svg" width="35" height="35" viewBox="0 0 50 50"><g id="Layer_2-2"><circle cx="25" cy="25" r="25" /><g id="rss"><g id="SOCIAL_MEDIA"><path id="rss-2" fill="white"d="m16.9299,36.9089c-1.8039-.0139-3.255-1.4876-3.2411-3.2915.0139-1.8039,1.4876-3.255,3.2915-3.2411,1.7931.0138,3.2398,1.4706,3.2412,3.2638-.006,1.8113-1.4791,3.2748-3.2904,3.2688-.0004,0-.0008,0-.0012,0Zm12.6168,0c-.0331-8.7521-7.1549-15.8203-15.907-15.7872h-.0014v4.6272c6.1869-.0232,11.2214,4.9731,11.2452,11.16h4.6632Zm8.0916,0c-.0503-13.2044-10.7953-23.8679-23.9997-23.8176-.0001,0-.0002,0-.0003,0v4.7628c10.5637-.0398,19.1597,8.4911,19.2,19.0548h4.8Z" /></g></g></g></svg> </a> </div> </div> <div class="row g-0"> <div class="col copyright"> Copyright © ESET, All Rights Reserved </div> </div> </div> </footer> </div> <!-- scripts --> <link rel="modulepreload" href="https://www.welivesecurity.com/build/assets/app-7a4ecde0.js" /><script type="module" src="https://www.welivesecurity.com/build/assets/app-7a4ecde0.js"></script> <link rel="modulepreload" href="https://www.welivesecurity.com/build/assets/search-7d9f58b7.js" /><link rel="modulepreload" href="https://www.welivesecurity.com/build/assets/_commonjsHelpers-042e6b4d.js" /><script type="module" src="https://www.welivesecurity.com/build/assets/search-7d9f58b7.js"></script> <script> var disqus_config = 
function () { this.page.url = "https://www.welivesecurity.com/2021/06/10/backdoordiplomacy-upgrading-quarian-turian/"; this.page.identifier = "BackdoorDiplomacy: Upgrading from Quarian to Turian"; this.page.title = "10274"; this.language = "en"; }; (function() { var d = document, s = d.createElement('script'); s.src = 'https://welivesecurity.disqus.com/embed.js'; s.setAttribute('data-timestamp', +new Date()); (d.head || d.body).appendChild(s); })(); </script> <link rel="preload" as="style" href="https://www.welivesecurity.com/build/assets/prism-40494b65.css" /><link rel="modulepreload" href="https://www.welivesecurity.com/build/assets/prism-40d1b0a4.js" /><link rel="modulepreload" href="https://www.welivesecurity.com/build/assets/_commonjsHelpers-042e6b4d.js" /><link rel="stylesheet" href="https://www.welivesecurity.com/build/assets/prism-40494b65.css" /><script type="module" src="https://www.welivesecurity.com/build/assets/prism-40d1b0a4.js"></script> <link rel="preload" as="style" href="https://www.welivesecurity.com/build/assets/article-e3625c4c.css" /><link rel="modulepreload" href="https://www.welivesecurity.com/build/assets/article-98874652.js" /><link rel="modulepreload" href="https://www.welivesecurity.com/build/assets/table-wrapper-135558d1.js" /><link rel="stylesheet" href="https://www.welivesecurity.com/build/assets/article-e3625c4c.css" /><script type="module" src="https://www.welivesecurity.com/build/assets/article-98874652.js"></script></body> </html>