{ "Event": { "analysis": "1", "date": "2024-05-23", "extends_uuid": "", "info": "[Threat Intel] Operation Diplomatic Specter: An Active Chinese Cyberespionage Campaign Leverages Rare Tool Set to Target Governmental Entities in the Middle East, Africa and Asia", "protected": false, "publish_timestamp": "1780042000", "published": true, "threat_level_id": "2", "timestamp": "1780042000", "uuid": "2e091577-f7df-47ed-a59f-07e5eb07b7a7", "Orgc": { "name": "Rectifyq", "uuid": "cd9bd516-61fa-476b-980f-2f8de03992d4" }, "Tag": [ { "colour": "#ffffff", "local": false, "name": "tlp:clear", "relationship_type": "" }, { "colour": "#004646", "local": false, "name": "type:OSINT", "relationship_type": "" }, { "colour": "#49a260", "local": false, "name": "rectifyq:category=\"threat\"", "relationship_type": "" }, { "colour": "#130049", "local": false, "name": "rectifyq:sub-category=\"campaign-analysis\"", "relationship_type": "" }, { "colour": "#1c006d", "local": false, "name": "rectifyq:topic=\"geopolitical\"", "relationship_type": "" }, { "colour": "#f1dfed", "local": false, "name": "rectifyq:TA-category=\"APT\"", "relationship_type": "" }, { "colour": "#ffd12e", "local": false, "name": "rectifyq:target=\"broad-based\"", "relationship_type": "" }, { "colour": "#fdcb58", "local": false, "name": "rectifyq:MY-relevancy=\"somewhat-relevant\"", "relationship_type": "" }, { "colour": "#0afe32", "local": false, "name": "misp-galaxy:producer=\"Palo Alto\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:region=\"002 - Africa\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:region=\"142 - Asia\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:sector=\"Diplomacy\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:sector=\"Military\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:sector=\"Political party\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:threat-actor=\"APT27\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:threat-actor=\"APT41\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:threat-actor=\"MUSTANG PANDA\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:malpedia=\"CHINACHOPPER\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:malpedia=\"Ghost RAT\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:malpedia=\"HTran\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:malpedia=\"PlugX\"", "relationship_type": "" }, { "colour": "#3a00dd", "local": false, "name": "rectifyq:action-taken=\"diamond-model\"", "relationship_type": "" } ], "Attribute": [ { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1770868234", "to_ids": false, "type": "link", "uuid": "3a4b463e-9043-4dc1-92a2-5a4e7bd51438", "value": "https://unit42.paloaltonetworks.com/operation-diplomatic-specter/" }, { "category": "Payload delivery", "comment": "TunnelSpecter - Loader", "deleted": false, "disable_correlation": false, "timestamp": "1770868454", "to_ids": true, "type": "sha256", "uuid": "40510496-8550-4768-b4ab-feb072eeb495", "value": "0e0b5c5c5d569e2ac8b70ace920c9f483f8d25aae7769583a721b202bcc0778f" }, { "category": "Payload delivery", "comment": "TunnelSpecter - Encrypted payload", "deleted": false, "disable_correlation": false, "timestamp": "1770868454", "to_ids": true, "type": "sha256", "uuid": "19ed6d42-73bb-44f9-94b6-ba9b7158e094", "value": "62dec3fd2cdbc1374ec102d027f09423aa2affe1fb40ca05bf742f249ad7eb51" }, { "category": "Payload delivery", "comment": "TunnelSpecter - Decrypted payload", "deleted": false, "disable_correlation": false, "timestamp": "1770868454", "to_ids": true, "type": "sha256", "uuid": "08233402-a79a-4a2e-a108-4235f67290e3", "value": "22d556db39bde212e6dbaa154e9bcf57527e7f51fa2f8f7a60f6d7109b94048e" }, { "category": "Payload delivery", "comment": "SweetSpecter - Loader", "deleted": false, "disable_correlation": false, "timestamp": "1770868454", "to_ids": true, "type": "sha256", "uuid": "b7488ba3-dd8c-4d6d-bbbe-b81e823289ab", "value": "0b980e7a5dd5df0d6f07aabd6e7e9fc2e3c9e156ef8c0a62a0e20cd23c333373" }, { "category": "Payload delivery", "comment": "SweetSpecter - Encrypted payload", "deleted": false, "disable_correlation": false, "timestamp": "1770868454", "to_ids": true, "type": "sha256", "uuid": "a16a17f1-d8fe-4ae9-b700-44b33df4da66", "value": "8198c8b5eaf43b726594df62127bcb1a4e0e46cf5cb9fa170b8d4ac2a4dad179" }, { "category": "Payload delivery", "comment": "SweetSpecter - Decrypted payload", "deleted": false, "disable_correlation": false, "timestamp": "1770868454", "to_ids": true, "type": "sha256", "uuid": "fa76b0e5-5472-4b1b-9e6d-acc8b8ab5c09", "value": "0f72e9eb5201b984d8926887694111ed09f28c87261df7aab663f5dc493e215f" }, { "category": "Payload delivery", "comment": "Gh0st RAT", "deleted": false, "disable_correlation": false, "timestamp": "1770868454", "to_ids": true, "type": "sha256", "uuid": "d507cde1-89e3-4e69-acd0-b247d3a2a1a7", "value": "d5a44380e4f7c1096b1dddb6366713aa8ecb76ef36f19079087fc76567588977" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1770868454", "to_ids": true, "type": "hostname", "uuid": "9d1b52f7-27d4-4965-b89f-0949f2228c1b", "value": "home.microsoft-ns1.com" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1770868454", "to_ids": true, "type": "hostname", "uuid": "88d9fcde-8216-4194-8041-fb87adf8660b", "value": "cloud.microsoft-ns1.com" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1770868454", "to_ids": true, "type": "hostname", "uuid": "8bee22f5-556f-47ee-b9bb-fa968e6f0cea", "value": "static.microsoft-ns1.com" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1770868454", "to_ids": true, "type": "hostname", "uuid": "4205c9ce-257e-4f8e-9060-39c90e16d418", "value": "api.microsoft-ns1.com" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1770868454", "to_ids": true, "type": "hostname", "uuid": "377e72cd-5724-4de5-8126-ed623659e7b1", "value": "update.microsoft-ns1.com" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1770868454", "to_ids": true, "type": "hostname", "uuid": "7104a580-901d-4504-be53-6c37490c7d86", "value": "labour.govu.ml" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1770868454", "to_ids": true, "type": "domain", "uuid": "285603cd-5498-441c-89e2-b07f9f41f0c3", "value": "govm.tk" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1780041993", "to_ids": true, "type": "ip-dst", "uuid": "80d97d50-9408-43ea-9421-72625ba520e7", "value": "103.108.192.238", "Tag": [ { "colour": "#f8230e", "local": false, "name": "asn:asn=\"139021\"", "relationship_type": "" }, { "colour": "#879857", "local": false, "name": "asn:as-owner=\"WEST263GO-HK West263 International Limited\"", "relationship_type": "" }, { "colour": "#fbf8fb", "local": false, "name": "asn:as-country=\"HK\"", "relationship_type": "" }, { "colour": "#daa28c", "local": false, "name": "misp-galaxy:country=\"hong kong\"", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1780041995", "to_ids": true, "type": "ip-dst", "uuid": "d4068a86-2716-4c85-9931-1a22ac71b60c", "value": "103.149.90.235", "Tag": [ { "colour": "#3fa6ad", "local": false, "name": "asn:asn=\"401696\"", "relationship_type": "" }, { "colour": "#51efe5", "local": false, "name": "asn:as-owner=\"COGNETCLOUD\"", "relationship_type": "" }, { "colour": "#d16c37", "local": false, "name": "asn:as-country=\"US\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:country=\"united states of america\"", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1780041997", "to_ids": true, "type": "ip-dst", "uuid": "a844d673-de4d-4db2-8294-299565cf759c", "value": "192.225.226.217", "Tag": [ { "colour": "#fb82e8", "local": false, "name": "asn:asn=\"26665\"", "relationship_type": "" }, { "colour": "#7da366", "local": false, "name": "asn:as-owner=\"ZBUSA\"", "relationship_type": "" }, { "colour": "#d16c37", "local": false, "name": "asn:as-country=\"US\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:country=\"united states of america\"", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1780041998", "to_ids": true, "type": "ip-dst", "uuid": "9c07e1b3-87d1-43ed-b02c-2c3513831326", "value": "194.14.217.34", "Tag": [ { "colour": "#64bed2", "local": false, "name": "asn:asn=\"9009\"", "relationship_type": "" }, { "colour": "#41c276", "local": false, "name": "asn:as-owner=\"M247\"", "relationship_type": "" }, { "colour": "#26f3a1", "local": false, "name": "asn:as-country=\"RO\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:country=\"romania\"", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1780042000", "to_ids": true, "type": "ip-dst", "uuid": "ef4ee26b-3f09-4143-a5e9-f3cd6b5972b7", "value": "103.108.67.153", "Tag": [ { "colour": "#3fa6ad", "local": false, "name": "asn:asn=\"401696\"", "relationship_type": "" }, { "colour": "#51efe5", "local": false, "name": "asn:as-owner=\"COGNETCLOUD\"", "relationship_type": "" }, { "colour": "#d16c37", "local": false, "name": "asn:as-country=\"US\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:country=\"united states of america\"", "relationship_type": "" } ] }, { "category": "Other", "comment": "diamond-model", "deleted": false, "disable_correlation": false, "timestamp": "1770868479", "to_ids": false, "type": "comment", "uuid": "7e61db8b-041b-4596-9a92-a0c45959e8d0", "value": "https://raw.githubusercontent.com/rectifyq/Collections/refs/heads/main/Diamond-Models/2024/240523-Operation-Diplomatic-Specter/240523-Operation-Diplomatic-Specter.png" } ] } }