Skip to main content
Meet us at Black Hat USA 2026— Las Vegas, August 1–6Book a Meeting
Mallory
Back to threat actors
9 malware familiesExploits CVEs in the wild

CloudComputating

Also known ascloudcomputating

CloudComputating is a Chinese-speaking threat actor assessed in the provided reporting to be responsible, with medium confidence, for deployment of the QSC modular in-memory malware framework and the GoClient Golang backdoor. The actor is also identified in the content as BackdoorDiplomacy or Faking Dragon. Reporting cited here links CloudComputating to targeting of high-profile Middle Eastern diplomatic entities, as well as government targets in the Middle East and Africa, telecom targets in South Asia, and an ISP in West Asia. The actor’s tooling and operations described in the content include use of Quarian version 3, also known as Turian, to deploy QSC and later GoClient. QSC is described as a plugin-based in-memory framework composed of Loader, Core, Network, Command Shell, and File Manager modules, with TLS communications via MbedTLS and support for proxying or internal pivot routing. GoClient is a Golang backdoor used for command execution, file operations, screenshot capture, self-deletion, and reconnaissance. The reporting also associates CloudComputating with TailorScan and StowProxy, and notes infrastructure overlap involving proxy.oracleapps.org previously linked to BackdoorDiplomacy. Operationally, the content describes CloudComputating using Windows service modification for persistence and loader execution, extensive host and domain reconnaissance, enumeration of domain controllers and file servers, use of rar.exe and batch scripts to collect data, registry modification to disable UAC remote restrictions, lateral movement with WMIC and stolen domain administrator credentials, pass-the-hash activity via we.exe, theft of NTDS.dit through shadow-copy creation, and use of pf.exe on pivot hosts to forward traffic to remote command-and-control. The reporting further notes earlier Quarian and PlugX activity, including one case following exploitation of Microsoft Exchange CVE-2020-0688 and deployment via a ChinaChopper web shell. Overall, the content portrays CloudComputating/BackdoorDiplomacy/Faking Dragon as a Chinese-speaking espionage actor focused on diplomatic, government, telecom, and related strategic targets, with an evolution toward modular, memory-resident tooling and internal network pivoting.

Share:
Are they targeting you?

Know when an actor pivots toward your sector

Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.

Start free trial
OPERATIONAL PROFILE

Targeting

Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.

Who they target

Sectors the actor has been observed targeting.

  • Telecommunication Services
MITRE ATT&CK

Tradecraft

20 distinct techniques observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.

9 of 15 tactics31 techniques×N= number of intelligence reports citing this technique
MITRE ATT&CK
TA0001
Initial Access
1 technique
T1190
Exploit Public-Facing Application
TA0002
Execution
3 techniques
T1059
Command and Scripting Interpreter
T1059.003
Windows Command Shell
T1569
System Services
T1569.002
Service Execution
T1574
Hijack Execution Flow
T1574.011
Services Registry Permissions Weakness
TA0003
Persistence
1 technique
T1505
Server Software Component
T1505.003
Web Shell
TA0005
Stealth
3 techniques
T1070
Indicator Removal
T1070.004
File Deletion
T1574
Hijack Execution Flow
T1574.011
Services Registry Permissions Weakness
T1620
Reflective Code Loading
TA0006
Credential Access
1 technique
T1003
OS Credential Dumping
T1003.003
NTDS
TA0007
Discovery
5 techniques
T1016
System Network Configuration Discovery
T1046
Network Service Discovery
T1082
System Information Discovery
T1083
File and Directory Discovery
T1087
Account Discovery
T1087.002
Domain Account
TA0008
Lateral Movement
2 techniques
T1021
Remote Services
T1021.003
Distributed Component Object Model
T1550
Use Alternate Authentication Material
T1550.002
Pass the Hash
TA0009
Collection
3 techniques
T1005
Data from Local System
T1113
Screen Capture
T1560
Archive Collected Data
TA0011
Command and Control
2 techniques
T1090
Proxy
T1105
Ingress Tool Transfer
ARSENAL

Associated malware families

9 malware families attributed to this actor across reporting.

FamilyContextEvidenceLast seen
QuarianOur investigation found that the target machines had been infected with the Quarian backdoor version 3 (aka Turian) since 2022, and the same attackers had used this access to deploy the QSC framework starting on October 10, 2023.2Jun 14, 2026
ChinaChopperthe server was indeed compromised and was hosting the ChinaChopper webshell, which was used to obtain, and later launch, the Quarian and PlugX backdoors.1Mar 18, 2026
GoClientIn addition to the QSC framework, the attackers also deployed a new backdoor written in Golang, which we have named “GoClient”.1Jun 14, 2026
Hias"...fileless version of the well-known ‘HiKit’ malware dubbed ‘Hias’."1Mar 18, 2026
Hikit"...a fileless version of the well-known ‘HiKit’ malware dubbed ‘Hias’."1Mar 18, 2026

4 additional families tracked in Mallory.

WEAPONIZED

Associated vulnerabilities

1 CVE this actor has used in observed campaigns. 1 of them exploited in the wild.

CVE-2020-0688Microsoft Exchange Memory Corruption VulnerabilityIn the wildEvidence1

In one case, we could see that this variant was deployed following exploitation of the CVE-2020-0688 vulnerability on the network of a government entity. This vulnerability, which was publicly reported in February 2020, allows an authenticated user to run commands as SYSTEM on a Microsoft Exchange server.

IOCS

Observables

36 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting. View more in app.

36 IOCsView more in app

IOC values are gated. View more in Mallory for domains, IPs, hashes, and other artifacts, or pipe them straight into your SIEM.

ACTIVITY FEED

Recent activity

3 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

3 SOURCESView more in app
securelistNews
May 13, 2021
QSC: new modular framework in CloudComputating campaigns | Securelist

Conducting targeted espionage intrusions against telecommunications/ISP organizations in South and West Asia using Quarian (Turian) for initial access/persistence, then deploying the QSC modular framework and GoClient backdoor for persistence, reconnaissance, remote command execution, credential abuse, lateral movement, and NTDS theft.

Read more
securelistNews
Jul 29, 2020
APT trends report Q2 2020

Assessed behind 2020 attacks on Middle Eastern and African governments using Quarian and PlugX, with initial access via Exchange exploitation (CVE-2020-0688) and ChinaChopper webshell deployment; historically targets high-profile Middle Eastern diplomatic entities.

Read more
securelistNews
Aug 8, 2017
APT Trends report Q2 2017

Chinese-speaking activity cluster tied (in this text) to Hias, a fileless variant of HiKit, based on discovery of its persistence mechanism.

Read more
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: sector and geo overlap with your footprint, the IOCs they’re burning right now, detection coverage, and what to do next.
Start free trial
Target overlap

Match sector + geo + tech-stack targeting against your real footprint.

Tradecraft mapping20

Every observed MITRE ATT&CK technique, grouped by tactic.

Malware arsenal9

Families this actor is known to deploy, with IOCs and behavior.

Exploited CVEs1

CVEs this actor has used in known campaigns.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Observables36

Domains, IPs, and hashes tied to this actor, refreshed continuously.