Aoqin Dragon

Aoqin Dragon is a suspected Chinese cyber espionage threat group that has been active since at least 2013. Aoqin Dragon has primarily targeted government, education, and telecommunication organizations in Australia, Cambodia, Hong Kong, Singapore, and Vietnam. Security researchers noted a potential association between Aoqin Dragon and UNC94, based on malware, infrastructure, and targets.[1]

ID: G1007
Contributors: Hiroki Nagahama, NEC Corporation; Pooja Natarajan, NEC Corporation India; Manikantan Srinivasan, NEC Corporation India
Version: 1.0
Created: 14 July 2022
Last Modified: 24 October 2022

Techniques Used

Domain ID Name Use
Enterprise T1587 .001 Develop Capabilities: Malware

Aoqin Dragon has used custom malware, including Mongall and Heyoka Backdoor, in their operations.[1]

Enterprise T1203 Exploitation for Client Execution

Aoqin Dragon has exploited CVE-2012-0158 and CVE-2010-3333 for execution against targeted systems.[1]

Enterprise T1083 File and Directory Discovery

Aoqin Dragon has run scripts to identify file formats including Microsoft Word.[1]

Enterprise T1570 Lateral Tool Transfer

Aoqin Dragon has spread malware in target networks by copying modules to folders masquerading as removable devices.[1]

Enterprise T1036 .005 Masquerading: Match Legitimate Name or Location

Aoqin Dragon has used fake icons including antivirus and external drives to disguise malicious payloads.[1]

Enterprise T1027 .002 Obfuscated Files or Information: Software Packing

Aoqin Dragon has used the Themida packer to obfuscate malicious payloads.[1]

Enterprise T1588 .002 Obtain Capabilities: Tool

Aoqin Dragon obtained the Heyoka open source exfiltration tool and subsequently modified it for their operations.[1]

Enterprise T1091 Replication Through Removable Media

Aoqin Dragon has used a dropper that employs a worm infection strategy using a removable device to breach a secure network environment.[1]

Enterprise T1204 .002 User Execution: Malicious File

Aoqin Dragon has lured victims into opening weaponized documents, fake external drives, and fake antivirus to execute malicious payloads.[1]