>samit_hota
Back to adversary profiles
G0017MediumActive

DragonOK: China-Linked APT Group Targeting Asian & European Organizations

Samit Hota·
Suspected Origin
China
Motivation
Espionage, Information Theft, Competitive Advantage
Aliases
None documented
Target Sectors
High-Tech, Manufacturing, Energy, Higher Education, Semiconductor, Government
Associated Malware
Sysget/HelloBridge, PlugX, PoisonIvy, FormerFirstRat, NFlog, NewCT, IsSpace, TidePool, HTran, KHRAT, Mongall, Rambo
#threat-actor#g0017

Overview

DragonOK, identified by MITRE ATT&CK as G0017, is a sophisticated, China-linked Advanced Persistent Threat (APT) group primarily focused on corporate espionage and information theft. First brought to light by FireEye in September 2014, the group’s operations are believed to originate from China’s Jiangsu Province. Their motivation centers on acquiring trade secrets and sensitive intelligence, ultimately providing a competitive economic advantage to their sponsors.

While DragonOK has historically targeted Japanese organizations with notable intensity, particularly within the high-tech and manufacturing sectors, their operational scope has expanded over time. Beyond Japan, the group has been observed targeting entities in Taiwan, Tibet, Russia, and political organizations in Cambodia. Specific Japanese industries victimized include manufacturing, technology, energy, higher education, and semiconductor firms.

DragonOK maintains a direct or indirect relationship with another China-linked APT group, Moafee (G0002), due to significant overlaps in their tactics, techniques, and custom tools. Although they are thought to operate in parallel, Moafee typically focuses on military and government organizations tied to the South China Sea disputes and the U.S. defense industrial base, differentiating their primary target profiles from DragonOK’s corporate espionage objectives.

Tactics & Techniques

DragonOK relies heavily on tailored social engineering to gain initial access, predominantly through spear phishing campaigns. These emails often contain malicious attachments, either executable files or Rich Text Format (RTF) documents designed to exploit vulnerabilities. A notable exploit utilized by the group is CVE-2015-1641, a memory corruption vulnerability in Microsoft Office, leveraged via unique shellcode embedded in RTF documents.

To evade detection and complicate analysis, DragonOK employs several defense evasion techniques. They have been observed using password-protected documents and unusually large files to mask their malicious content. Furthermore, the group continuously updates its toolset and tactics to counter evolving security measures. For execution, they frequently use built-in Windows applications and launch legitimate programs like regsvr32.exe to bypass operating system protections and execute additional payloads.

Their command and control (C2) infrastructure often incorporates proxy tools like HUC Packet Transmit Tool (HTRAN) to obscure their geographical location. They have also been known to set up expansive infrastructure designed to mimic legitimate services, such as cloud-based file hosting, to blend their malicious communications with normal network traffic. Once a foothold is established, DragonOK aims for persistence by creating new scheduled tasks or manipulating registry run keys. For data collection, their malware is equipped with capabilities like keylogging, screenshot capture, and file transfer, enabling comprehensive espionage.

Notable Campaigns

DragonOK’s activity was first formally identified in September 2014. One significant campaign took place between January and March 2015, targeting Japanese manufacturing and high-tech firms. This campaign involved at least five distinct phishing attacks, each deploying different variants of the Sysget malware, also known as HelloBridge, and introducing the new FormerFirstRAT backdoor.

In early 2017, the group resurfaced with updated tools and tactics, targeting a broader range of Japanese industries including manufacturing, technology, energy, higher education, and semiconductor companies. During this period, they also expanded their geographical focus to include Taiwan, Tibet, and Russia, employing malware families such as Sysget, IsSpace, and the previously unobserved TidePool. Around the same time, Palo Alto Networks’ Unit 42 documented a campaign featuring the KHRAT remote access Trojan (RAT) targeting political organizations in Cambodia, with decoy documents referencing the Mekong Integrated Water Resources Management Project.

Associated Malware & Tools

DragonOK’s arsenal is diverse, featuring a mix of custom-developed tools and commercially available or widely used malware. Key malware families and tools associated with the group include:

  • Sysget/HelloBridge: This custom backdoor is a primary first-stage payload, often delivered via phishing. Multiple updated versions have been observed, featuring improvements to evade detection and analysis.
  • PlugX: A well-known remote access Trojan frequently used by Chinese APT groups, providing extensive backdoor capabilities.
  • PoisonIvy: Another common RAT, known for keylogging, screen capture, and file transfer functionalities.
  • FormerFirstRAT (FFRat): A custom backdoor identified in 2015 campaigns. Code similarities between FFRat and the MulCom backdoor were noted in “Operation Dragon Castling” in 2022, suggesting code sharing among Chinese-speaking APT groups.
  • NFlog: A backdoor also shared with the Moafee group.
  • NewCT: A highly customized RAT, often referred to as CT/NewCT/NewCT2.
  • IsSpace: An evolved variant of the NFlog backdoor, observed in attacks since at least 2017.
  • TidePool: A malware family first observed being used by DragonOK in 2017 campaigns, although it has also been linked to the Operation Ke3chang group.
  • HUC Packet Transmit Tool (HTRAN): A proxy tool used to obscure the attackers’ geographical location.
  • KHRAT: A remote access Trojan used in campaigns targeting Cambodia.
  • Mongall and Rambo: Other RATs noted in the group’s historical toolkit.

Current Status

While DragonOK was particularly active between 2014 and 2017 with clearly documented campaigns and toolset updates, the direct attribution of recent, specific campaigns under the “DragonOK” name has become less frequent in public reporting. The MITRE ATT&CK entry for G0017 was last modified in November 2024, indicating continued relevance in the threat landscape.

Reports from 2017 highlighted the group’s ongoing efforts to update their tools and tactics, indicating a persistent and evolving threat. More recent analyses, such as the 2022 “Operation Dragon Castling,” noted code similarities between FFRat (a DragonOK-associated malware) and other backdoors used by Chinese-speaking APT groups, although this particular campaign was not directly attributed to DragonOK itself. This suggests that while the explicit “DragonOK” moniker might appear less frequently in headlines detailing new campaigns, the underlying capabilities, malware, and possibly even personnel may continue to operate or share resources within the broader ecosystem of Chinese state-sponsored cyber espionage. Therefore, it is prudent to consider DragonOK as an active threat, with its activities potentially integrated into or overlapping with other related groups, making their specific attribution in every instance challenging.

Worried this actor targets your sector?

Let's map your exposure before they find it themselves.

Book an advisory call