Aoqin Dragon: Persistent Cyber Espionage Targeting APAC
- Suspected Origin
- China (suspected)
- Motivation
- Espionage
- Aliases
- None documented
- Target Sectors
- Government, Education, Telecommunication
- Associated Malware
- Mongall, Heyoka Backdoor
Overview
Aoqin Dragon (G1007) is a long-standing and persistent cyber espionage threat group, suspected to be operating out of China, that has been active since at least 2013. Its operations are primarily focused on cyber espionage, with motivations closely aligned with the political interests of the Chinese government. The group has consistently targeted government, education, and telecommunication organizations, predominantly in Southeast Asia and Australia. Specific countries frequently impacted include Australia, Cambodia, Hong Kong, Singapore, and Vietnam. Security researchers, including SentinelOne, have assessed with moderate confidence that Aoqin Dragon is a small, Chinese-speaking team, noting potential associations with other threat actors like UNC94 (Mandiant) and the Naikon APT group.
Over its decade-long tenure, Aoqin Dragon has demonstrated a clear evolution in its tactics, techniques, and procedures (TTPs), consistently adapting its infection chains to evade detection and maintain stealth within target networks. Despite the continuous evolution, the group’s core objective remains consistent: long-term intelligence gathering to support geopolitical interests.
Tactics & Techniques
Aoqin Dragon employs a diverse array of tactics to achieve initial access and maintain persistence within target environments, constantly refining its methods. Their infection strategies can be broadly categorized into three evolving phases.
Early campaigns, spanning from approximately 2012 to 2015, heavily relied on document exploits to compromise targets. Specifically, they exploited known, albeit older, vulnerabilities such as CVE-2012-0158 and CVE-2010-3333 in weaponized Microsoft Word documents. These lure documents often contained themes designed to pique the interest of their targets, including content related to Asia-Pacific political affairs or, notably, pornographic themes.
In a later phase, Aoqin Dragon shifted to luring users into executing malicious payloads disguised as legitimate applications. They achieved this by tricking victims into double-clicking fake anti-virus programs, often spoofing brands like McAfee or Bkav. This method leverages social engineering to bypass initial defenses and execute malware on the victim’s host.
Since at least 2018, the group has increasingly favored the use of fake removable devices as an initial infection vector. This involves deploying malicious USB shortcut files (.LNK) that masquerade as legitimate external drives or popular applications like Evernote Tray Application. When clicked, these shortcut files initiate a sequence that leverages DLL hijacking to load malicious loaders, leading to system compromise. This technique also facilitates lateral movement and widespread infection by copying malicious files to other removable devices connected to the compromised system.
Beyond initial access, Aoqin Dragon employs several techniques for execution and defense evasion. They utilize DLL hijacking to run their chosen malware and pack their payloads with Themida to obfuscate code and hinder analysis. For command and control (C2) communication, the group has been observed using DNS tunneling, a method that can help evade traditional network monitoring.
Notable Campaigns
Aoqin Dragon’s operational history is marked by a continuous string of espionage campaigns dating back to 2013. One notable instance in 2014 involved using lure documents themed around the disappearance of Malaysia Airlines Flight MH370, an activity also associated with the Naikon APT group. This highlights the group’s opportunistic approach to current events for their social engineering efforts.
Throughout its campaigns, Aoqin Dragon has consistently demonstrated an ability to evolve its TTPs. From relying on older document exploits in the early years to adopting fake anti-virus executables and, more recently, sophisticated fake removable device lures, the group has proven its adaptability. This iterative refinement of their attack chain underscores their commitment to long-term espionage operations and their efforts to stay ahead of defensive measures.
Associated Malware & Tools
Aoqin Dragon primarily leverages a distinct set of custom and modified malware tools in its operations. The two most prominent backdoors associated with the group are Mongall and a modified version of Heyoka.
Mongall is a custom-built backdoor that has been in use since at least 2013. While not overly feature-rich, it provides essential backdoor functionalities, including establishing a remote shell, uploading and downloading arbitrary files, and exfiltrating system information to command and control (C2) servers via encrypted channels. More recent iterations of Mongall have shown upgraded encryption protocols and are often packed with Themida to enhance their evasiveness against reverse engineering and detection.
The group also utilizes a modified version of the open-source Heyoka exfiltration tool. Heyoka, in its original form, is designed for data exfiltration via DNS tunneling. Aoqin Dragon’s adaptation of this tool likely serves similar purposes, enabling stealthy data egress from compromised networks. These backdoors often function as DLLs injected into memory, decrypted, and then executed, further complicating analysis and detection.
In addition to these backdoors, Aoqin Dragon employs various custom loaders and spreaders as part of its infection chains. These components are designed to deliver the primary backdoors, copy malicious files to removable devices, and establish initial persistence.
Current Status
Aoqin Dragon remains an Active threat group. Security researchers continue to track their activities, noting that the group consistently evolves its TTPs to avoid detection and maintain a foothold in targeted networks. Given their history of persistent cyber espionage and continuous adaptation, it is highly probable that Aoqin Dragon will continue to conduct operations, further advancing their tradecraft to achieve their long-term intelligence objectives against organizations in Southeast Asia and Australia. The group’s sustained activity since 2013 underscores its commitment and capability to conduct covert operations for extended periods.
Related content
Worried this actor targets your sector?
Let's map your exposure before they find it themselves.
Book an advisory call