
China-Linked “DragonOK” Group Expands Operations

A China-linked threat group known as DragonOK has updated its toolset, and the decoy documents it has used in attacks suggest that its list of targets may have been expanded to include Russia and Tibet.

The first report on DragonOK’s activities was published by FireEye in September 2014. At the time, the security firm said the threat actor focused on high-tech and manufacturing companies in Japan and Taiwan, and noted that its goal appeared to be economic espionage.

In Japan, considered DragonOK’s main target, the group has recently attacked organizations in several industries, including manufacturing, higher education, technology, energy and semiconductor, Palo Alto Networks said in a blog post published on Thursday.

One of the pieces of malware known to be used by the actor, dubbed “Sysget,” has been delivered to targets in Taiwan. The security firm has observed three new versions of Sysget, all of which have been modified with features that make them harder to detect and analyze.

Sysget has been delivered via phishing emails carrying specially crafted documents that exploit CVE-2015-1641, a memory corruption vulnerability in Microsoft Word that Microsoft patched in April 2015 (MS15-033) and one of the most widely exploited Microsoft Office vulnerabilities. CVE-2015-1641 is known to have been exploited by APT actors that focus on East Asia, so a patched Office installation blocks this particular delivery vector even if the decoy document reaches the user.

The group also targeted Taiwan with a piece of malware named “IsSpace.” This Trojan is believed to be an evolution of the NFlog backdoor, which has been used by both DragonOK and a different China-based threat group tracked as Moafee. IsSpace was previously seen in a watering hole attack targeting an aerospace company, but the samples spotted recently appear to have been updated.

Palo Alto Networks said recent DragonOK attacks also involved a piece of malware known as TidePool. Researchers observed this Trojan earlier this year in attacks launched by a different China-linked group against Indian embassies, but it had not been used by DragonOK in earlier campaigns. DragonOK appears to have leveraged TidePool in attacks aimed at entities in Russia and Tibet.

The Russian-language decoy document used by the attackers referenced GOST, a Soviet-era block cipher developed in the 1970s and later standardized as GOST 28147-89. The malicious document believed to be aimed at Tibet, or at individuals interested in Tibetan affairs, contained an internal newsletter from the Central Tibetan Ministry.

Researchers found only a handful of links between the C&C infrastructure of TidePool, IsSpace and Sysget, the strongest being a registrant email address shared by domains used by Sysget and TidePool. Such overlaps are a common way to tie separate malware families to one operator, but a single shared registrant is a weak link on its own.
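The registrant-overlap pivot described above, as an added example that is not part of the article or of Palo Alto Networks’ report: given WHOIS-style records of (malware family, C&C domain, registrant email), it indexes domains by registrant, reports which families share one, and groups families into clusters connected through those shared registrants. All domains, email addresses and family-to-domain pairings below are constructed for illustration (only the family names come from the article), and the list of privacy-proxy registrant domains is an assumed placeholder.

```python
"""Pivot on shared WHOIS registrant e-mail to link malware C2 infrastructure.

Added example, not from the article or Palo Alto Networks' report. Every
domain, e-mail address and family/domain pairing below is constructed;
only the family names match the article.
"""
from collections import defaultdict
from typing import Dict, FrozenSet, Iterable, List, Set, Tuple

Record = Tuple[str, str, str]  # (malware_family, c2_domain, registrant_email)

# Registrant addresses owned by WHOIS privacy/proxy services link nothing:
# thousands of unrelated domains share them. Assumed list for illustration.
NOISY_REGISTRANT_DOMAINS = {"privacy-proxy.test", "whois-shield.test"}

# Constructed sample records (not real indicators).
SAMPLE_RECORDS: List[Record] = [
    ("Sysget",   "sysget-c2-a.test",   "owner1@mail.test"),
    ("Sysget",   "sysget-c2-b.test",   "owner2@mail.test"),
    ("TidePool", "tidepool-c2-a.test", "owner1@mail.test"),   # shares owner1 with Sysget
    ("TidePool", "tidepool-c2-b.test", "contact@privacy-proxy.test"),
    ("IsSpace",  "isspace-c2-a.test",  "contact@privacy-proxy.test"),  # proxy: not a link
    ("IsSpace",  "isspace-c2-b.test",  "owner3@mail.test"),
]


def is_noisy_registrant(email: str) -> bool:
    """True for privacy-proxy style addresses that must not be used as pivots."""
    return email.rsplit("@", 1)[-1].lower() in NOISY_REGISTRANT_DOMAINS


def index_by_registrant(records: Iterable[Record]) -> Dict[str, Set[Tuple[str, str]]]:
    """Map registrant e-mail -> {(family, domain)}, skipping noisy registrants."""
    index: Dict[str, Set[Tuple[str, str]]] = defaultdict(set)
    for family, domain, email in records:
        if is_noisy_registrant(email):
            continue
        index[email.lower()].add((family, domain))
    return dict(index)


def family_links(records: Iterable[Record]) -> Dict[FrozenSet[str], Set[str]]:
    """Return {frozenset({famA, famB}): {registrant e-mails that tie them}}."""
    links: Dict[FrozenSet[str], Set[str]] = defaultdict(set)
    for email, entries in index_by_registrant(records).items():
        families = sorted({fam for fam, _ in entries})
        for i, a in enumerate(families):
            for b in families[i + 1:]:
                links[frozenset((a, b))].add(email)
    return dict(links)


def family_clusters(records: Iterable[Record]) -> List[Set[str]]:
    """Group families into clusters connected, transitively, by shared registrants."""
    records = list(records)
    adjacency: Dict[str, Set[str]] = defaultdict(set)
    for family, _, _ in records:
        adjacency.setdefault(family, set())      # isolated families still appear
    for pair in family_links(records):
        a, b = tuple(pair)
        adjacency[a].add(b)
        adjacency[b].add(a)
    seen: Set[str] = set()
    clusters: List[Set[str]] = []
    for start in sorted(adjacency):              # depth-first walk of each component
        if start in seen:
            continue
        stack, cluster = [start], set()
        while stack:
            node = stack.pop()
            if node in cluster:
                continue
            cluster.add(node)
            stack.extend(adjacency[node] - cluster)
        seen |= cluster
        clusters.append(cluster)
    return clusters


if __name__ == "__main__":
    for pair, emails in family_links(SAMPLE_RECORDS).items():
        print(f"{' <-> '.join(sorted(pair))}: shared registrant(s) {sorted(emails)}")
    print("clusters:", [sorted(c) for c in family_clusters(SAMPLE_RECORDS)])
```

On the constructed data, Sysget and TidePool are tied through one registrant while IsSpace stays isolated, because the address it shares with TidePool belongs to a privacy proxy and is discarded. The same filtering applies to other pivots (shared hosting IPs, name servers, SSL certificates): a value shared with thousands of unrelated domains is noise, and a single surviving link should be reported as a weak association rather than attribution.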

Additional technical details on the malware and infrastructure observed in these DragonOK attacks are available in Palo Alto Networks’ blog post.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
