Security Experts:

Connect with us

Hi, what are you looking for?



China-Linked “DragonOK” Group Expands Operations

A China-linked threat group known as DragonOK has updated its toolset, and the decoy documents it has used in attacks suggest that its list of targets may have been expanded to include Russia and Tibet.

A China-linked threat group known as DragonOK has updated its toolset, and the decoy documents it has used in attacks suggest that its list of targets may have been expanded to include Russia and Tibet.

The first report on DragonOK’s activities was published by FireEye in September 2014. At the time, the security firm said the threat actor focused on high-tech and manufacturing companies in Japan and Taiwan, and noted that its goal appeared to be economic espionage.

In Japan, considered DragonOK’s main target, the group has recently attacked organizations in several industries, including manufacturing, higher education, technology, energy and semiconductor, Palo Alto Networks said in a blog post published on Thursday.

One of the pieces of malware known to be used by the actor, dubbed “Sysget,” has been delivered to targets in Taiwan. The security firm has observed three new versions of Sysget and they have all been improved with features that make them more difficult to detect and analyze.

Sysget has been delivered via phishing emails and specially crafted documents set up to exploit CVE-2015-1641, one of the most widely used Microsoft Office vulnerabilities. CVE-2015-1641 is known to have been exploited by APT actors that focus on East Asia.

The group also targeted Taiwan with a piece of malware named “IsSpace.” This Trojan is believed to be an evolution of the NFlog backdoor, which has been used by both DragonOK and a different China-based threat group tracked as Moafee. IsSpace was previously seen in a watering hole attack targeting an aerospace company, but the samples spotted recently appear to have been updated.

Palo Alto Networks said recent DragonOK attacks also involved a piece of malware known as TidePool. Researchers observed this Trojan earlier this year in attacks launched by a different China-linked group against Indian embassies, but it had not been used by DragonOK in earlier campaigns. DragonOK appears to have leveraged TidePool in attacks aimed at entities in Russia and Tibet.

The Russian-language decoy document used by the attackers referenced GOST, a block cipher developed by the Russian government in the 1970s. The malicious document believed to be aimed at Tibet, or individuals interested in Tibetan affairs, contained an internal newsletter from the Central Tibetan Ministry.

Researchers only discovered a handful of links between the C&C domains of TidePool, IsSpace and Sysget, including a registrant email address associated with domains used by Sysget and TidePool.

Additional technical details on the malware and infrastructure observed in these DragonOK attacks are available in Palo Alto Networks’ blog post.

Related: Chinese Attackers Conduct Cyberespionage for Economic Gain

Related: China-Linked APT3 Group Focuses Attacks on Hong Kong

Related: Chinese Cyberspies Target European Drone Maker, Energy Firm

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Expert Insights

Related Content


Websites of German airports, administration bodies and banks were hit by DDoS attacks attributed to Russian hacker group Killnet

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.


Iranian APT Moses Staff is leaking data stolen from Saudi Arabia government ministries under the recently created Abraham's Ax persona


CISA, NSA, and MS-ISAC issued an alert on the malicious use of RMM software to steal money from bank accounts.


Chinese threat actor DragonSpark has been using the SparkRAT open source backdoor in attacks targeting East Asian organizations.


Artificial intelligence is competing in another endeavor once limited to humans — creating propaganda and disinformation.


The UK’s NCSC has issued a security advisory to warn about spearphishing campaigns conducted by two unrelated Russian and Iranian hacker groups.

Application Security

Electric car maker Tesla is using the annual Pwn2Own hacker contest to incentivize security researchers to showcase complex exploit chains that can lead to...