Connect with us

Hi, what are you looking for?



Chinese Cyberspy Group ‘Aoqin Dragon’ Targeting Southeast Asia, Australia Since 2013

SentinelOne security researchers have analyzed the operations of a Chinese cyberespionage group that has been actively targeting education, government, and telecommunication organizations in Australia and Southeast Asia since at least 2013.

SentinelOne security researchers have analyzed the operations of a Chinese cyberespionage group that has been actively targeting education, government, and telecommunication organizations in Australia and Southeast Asia since at least 2013.

Dubbed Aoqin Dragon, the group was observed switching from the use of malicious documents to employing a fake antivirus, and more recently using a fake removable drive to lure intended victims into installing malware on their systems.

The threat actor heavily relies on the USB shortcut technique to infect additional targets, SentinelOne says. The group typically drops one of two backdoors on a compromised system, namely Mongall or a modified variant of Heyoka.

According to SentinelOne, the ongoing Aoqin Dragon activity has been mainly focused on spying on organizations in Australia, Cambodia, Hong Kong, Singapore, and Vietnam.

Between 2012 and 2015, it mainly targeted victims with malicious documents exploiting CVE-2012-0158 and CVE-2010-3333. While patches for these bugs had been released before Aoqin Dragon’s exploitation attempts, “this kind of RTF-handling vulnerability decoy was very common in that period,” SentinelOne notes.

The attackers used pornographic themes to lure victims into opening the malicious documents, they included in most documents decoy content themed around APAC political affairs, and used documents that are specific to the entirety of Southeast Asia.

Aoqin Dragon also employed executable files that featured modified file icons to pose as Windows folders or antivirus applications, but which instead dropped a backdoor on the victim’s system.

Advertisement. Scroll to continue reading.

The executable dropper typically contained a script that was designed to search the system for Microsoft Word documents. The dropper also acted as a worm, abusing removable devices to spread the malware to additional hosts.

In recent campaigns, the attack chain features a removable disk shortcut file that leads to malware execution. DLL hijacking is employed to execute a malicious loader as explorer.exe.

The loader then checks for attached removable devices, copies malware modules to the AppData folder, and then sets the auto start function to the location of the malicious files, so that the loader is executed at system reboot.

The loader then decrypts two payloads, namely a spreader designed to copy all malicious files to removable drives, and an encrypted backdoor that injects itself into the rundll32 process.

The security researchers have identified several versions of Mongall, a small backdoor that the threat actor has been using since 2013. The threat was designed to create a remote shell and to download and upload files, and uses the GET protocol for data transmission.

Aoqin Dragon was also observed using a modified version of Heyoka, an open source project designed to exfiltrate data through spoofed DNS requests that create a bidirectional tunnel. The cyberspies deploy this tool on the victim’s system using DLL injection.

The malware authors also expanded the project’s capabilities and added two hardcoded command and control (C&C) servers to it. Featuring the same capabilities as Mongall, the backdoor also checks if it runs as a service or not, to ensure it has privileges to be persistent.

“The targeting of Aoqin Dragon closely aligns with the Chinese government’s political interests. Considering this long-term effort and continuous targeted attacks for the past few years, we assess the threat actor’s motives are espionage-oriented,” SentinelOne notes.

Related: Chinese Threat Actors Exploiting ‘Follina’ Vulnerability

Related: Chinese Hackers Abuse Cybersecurity Products for Malware Execution

Related: Chinese Cyberspies Seen Using macOS Variant of ‘Gimmick’ Malware

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


WASHINGTON - Cyberattacks are the most serious threat facing the United States, even more so than terrorism, according to American defense experts. Almost half...


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.


Websites of German airports, administration bodies and banks were hit by DDoS attacks attributed to Russian hacker group Killnet

Malware & Threats

Threat actors are increasingly abusing Microsoft OneNote documents to deliver malware in both targeted and spray-and-pray campaigns.


The war in Ukraine is the first major conflagration between two technologically advanced powers in the age of cyber. It prompts us to question...

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...