Aoqin Dragon

Aoqin Dragon is a cyberespionage threat actor tracked by SentinelLABS that has operated since at least 2013. It primarily targets government, education, and telecommunication organizations in Southeast Asia and Australia, including activity affecting Australia, Cambodia, Hong Kong, Singapore, and Vietnam. SentinelLABS assesses its primary motive as espionage and assesses with moderate confidence that it is a small Chinese-speaking team. SentinelLABS also noted a potential association with UNC94 based on overlapping targeting, malware artifacts, infrastructure, and Chinese-language development traces. The actor has used multiple user-execution and spearphishing-style lures, including weaponized Microsoft Word documents, fake antivirus executables, fake folder or external-drive themed files, and removable-media shortcut lures. Reported exploitation includes CVE-2012-0158 and CVE-2010-3333 in weaponized Word documents. From 2018 onward, it used fake removable-device lures and USB shortcut techniques, including a shortcut impersonating a removable disk that launched an "Evernote Tray Application" to trigger DLL hijacking. Aoqin Dragon relies heavily on DLL hijacking, process injection, obfuscation, and persistence. Its loader used DLL hijacking to load a malicious encrashrep.dll component as explorer.exe, decrypted payloads, and injected a backdoor into rundll32.exe memory. It established persistence via autostart values such as EverNoteTrayUService or EverNoteTrayService after copying modules into %USERPROFILE%\AppData\Roaming\EverNoteService. The group has also used the Themida packer to obfuscate payloads. The actor is associated with the Mongall backdoor and a modified version of the open-source Heyoka tool. Mongall has been used by the group since 2013 and supports remote shell access, file upload, and file download, communicating over HTTP GET with data encoded or encrypted using base64, modified base64, or RC4 depending on the variant. Aoqin Dragon also obtained and modified the open-source Heyoka project for its operations; the modified backdoor added hardcoded command-and-control servers, checked whether it was running as a system service, and supported shell access, file operations, process management, and host discovery. Additional observed behavior includes scripts to identify file formats including Microsoft Word, use of rar commands in droppers to archive targeted document types such as .doc and .docx, and use of a spreader component named "upan" to copy malicious modules to removable devices for propagation. Debug strings and PDB paths contained Simplified Chinese text and references including DLL_test, upan, Mongall, and DnsControl. Known aliases and related tracking in the provided content: aoqin_dragon; potential association with UNC94.