
APT-Q-27

Also known as: apt_q_27

APT-Q-27, also known as GoldenEyeDog and Dragon Breath, is a Chinese-nexus threat group that has been active since at least 2022. Reporting tracked here links the group to campaigns targeting gambling, cryptocurrency, and Web3 organizations, including their customer support teams. In one active campaign, the group posed as customers in live support chats and sent fake screenshot shortlinks that delivered a .pif executable disguised as an image.

The malware chain used a multi-stage design: retrieval of additional components from an AWS S3 bucket via a manifest, DLL sideloading using a legitimate YY platform binary (updat.exe), decryption and in-memory execution of payloads from files such as yyext.log or updat.log, and a final persistent backdoor. Observed persistence and defense-evasion behaviors included registry Run keys, Windows service creation (including the misspelled service name "Windows Eventn."), other registry modifications, UAC disabling through three registry keys, obfuscated executables, reflective or in-memory loading, and cleanup activity. The implant communicated over TCP port 15628 with 37 hardcoded command-and-control servers in one campaign.

Runtime artifacts associated with the group in reporting include the mutex Global\DHGGlobalMutex and the registry keys HKCU\offlinekey\open and HKCU\offlinekey\clipboard; the latter two are described as settings related to keylogging and clipboard hijacking. Additional reporting ties APT-Q-27 to the long-running sims-4-updater malware campaign, including a 2026 sample signed with a DigiCert EV code-signing certificate issued to MobSoft Co., Ltd, using live infrastructure such as lightindividual.com and dead-drop resolvers on rentry.co, rentry.org, and gist.githubusercontent.com.
CyStack also reported a mid-January 2026 intrusion in a corporate customer support environment whose command-and-control infrastructure, modular backdoor design, multi-stage architecture, and use of an encrypted payload container resembled prior APT-Q-27 activity, though that attribution was not definitive.
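As an added example (not Mallory's code and not taken from any of the cited reports), the following Python snippet turns the artifacts quoted in the profile above into a small host-telemetry matcher that a detection engineer could adapt to their own event schema. The artifact values (service name, mutex, registry keys, port, sideload binary and payload files, domains, certificate subject) come from the profile; the event format (plain dicts with a "type" field), the rule names, and the sample events are assumptions constructed for illustration.

```python
# Added example: match telemetry against the APT-Q-27 artifacts named in the profile.
# Event schema and SAMPLE_EVENTS are constructed for illustration, not real logs.
from collections import Counter

# Artifacts quoted in the profile text.
SERVICE_NAME = "Windows Eventn."                        # misspelled service name
MUTEX = r"Global\DHGGlobalMutex"
IMPLANT_REG_KEYS = {r"hkcu\offlinekey\open", r"hkcu\offlinekey\clipboard"}
C2_PORT = 15628                                         # TCP
SIDELOAD_HOST = "updat.exe"                             # legitimate YY platform binary
SIDELOAD_PAYLOADS = {"yyext.log", "updat.log"}          # encrypted payload containers
INFRA_DOMAINS = {"lightindividual.com"}
DEAD_DROP_HOSTS = {"rentry.co", "rentry.org", "gist.githubusercontent.com"}
SIGNER_SUBJECT = "MobSoft Co., Ltd"


def _norm_key(key: str) -> str:
    """Lower-case a registry path and shorten the hive name so both spellings match."""
    return key.strip().replace("HKEY_CURRENT_USER", "HKCU").lower()


def _basename(path: str) -> str:
    """Last path component, lower-cased, accepting either separator."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def match_event(ev: dict) -> list[str]:
    """Return the names of the profile-derived rules that fire on one event."""
    hits = []
    t = ev.get("type")
    if t == "service_create" and ev.get("service_name") == SERVICE_NAME:
        hits.append("service_name_windows_eventn")
    elif t == "mutex_create" and ev.get("name") == MUTEX:
        hits.append("mutex_dhgglobalmutex")
    elif t == "registry_set" and _norm_key(ev.get("key", "")) in IMPLANT_REG_KEYS:
        hits.append("registry_offlinekey")
    elif t == "file_read":
        # updat.exe reading its encrypted payload container (yyext.log / updat.log)
        if (_basename(ev.get("process", "")) == SIDELOAD_HOST
                and _basename(ev.get("path", "")) in SIDELOAD_PAYLOADS):
            hits.append("sideload_payload_read")
    elif t == "network_connect" and ev.get("proto") == "tcp" and ev.get("dst_port") == C2_PORT:
        hits.append("c2_port_15628")
    elif t == "dns_query":
        host = ev.get("query", "").lower().rstrip(".")
        if host in INFRA_DOMAINS:
            hits.append("infra_domain")
        elif host in DEAD_DROP_HOSTS:
            # Shared paste/gist services: weak alone, useful alongside other hits.
            hits.append("dead_drop_host_lowconf")
    elif t == "code_signing" and ev.get("subject") == SIGNER_SUBJECT:
        hits.append("ev_cert_mobsoft")
    return hits


def scan(events):
    """Run every event through match_event; return (per-event hits, distinct-rule counter)."""
    per_event = [(i, hit) for i, ev in enumerate(events) for hit in match_event(ev)]
    return per_event, Counter(h for _, h in per_event)


def triage(events, min_strong_rules=2):
    """Escalate when at least min_strong_rules distinct high-confidence rules fire."""
    _, rules = scan(events)
    strong = {r for r in rules if not r.endswith("_lowconf")}
    return len(strong) >= min_strong_rules


# Constructed sample telemetry (assumed schema, not real logs).
SAMPLE_EVENTS = [
    {"type": "dns_query", "query": "gist.githubusercontent.com"},
    {"type": "file_read", "process": r"C:\Users\a\AppData\Local\YY\updat.exe",
     "path": r"C:\Users\a\AppData\Local\YY\yyext.log"},
    {"type": "service_create", "service_name": "Windows Eventn.", "image": r"C:\ProgramData\svc.exe"},
    {"type": "registry_set", "key": r"HKEY_CURRENT_USER\offlinekey\clipboard", "value": "1"},
    {"type": "mutex_create", "name": r"Global\DHGGlobalMutex"},
    {"type": "network_connect", "proto": "tcp", "dst_ip": "203.0.113.10", "dst_port": 15628},
    {"type": "network_connect", "proto": "tcp", "dst_ip": "203.0.113.11", "dst_port": 443},
    {"type": "service_create", "service_name": "Windows Event Log"},   # correct spelling: must not fire
]

if __name__ == "__main__":
    hits, rules = scan(SAMPLE_EVENTS)
    for i, rule in hits:
        print(f"event {i}: {rule}")
    print("escalate:", triage(SAMPLE_EVENTS))
```

The dead-drop hosts are legitimate shared services, so that rule is deliberately marked low-confidence and excluded from the escalation threshold in triage; the exact-match service name catches the misspelling while leaving the genuine "Windows Event Log" service alone.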


OPERATIONAL PROFILE

Targeting

Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.

Who they target

Sectors the actor has been observed targeting.

  • Commercial & Professional Services

Where they're from

Attributed origin per open-source reporting.

  • HK
  • JP
  • US
  • IN

MITRE ATT&CK

Tradecraft

53 distinct techniques observed across reporting, grouped by tactic. 13 of 15 tactics; 76 technique entries. ×N = number of intelligence reports citing that technique.

TA0042 Resource Development (1 technique)
  • T1583 Acquire Infrastructure
      • T1583.001 Domains
      • T1583.003 Virtual Private Server

TA0001 Initial Access (3 techniques)
  • T1189 Drive-by Compromise (×3)
  • T1195 Supply Chain Compromise
  • T1566 Phishing
      • T1566.001 Spearphishing Attachment
      • T1566.002 Spearphishing Link (×3)

TA0002 Execution (5 techniques)
  • T1059 Command and Scripting Interpreter
      • T1059.003 Windows Command Shell (×2)
      • T1059.007 JavaScript (×2)
  • T1129 Shared Modules
  • T1204 User Execution
      • T1204.002 Malicious File
  • T1569 System Services
      • T1569.002 Service Execution
  • T1574 Hijack Execution Flow
      • T1574.001 DLL (×4)

TA0003 Persistence (3 techniques)
  • T1112 Modify Registry (×5)
  • T1543 Create or Modify System Process
      • T1543.003 Windows Service (×3)
  • T1547 Boot or Logon Autostart Execution
      • T1547.001 Registry Run Keys / Startup Folder (×3)
      • T1547.009 Shortcut Modification

TA0004 Privilege Escalation (5 techniques)
  • T1055 Process Injection
      • T1055.001 Dynamic-link Library Injection
  • T1134 Access Token Manipulation
  • T1543 Create or Modify System Process
      • T1543.003 Windows Service (×3)
  • T1547 Boot or Logon Autostart Execution
      • T1547.001 Registry Run Keys / Startup Folder (×3)
      • T1547.009 Shortcut Modification
  • T1548 Abuse Elevation Control Mechanism
      • T1548.002 Bypass User Account Control (×2)

TA0005 Stealth (9 techniques)
  • T1027 Obfuscated Files or Information
      • T1027.007 Dynamic API Resolution
  • T1036 Masquerading (×6)
      • T1036.004 Masquerade Task or Service
  • T1055 Process Injection
      • T1055.001 Dynamic-link Library Injection
  • T1070 Indicator Removal
      • T1070.001 Clear Windows Event Logs (×3)
  • T1134 Access Token Manipulation
  • T1140 Deobfuscate/Decode Files or Information (×3)
  • T1218 System Binary Proxy Execution
      • T1218.010 Regsvr32
  • T1574 Hijack Execution Flow
      • T1574.001 DLL (×4)
  • T1620 Reflective Code Loading (×3)

TA0112 Defense Impairment (2 techniques)
  • T1112 Modify Registry (×5)
  • T1553 Subvert Trust Controls
      • T1553.002 Code Signing (×3)
      • T1553.006 Code Signing Policy Modification

TA0006 Credential Access (2 techniques)
  • T1056 Input Capture
      • T1056.001 Keylogging (×2)
  • T1649 Steal or Forge Authentication Certificates

TA0007 Discovery (4 techniques)
  • T1033 System Owner/User Discovery
  • T1057 Process Discovery
  • T1082 System Information Discovery (×2)
  • T1518 Software Discovery
      • T1518.001 Security Software Discovery

TA0009 Collection (2 techniques)
  • T1056 Input Capture
      • T1056.001 Keylogging (×2)
  • T1115 Clipboard Data (×4)

TA0011 Command and Control (6 techniques)
  • T1071 Application Layer Protocol (×2)
      • T1071.001 Web Protocols
  • T1095 Non-Application Layer Protocol
  • T1102 Web Service
      • T1102.001 Dead Drop Resolver
  • T1105 Ingress Tool Transfer (×4)
  • T1568 Dynamic Resolution
      • T1568.002 Domain Generation Algorithms
  • T1573 Encrypted Channel
      • T1573.001 Symmetric Cryptography

TA0010 Exfiltration (1 technique)
  • T1041 Exfiltration Over C2 Channel

TA0040 Impact (1 technique)
  • T1529 System Shutdown/Reboot

ARSENAL

Associated malware families

6 malware families attributed to this actor across reporting.

Family: gh0st RAT | Evidence: 3 | Last seen: Jun 14, 2026
  Context: Elastic Security Labs identified a recent campaign distributing a modified variant of the gh0st RAT, attributed to the Dragon Breath APT (APT-Q-27)... The final payload has not undergone major changes since Sophos's discovery of a DragonBreath campaign in 2023... It is still a modified version of the open-source gh0st RAT.

Family: RoningLoader | Evidence: 2 | Last seen: Jun 14, 2026
  Context: Through this report, we hope to raise awareness of new techniques this malware is starting to implement and to shine a light on a unique loader we are naming RoningLoader.

Family: MetaMask | Evidence: 1 | Last seen: Jun 14, 2026
  Context: It also contains a string related to MetaMask. MetaMask is a crypto (Ethereum) wallet available as, among other things, a Chrome extension.

Family: sims-4-updater | Evidence: 1 | Last seen: Apr 21, 2026
  Context: On April 7, 2026, a new sample of the long-running malicious sims-4-updater.exe campaign surfaced on MalwareBazaar... The implant is a custom-virtualized PE64 backdoor whose runtime artifacts (mutex Global\DHGGlobalMutex, registry keys HKCU\offlinekey\open / HKCU\offlinekey\clipboard) match documented APT-Q-27 / GoldenEyeDog / Dragon Breath tooling.

Family: ValleyRAT | Evidence: 1 | Last seen: Apr 26, 2026
  Context: SHA256 2cb5614936ef42e52c44ebb7b758bf57fde6c7b2d68cc21a7ec94d2f0adb3435; family relation: SilverFox / Winos4.0 Qt loader (yesterday's sample); compiled 2026-04-08; lists Alibaba Cloud HK IPs including nodes in this cluster. | A published timeline showing the operator has been running on this namespace continuously since March 2025, and that yesterday's ValleyRAT ZPAQ sample (2cb56149…) is bound to this same infrastructure cluster.

1 additional family tracked in Mallory.

IOCS

Observables

114 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting. IOC values are gated and not shown on this page.

ACTIVITY FEED

Recent activity

3 sources tracked across advisories, community write-ups, and news.
