Operation Dragon Breath
Operation Dragon Breath, also referred to as APT-Q-27 and Golden Eye Dog, is a threat actor associated by Sophos with multi-stage DLL sideloading campaigns targeting Chinese-speaking Windows users involved in the online-gambling ecosystem. Observed targeting included users in the Philippines, Japan, Taiwan, Singapore, Hong Kong, and China. The actor is described as specializing in the online-gambling space and its participants. The documented campaigns used trojanized installers and fake software delivery, including Telegram-, LetsVPN-, and WhatsApp-themed packages, with infrastructure such as telegramos[.]org impersonating Telegram downloads.

A characteristic tradecraft element is a modified DLL sideloading chain that adds an extra clean-application stage: an initial trojanized installer drops a first-stage package, which launches a second legitimate application that sideloads a malicious DLL loader and decrypts the final payload. Observed second-stage variations used renamed legitimate binaries from Shenzhen Thunder Networking Technologies, Beijing Baidu Netcom Science and Technology Co., Ltd., HP Inc., and KingdomTwoCrowns, while preserving the same payload chain.

The malicious loader decrypted shellcode from templateX.txt or template.txt using a bytewise SUB 122 and XOR 0x19 routine, then used RtlDecompressBuffer to load a final payload DLL named ServerDll.dll into memory. The payload established registry-based configuration under HKCU\SOFTWARE\%COMPUTERNAME% or HKCU\SOFTWARE\UnkNow and supported commands including shutdown or logoff, clearing event logs, downloading and executing files, running commands visibly or hidden, and reading or setting clipboard contents. The payload also checked for the MetaMask Chrome extension ID nkbihfbeogaeaoehlefnkodbefgpgknn, indicating a focus on cryptowallet theft; Sophos assessed that the observed attack paths ultimately led to cryptowallet theft.
Sophos linked the activity to Operation Dragon Breath through shared C2 infrastructure, including nsjdhmdjs[.]com, use of the ServerDll.dll naming convention, and characteristic sideloading tradecraft. Sophos also identified related debug-style payload samples containing gh0st RAT source code, suggesting tooling overlap or code reuse within the actor’s malware development.
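The registry locations reported for the payload's configuration are awkward for a static IOC list: HKCU\SOFTWARE\%COMPUTERNAME% expands to a different key on every host, so a detection has to derive the expected key from the event's own computer name. The Python below is an added example for this profile, not Sophos or Mallory code. It scans constructed Sysmon-style registry events (Event ID 12/13 fields Computer, Image, TargetObject), normalizes Sysmon's HKU\<SID>\ spelling of the current-user hive to HKCU\, and flags writes under HKCU\SOFTWARE\<hostname> or HKCU\SOFTWARE\UnkNow. The events and image paths are constructed; the field names follow Sysmon's schema.

```python
"""Flag Sysmon registry events matching the Dragon Breath payload's config keys.

Added example for this actor profile; not Sophos or Mallory code.
Assumptions: events arrive with Sysmon's Computer/Image/TargetObject fields,
Sysmon renders HKCU paths as HKU\<user SID>\..., and %COMPUTERNAME% is the
NetBIOS (first DNS label, upper-cased) form of the Computer field.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Sysmon writes the current-user hive as HKU\S-1-5-21-<domain>-<rid>\; the
# _Classes hive has a different suffix and intentionally does not match.
SID_HIVE = re.compile(r"^HKU\\S-1-5-21(?:-\d+){4}\\", re.IGNORECASE)
UNKNOW_KEY = "HKCU\\SOFTWARE\\UNKNOW"


@dataclass
class RegEvent:
    event_id: int        # Sysmon 12 = key create/delete, 13 = value set
    computer: str        # Sysmon Computer field, usually an FQDN
    image: str           # writing process
    target_object: str   # registry path as Sysmon logs it


def normalize_hive(path: str) -> str:
    """Rewrite HKU\\<SID>\\... to HKCU\\... so host-independent matching works."""
    return SID_HIVE.sub(lambda _m: "HKCU\\", path)


def expected_keys(computer: str) -> set[str]:
    """Both config keys the page reports, with %COMPUTERNAME% resolved."""
    short_name = computer.split(".")[0].upper()
    return {f"HKCU\\SOFTWARE\\{short_name}", UNKNOW_KEY}


def is_config_write(ev: RegEvent) -> bool:
    """True when a registry event touches one of the reported config keys."""
    if ev.event_id not in (12, 13):
        return False
    path = normalize_hive(ev.target_object).upper()
    return any(path == key or path.startswith(key + "\\")
               for key in expected_keys(ev.computer))


def scan(events: list[RegEvent]) -> list[RegEvent]:
    """Return the events that match, preserving input order."""
    return [ev for ev in events if is_config_write(ev)]


# Constructed sample events (SIDs, hosts and image paths are made up).
SID = "S-1-5-21-1111111111-2222222222-3333333333-1001"
SAMPLE_EVENTS = [
    RegEvent(13, "WS01.corp.example", "C:\\Users\\u\\AppData\\Local\\Temp\\loader.exe",
             f"HKU\\{SID}\\SOFTWARE\\WS01\\c2"),                       # hostname key
    RegEvent(13, "WS02.corp.example", "C:\\Users\\u\\AppData\\Local\\Temp\\loader.exe",
             f"HKU\\{SID}\\SOFTWARE\\UnkNow"),                          # fallback key
    RegEvent(13, "WS01.corp.example", "C:\\Windows\\explorer.exe",
             f"HKU\\{SID}\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\x"),
    RegEvent(13, "WS02.corp.example", "C:\\Windows\\System32\\svchost.exe",
             f"HKU\\{SID}\\SOFTWARE\\WS01\\x"),   # another host's name: not the pattern
    RegEvent(1, "WS01.corp.example", "C:\\Windows\\System32\\cmd.exe",
             "not a registry event"),
]


if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(f"{hit.computer}: {hit.image} wrote {hit.target_object}")
```

The fourth sample shows the trade-off of resolving %COMPUTERNAME% from the event: a key named after some other machine is not flagged, which keeps the rule tight but means a mismatch between Sysmon's Computer field and the value the payload read (for example after a rename) would be missed; the HKCU\SOFTWARE\UnkNow branch has no such dependency and is the easier of the two to alert on.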
Targeting
Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.
Where they target
Geographies tied to known operations.
- 🇵🇭 Philippines
- 🇯🇵 Japan
- 🇹🇼 Taiwan
- 🇸🇬 Singapore
- 🇭🇰 Hong Kong SAR China
- 🇨🇳 China
Tradecraft
21 distinct techniques observed across reporting, grouped by tactic.
Associated malware families
2 malware families attributed to this actor across reporting.
Observables
17 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting.
Recent activity
2 sources tracked across advisories, community write-ups, and news.
Conducting multi-stage DLL sideloading campaigns targeting Chinese-speaking users involved in online gambling, using trojanized installers delivered via Telegram-themed lures and ultimately deploying payloads for cryptowallet theft, including targeting MetaMask users.
Conducting DLL sideloading campaigns with multi-stage loaders targeting online-gambling participants, ultimately focused on cryptowallet theft including MetaMask-related theft.