Mongall
Mongall is a DLL-based backdoor associated with the Aoqin Dragon espionage group and has reportedly been in use and under continuous maintenance since at least 2013. It has been described as one of Aoqin Dragon’s primary custom malware families, alongside a modified version of the open-source Heyoka project. Reporting links Mongall activity to targeting of government, education, and telecommunications organizations, particularly in Southeast Asia and Australia, including prior targeting of the Vietnamese government and a telecommunications department.
The malware has relied on user execution for initial compromise, including victims opening malicious documents. In Aoqin Dragon operations, loaders have also used fake removable-drive lures and DLL hijacking; the loader then decrypts its payload and injects the Mongall backdoor into memory. Mongall itself runs as a DLL injected into memory and uses rundll32.exe for execution, including by injecting a DLL into rundll32.exe.
Mongall supports remote shell access, file upload, and file download, and can upload files and host information from a compromised machine to its command-and-control server. It profiles infected hosts, can identify removable media attached to compromised hosts, and communicates with embedded C2 servers over HTTP GET. Victim data sent to C2 has been encoded or protected using Base64, modified Base64, or RC4 depending on the variant or mutex. Newer variants were reported to include upgraded encryption and to be packed with Themida for obfuscation.
Additional reporting noted overlapping Mongall infrastructure in a 2014 watering-hole attack involving the president of Myanmar’s website and exploitation of CVE-2014-6332 to deliver malware.
Hunt this family in your stack
Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
Vulnerabilities exploited
2 CVEs Mallory has correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.
During 2012 to 2015, Aoqin Dragon relied heavily on CVE-2012-0158 and CVE-2010-3333 to compromise their targets.
Groups observed using it
1 distinct threat actor attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
Attacks attributable to Aoqin Dragon typically drop one of two backdoors, Mongall and a modified version of the open source Heyoka project.
Techniques & procedures
24 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access (2 techniques)
From 2018 to present, this actor has also been observed using a fake removable device as an initial infection vector... The spreader component will try to find the removable device in the victim’s environment. This malware component will copy all the malicious modules to any removable device to spread the malware in the target’s network environment.
Execution (3 techniques)
Using a document exploit and tricking the user into opening a weaponized Word document to install a backdoor. Luring users into double-clicking a fake Anti-Virus to execute malware in the victim’s host.
Sandworm Team leveraged Microsoft Office attachments which contained malicious macros that were automatically executed once the user permitted them... APT29 has used various forms of spearphishing attempting to get a user to open attachments... DarkGate is distributed through phishing links to VBS or MSI objects requiring user interaction for execution.
Persistence (2 techniques)
The malware sets the auto start function with the value “EverNoteTrayUService”. When the user restarts the computer, it will execute the “Evernote Tray Application” and use DLL hijacking to load the malicious loader.
The content repeatedly describes malware and threat actors establishing persistence by adding values under HKCU/HKLM\Software\Microsoft\Windows\CurrentVersion\Run or RunOnce, and by placing executables, scripts, .lnk files, or .bat files in the Windows Startup folder.
Privilege Escalation (4 techniques)
After decrypting the encrypted payload, DLL-test.dll will execute rundll32.exe and run specific export functions. The loader injects the decrypted payload into memory and runs it persistently.
There are two payloads in this attack chain... the second one is an encrypted backdoor which injects itself into rundll32’s memory.
The malware sets the auto start function with the value “EverNoteTrayUService”. When the user restarts the computer, it will execute the “Evernote Tray Application” and use DLL hijacking to load the malicious loader.
The content repeatedly describes malware and threat actors establishing persistence by adding values under HKCU/HKLM\Software\Microsoft\Windows\CurrentVersion\Run or RunOnce, and by placing executables, scripts, .lnk files, or .bat files in the Windows Startup folder.
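The Run-key, Startup-folder and rundll32 behaviours quoted under Persistence and Privilege Escalation can be hunted in endpoint telemetry. The following is an added example, not code from the page's sources or from Mallory: it runs three simple rules over constructed Sysmon-style events. The user name, SID, file paths and export name are hypothetical; only the value name EverNoteTrayUService and the loader name DLL-test.dll come from the reporting above.

```python
"""Hunt Run-key autostart, Startup-folder drops and rundll32 loading a non-system DLL.

Added example with constructed Sysmon-style events; names, SIDs and paths are
hypothetical except "EverNoteTrayUService" and "DLL-test.dll" from the reporting.
"""
import re
from typing import Callable, Dict, List, Tuple

# Sysmon event IDs: 1 = process create, 11 = file create, 13 = registry value set.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"EventID": "13",
     "Image": r"C:\Windows\System32\rundll32.exe",  # loader running inside rundll32
     "TargetObject": r"HKU\S-1-5-21-1000\Software\Microsoft\Windows\CurrentVersion\Run\EverNoteTrayUService",
     "Details": r"C:\Users\alice\AppData\Roaming\Evernote\EvernoteTray.exe"},
    {"EventID": "1",
     "Image": r"C:\Windows\System32\rundll32.exe",
     "ParentImage": r"C:\Users\alice\AppData\Roaming\Evernote\EvernoteTray.exe",
     "CommandLine": r'rundll32.exe "C:\Users\alice\AppData\Local\Temp\DLL-test.dll",HypotheticalExport'},
    {"EventID": "11",
     "Image": r"C:\Windows\System32\rundll32.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\updater.lnk"},
    # Benign control events: ordinary rundll32 use and an unrelated registry write.
    {"EventID": "1",
     "Image": r"C:\Windows\System32\rundll32.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
    {"EventID": "13",
     "Image": r"C:\Windows\System32\msiexec.exe",
     "TargetObject": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\{GUID}\DisplayName",
     "Details": "Example App"},
]

RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\(Run|RunOnce)\\[^\\]+$", re.I)
STARTUP_FOLDER_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\[^\\]+\.(lnk|bat|exe|vbs|cmd)$", re.I)
# First "<something>.dll,<export>" argument, with or without quotes around the path.
RUNDLL32_ARG_RE = re.compile(r"""["']?([^"'\s,]+\.dll)["']?\s*,\s*(\S+)""", re.I)
SYSTEM_DLL_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def run_key_persistence(ev: Dict[str, str]) -> bool:
    """Registry value set under a Run/RunOnce key."""
    return ev.get("EventID") == "13" and RUN_KEY_RE.search(ev.get("TargetObject", "")) is not None


def startup_folder_drop(ev: Dict[str, str]) -> bool:
    """Executable, script, .lnk or .bat written into a Startup folder."""
    return ev.get("EventID") == "11" and STARTUP_FOLDER_RE.search(ev.get("TargetFilename", "")) is not None


def rundll32_user_dll(ev: Dict[str, str]) -> bool:
    """rundll32.exe invoking an export of a DLL that lives outside the system directories."""
    if ev.get("EventID") != "1" or not ev.get("Image", "").lower().endswith("\\rundll32.exe"):
        return False
    m = RUNDLL32_ARG_RE.search(ev.get("CommandLine", ""))
    return m is not None and not m.group(1).lower().startswith(SYSTEM_DLL_DIRS)


RULES: List[Tuple[str, Callable[[Dict[str, str]], bool]]] = [
    ("T1547.001 Run key autostart", run_key_persistence),
    ("T1218.011 rundll32 loading non-system DLL", rundll32_user_dll),
    ("T1547.001 Startup folder drop", startup_folder_drop),
]


def hunt(events: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    """Return (rule name, matched field) for every event that trips a rule."""
    findings = []
    for ev in events:
        for name, rule in RULES:
            if rule(ev):
                evidence = ev.get("TargetObject") or ev.get("TargetFilename") or ev.get("CommandLine", "")
                findings.append((name, evidence))
    return findings


if __name__ == "__main__":
    for name, evidence in hunt(SAMPLE_EVENTS):
        print(f"{name}: {evidence}")
```

rundll32 launching a DLL from a user-writable directory is the part worth alerting on; rundll32 calling System32 DLLs such as shell32.dll is everyday Windows behaviour, which is why the rule allow-lists the system directories rather than rundll32 itself. The same three predicates map directly onto Sigma rules over Sysmon event IDs 1, 11 and 13.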
Stealth (7 techniques)
Other techniques the attacker has been observed using include DLL hijacking, Themida-packed files, and DNS tunneling to evade post-compromise detection... Actors using Themida packer to pack the malware.
"Sandworm Team used UPX to pack a copy of Mimikatz"; "APT38 has used several code packing methods such as Themida, Enigma, VMProtect, and Obsidium"; "Lazarus Group packed malicious .db files with Themida to evade detection."
After decrypting the encrypted payload, DLL-test.dll will execute rundll32.exe and run specific export functions. The loader injects the decrypted payload into memory and runs it persistently.
There are two payloads in this attack chain... the second one is an encrypted backdoor which injects itself into rundll32’s memory.
Discovery (3 techniques)
Discovery T1033 – System Owner/User Discovery: collecting the user account and sending it back to C2
Discovery T1082 – System Information Discovery: collecting the OS version and MAC address
The content repeatedly describes malware and threat actors identifying, monitoring, or enumerating connected peripheral devices such as USB mass storage, Bluetooth devices, printers, smart card readers, cameras, Apple devices, VGA/display devices, and removable drives.
Lateral Movement (1 technique)
From 2018 to present, this actor has also been observed using a fake removable device as an initial infection vector... The spreader component will try to find the removable device in the victim’s environment. This malware component will copy all the malicious modules to any removable device to spread the malware in the target’s network environment.
Command and Control (6 techniques)
The content repeatedly describes threat actors and malware using HTTP and HTTPS for command and control, such as: "Sandworm Team used BlackEnergy to communicate between compromised hosts and their command-and-control servers via HTTP post requests."
Mongall uses Base64 or RC4 to encode or encrypt data to make the content of command and control traffic more difficult to detect.
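Because the C2 traffic described above carries host data over HTTP GET as either Base64 or RC4-encrypted-then-encoded data, a proxy-log hunt can look for long Base64-shaped tokens in GET requests and classify what they wrap. The following is an added example, not code from the page's sources or from Mallory: the log lines, hostnames, host-profile string and RC4 key are all constructed, and the small RC4 routine exists only to generate the encrypted sample line.

```python
"""Flag Base64-shaped tokens in HTTP GET requests and classify what they carry.

Added example: proxy log lines, hostnames, the host-profile string and the RC4
key are all constructed; this is not Mongall's code or traffic.
"""
import base64
import binascii
import re
from typing import Dict, List, Optional, Tuple

# Standard or URL-safe Base64 alphabet, long enough to hold a host profile.
B64_SHAPE = re.compile(r"^[A-Za-z0-9+/_=-]{20,}$")
MIN_PRINTABLE_RATIO = 0.9


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 keystream XOR, used here only to build the encrypted sample."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


PROFILE = b"HOST=WS01;USER=alice;OS=6.1;MAC=00-11-22-33-44-55"  # constructed host profile
C2_KEY = b"constructed-rc4-key"                                 # constructed, not a real key

SAMPLE_LOG = "\n".join([  # constructed "<src> <method> <url>" proxy lines
    "10.0.0.5 GET http://c2-a.example.invalid/index.php?id=" + base64.b64encode(PROFILE).decode(),
    "10.0.0.5 GET http://c2-b.example.invalid/update.php?d=" + base64.b64encode(rc4(C2_KEY, PROFILE)).decode(),
    "10.0.0.7 GET http://www.example.com/search?q=hello+world",
    "10.0.0.8 GET http://cdn.example.com/assets/app.js?v=1a2b3c",
])


def decode_base64(token: str) -> Optional[bytes]:
    """Try the standard alphabet strictly, then the URL-safe one; None if neither fits."""
    padded = token + "=" * (-len(token) % 4)
    for decoder in (lambda s: base64.b64decode(s, validate=True), base64.urlsafe_b64decode):
        try:
            return decoder(padded)
        except (binascii.Error, ValueError):
            continue
    return None


def classify_token(token: str) -> str:
    """'cleartext-base64' if the decode is mostly printable, 'binary-base64' otherwise."""
    if not B64_SHAPE.match(token):
        return "not-base64"
    raw = decode_base64(token)
    if not raw:
        return "undecodable"
    printable = sum(32 <= b < 127 for b in raw) / len(raw)
    return "cleartext-base64" if printable >= MIN_PRINTABLE_RATIO else "binary-base64"


def split_url(url: str) -> Tuple[str, List[Tuple[str, str]]]:
    """Split host, path segments and query values without URL-unquoting, so '+' and '/' survive."""
    rest = url.split("://", 1)[-1]
    host, _, path_query = rest.partition("/")
    path, _, query = path_query.partition("?")
    candidates = [("path", seg) for seg in path.split("/") if seg]
    for pair in query.split("&"):
        if pair:
            key, _, value = pair.partition("=")
            candidates.append((key, value))
    return host, candidates


def hunt_get_requests(log_text: str) -> List[Dict[str, str]]:
    """Return one finding per GET request token that wraps cleartext or binary data."""
    findings = []
    for line in log_text.strip().splitlines():
        src, method, url = line.split(maxsplit=2)
        if method != "GET":
            continue
        host, candidates = split_url(url)
        for where, token in candidates:
            verdict = classify_token(token)
            if verdict not in ("cleartext-base64", "binary-base64"):
                continue
            raw = decode_base64(token) or b""
            preview = raw[:40].decode("ascii", "replace") if verdict == "cleartext-base64" else ""
            findings.append({"src": src, "host": host, "where": where, "verdict": verdict, "preview": preview})
    return findings


if __name__ == "__main__":
    for finding in hunt_get_requests(SAMPLE_LOG):
        print(finding)
```

A token that decodes to printable text exposes the profile directly; one that decodes to non-printable bytes is consistent with RC4 (a modified Base64 alphabet scrambles a standard decode the same way) and is reported as binary. Shannon entropy is deliberately not used: on a 50-byte blob it is capped at roughly log2(50), about 5.6 bits per byte, and cannot separate ciphertext from compressed or image data, so printable ratio is the more honest test at this size. Expect false positives from long session identifiers and signed URLs; pair the verdict with host reputation and request frequency before alerting.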
IOCs tracked for this family
211 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
IPs, domains, and DNS infrastructure linked to this family.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Recent activity
25 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Mongall (v1.0→v1.1)
A small backdoor active since at least 2013. It provides remote shell access, file upload/download capability, embeds multiple C2 servers, and communicates over HTTP using RC4 and/or Base64-obfuscated data in newer variants.
A backdoor used by Aoqin Dragon that is injected into memory as a DLL, protected with encryption, profiles the host, and sends system details to command-and-control over an encrypted channel.
The version that knows your environment.
Match every observed IP, domain, and hash against your live telemetry.
Named campaigns wielding this family, with evidence pinned to each claim.
CVEs this family uses for access and lateral movement.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Every documented technique, ranked by evidence weight.
Reddit, Mastodon, and CTI community discussion around this family.