Mallory
Malware · Used by 1 actor

Heyoka


Threat actors: groups observed using it

1 distinct threat actor attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.

Aoqin Dragon

We also observed another backdoor used by this threat actor. This backdoor is totally different from Mongall, as we found it is based on the Heyoka open source project.

via SentinelOne Labs (sentinelone.com)
MITRE ATT&CK: techniques and procedures

12 distinct techniques documented for this family, organized by ATT&CK tactic.

Resource Development (1 technique)

T1588.002 Tool (evidence: 2)

The content repeatedly states that threat actors 'obtained,' 'acquired,' or 'used' publicly available, open-source, legitimate, or modified tools such as Mimikatz, Cobalt Strike, PsExec, Empire, Impacket, and many others.

Initial Access (2 techniques)

T1091 Replication Through Removable Media (evidence: 1)

From 2018 to present, this actor has also been observed using a fake removable device as an initial infection vector... The spreader component will try to find the removable device in the victim’s environment. This malware component will copy all the malicious modules to any removable device to spread the malware in the target’s network environment.

T1566 Phishing (evidence: 1)

MITRE ATT&CK TTPs ... Initial Access T1566 – Phishing: Threat actor uses fake icon executable and document exploit as a decoy.

Execution (2 techniques)

T1204 User Execution (evidence: 1)

Using a document exploit and tricking the user into opening a weaponized Word document to install a backdoor. Luring users into double-clicking a fake Anti-Virus to execute malware in the victim’s host.

T1569 System Services (evidence: 1)

MITRE ATT&CK TTPs ... Execution T1569 – System Service: Modified Heyoka will set itself as a service permission.

Persistence (1 technique)

T1547 Boot or Logon Autostart Execution (evidence: 1)

The malware sets the auto start function with the value “EverNoteTrayUService”. When the user restarts the computer, it will execute the “Evernote Tray Application” and use DLL hijacking to load the malicious loader.

Privilege Escalation (3 techniques)

T1055 Process Injection (evidence: 1)

After decrypting the encrypted payload, DLL-test.dll will execute rundll32.exe and run specific export functions. The loader injects the decrypted payload into memory and runs it persistently.

T1055.001 Dynamic-link Library Injection (evidence: 1)

There are two payloads in this attack chain... the second one is an encrypted backdoor which injects itself into rundll32’s memory.

T1547 Boot or Logon Autostart Execution (evidence: 1)

The malware sets the auto start function with the value “EverNoteTrayUService”. When the user restarts the computer, it will execute the “Evernote Tray Application” and use DLL hijacking to load the malicious loader.

Stealth (2 techniques)

T1055 Process Injection (evidence: 1)

After decrypting the encrypted payload, DLL-test.dll will execute rundll32.exe and run specific export functions. The loader injects the decrypted payload into memory and runs it persistently.

T1055.001 Dynamic-link Library Injection (evidence: 1)

There are two payloads in this attack chain... the second one is an encrypted backdoor which injects itself into rundll32’s memory.

Lateral Movement (1 technique)

T1091 Replication Through Removable Media (evidence: 1)

From 2018 to present, this actor has also been observed using a fake removable device as an initial infection vector... The spreader component will try to find the removable device in the victim’s environment. This malware component will copy all the malicious modules to any removable device to spread the malware in the target’s network environment.

Command and Control (1 technique)

T1071.004 DNS (evidence: 2)

Heyoka is a proof-of-concept of an exfiltration tool which uses spoofed DNS requests to create a bidirectional tunnel... Modified Heyoka has used DNS tunneling for C2 communications.
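The evidence above describes the behaviour a defender can look for: a DNS tunnel has to push its data through the query names and answer payloads, so the queries it generates look different from ordinary name resolution (long, high-entropy, rarely repeated subdomain labels, often in TXT or NULL records). The following Python script is an added example, not code from Mallory, SentinelOne or the Heyoka project. It assumes a constructed resolver log format of "timestamp client qname qtype", uses "tunnel-demo.invalid" as a placeholder domain, and takes the last two labels as the registered domain (a shortcut; a real deployment would use the Public Suffix List).

```python
"""
Heuristic detector for DNS-tunnelling style traffic (ATT&CK T1071.004 / T1048).
Added example; not code from Mallory, SentinelOne or the Heyoka project.
The log format and the domain names below are constructed for the demo.
"""
import math
import re
from collections import defaultdict

# Constructed resolver log lines: "<timestamp> <client> <qname> <qtype>".
# tunnel-demo.invalid is a placeholder domain, not a real indicator.
SAMPLE_LOG = """\
2024-01-01T10:00:01Z 10.0.0.5 www.example.com A
2024-01-01T10:00:02Z 10.0.0.5 mail.example.com MX
2024-01-01T10:00:03Z 10.0.0.5 cdn.example.com A
2024-01-01T10:00:04Z 10.0.0.7 9f3a1c7e2b8d4e6f0a1b2c3d4e5f6a7b.tunnel-demo.invalid TXT
2024-01-01T10:00:05Z 10.0.0.7 0c1d2e3f4a5b6c7d8e9f0a1b2c3d4e5f.tunnel-demo.invalid TXT
2024-01-01T10:00:06Z 10.0.0.7 a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6.tunnel-demo.invalid TXT
2024-01-01T10:00:07Z 10.0.0.7 b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7.tunnel-demo.invalid TXT
2024-01-01T10:00:08Z 10.0.0.7 c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8.tunnel-demo.invalid NULL
2024-01-01T10:00:09Z 10.0.0.5 www.example.com A
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")
# Record types with free-form or large payloads that tunnels commonly carry data in.
PAYLOAD_QTYPES = {"TXT", "NULL"}


def shannon_entropy(text):
    """Bits of entropy per character of `text` (0.0 for empty input)."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_qname(qname):
    """Split a query name into (registered_domain, encoded_prefix).

    Assumption: the registered domain is the last two labels. Real deployments
    should use the Public Suffix List instead of this shortcut.
    """
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) < 2:
        return qname.lower(), ""
    return ".".join(labels[-2:]), ".".join(labels[:-2])


def parse_log(text):
    """Parse the constructed resolver log lines into dicts; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, client, qname, qtype = m.groups()
        domain, prefix = split_qname(qname)
        records.append({"ts": ts, "client": client, "domain": domain,
                        "prefix": prefix, "qtype": qtype.upper()})
    return records


def score_domains(records, min_queries=4, len_threshold=20,
                  entropy_threshold=3.0, unique_threshold=0.8):
    """Aggregate per registered domain and flag tunnel-like behaviour.

    A domain is flagged when, over at least `min_queries` queries, the subdomain
    prefixes are long, high-entropy and almost never repeated: the shape of
    chunked data pushed through DNS rather than of a client resolving a few
    fixed hostnames. Thresholds are starting points to tune per environment.
    """
    by_domain = defaultdict(list)
    for r in records:
        by_domain[r["domain"]].append(r)

    results = {}
    for domain, rs in by_domain.items():
        prefixes = [r["prefix"] for r in rs]
        n = len(rs)
        mean_len = sum(len(p) for p in prefixes) / n
        mean_entropy = sum(shannon_entropy(p) for p in prefixes) / n
        unique_ratio = len(set(prefixes)) / n
        payload_ratio = sum(r["qtype"] in PAYLOAD_QTYPES for r in rs) / n
        suspicious = (n >= min_queries
                      and mean_len >= len_threshold
                      and mean_entropy >= entropy_threshold
                      and unique_ratio >= unique_threshold)
        results[domain] = {
            "queries": n,
            "mean_prefix_len": round(mean_len, 2),
            "mean_prefix_entropy": round(mean_entropy, 2),
            "unique_prefix_ratio": round(unique_ratio, 2),
            "payload_qtype_ratio": round(payload_ratio, 2),
            "suspicious": suspicious,
        }
    return results


def suspicious_domains(text=SAMPLE_LOG):
    """Sorted list of registered domains flagged as tunnel-like in `text`."""
    return sorted(d for d, s in score_domains(parse_log(text)).items()
                  if s["suspicious"])


if __name__ == "__main__":
    for domain, stats in score_domains(parse_log(SAMPLE_LOG)).items():
        print(domain, stats)
```

Run on the constructed sample, only the placeholder tunnel domain is flagged; the example.com queries fail the length and uniqueness checks because they resolve a small set of fixed hostnames. The payload-record ratio is reported but not used in the verdict, since some tunnels use A or CNAME queries for the upstream direction; it is there so an analyst can weight it into the score for their own environment.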

Exfiltration (3 techniques)

T1041 Exfiltration Over C2 Channel (evidence: 1)

Aoqin Dragon “obtained the Heyoka open source exfiltration tool and subsequently modified it for their operations.”

T1048 Exfiltration Over Alternative Protocol (evidence: 1)

Heyoka is an open source exfiltration tool that uses spoofed DNS requests to create a two-way communication tunnel. Hackers employ Heyoka by copying files from compromised devices.

T1567 Exfiltration Over Web Service (evidence: 1)

Aoqin Dragon modified the Heyoka open source exfiltration tool; Cinnamon Tempest used a keylogger that uploads data to Alibaba cloud storage; Salesforce Data Exfiltration relied on the legitimate Salesforce Data Loader app for data exfiltration.
