An advanced persistent threat (APT) group linked to China has been spying on Southeast Asian and Australian organizations since early 2013.

SentinelLabs reported on June 9 that the group, known as Aoqin Dragon, is still active. Its primary victims are organizations in Australia and Southeast Asia, including Cambodia, Hong Kong, Singapore, and Vietnam, although in most cases its campaigns span the Southeast Asian region rather than focusing on a single country.

SentinelLabs stated, “The targeting of Aoqin Dragon closely aligns with the Chinese government’s political interests. We primarily observed Aoqin Dragon targeting government, education, and telecommunication organizations in Southeast Asia and Australia.”

The researchers assessed with moderate confidence that Aoqin Dragon is a small Chinese-speaking team, and judged espionage to be the primary purpose of its operations.

Aoqin Dragon mainly infects victims' computers through three methods: weaponized Word documents, fake antivirus executables, and fake removable devices. In each case the malicious file carries a borrowed icon so that it looks like a harmless document, security program, or drive.

The group also uses DLL hijacking, Themida-packed payloads, and DNS tunneling to evade detection and analysis, so that victims do not realize they have been compromised.
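DNS tunneling hides command-and-control traffic inside ordinary-looking DNS queries, which is why it is effective against victims who only watch for suspicious HTTP. The following triage script is an added example, not code from SentinelLabs or from the Aoqin Dragon report: it runs over resolver query logs and flags domains that show the usual tunnel fingerprint (many never-repeated, long, high-entropy subdomains and a high share of TXT/NULL/CNAME lookups). The thresholds, the naive "last two labels" domain split, and the sample log (including the made-up zone tunnel-cdn.test) are constructed for the demonstration.

```python
"""Heuristic DNS tunnelling triage over resolver query logs.

Added example, not code from the Aoqin Dragon report or from SentinelLabs.
DNS tunnelling encodes data in query names, so a tunnelled domain tends to
show many never-repeated, long, high-entropy subdomains and a high share of
record types that can carry data back (TXT, NULL, CNAME). The thresholds
and the sample log below are constructed for this demonstration.
"""
import base64
import hashlib
import math
from collections import defaultdict


def shannon_entropy(s: str) -> float:
    """Bits per character of s (0 for an empty or single-symbol string)."""
    if not s:
        return 0.0
    n = len(s)
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_name(qname: str) -> tuple[str, str]:
    """Naively split 'a.b.example.org.' into ('example.org', 'a.b').

    A real deployment would use the Public Suffix List instead of
    'last two labels'; that simplification is an assumption made here.
    """
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:]), ".".join(labels[:-2])


def score_domains(records, min_queries: int = 8) -> dict[str, list[str]]:
    """Return {domain: [reasons]} for domains that look like tunnels.

    records: iterable of (client_ip, qname, qtype) tuples.
    """
    stats = defaultdict(lambda: {"queries": 0, "subs": set(), "lens": [], "ents": [], "data_rr": 0})
    for _client, qname, qtype in records:
        dom, sub = split_name(qname)
        st = stats[dom]
        st["queries"] += 1
        if sub:
            st["subs"].add(sub)
            st["lens"].append(len(sub))
            st["ents"].append(shannon_entropy(sub.replace(".", "")))
        if qtype.upper() in ("TXT", "NULL", "CNAME"):
            st["data_rr"] += 1

    flagged = {}
    for dom, st in stats.items():
        if st["queries"] < min_queries:
            continue  # too little traffic to judge
        uniq = len(st["subs"]) / st["queries"]
        avg_len = sum(st["lens"]) / len(st["lens"]) if st["lens"] else 0.0
        avg_ent = sum(st["ents"]) / len(st["ents"]) if st["ents"] else 0.0
        data_ratio = st["data_rr"] / st["queries"]
        reasons = []
        if uniq > 0.9:
            reasons.append(f"{len(st['subs'])} unique subdomains in {st['queries']} queries")
        if avg_len > 40:
            reasons.append(f"average subdomain length {avg_len:.0f} chars")
        if avg_ent > 3.8:
            reasons.append(f"average subdomain entropy {avg_ent:.2f} bits/char")
        if data_ratio > 0.5:
            reasons.append(f"{data_ratio:.0%} TXT/NULL/CNAME queries")
        if reasons:
            flagged[dom] = reasons
    return flagged


def _payload_label(i: int) -> str:
    """Deterministic stand-in for a base32-encoded tunnel chunk (constructed)."""
    digest = hashlib.sha256(b"demo-chunk-%d" % i).digest()
    return base64.b32encode(digest).decode().rstrip("=").lower()


# Constructed sample log: ordinary browsing to example.org, a few CDN lookups,
# and one client pushing data through TXT queries to a made-up zone.
SAMPLE_QUERIES = (
    [("10.0.0.5", f"{s}.example.org.", "A")
     for s in ("www", "mail", "www", "www", "login", "www", "www", "api", "www", "www")]
    + [("10.0.0.7", "cdn.vendor.example.", "A")] * 3
    + [("10.0.0.8", f"{_payload_label(i)}.t.tunnel-cdn.test.", "TXT") for i in range(12)]
)

if __name__ == "__main__":
    for dom, reasons in score_domains(SAMPLE_QUERIES).items():
        print(dom)
        for r in reasons:
            print("  -", r)
```

In practice the same statistics are computed per client as well as per domain, since a single beaconing host stands out far more sharply than the same queries diluted across a whole network, and the thresholds are tuned against a baseline of known-good traffic before alerts are raised.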

Aoqin Dragon's lures draw on pornography and on political issues in the Asia-Pacific region. Once a host is compromised, the group uses USB shortcut techniques to spread the malware to further targets.

Aoqin Dragon typically drops either Mongall or a modified version of the open-source Heyoka project as its backdoor. Some of its most recent attacks used a shortcut file posing as a removable disk, whose target path launches the malware.
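A shortcut that poses as the drive itself works because Windows shows the .lnk file's borrowed icon and hides the .lnk extension, so a user who opens "Removable Disk" runs whatever the shortcut's target path points to. The script below is an added example, not code from SentinelLabs or the Aoqin Dragon report: it reads the Shell Link header and string fields defined in the MS-SHLLINK format (target path, working directory, arguments, icon location), skipping the optional ID list and LinkInfo blocks, and flags shortcuts that combine a drive-like name or a stock system icon with a target that runs code. The heuristics, the file names and the hidden-folder path (".\RECYCLER\loader.exe") in the constructed samples are assumptions for the demonstration, not indicators from the report.

```python
"""Triage shortcut (.lnk) files on a removable drive for "disguised drive" lures.

Added example, not code from SentinelLabs or the Aoqin Dragon report. It
reads the Shell Link header and StringData fields defined in MS-SHLLINK,
skipping the optional LinkTargetIDList and LinkInfo blocks, and flags
shortcuts that borrow a stock system icon or a drive-like name while
launching code. The lure and benign shortcuts below are constructed here;
their names and paths are invented.
"""
import struct
from dataclasses import dataclass

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_IDLIST, HAS_LINKINFO, HAS_NAME, HAS_RELPATH = 0x01, 0x02, 0x04, 0x08
HAS_WORKDIR, HAS_ARGS, HAS_ICON, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
STRING_FIELDS = ((HAS_NAME, "name"), (HAS_RELPATH, "relative_path"),
                 (HAS_WORKDIR, "working_dir"), (HAS_ARGS, "arguments"),
                 (HAS_ICON, "icon_location"))


@dataclass
class Shortcut:
    name: str = ""
    relative_path: str = ""
    working_dir: str = ""
    arguments: str = ""
    icon_location: str = ""


def parse_lnk(data: bytes) -> Shortcut:
    """Extract the StringData fields from a Shell Link blob."""
    if len(data) < 76 or struct.unpack_from("<I", data)[0] != 0x4C or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    off = 76                                   # end of the fixed ShellLinkHeader
    if flags & HAS_IDLIST:                     # LinkTargetIDList: u16 size + items
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & HAS_LINKINFO:                   # LinkInfo: u32 total size comes first
        off += struct.unpack_from("<I", data, off)[0]
    sc = Shortcut()
    for flag, attr in STRING_FIELDS:           # each: u16 char count, then chars, no NUL
        if not flags & flag:
            continue
        n = struct.unpack_from("<H", data, off)[0]
        off += 2
        if flags & IS_UNICODE:
            setattr(sc, attr, data[off:off + 2 * n].decode("utf-16-le"))
            off += 2 * n
        else:
            setattr(sc, attr, data[off:off + n].decode("latin-1"))
            off += n
    return sc


# Heuristics (assumptions for this demo; tune them for your environment)
DRIVE_NAMES = ("removable disk", "usb drive", "local disk")
SYSTEM_ICON_DLLS = ("shell32.dll", "imageres.dll")
CODE_EXTS = (".exe", ".dll", ".scr", ".bat", ".vbs", ".js")
LAUNCHERS = ("cmd.exe", "rundll32", "powershell", "wscript", "cscript", "mshta")
HIDDEN_DIRS = ("$recycle.bin", "recycler", "system volume information")


def triage(filename: str, sc: Shortcut) -> list[str]:
    """Return the reasons a shortcut looks like a removable-drive lure."""
    stem = filename.lower()
    if stem.endswith(".lnk"):
        stem = stem[:-4]
    target = sc.relative_path.lower()
    cmdline = f"{sc.working_dir} {target} {sc.arguments}".lower()
    reasons = []
    if any(n in stem for n in DRIVE_NAMES):
        reasons.append("file name mimics a drive")
    if target.endswith(CODE_EXTS) and any(d in sc.icon_location.lower() for d in SYSTEM_ICON_DLLS):
        reasons.append("stock system icon on a shortcut that runs code")
    if any(h in cmdline for h in HIDDEN_DIRS):
        reasons.append("target lives in a hidden or system folder")
    if any(l in cmdline for l in LAUNCHERS):
        reasons.append("target is a script or DLL launcher")
    return reasons


def build_lnk(name, relative_path, working_dir, arguments, icon_location) -> bytes:
    """Assemble a minimal Unicode Shell Link carrying only StringData (demo only)."""
    flags = HAS_NAME | HAS_RELPATH | HAS_WORKDIR | HAS_ARGS | HAS_ICON | IS_UNICODE
    header = struct.pack("<I16sI", 0x4C, LNK_CLSID, flags) + b"\x00" * 52  # 76-byte header
    strings = (name, relative_path, working_dir, arguments, icon_location)
    return header + b"".join(struct.pack("<H", len(s)) + s.encode("utf-16-le") for s in strings)


# Constructed samples: a lure posing as the drive itself, and an ordinary document link.
LURE_NAME, LURE_LNK = "Removable Disk.lnk", build_lnk(
    "", ".\\RECYCLER\\loader.exe", ".\\RECYCLER", "", "%SystemRoot%\\System32\\shell32.dll")
BENIGN_NAME, BENIGN_LNK = "Q2 report.lnk", build_lnk(
    "", ".\\docs\\report.docx", ".\\docs", "", "")

if __name__ == "__main__":
    for fname, blob in ((LURE_NAME, LURE_LNK), (BENIGN_NAME, BENIGN_LNK)):
        print(fname, triage(fname, parse_lnk(blob)) or ["no findings"])
```

Real shortcuts almost always carry the LinkTargetIDList and LinkInfo blocks that the parser skips over; the absolute target path lives in LinkInfo, so a production tool should decode that block too rather than relying on the relative path alone.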

Aoqin Dragon has refined its infection and offensive tradecraft over the years, and SentinelLabs warned that the group will keep developing it and carry out further espionage activity in the future.
