{
	"id": "53cb0988-b8af-4e55-be9b-b8e0a5ec2509",
	"created_at": "2026-04-06T00:14:57.281366Z",
	"updated_at": "2026-04-10T13:11:41.095803Z",
	"deleted_at": null,
	"sha1_hash": "181819269b8ab845e783402bc9604441bbd14d9a",
	"title": "Aoqin Dragon | Newly-Discovered Chinese-linked APT Has Been Quietly Spying On Organizations For 10 Years",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 7218045,
	"plain_text": "Aoqin Dragon | Newly-Discovered Chinese-linked APT Has Been Quietly Spying On Organizations For 10 Years\r\nBy Joey Chen\r\nPublished: 2022-06-09 · Archived: 2026-04-05 14:47:15 UTC\r\nExecutive Summary\r\nAoqin Dragon, a threat actor SentinelLABS has been extensively tracking, has operated since 2013 targeting government, education, and telecommunication organizations in Southeast Asia and Australia.\r\nAoqin Dragon seeks initial access primarily through document exploits and the use of fake removable devices.\r\nOther techniques the attacker has been observed using include DLL hijacking, Themida-packed files, and DNS tunneling to evade post-compromise detection.\r\nBased on our analysis of the targets, infrastructure and malware structure of Aoqin Dragon campaigns, we assess with moderate confidence the threat actor is a small Chinese-speaking team with potential association to UNC94 (Mandiant).\r\nOverview\r\nSentinelLABS has uncovered a cluster of activity beginning at least as far back as 2013 and continuing to the present day, primarily targeting organizations in Southeast Asia and Australia. We assess that the threat actor’s primary focus is espionage and relates to targets in Australia, Cambodia, Hong Kong, Singapore, and Vietnam. We track this activity as ‘Aoqin Dragon’.\r\nThe threat actor has a history of using document lures with pornographic themes to infect users and makes heavy use of USB shortcut techniques to spread the malware and infect additional targets. Attacks attributable to Aoqin Dragon typically drop one of two backdoors, Mongall and a modified version of the open source Heyoka project.\r\nThreat Actor Infection Chain\r\nThroughout our analysis of Aoqin Dragon campaigns, we observed a clear evolution in their infection chain and TTPs. We divide their infection strategy into three parts.\r\n1. 
Using a document exploit and tricking the user into opening a weaponized Word document to install a backdoor.\r\n2. Luring users into double-clicking a fake Anti-Virus to execute malware on the victim’s host.\r\n3. Forging a fake removable device to lure users into opening the wrong folder and installing the malware successfully on their system.\r\nInitial Access via Exploitation of Old and Unpatched Vulnerabilities\r\nhttps://www.sentinelone.com/labs/aoqin-dragon-newly-discovered-chinese-linked-apt-has-been-quietly-spying-on-organizations-for-10-years/\r\nPage 1 of 22\n\nDuring 2012 to 2015, Aoqin Dragon relied heavily on CVE-2012-0158 and CVE-2010-3333 to compromise their targets. In 2014, FireEye published a blog detailing related activity using lure documents themed around the disappearance of Malaysia Airlines Flight MH370 to conduct their attacks. Although those vulnerabilities are very old and were patched before being deployed by Aoqin Dragon, this kind of RTF-handling vulnerability decoy was very common in that period.\r\nThere are three interesting points that we discovered from these decoy documents. First, most decoy content is themed around targets who are interested in APAC political affairs. Second, the actors made use of lure documents with pornographic themes to entice the targets. Third, in many cases, the documents are not specific to one country but rather to the entirety of Southeast Asia.\r\nAPAC Themed Lure Document\r\nPornographic-themed Lure Document\r\nExecutables Masked With Fake Icons\r\nThe threat actor developed executable files masked with document file icons such as Windows folders and Anti-Virus vendor icons, acting as droppers to execute a backdoor and connect to the C2 server. 
Although executable files with fake file icons have been in use by a variety of actors, it remains an effective tool, especially against APT targets. Combined with “interesting” email content and a catchy file name, users can be socially engineered into clicking on the file.\r\nExecutable dropper with different fake security product icons\r\nTypically, a script containing a rar command is embedded in the executable dropper with different fake security product icons. Based on the script contained in the executable, we can identify the main document formats they were trying to find, such as Microsoft Word documents.\r\nrar.exe a -apC -r -ed -tk -m5 -dh -tl -hpThis0nePiece -ta20180704 C:\\DOCUME~1\\ALLUSE~1\\DRM\\Media\\B9CC\r\nMoreover, the dropper employs a worm infection strategy using a removable device to carry the malware into the target’s host and facilitate a breach into the secure network environment. We also found the same dropper deploying different backdoors including the Mongall backdoor and a modified Heyoka backdoor.\r\nRemovable Device as an Initial Vector\r\nFrom 2018 to present, this actor has also been observed using a fake removable device as an initial infection vector. Over time, the actor upgraded the malware to protect it from being detected and removed by security products.\r\nHere’s a summary of the attack chain of recent campaigns:\r\n1. A Removable Disk shortcut file is made which contains a specific path to initiate the malware.\r\n2. When a user clicks the fake device, it will execute the “Evernote Tray Application” and use DLL hijacking to load the malicious encrashrep.dll loader as explorer.exe.\r\n3. After executing the loader, it will check if it is in any attached removable devices.\r\n4. 
If the loader is not in the removable disk, it will copy all the modules under \"%USERPROFILE%\\AppData\\Roaming\\EverNoteService\\\", which includes normal files, the backdoor loader and an encrypted backdoor payload.\r\n5. The malware sets the auto start function with the value “EverNoteTrayUService”. When the user restarts the computer, it will execute the “Evernote Tray Application” and use DLL hijacking to load the malicious loader.\r\n6. The loader will check the file path first and decrypt the payloads. There are two payloads in this attack chain: the first payload is the spreader, which copies all malicious files to removable devices; the second one is an encrypted backdoor which injects itself into rundll32’s memory.\r\nNewest infection chain flow\r\nUsing USB shortcut techniques to spread the malware and infect target victims\r\nUse a shortcut file to fake a removable disc icon and change the Evernote application name to RemovableDisc.exe\r\nThe spreader component will try to find the removable device in the victim’s environment. This malware component will copy all the malicious modules to any removable device to spread the malware in the target’s network environment, excluding Drive A. The threat actor names this component “upan”, which we observe in the malware’s PDB strings.\r\nC:\\Users\\john\\Documents\\Visual Studio 2010\\Projects\\upan_dll_test\\Debug\\upan.pdb\r\nMalware Analysis\r\nAoqin Dragon relies heavily on the DLL hijacking technique to compromise targets and run their malware of choice. 
This includes their newest malware loader, Mongall backdoor, and a modified Heyoka backdoor.\r\nDLL-test.dll Loader\r\nThe DLL-test.dll loader is notable because it is used to initiate the infection chain. When a victim has been compromised, DLL-test.dll will check that the host drive is not A and test whether the drive is removable media or not. After these checks are complete, the loader opens the Removable Disk folder to simulate normal behavior. It then copies all modules from the removable drive to the “EverNoteService” folder. The loader will set up an auto start for “EverNoteTrayService” as a form of persistence following reboots.\r\nAfter decrypting the encrypted payload, DLL-test.dll will execute rundll32.exe and run specific export functions. The loader injects the decrypted payload into memory and runs it persistently. The payload we found in this operation included a Mongall backdoor and a modified Heyoka backdoor.\r\nWe found that the code injection logic is identical to that in the book WINDOWS黑客编程技术详解 (Windows Hacking Programming Techniques Explained), Chapter 4, Section 3, which describes how to use memory to directly execute a DLL file. We also found the same code on GitHub. A debug string inside the DLL-test loader provides further evidence that this is the source of the code in the malware.\r\nC:\\users\\john\\desktop\\af\\dll_test_hj3\\dll_test\\memloaddll.cpp\r\nC:\\users\\john\\desktop\\af\\dll_test_hj3 -不过uac 不写注册表\\dll_test\\memloaddll.cpp\r\nC:\\users\\john\\desktop\\af\\dll_test - upan -单独 - 老黑的版本\\dll_test\\memloaddll.cpp\r\nAs stated above, the debug strings inside the DLL-test.dll loader provide interesting information about Aoqin Dragon TTPs. 
The loaders contain both debug strings and embedded PDB strings that give us further information about this loader’s features and which backdoor will be decrypted. For instance, “DLL_test loader for Mongall”, “DLL_test loader for Mongall but can’t bypass UAC and can’t add itself to registry”, “DLL-test loader for upan component” and “DLL-test for DnsControl”, which is a modified Heyoka backdoor.\r\nC:\\Documents and Settings\\Owner\\桌面\\DLL_test\\Release\\DLL_test.pdb\r\nC:\\Users\\john\\Desktop\\af\\DLL_test_hj3\\Debug\\DLL_test.pdb\r\nC:\\Users\\john\\Desktop\\af\\DLL_test - upan -单独 - 老黑的版本\\Debug\\DLL_test.pdb\r\nC:\\Users\\john\\Desktop\\af\\DLL_test - upan -单独 - 老黑的版本\\Release\\DLL_test.pdb\r\nC:\\Users\\john\\Desktop\\af\\DLL_test_hj3 -不过UAC 不写注册表\\Debug\\DLL_test.pdb\r\nD:\\2018\\DnsControl\\DNS20180108\\DLL_test\\Release\\DLL_test.pdb\r\nMongall Backdoor\r\nMongall is a small backdoor going back to 2013, first described in a report by ESET. According to the report, the threat actor was trying to target the Telecommunications Department and the Vietnamese government. More recently, Aoqin Dragon has been reported targeting Southeast Asia with an upgraded Mongall encryption protocol and Themida packer.\r\nThe Mongall backdoor has four different mutexes and different notes in each backdoor – the notes are shown in the IOC table. Based on the notes, we can estimate malware creation time, intended targets, Mongall backdoor versions and the related C2 domain name.\r\nThe backdoor mutex and information collection\r\nThe actors name this backdoor HJ-client.dll, and the backdoor name matches the PDB strings mentioned earlier. In addition, there are some notes containing “HJ” strings inside the backdoor.\r\nAlthough Mongall is not particularly feature rich, it is still an effective backdoor. 
It can create a remote shell, upload files to the victim’s machine and download files to the attacker’s C2. Most important of all, this backdoor embeds three C2 servers for communication. Below is the Mongall backdoor function description and command code.\r\nMongall backdoor function capability\r\nWe discovered that the Mongall backdoor’s network transmission logic could be found on the Chinese Software Developer Network (CSDN). Compared to the old Mongall backdoor, the new version upgrades the encryption mechanism. However, new versions of Mongall still use HTTP GET requests to send the information back, with RC4 to encrypt or base64 to encode the victim machine’s information. There is another interesting finding when we analyze the Mongall backdoor: the encryption or encoding logic corresponds to the Mongall mutex. Here is the table of mutexes and the data transform logic.\r\nMutex | Algorithm\r\nFlag_Running | Base64 (type 3)\r\nDownload_Flag | Base64 (type 3)\r\nRunning_Flag | Base64 (type 3)\r\nFlag_Runnimg_2810 | Modified base64 (type 2)\r\nFlag_Running_2016 | Modified base64 (type 2)\r\nFlag_Running_2014RC4 | RC4+base64 (type 1)\r\nFaking a C2 server allowed us to capture Mongall beacon messages and develop a Python decryption script to reveal each version of the message. Alongside this report, we are publicly releasing the script here. Below are the encrypted strings and the decrypted beacon information.\r\nDecrypting the embedded beacon information\r\nModified Heyoka Backdoor\r\nWe also observed another backdoor used by this threat actor. This backdoor is totally different from Mongall, as we found it is based on the Heyoka open source project. 
Heyoka is a proof-of-concept exfiltration tool which uses spoofed DNS requests to create a bidirectional tunnel. The threat actors modified and redesigned this tool to be a custom backdoor, using a DLL injection technique to deploy it in the victim’s environment. Simplified Chinese characters can be found in its debug log.\r\nLeft: the modified backdoor information; Right: the Heyoka source code\r\nDebug information with simplified Chinese characters\r\nThis backdoor was named srvdll.dll by its developers. They not only expanded its functionality but also added two hardcoded C2s. The backdoor checks whether it is running as a system service or not, to make sure it has sufficient privileges and to keep itself persistent. The modified Heyoka backdoor is much more powerful than Mongall. Although both have shell ability, the modified Heyoka backdoor is generally closer to a complete backdoor product. The commands available in the modified Heyoka backdoor are tabulated below.\r\nCommand code | Description\r\n0x5 | open a shell\r\n0x51 | get host drive information\r\n0x3 | search file function\r\n0x4 | input data in an exit file\r\n0x6 | create a file\r\n0x7 | create a process\r\n0x9 | get all process information in this host\r\n0x10 | kill process\r\n0x11 | create a folder\r\n0x12 | delete file or folder\r\nHardcoded command and control server in modified Heyoka backdoor\r\nBackdoor with the DNS tunneling connection\r\nAttribution\r\nThroughout the analysis of Aoqin Dragon operations, we came across several artifacts linking the activity to a Chinese-speaking APT group, as detailed in the following sections.\r\nInfrastructure\r\nOne of Mongall’s backdoors was observed by 
Unit42 in 2015. They claim the president of Myanmar’s website had been used in a watering hole attack on December 24, 2014. The attacker injected a JavaScript file with a malicious iframe to exploit the browsers of website visitors. In addition, they were also aware that another malicious script had been injected into the same website in November 2014, leveraging CVE-2014-6332 to download a trojan horse to the target’s host.\r\nIn 2013, there was a news report about this group and the results of a police investigation. Police retrieved information from the C2 server and phishing mail server operators located in Beijing, China. The two primary backdoors used in this operation have overlapping C2 infrastructure, and most of the C2 servers can be attributed to Chinese-speaking users.\r\nTwo major backdoor C2s overlap\r\nC2 attributed to Chinese-speaking users\r\nTargeting and Motives\r\nThe targeting of Aoqin Dragon closely aligns with the Chinese government’s political interests. We primarily observed Aoqin Dragon targeting government, education, and telecommunication organizations in Southeast Asia and Australia.\r\nConsidering this long-term effort and continuous targeted attacks for the past few years, we assess the threat actor’s motives are espionage-oriented.\r\nConclusion\r\nAoqin Dragon is an active cyberespionage group that has been operating for nearly a decade. We have observed the Aoqin Dragon group evolve TTPs several times in order to stay under the radar. We fully expect that Aoqin Dragon will continue conducting espionage operations. 
In addition, we assess it is likely they will also continue to\r\nadvance their tradecraft, finding new methods of evading detection and stay longer in their target network.\r\nSentinelLABS continues to track this activity cluster to provide insight into their evolution.\r\nIndicators of Compromise\r\nSHA1 Malware Family\r\na96caf60c50e7c589fefc62d89c27e6ac60cdf2c Mongall\r\nccccf5e131abe74066b75e8a49c82373414f5d95 Mongall\r\n5408f6281aa32c02e17003e0118de82dfa82081e Mongall\r\na37bb5caa546bc4d58e264fe55e9e9155f36d9d8 Mongall\r\n779fa3ebfa1af49419be4ae80b54096b5abedbf9 Mongall\r\n2748cbafc7f3c9a3752dc1446ee838c5c5506b23 Mongall\r\neaf9fbddf357bdcf9a5c7f4ad2b9e5f81f96b6a1 Mongall\r\n6380b7cf83722044558512202634c2ef4bc5e786 Mongall\r\n31cddf48ee612d1d5ba2a7929750dee0408b19c7 Mongall\r\n677cdfd2d686f7148a49897b9f6c377c7d26c5e0 Mongall\r\n911e4e76f3e56c9eccf57e2da7350ce18b488a7f Mongall\r\nc6b061b0a4d725357d5753c48dda8f272c0cf2ae Mongall\r\ndc7436e9bc83deea01e44db3d5dac0eec566b28c Mongall\r\n5cd555b2c5c6f6c6c8ec5a2f79330ec64fab2bb0 Mongall\r\n668180ed487bd3ef984d1b009a89510c42c35d06 Mongall\r\n28a23f1bc69143c224826962f8c50a3cf6df3130 Mongall\r\nab81f911b1e0d05645e979c82f78d92b0616b111 Mongall\r\n47215f0f4223c1ecf8cdeb847317014dec3450fb Mongall\r\n061439a3c70d7b5c3aed48b342dda9c4ce559ea6 Mongall\r\nhttps://www.sentinelone.com/labs/aoqin-dragon-newly-discovered-chinese-linked-apt-has-been-quietly-spying-on-organizations-for-10-years/\r\nPage 13 of 22\n\naa83d81ab543a576b45c824a3051c04c18d0716a Mongall\r\n43d9d286a38e9703c1154e56bd37c5c399497620 Mongall\r\n435f943d20ab7b3ecc292e5b16683a94e50c617e Mongall\r\n94b486d650f5ca1761ee79cdff36544c0cc07fe9 Mongall\r\n1bef29f2ab38f0219b1dceb5d37b9bda0e9288f5 Mongall\r\n01fb97fbb0b864c62d3a59a10e785592bb26c716 Mongall\r\n03a5bee9e9686c18a4f673aadd1e279f53e1c68f Mongall\r\n1270af048aadcc7a9fc0fd4a82b9864ace0b6fb6 Mongall\r\ne2e7b7ba7cbd96c9eec1bcb16639dec87d06b8dd Mongall\r\n08d22a045f4b16a2939afe029232c6a8f74dcde2 
Mongall\r\n96bd0d29c319286afaf35ceece236328109cb660 Mongall\r\n6cd9886fcb0bd3243011a1f6a2d1dc2da9721aec Mongall\r\n271bd3922eafac4199322177c1ae24b1265885e8 Mongall\r\ne966bdb1489256538422a9eb54b94441ddf92efc Mongall\r\n134d5662f909734c1814a5c0b4550e39a99f524b Mongall\r\n93eb2e93972f03d043b6cf0127812fd150ca5ec5 Mongall\r\na8e7722fba8a82749540392e97a021f7da11a15a Mongall\r\n436a4f88a5c48c9ee977c6fbcc8a6b1cae35d609 Mongall\r\nab4cd6a3a4c1a89d70077f84f79d5937b31ebe16 Mongall\r\n8340a9bbae0ff573a2ea103d7cbbb34c20b6027d Mongall\r\n31b37127440193b9c8ecabedc214ef51a41b833c Mongall\r\ned441509380e72961b263d07409ee5987820d7ae Mongall\r\n45d156d2b696338bf557a509eaaca9d4bc34ba4a Mongall\r\nbac8248bb6f4a303d5c4e4ce0cd410dc447951ea Mongall\r\n15350967659da8a57e4d8e19368d785776268a0e Mongall\r\n008dd0c161a0d4042bdeb1f1bd62039a9224b7f0 Mongall\r\n7e1f5f74c1bf2790c8931f578e94c02e791a6f5f Mongall\r\nhttps://www.sentinelone.com/labs/aoqin-dragon-newly-discovered-chinese-linked-apt-has-been-quietly-spying-on-organizations-for-10-years/\r\nPage 14 of 22\n\n16a59d124acc977559b3126f9ec93084ca9b76c7 Mongall\r\n38ba46a18669918dea27574da0e0941228427598 Mongall\r\n38ba46a18669918dea27574da0e0941228427598 Mongall\r\n19814580d3a3a87950fbe5a0be226f9610d459ed Mongall\r\nd82ebb851db68bce949ba6151a7063dab26a4d54 Mongall\r\n0b2956ad5695b115b330388a60e53fb13b1d48c3 Mongall\r\n7fb2838b197981fbc6b5b219d115a288831c684c Mongall\r\naf8209bad7a42871b143ad4c024ed421ea355766 Mongall\r\n72d563fdc04390ba6e7c3df058709c652c193f9c Mongall\r\ndb4b1507f8902c95d10b1ed601b56e03499718c5 Mongall\r\nf5cc1819c4792df19f8154c88ff466b725a695f6 Mongall\r\n86e04e6a149fd818869721df9712789d04c84182 Mongall\r\na64fbd2e5e47fea174dd739053eec021e13667f8 Mongall\r\nd36c3d857d23c89bbdfefd6c395516a68ffa6b82 Mongall\r\nd15947ba6d65a22dcf8eff917678e2b386c5f662 Mongall\r\n5fa90cb49d0829410505b78d4037461b67935371 Mongall\r\nf2bf467a5e222a46cd8072043ce29b4b72f6a060 Mongall\r\ne061de5ce7fa02a90bbebf375bb510158c54a045 
Mongall\r\n4e0b42591b71e35dd1edd2e27c94542f64cfa22f Mongall\r\n330402c612dc9fafffca5c7f4e97d2e227f0b6d4 Mongall\r\n5f4cd9cd3d72c52881af6b08e58611a0fe1b35bf Mongall\r\n2de1184557622fa34417d2356388e776246e748a Mongall\r\n9a9aff027ad62323bdcca34f898dbcefe4df629b Mongall\r\n9cd48fddd536f2c2e28f622170e2527a9ca84ee0 Mongall\r\n2c99022b592d2d8e4a905bacd25ce7e1ec3ed3bb Mongall\r\n69e0fcdc24fe17e41ebaee71f09d390b45f9e5c2 Mongall\r\na2ea8a9abf749e3968a317b5dc5b95c88edc5b6f Mongall\r\nhttps://www.sentinelone.com/labs/aoqin-dragon-newly-discovered-chinese-linked-apt-has-been-quietly-spying-on-organizations-for-10-years/\r\nPage 15 of 22\n\n0a8e432f63cc8955e2725684602714ab710e8b0a Mongall\r\n309accad8345f92eb19bd257cfc7dd8d0c00b910 Mongall\r\n89937567c575d38778b08289876b938a0e766f14 Mongall\r\n19bd1573564fe2c73e08dce4c4ad08b2161e0556 Mongall\r\na1d0c96db49f1eef7fd71cbed13f2fb6d521ab6a Mongall\r\n936748b63b1c9775cef17c8cdbba9f45ceba3389 Mongall\r\n46d54a3de7e139b191b999118972ea394c48a97f Mongall\r\n4786066b29066986b35db0bfce1f58ec8051ba6b Mongall\r\nb1d84d33d37526c042f5d241b94f8b77e1aa8b98 Mongall\r\n7bb500f0c17014dd0d5e7179c52134b849982465 Mongall\r\nd1d3219006fdfd4654c52e84051fb2551de2373a Mongall\r\n0ffa5e49f17bc722c37a08041e6d80ee073d0d8f Mongall\r\ndceecf543f15344b875418ad086d9706bfef1447 Mongall\r\nfa177d9bd5334d8e4d981a5a9ab09b41141e9dcc Mongall\r\n07aab5761d56159622970a0213038a62d53743c2 Mongall\r\nd83dde58a510bdd3243038b1f1873e7da3114bcf Mongall\r\na0da713ee28a17371691aaa901149745f965eb90 Mongall\r\nc5b644a33fb027900111d5d4912e28b7dcce88ff Mongall\r\ndb5437fec902cc1bcbad4bef4d055651e9926a89 Mongall\r\nff42d2819c1a73e0032df6c430f0c67582adba74 Mongall\r\n3b2d858c682342127769202a806e8ab7f1e43173 Mongall\r\nc08bf3ae164e8e9d1d9f51dffcbe7039dce4c643 Mongall\r\nf41d1966285667e74a419e404f43c7693f3b0383 Mongall\r\n3ccb546f12d9ed6ad7736c581e7a00c86592e5dd Mongall\r\n904556fed1aa00250eee1a69d68f78c4ce66a8dc Mongall\r\nbd9dec094c349a5b7d9690ab1e58877a9f001acf 
Mongall\r\n87e6ab15f16b1ed3db9cc63d738bf9d0b739a220 Mongall\r\nhttps://www.sentinelone.com/labs/aoqin-dragon-newly-discovered-chinese-linked-apt-has-been-quietly-spying-on-organizations-for-10-years/\r\nPage 16 of 22\n\nf8fc307f7d53b2991dea3805f1eebf3417a7082b Mongall\r\nece4c9fc15acd96909deab3ff207359037012fd5 Mongall\r\n7fdfec70c8daae07a29a2c9077062e6636029806 Mongall\r\n17d548b2dca6625271649dc93293fdf998813b21 Mongall\r\n6a7ac7ebab65c7d8394d187aafb5d8b3f7994d21 Mongall\r\nfee78ccadb727797ddf51d76ff43bf459bfa8e89 Mongall\r\n4bf58addcd01ab6eebca355a5dda819d78631b44 Mongall\r\nfd9f0e40bf4f7f975385f58d120d07cdd91df330 Mongall\r\na76c21af39b0cc3f7557de645e4aaeccaf244c1e Mongall\r\n7ff9511ebe6f95fc73bc0fa94458f18ee0fb395d Mongall\r\n97c5003e5eacbc8f5258b88493f148f148305df5 Mongall\r\nf92edf91407ab2c22f2246a028e81cf1c99ce89e Mongall\r\nd932f7d11f8681a635e70849b9c8181406675930 Mongall\r\nb0b13e9445b94ed2b69448044fbfd569589f8586 Mongall\r\nb194b26de8c1f31b0c075ceb0ab1e80d9c110efc Mongall\r\ndf26b43439c02b8cd4bff78b0ea01035df221f68 Mongall\r\n60bd17aa94531b89f80d7158458494b279be62b4 Mongall\r\n33abee43acfe25b295a4b2accfaf33e2aaf2b879 Mongall\r\nc87a8492de90a415d1fbe32becbafef5d5d8eabb Mongall\r\n68b731fcb6d1a88adf30af079bea8efdb0c2ee6e Mongall\r\ncf7c5d32d73fb90475e58597044e7f20f77728af Mongall\r\n1ab85632e63a1e4944128619a9dafb6405558863 Mongall\r\n1f0d3c8e373c529a0c3e0172f5f0fb37e1cdd290 Mongall\r\nf69050c8bdcbb1b5f16ca069e231b66d52c0a652 Mongall\r\n6ff079e886cbc6be0f745b044ee324120de3dab2 Mongall\r\n8c90aa0a521992d57035f00d3fbdfd0fa7067574 Mongall\r\n5e32a5a5ca270f69a3bf4e7dd3889b0d10d90ec2 Mongall\r\nhttps://www.sentinelone.com/labs/aoqin-dragon-newly-discovered-chinese-linked-apt-has-been-quietly-spying-on-organizations-for-10-years/\r\nPage 17 of 22\n\n0db3626a8800d421c8b16298916a7655a73460de Mongall\r\n01751ea8ac4963e40c42acfa465936cbe3eed6c2 Mongall\r\n6b3032252b1f883cbe817fd846181f596260935b Dropper\r\n741168d01e7ea8a2079ee108c32893da7662bb63 
Dropper\r\nb9cc2f913c4d2d9a602f2c05594af0148ab1fb03 Dropper\r\nc7e6f7131eb71d2f0e7120b11abfaa3a50e2b19e Dropper\r\nae0fdf2ab73e06c0cd04cf79b9c5a9283815bacb Dropper\r\n67f2cd4f1a60e1b940494812cdf38cd7c0290050 Dropper\r\naca99cfd074ed79c13f6349bd016d5b65e73c324 Dropper\r\nba7142e016d0e5920249f2e6d0f92c4fadfc7244 Dropper\r\n98a907b18095672f92407d92bfd600d9a0037f93 Dropper\r\nafaffef28d8b6983ada574a4319d16c688c2cb38 Dropper\r\n98e2afed718649a38d9daf10ac792415081191fe Dropper\r\nbc32e66a6346907f4417dc4a81d569368594f4ae Dropper\r\n8d569ac92f1ca8437397765d351302c75c20525b Document exploit\r\n5c32a4e4c3d69a95e00a981a67f5ae36c7aae05e Document exploit\r\nd807a2c01686132f5f1c359c30c9c5a7ab4d31c2 Document exploit\r\n155db617c6cf661507c24df2d248645427de492c Modified Heyoka\r\n7e6870a527ffb5235ee2b4235cd8e74eb0f69d0e Modified Heyoka\r\n2f0ea0a0a2ffe204ec78a0bdf1f5dee372ec4d42 DLL-test\r\n041d9b089a9c8408c99073c9953ab59bd3447878 DLL-test\r\n1edada1bb87b35458d7e059b5ca78c70cd64fd3f DLL-test\r\n4033c313497c898001a9f06a35318bb8ed621dfb DLL-test\r\n683a3e0d464c7dcbe5f959f8fd82d738f4039b38 DLL-test\r\n97d30b904e7b521a9b7a629fdd1e0ae8a5bf8238 DLL-test\r\n53525da91e87326cea124955cbc075f8e8f3276b DLL-test\r\n73ac8512035536ffa2531ee9580ef21085511dc5 DLL-test\r\nhttps://www.sentinelone.com/labs/aoqin-dragon-newly-discovered-chinese-linked-apt-has-been-quietly-spying-on-organizations-for-10-years/\r\nPage 18 of 22\n\n28b8843e3e2a385da312fd937752cd5b529f9483 Installer\r\ncd59c14d46daaf874dc720be140129d94ee68e39 Upan component\r\nMongall C2 Servers: IP Addresses\r\n10[.]100[.]0[.]34 (Internal IPs)\r\n10[.]100[.]27[.]4 (Internal IPs)\r\n172[.]111[.]192[.]233\r\n59[.]188[.]234[.]233\r\n64[.]27[.]4[.]157\r\n64[.]27[.]4[.]19\r\n67[.]210[.]114[.]99\r\nMongall C2 Servers: 
Domains\r\nback[.]satunusa[.]org\r\nbaomoi[.]vnptnet[.]info\r\nbbw[.]fushing[.]org\r\nbca[.]zdungk[.]com\r\nbkav[.]manlish[.]net\r\nbkav[.]welikejack[.]com\r\nbkavonline[.]vnptnet[.]info\r\nbush2015[.]net\r\ncl[.]weststations[.]com\r\ncloundvietnam[.]com\r\ncpt[.]vnptnet[.]inf\r\ndns[.]lioncity[.]top\r\ndns[.]satunusa[.]org\r\ndns[.]zdungk[.]com\r\nds[.]vdcvn[.]com\r\nds[.]xrayccc[.]top\r\nfacebookmap[.]top\r\nfbcl2[.]adsoft[.]name\r\nfbcl2[.]softad[.]net\r\nflower2[.]yyppmm[.]com\r\ngame[.]vietnamflash[.]com\r\nhello[.]bluesky1234[.]com\r\nipad[.]vnptnet[.]info\r\nks[.]manlish[.]net\r\nlepad[.]fushing[.]org\r\nlllyyy[.]adsoft[.]name\r\nlucky[.]manlish[.]net\r\nma550[.]adsoft[.]name\r\nma550[.]softad[.]net\r\nhttps://www.sentinelone.com/labs/aoqin-dragon-newly-discovered-chinese-linked-apt-has-been-quietly-spying-on-organizations-for-10-years/\r\nPage 19 of 22\n\nmail[.]comnnet[.]net\r\nmail[.]tiger1234[.]com\r\nmail[.]vdcvn[.]com\r\nmass[.]longvn[.]net\r\nmcafee[.]bluesky1234[.]com\r\nmedia[.]vietnamflash[.]com\r\nmil[.]dungk[.]com\r\nmil[.]zdungk[.]com\r\nmmchj2[.]telorg[.]net\r\nmmslsh[.]tiger1234[.]com\r\nmobile[.]vdcvn[.]com\r\nmoit[.]longvn[.]net\r\nmovie[.]vdcvn[.]com\r\nnews[.]philstar2[.]com\r\nnews[.]welikejack[.]com\r\nnpt[.]vnptnet[.]info\r\nns[.]fushing[.]org\r\nnycl[.]neverdropd[.]com\r\nphcl[.]followag[.]org\r\nphcl[.]neverdropd[.]com\r\npna[.]adsoft[.]name\r\npnavy3[.]neverdropd[.]com\r\nsky[.]bush2015[.]net\r\nsky[.]vietnamflash[.]com\r\ntcv[.]tiger1234[.]com\r\ntelecom[.]longvn[.]net\r\ntelecom[.]manlish[.]net\r\nth-y3[.]adsoft[.]name\r\nth550[.]adsoft[.]name\r\nth550[.]softad[.]net\r\nthree[.]welikejack[.]com\r\nthy3[.]softad[.]net\r\nvdcvn[.]com\r\nvideo[.]philstar2[.]com\r\nviet[.]vnptnet[.]info\r\nviet[.]zdungk[.]com\r\nvietnam[.]vnptnet[.]info\r\nvietnamflash[.]com\r\nvnet[.]fushing[.]org\r\nvnn[.]bush2015[.]net\r\nvnn[.]phung123[.]com\r\nwebmail[.]philstar2[.]com\r\nhttps://www.sentinelone.com/labs/aoqin-dragon-newly-discovered-chinese-linked
-apt-has-been-quietly-spying-on-organizations-for-10-years/\r\nPage 20 of 22\n\nwww[.]bush2015[.]net\r\nyok[.]fushing[.]org\r\nyote[.]dellyou[.]com\r\nzing[.]vietnamflash[.]com\r\nzingme[.]dungk[.]com\r\nzingme[.]longvn[.]net\r\nzw[.]dinhk[.]net\r\nzw[.]phung123[.]com\r\nModified Heyoka C2 Server: IP Address\r\n45[.]77[.]11[.]148\r\nModified Heyoka C2 Server: Domain\r\ncvb[.]hotcup[.]pw\r\ndns[.]foodforthought1[.]com\r\ntest[.]facebookmap[.]top\r\nMITRE ATT\u0026CK TTPs\r\nTactic | Technique | Procedure/Comments\r\nInitial Access | T1566 – Phishing | Threat actor uses fake-icon executables and document exploits as decoys\r\nInitial Access | T1091 – Replication Through Removable Media | Copies malware to removable media and infects other machines\r\nExecution | T1569 – System Service | Modified Heyoka will set itself up as a service\r\nExecution | T1204 – User Execution | Lures victims to double-click on decoy files\r\nPersistence | T1547 – Boot or Logon Autostart Execution | Settings to automatically execute a program during logon\r\nPrivilege Escalation | T1055 – Process Injection | Mongall has injected an install module into a newly created process.\r\nPrivilege Escalation | T1055.001 – Dynamic-link Library Injection | Mongall has injected a DLL into rundll32.exe\r\nDefense Evasion | T1211 – Exploitation for Defense Evasion | Uses document exploits to bypass security features.\r\nDefense Evasion | T1027 – Obfuscated Files or Information | Actors use the Themida packer to pack the malware\r\nDefense Evasion | T1055 – Process Injection | Using DLL hijacking to evade process-based defenses\r\nDiscovery | T1033 – System Owner/User Discovery | Collects the user account and sends it back to C2\r\nDiscovery | T1082 – System Information Discovery | Collecting OS system 
version and MAC address\r\nCollection | T1560 – Archive Collected Data | Dropper uses rar to archive specific file formats\r\nCommand and Control | T1071.001 – Application Layer Protocol: Web Protocols | Mongall communicates over HTTP\r\nCommand and Control | T1071.004 – Application Layer Protocol: DNS | Modified Heyoka has used DNS tunneling for C2 communications.\r\nCommand and Control | T1571 – Non-Standard Port | Mongall uses ports 5050, 1352, etc. to communicate with C2\r\nCommand and Control | T1132 – Data Encoding | Mongall uses base64 or RC4 to encode or encrypt data to make the content of command and control traffic more difficult to detect\r\nSource: https://www.sentinelone.com/labs/aoqin-dragon-newly-discovered-chinese-linked-apt-has-been-quietly-spying-on-organizations-for-10-years/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE",
		"Malpedia",
		"MISPGALAXY",
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.sentinelone.com/labs/aoqin-dragon-newly-discovered-chinese-linked-apt-has-been-quietly-spying-on-organizations-for-10-years/"
	],
	"report_names": [
		"aoqin-dragon-newly-discovered-chinese-linked-apt-has-been-quietly-spying-on-organizations-for-10-years"
	],
	"threat_actors": [
		{
			"id": "5cd2e600-e100-4159-88ce-bda7b98d6bb4",
			"created_at": "2022-10-27T08:27:13.089186Z",
			"updated_at": "2026-04-10T02:00:05.284285Z",
			"deleted_at": null,
			"main_name": "Aoqin Dragon",
			"aliases": [
				"Aoqin Dragon"
			],
			"source_name": "MITRE:Aoqin Dragon",
			"tools": [
				"Mongall",
				"Heyoka Backdoor"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "5a07c7a3-f12a-4518-b078-de7da2fb6b5e",
			"created_at": "2022-10-25T16:07:23.312387Z",
			"updated_at": "2026-04-10T02:00:04.536656Z",
			"deleted_at": null,
			"main_name": "Aoqin Dragon",
			"aliases": [
				"G1007",
				"UNC94"
			],
			"source_name": "ETDA:Aoqin Dragon",
			"tools": [
				"Mongall"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "abe60a4d-d2a5-4c13-97ff-8625a68b205b",
			"created_at": "2023-01-06T13:46:39.457794Z",
			"updated_at": "2026-04-10T02:00:03.335805Z",
			"deleted_at": null,
			"main_name": "Aoqin Dragon",
			"aliases": [
				"UNC94"
			],
			"source_name": "MISPGALAXY:Aoqin Dragon",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434497,
	"ts_updated_at": 1775826701,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/181819269b8ab845e783402bc9604441bbd14d9a.pdf",
		"text": "https://archive.orkl.eu/181819269b8ab845e783402bc9604441bbd14d9a.txt",
		"img": "https://archive.orkl.eu/181819269b8ab845e783402bc9604441bbd14d9a.jpg"
	}
}