{
	"id": "e5235f41-c225-4cf0-bf9b-3739b90007e3",
	"created_at": "2026-04-06T00:06:15.857147Z",
	"updated_at": "2026-04-10T03:31:24.632507Z",
	"deleted_at": null,
	"sha1_hash": "280fea4359150321870354a806eca4290cf917a2",
	"title": "OnionDog is not a Targeted Attack—It’s a Cyber Drill",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 73346,
	"plain_text": "OnionDog is not a Targeted Attack—It’s a Cyber Drill\r\nPublished: 2017-08-09 · Archived: 2026-04-05 13:55:11 UTC\r\nAlleged attacks from North Korean actors are a hot security research topic. The infamous Sony Pictures hack in\r\n2014, for instance, was reported by some to be the work of North Korean threat actors. There is a lot of\r\ninterest in Lazarus too, which is purportedly a North Korea-linked group responsible for a couple of\r\nglobal bank heists that attempted to steal staggering amounts of money.\r\nIn this blog post, we will look into smaller-scale attacks in which an actor group allegedly attacked high-profile targets\r\nworking in the energy and transportation sector of South Korea for more than three years in a row. These attacks, which\r\nare known as OnionDog, received some publicity in the media. A perfunctory look into these actors' activities might\r\neasily lead to hasty conclusions on attribution. We had a more thorough look, in which we reached an interesting\r\nconclusion: OnionDog is not a targeted attack. OnionDog is a cyber drill.\r\nOnionDog is a Cyber Drill\r\nOnionDog was first observed in 2013. When it was reported in 2016, it was identified as being behind attacks on South\r\nKorean energy and transportation companies that went as far back as 2013. We know of about 200 unique OnionDog\r\nsamples. At first sight, it looked like the work of a small but still-significant threat actor group. A report\r\nfrom Qihoo 360’s Helios Team has the most detailed analysis of OnionDog. It included indicators of compromise\r\n(IoCs) such as hashes of malicious files along with eight specific command-and-control (C\u0026C) IP addresses. The IP\r\naddresses are indeed callback addresses for malware-infected computers. Their purpose doesn’t look malicious, however; they\r\nmerely seem meant to record which targets fell victim to a cybersecurity drill. 
We looked up historical domain resolutions of\r\nthese eight IP addresses and found these:\r\nIP Domain Active\r\n221[.]149[.]223[.]209 korea[.]kr[.]ncsc[.]go[.]kr June 2011—August 2011\r\n112[.]169[.]154[.]65 cyber[.]ncsc[.]go[.]kr June 2011—August 2011\r\n221[.]149[.]32[.]213 drill12[.]ncsc[.]go[.]kr July 2012—August 2012\r\n220[.]85[.]160[.]3 dril113[.]ncsc[.]go[.]kr August 2013\r\n222[.]107[.]13[.]113 drill12[.]ncsc[.]go[.]kr August 2013\r\nTable 1: Historic passive DNS data of hardcoded OnionDog C\u0026C IP addresses\r\nIP1 Domain IP1 IP2 Domain IP2\r\n218[.]145[.]131[.]130 None 220[.]85[.]160[.]3 dril113[.]ncsc[.]go[.]kr\r\n218[.]153[.]172[.]53 None 221[.]149[.]223[.]209 korea[.]kr[.]ncsc[.]go[.]kr\r\nTable 2: Two pairs of OnionDog C\u0026C IP addresses with the same HTTP response in July and August 2014. These\r\nresponses were unique in historical Internet-wide HTTP scans by Rapid7.\r\nhttps://blog.trendmicro.com/trendlabs-security-intelligence/oniondog-not-targeted-attack-cyber-drill/\r\nPage 1 of 5\n\nThe ncsc.go.kr domain belongs to the National Cyber Security Center (NCSC) of South Korea, indicating the five IP\r\naddresses in Table 1 belonged to the NCSC of South Korea. Two more C\u0026C IP addresses cited in the report had virtually\r\nunique digital fingerprints based on their response to basic HTTP requests. This convinced us that these were controlled\r\nby the South Korean NCSC in 2014 too. So seven out of the eight IPs listed in the report clearly linked back to NCSC at\r\nsome point in the past. This alone already made us think that the OnionDog samples were related to cyber drills.\r\nWe found about 200 files in the wild related to OnionDog, which means the cyber drills’ tools were not contained in a\r\ncontrolled environment. 
This potentially poses problems—after all, no one wants these methods and tools to become\r\npublic, especially when they were specifically intended for the drill.\r\nBelow are some of the samples belonging to OnionDog:\r\nSHA256  Compile Time  Hardcoded C\u0026C\r\ndbb0878701b8512daa057c93d9653f954dde24a25306dcee014adf7ffff0bdb4  13/08/13 07:47  dril113[.]ncsc[.]go[.]kr\r\nf8c71f34a6cfdc9e3c4a0061d5e395ffe11d9d9e77abe1a5d4b6f335d08da130  13/08/13 07:47  dril113[.]ncsc[.]go[.]kr\r\n7564990506f59660c1a434ce1526b2aea35a51f97b8a490353eece18ec10b910  10/10/13 11:35  221[.]149[.]223[.]209\r\n8b91cfd40529b5667bbdab970d8dba05fca0952fffba8ccbb1ad9549d204ba85  10/10/13 11:58  221[.]149[.]223[.]209\r\ne20d0a8e1dec96ed20bd476323409f8f5c09531777207cfeda6b7f3573426104  13/07/14 11:43  dril113[.]ncsc[.]go[.]kr\r\n7461e8b7416bf8878d20a696a27ccf378c93afc6c8f120840c3738b9508839d2  15/07/14 04:43  221[.]149[.]223[.]209\r\n04e87e473d34974874dd0a5289433c95ef27a3405ba9ad933800b1b855e6e21a  15/07/14 04:45  221[.]149[.]223[.]209\r\ncaf4b03118e5c5580c67b094d58389ade565d5ae82c392bb61fc0166063e845a  12/08/14 06:52  drill14[.]kr[.]ncsc[.]go[.]kr\r\n46fb5bcea417d7ff38edff7e39982aa9f89f890a97d8a0218b6c0f96a5e9bad2  12/08/14 06:52  drill14[.]kr[.]ncsc[.]go[.]kr\r\n1ffa34f88855991bdc9a153e01c9e18074ba52a773f4da390c4b798df6e6dc4e  12/08/14 06:52  drill14[.]kr[.]ncsc[.]go[.]kr\r\nfa5799c25b5ea2ecb24ee982a202e68aad77db7e6b18f37151fa744010f69979  12/08/14 06:52  drill14[.]kr[.]ncsc[.]go[.]kr\r\n1e926d83c25320bcc1f9497898deac05dff096b22789f1ac1f63c46d2c1c16a7  12/08/14 06:52  drill14[.]kr[.]ncsc[.]go[.]kr\r\n65d226469d6bdb1e7056864fe6d3866c8c72613b6b61a59547ef9c36eda177dd  10/07/15 11:51  .onion.city domains\r\n0ea456fd1274a784924d27beddc1a5caa4aa2f8c5abdf86eb40637fe42b43a7f  10/07/15 11:51  .onion.city domains\r\nb35b7a1b437d5998b77e10fdbf166862381358250cf2d1b34b61cf682157ff19  26/07/16 01:27  .onion.city domains\r\n1e926d83c25320bcc1f9497898deac05dff096b22789f1ac1f63c46d2c1c16a7  27/07/16 04:46  .onion.city domains\r\nTable 3: Hashes and C\u0026C domains of typical OnionDog samples\r\nThe oldest samples from 2013 did not hide ownership of the C\u0026C domains at all. From 2015 onwards, the cyber drills\r\nstarted to use .onion.city domains. This means that the actual callback addresses of the malware are hosted on Tor hidden\r\nservices. The compile dates of the samples are mostly in the summer and fall of 2013, 2014, 2015 and 2016.\r\nAnalyzing OnionDog Samples\r\nThere have been different sets of OnionDog samples throughout the years, but they are all related. The latest ones using\r\n.onion.city C\u0026C domains go deep inside the affected system. They install a Windows service that sends basic information\r\nto the Tor hidden C\u0026C domains. It can also download second-stage payloads from there.\r\nThe file with SHA256 hash \"65d226469d6bdb1e7056864fe6d3866c8c72613b6b61a59547ef9c36eda177dd\" is one of the\r\nOnionDog files from 2015 that connects to a .onion.city C\u0026C domain. When executed it will open an HWP document as\r\nshown below:\r\nFigure 1: Decoy document displayed by an OnionDog sample.\r\nThe title page of the decoy HWP document roughly translates to “Plan to check the performance of public discipline and\r\ncode of conduct during summer vacation in 2015”. This hints that the malware is being used as part of a cyber drill that\r\nwas held in the summer of 2015.\r\nAfter displaying the HWP document it extracts and executes its first resource named 101\r\n(SHA256: 6dd79b5b9778dc0b0abefa26193321444236a1525d03227f150e6e968999fea5) in a temporary folder. Two other\r\nresources are then extracted: 103 and 111. 
For Windows versions prior to Vista (dwMajorVersion \u003c 6), it injects its code\r\ninto the explorer.exe process. For newer versions, it extracts the resources to temporary folders, executes them, and then deletes\r\nthem.\r\nFigure 2: The three binaries within the .rsrc section of the main dropper\r\nIt’s uncommon for real malware to print error messages, yet the main dropper includes debug messages in case it doesn’t\r\nget the code injected into the explorer.exe process:\r\nFigure 3: Debug messages\r\n101 (SHA256: 6dd79b5b9778dc0b0abefa26193321444236a1525d03227f150e6e968999fea5) is a dynamic-link library\r\n(DLL) that can bypass User Account Control (UAC) in order to execute the two other binaries created in the temporary\r\nfolder.\r\n103 (SHA256: 999c1d4c070e6817c3d447cf9b9869b63e82c21c6e01c6ea740fbed38b730e6e) installs a Windows service\r\ncalled either “Microsoft Display Agent” or “Windows 10 Upgrader”. All traces left are deleted using a batch file script.\r\nThis Windows service (SHA256: 19e3aa92bc16915d9f3ff17731caf43519169fddda4910ad5becb71ef87a29d5) will\r\nexecute at a certain date (July 13, 2015) and download another executable from the C\u0026C server. It also drops and runs\r\nanother executable file (SHA256: fd03f3f65979ec7b8b6055f92f023b08f57c3095557d1f00d88f01f4d4cb46b7), which\r\nhappens to be a cleaner program that uninstalls the service and removes all files created by the program, regardless of the\r\ncurrent date. Though the OnionDog malware doesn’t do any real harm to the systems, it uses tricks of real malware, and it\r\nis not clear why they're necessary for a cyber drill.\r\nThe 2013 samples with the hardcoded drill C\u0026C servers, highlighted in the screenshot below, clearly convey that they are\r\npart of a drill. 
These samples include a MessageBox that would present itself if it's run within a specific time range.\r\nFigure 4: Older OnionDog samples show a pop-up when the sample is run within a certain time range\r\nFigure 5: An OnionDog-related pop-up message showing the target is a victim of an Ulchi cyber drill\r\nThe pop-up roughly translates to: “[2013 Ulchi drill cyber threat response training] Please let your administrator know\r\nyou are infected with malicious code.” Ulchi appears to refer to the Ulchi Freedom Guardian Drills, a joint military\r\nexercise between South Korea and the United States that dates back to 1976. The exercise is annually held from August\r\nto September. We have listed the specific dates they were conducted from 2010 to 2016.\r\nStart End\r\nAugust 22, 2016 September 2, 2016\r\nAugust 17, 2015 August 28, 2015\r\nAugust 18, 2014 August 29, 2014\r\nAugust 19, 2013 August 30, 2013\r\nAugust 20, 2012 August 31, 2012\r\nAugust 16, 2011 August 26, 2011\r\nAugust 16, 2010 August 26, 2010\r\nTable 4: Dates of Ulchi Freedom Guardian drills\r\nThese dates correspond with the time ranges where the OnionDog samples were active. According to the United States\r\nArmy’s website, the Ulchi Freedom Guardian Exercise helps guard cyber networks for\r\ncommunications. This shows that during the months of August and September, it is likely that some of the alerts,\r\nmessages, and other indicators may be part of an exercise to help prepare high-profile South Korean targets for a real\r\ncyberattack. 
In military terms, what went on is a live-fire exercise—with malware as munitions that go deep and\r\ndownload additional malware components into computer systems that serve as a practice area or battleground.\r\nDangers of using real malware in exercises\r\nBased on the data we have collected, the malware samples referred to as OnionDog have all been part of a cyber drill that\r\nis conducted every year. Protections have been put in place to limit the malware from doing anything outside of the time\r\nwindow of the exercises themselves. While the malware really doesn’t do anything nefarious, some of the newer samples\r\nlook like invasive penetration tests into systems—and they use a lot of tricks. There are risks in using real malware\r\nduring security drills.\r\nWe have found 200 unique OnionDog samples in the wild. This means that the specific tools and methodologies used in\r\nthe drill are in the public arena and can be researched by bad actors as well. It's possible that these actors could pick up\r\nsome of the behavior and mimic it, causing incident response teams to think that they might be responding to the drill,\r\nand take less care responding to it.\r\nThe dangers and risks of using live malware, or even simulated malware, lie in the ability to contain them. In small\r\nexercises, for instance, if the person responsible for the malware goes out for the day for any reason—there’s nothing to\r\nhelp stop it if things go out of control. Penetration testing tools such as Threatcare, which is based on\r\nvSploit from Metasploit, can help with testing the capabilities of your incident response team to see their effectiveness\r\nvia simulated communications of known threats.\r\nThis is not limited to large-scale, multi-country exercises like the Ulchi Freedom Guardian. 
These kinds of exercises are\r\nactually conducted by enterprises worldwide to test their preparedness in the event of an actual attack.\r\nAttribution is hard\r\nWhile OnionDog received limited media attention, it still made it to the media. Even limited media exposure on\r\nmistakenly attributed cyberattacks could lead to wrong conclusions and escalate tensions. While it is very easy to get\r\ncaught up in the need to identify the country behind an attack, shown here are some of the reasons why Trend Micro did\r\nnot go to that level of attribution. In this case, what looked to be a very targeted attack against specific sectors was an\r\nexercise to test the response of the nation, and that of the specific sectors being targeted.\r\nThe list of SHA256 hashes is in this appendix.\r\nSource: https://blog.trendmicro.com/trendlabs-security-intelligence/oniondog-not-targeted-attack-cyber-drill/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://blog.trendmicro.com/trendlabs-security-intelligence/oniondog-not-targeted-attack-cyber-drill/"
	],
	"report_names": [
		"oniondog-not-targeted-attack-cyber-drill"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "747b4660-9b3a-42cf-a773-6b1deea49184",
			"created_at": "2023-01-06T13:46:38.684133Z",
			"updated_at": "2026-04-10T02:00:03.067236Z",
			"deleted_at": null,
			"main_name": "OnionDog",
			"aliases": [],
			"source_name": "MISPGALAXY:OnionDog",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "77966817-8b8c-4098-bbba-2b157fbe41ea",
			"created_at": "2022-10-25T16:07:23.923066Z",
			"updated_at": "2026-04-10T02:00:04.791458Z",
			"deleted_at": null,
			"main_name": "OnionDog",
			"aliases": [],
			"source_name": "ETDA:OnionDog",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775433975,
	"ts_updated_at": 1775791884,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/280fea4359150321870354a806eca4290cf917a2.pdf",
		"text": "https://archive.orkl.eu/280fea4359150321870354a806eca4290cf917a2.txt",
		"img": "https://archive.orkl.eu/280fea4359150321870354a806eca4290cf917a2.jpg"
	}
}