{
	"id": "95fa2c15-56ce-42d0-b35f-65b8c43a2f64",
	"created_at": "2026-04-06T00:21:04.127672Z",
	"updated_at": "2026-04-10T13:12:59.584141Z",
	"deleted_at": null,
	"sha1_hash": "5256682daa02879a66949086d11b302d1f60ee8d",
	"title": "Aoqin Dragon - Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 51103,
	"plain_text": "Aoqin Dragon - Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-05 17:52:24 UTC\nAPT group: Aoqin Dragon\nNames\nAoqin Dragon (SentinelLabs)\nUNC94 (Mandiant)\nG1007 (MITRE)\nCountry: China\nMotivation: Information theft and espionage\nFirst seen: 2013\nDescription\n(SentinelLabs) SentinelLabs has uncovered a cluster of activity beginning at least as far\nback as 2013 and continuing to the present day, primarily targeting organizations in\nSoutheast Asia and Australia. We assess that the threat actor’s primary focus is\nespionage and relates to targets in Australia, Cambodia, Hong Kong, Singapore, and\nVietnam. We track this activity as ‘Aoqin Dragon’.\nThe threat actor has a history of using document lures with pornographic themes to\ninfect users and makes heavy use of USB shortcut techniques to spread the malware and\ninfect additional targets. Attacks attributable to Aoqin Dragon typically drop one of two\nbackdoors, Mongall and a modified version of the open source Heyoka project.\nObserved\nSectors: Education, Government, Telecommunications.\nCountries: Australia, Cambodia, Hong Kong, Singapore, Vietnam.\nTools used: Mongall.\nInformation\nMITRE ATT\u0026CK\nLast change to this card: 16 August 2025\nDownload this actor card in PDF or JSON format\nSource: https://apt.etda.or.th/cgi-bin/showcard.cgi?u=b7569cec-8a82-4a0f-80d3-a4659ba2161d\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=b7569cec-8a82-4a0f-80d3-a4659ba2161d\nPage 1 of 1",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/showcard.cgi?u=b7569cec-8a82-4a0f-80d3-a4659ba2161d"
	],
	"report_names": [
		"showcard.cgi?u=b7569cec-8a82-4a0f-80d3-a4659ba2161d"
	],
	"threat_actors": [
		{
			"id": "5cd2e600-e100-4159-88ce-bda7b98d6bb4",
			"created_at": "2022-10-27T08:27:13.089186Z",
			"updated_at": "2026-04-10T02:00:05.284285Z",
			"deleted_at": null,
			"main_name": "Aoqin Dragon",
			"aliases": [
				"Aoqin Dragon"
			],
			"source_name": "MITRE:Aoqin Dragon",
			"tools": [
				"Mongall",
				"Heyoka Backdoor"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "5a07c7a3-f12a-4518-b078-de7da2fb6b5e",
			"created_at": "2022-10-25T16:07:23.312387Z",
			"updated_at": "2026-04-10T02:00:04.536656Z",
			"deleted_at": null,
			"main_name": "Aoqin Dragon",
			"aliases": [
				"G1007",
				"UNC94"
			],
			"source_name": "ETDA:Aoqin Dragon",
			"tools": [
				"Mongall"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "abe60a4d-d2a5-4c13-97ff-8625a68b205b",
			"created_at": "2023-01-06T13:46:39.457794Z",
			"updated_at": "2026-04-10T02:00:03.335805Z",
			"deleted_at": null,
			"main_name": "Aoqin Dragon",
			"aliases": [
				"UNC94"
			],
			"source_name": "MISPGALAXY:Aoqin Dragon",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434864,
	"ts_updated_at": 1775826779,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/5256682daa02879a66949086d11b302d1f60ee8d.pdf",
		"text": "https://archive.orkl.eu/5256682daa02879a66949086d11b302d1f60ee8d.txt",
		"img": "https://archive.orkl.eu/5256682daa02879a66949086d11b302d1f60ee8d.jpg"
	}
}