{
	"id": "325b61be-ca13-4151-90a3-072988084280",
	"created_at": "2026-04-06T00:11:19.93794Z",
	"updated_at": "2026-04-10T13:11:55.249823Z",
	"deleted_at": null,
	"sha1_hash": "7ee6452a133b5eca97ab8d7d73a4516195bc87c4",
	"title": "Onion Dog, A 3 Year Old APT Focused On the Energy and Transportation Industries in Korean-language Countries Is Exposed by 360",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 52714,
	"plain_text": "Onion Dog, A 3 Year Old APT Focused On the Energy and Transportation Industries in Korean-language Countries Is Exposed by 360\r\nBy 360 SkyEye Labs\r\nPublished: 2016-03-08 · Archived: 2026-04-05 23:14:00 UTC\r\nBEIJING, March 8, 2016 /PRNewswire/ -- The Helios Team at 360 SkyEye Labs recently revealed that a hacker group named OnionDog has been infiltrating and stealing information from the energy, transportation and other infrastructure industries of Korean-language countries through the Internet. According to big data correlation analysis, OnionDog's first activity can be traced back to October 2013, and in the following two years it was only active between late July and early September. The self-set life cycle of a Trojan attack is 15 days on average and is distinctly organizational and objective-oriented.\r\nOnionDog malware is transmitted by taking advantage of a vulnerability in Hangul, the popular office software in Korean-language countries, and it attacked network-isolated targets through a USB worm. In addition, OnionDog also used darkweb (\"Onion City\") communication tools, with which it can visit the domain without the Onion browser, keeping its real identity hidden in the completely anonymous Tor network.\r\nOnionDog APT targets the infrastructure industry.\r\nOnionDog concentrated its efforts on infrastructure industries in Korean-language countries. In 2015 this organization mainly attacked harbors, VTS, subways, public transportation and other transportation systems. In 2014 it attacked many electric power and water resources corporations as well as other energy enterprises.\r\n360's Threat Intelligence Center has found 96 groups of malicious code and 14 C\u0026C domain names and IPs related to OnionDog. It first surfaced in October 2013, and then was most active in the summers of the following years. 
The Trojan set its own \"active state\" time, from compilation to the end of activity: the shortest was three days and the longest twenty-nine days. The average life cycle is 15 days, which makes it more difficult for the victim enterprises to notice and take action than with Trojans active for a longer period of time.\r\nDeadline | Compilation time | Active state (days)\r\nSep 8th, 2015 | Aug 27th, 2015 | 12\r\nAug 8th, 2015 | Aug 5th, 2015 | 3\r\nAug 8th, 2015 | Aug 3rd, 2015 | 5\r\nAug 8th, 2015 | July 23rd, 2015 | 16\r\nAug 8th, 2015 | July 10th, 2015 | 29\r\nJuly 13th, 2014 | July 10th, 2015 | 3\r\nAug 9th, 2014 | July 18th, 2014 | 22\r\nAug 9th, 2014 | July 15th, 2014 | 25\r\nJuly 13th, 2014 | July 13th, 2014 | 18\r\nOct 25, 2013 | Oct 10th, 2013 | 15\r\nThe life cycle of Trojan malware\r\nhttps://www.prnewswire.com/news-releases/onion-dog-a-3-year-old-apt-focused-on-the-energy-and-transportation-industries-in-korean-language-countries-is-exposed-by-360-300232441.html\r\nPage 1 of 3\r\nOnionDog's attacks are mainly carried out in the form of spear phishing emails. The early Trojan used icons and file numbers to create a fake HWP file (Hangul's file format). Later on, the Trojan used a vulnerability in an upgraded version of Hangul, which embeds malicious code in a real HWP file. Once the file is opened, the vulnerability is triggered to download and activate the Trojan.\r\nSince most infrastructure industries, such as the energy industry, generally adopt intranet isolation measures, OnionDog uses the USB disk drive ferry to break the false sense of security of physical isolation. In the classic APT case of the Stuxnet virus, which broke into an Iranian nuclear power plant, the virus used an employee's USB disk to circumvent network isolation. 
OnionDog also used this channel and generated USB worms to infiltrate the target internal network.\r\n\"OCD-type\" intensive organization\r\nIn the malicious code activities of OnionDog, there are strict regulations:\r\nFirst, the malicious code has strict naming rules starting from the path of the created PDB (symbol file). For example, the path for the USB worm is APT-USB, and the path for the spear mail file is APT-WebServer;\r\nWhen the OnionDog Trojan is successfully released, it will communicate with a C\u0026C (Trojan server), download other malware, save it in the %temp% folder and uniformly use \"XXX_YYY.jpg\" as the file name. These names have their special meaning and usually point to the target.\r\nAll signs show that OnionDog has strict organization and arrangement across its attack time, target, vulnerability exploration and utilization, and malicious code. At the same time, it is very cautious about covering up its tracks.\r\nIn 2014, OnionDog used many fixed IPs in South Korea as its C\u0026C sites. Of course, this does not mean that the attacker is located in South Korea. These IPs could be used as puppets and jumping boards. By 2015, OnionDog website communications were upgraded to Onion City across the board. This is so far a relatively more advanced and covert method of network communication among APT hacker attacks.\r\nOnion City means that the deep web search engine uses Tor2web proxy technology to reach deep into the anonymous Tor network without using the Onion Browser specifically. And OnionDog uses Onion City to hide the Trojan-controlling server in the Tor network.\r\nIn recent years, APT attacks on infrastructure facilities and large-scale enterprises have frequently emerged. 
Some that attack industrial control systems, such as Stuxnet, BlackEnergy and so on, can have devastating results. Some attacks are for the purpose of stealing information, such as the Lazarus hacker organization jointly revealed by Kaspersky, AlienVault Labs and Novetta, and OnionDog, which was recently exposed by the 360 Helios team. These secret cybercrimes can cause similarly serious losses as well.\r\nIn view of OnionDog's pattern of activity, we are likely to observe a new round of attacks this summer. The relevant threat intelligence and technical analysis report will be updated by 360's Intelligence Center (https://ti.360.com).\r\nAbout Helios Team\r\nHelios Team is a senior threat research team at Qihoo 360 that is engaged in detecting and tracing APT attacks, internet security incident response, and hacker industrial chain exploration and study. The team was established in December 2014. Within a year, it integrated the enormous security data at Qihoo 360 and realized the rapid correlation traceability of threat intelligence, and for the first time found and traced 10 APT organizations and hacker industrial chains. It broadened its horizon to the study of the hacker industry, filled the void of APT study domestically and has offered security threat evaluation and solutions output for many enterprises and government agencies.\r\nSOURCE 360 SkyEye Labs\r\nSource: https://www.prnewswire.com/news-releases/onion-dog-a-3-year-old-apt-focused-on-the-energy-and-transportation-industries-in-korean-language-countries-is-exposed-by-360-300232441.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.prnewswire.com/news-releases/onion-dog-a-3-year-old-apt-focused-on-the-energy-and-transportation-industries-in-korean-language-countries-is-exposed-by-360-300232441.html"
	],
	"report_names": [
		"onion-dog-a-3-year-old-apt-focused-on-the-energy-and-transportation-industries-in-korean-language-countries-is-exposed-by-360-300232441.html"
	],
	"threat_actors": [
		{
			"id": "747b4660-9b3a-42cf-a773-6b1deea49184",
			"created_at": "2023-01-06T13:46:38.684133Z",
			"updated_at": "2026-04-10T02:00:03.067236Z",
			"deleted_at": null,
			"main_name": "OnionDog",
			"aliases": [],
			"source_name": "MISPGALAXY:OnionDog",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "77966817-8b8c-4098-bbba-2b157fbe41ea",
			"created_at": "2022-10-25T16:07:23.923066Z",
			"updated_at": "2026-04-10T02:00:04.791458Z",
			"deleted_at": null,
			"main_name": "OnionDog",
			"aliases": [],
			"source_name": "ETDA:OnionDog",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434279,
	"ts_updated_at": 1775826715,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/7ee6452a133b5eca97ab8d7d73a4516195bc87c4.pdf",
		"text": "https://archive.orkl.eu/7ee6452a133b5eca97ab8d7d73a4516195bc87c4.txt",
		"img": "https://archive.orkl.eu/7ee6452a133b5eca97ab8d7d73a4516195bc87c4.jpg"
	}
}