An evasive China-linked advanced persistent threat has been lurking since 2013, wreaking havoc on Southeast Asian and Australian victims: researchers.

An active China-linked cyber-espionage group has been operating stealthily for nearly a decade, and only now have threat researchers caught on to its existence.

With its nefarious activity beginning at least as far back as 2013 and continuing to the present day, the group—named “Aoqin Dragon” by researchers from SentinelLabs—primarily targets governmental, education, and telecommunication organizations in South-east Asia (Cambodia, Hong Kong, Singapore, and Vietnam) and Australia.

The threat group’s TTPs involve gaining initial access primarily through document exploits and fake removable (USB) devices (a shortcut link named “Removable Disk”), and using DLL hijacking, Themida-packed files, and DNS tunneling to evade post-compromise detection. Also:

  • The group is known to disguise malicious executables with icons borrowed from document files, Windows folders, and anti-virus vendors. Combined with “interesting” email content and a catchy file name, this tricks users into double-clicking the malicious executables.
  • Aoqin Dragon also has a history of using document lures with pornographic themes to infect users and makes heavy use of USB shortcut techniques to spread the malware and infect additional targets.
  • Attacks attributable to Aoqin Dragon typically drop one of two backdoors: Mongall, or a modified version of the open-source Heyoka project. Mongall is a small backdoor dating back to 2013, first described in an ESET report on the threat actor’s attempts to target the Vietnamese government and its Telecommunications Department. More recently, Aoqin Dragon has targeted South-east Asia with an upgraded Mongall encryption protocol and the Themida packer.
  • The code injection logic used by the APT is identical to that in the book WINDOWS黑客编程技术详解 (Windows Hacking Programming Techniques Explained), Chapter 4, Section 3, which describes how to execute a DLL file directly from memory.
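Of the evasion techniques listed above, DNS tunneling is the one that leaves the cleanest network-side signal: a single attacker-controlled domain receives a stream of long, never-repeating, high-entropy subdomain labels, because the encoded data rides in the query name. The script below is an added example, not code from the article or from SentinelLabs. It profiles a constructed DNS query log and flags registered domains whose subdomain traffic looks like encoded data rather than hostnames. The log format, the thresholds, and the approximation of a registered domain as the last two labels are assumptions for illustration; a real deployment would read from the resolver’s logs and use a public-suffix list.

```python
"""Heuristic profiling of DNS query logs for tunnelling-shaped traffic.

Added example for illustration; not code from the article or from SentinelLabs.
Assumptions: a whitespace-separated log "<timestamp> <client> <qname> <qtype>",
the registered domain approximated as the last two labels (a real deployment
would use a public-suffix list), and illustrative detection thresholds.
"""
from __future__ import annotations

import math
from collections import Counter
from dataclasses import dataclass, field

# Constructed sample log (not real telemetry). The TXT queries mimic the long,
# hex-encoded labels a DNS tunnel emits under one attacker-controlled domain.
SAMPLE_LOG = """\
2024-05-01T09:00:01 10.0.0.12 www.example.com A
2024-05-01T09:00:02 10.0.0.12 mail.example.com A
2024-05-01T09:00:03 10.0.0.12 login.microsoftonline.com A
2024-05-01T09:00:04 10.0.0.12 9f3a1c7e5b2d8046e1a5c9b3d7f2048a.cdn-update.example.net TXT
2024-05-01T09:00:05 10.0.0.12 4b8e2d6a0c1f9735e8d2a6b0c4f17395.cdn-update.example.net TXT
2024-05-01T09:00:06 10.0.0.12 d7c3f1a95e0b2846f3a7c1e5b9d20486.cdn-update.example.net TXT
2024-05-01T09:00:07 10.0.0.12 2e6a0c4f8b1d5937a2e6c0f4b8d15973.cdn-update.example.net TXT
2024-05-01T09:00:08 10.0.0.12 b5d19e3c7a0f2648d5b9e3c7a1f20864.cdn-update.example.net TXT
2024-05-01T09:00:09 10.0.0.12 7a3f5c1e9b0d2846f7a3c5e1b9d02468.cdn-update.example.net TXT
2024-05-01T09:00:10 10.0.0.12 www.example.com A
"""


def shannon_entropy(text: str) -> float:
    """Bits of entropy per character: ~4.0 for evenly used hex, 0 for one repeated char."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def split_qname(qname: str) -> tuple[str, str]:
    """Return (subdomain, registered_domain); last two labels = registered domain (assumption)."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) <= 2:
        return "", ".".join(labels)
    return ".".join(labels[:-2]), ".".join(labels[-2:])


@dataclass
class DomainStats:
    queries: int = 0
    txt_queries: int = 0
    subdomains: set = field(default_factory=set)
    total_subdomain_len: int = 0
    total_label_entropy: float = 0.0

    @property
    def unique_subdomains(self) -> int:
        return len(self.subdomains)

    @property
    def mean_subdomain_len(self) -> float:
        return self.total_subdomain_len / self.queries if self.queries else 0.0

    @property
    def mean_label_entropy(self) -> float:
        return self.total_label_entropy / self.queries if self.queries else 0.0


def profile_queries(log_text: str) -> dict[str, DomainStats]:
    """Aggregate per-registered-domain statistics from the log text."""
    stats: dict[str, DomainStats] = {}
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue  # skip malformed lines instead of failing on them
        _ts, _client, qname, qtype = fields
        subdomain, registered = split_qname(qname)
        s = stats.setdefault(registered, DomainStats())
        s.queries += 1
        if qtype.upper() in ("TXT", "NULL"):  # record types tunnels favour for bulk data
            s.txt_queries += 1
        s.subdomains.add(subdomain)
        s.total_subdomain_len += len(subdomain)
        # Entropy of the longest label: that is where encoded payload data would live.
        longest = max(subdomain.split("."), key=len) if subdomain else ""
        s.total_label_entropy += shannon_entropy(longest)
    return stats


def find_tunnel_candidates(log_text: str, min_unique: int = 5, min_len: int = 30,
                           min_entropy: float = 3.0) -> list[str]:
    """Domains with many unique, long, high-entropy subdomains (thresholds are illustrative)."""
    return sorted(
        domain for domain, s in profile_queries(log_text).items()
        if s.unique_subdomains >= min_unique
        and s.mean_subdomain_len >= min_len
        and s.mean_label_entropy >= min_entropy
    )


if __name__ == "__main__":
    for domain, s in profile_queries(SAMPLE_LOG).items():
        print(f"{domain:22} queries={s.queries:2} unique={s.unique_subdomains:2} "
              f"len={s.mean_subdomain_len:5.1f} entropy={s.mean_label_entropy:4.2f} "
              f"txt={s.txt_queries}")
    print("candidates:", find_tunnel_candidates(SAMPLE_LOG))
```

On the constructed log only example.net is reported: its six queries carry six distinct 43-character subdomains with near-4-bit hex entropy, while example.com sees two short, repeating hostnames. The three thresholds work together deliberately; any one of them alone (a CDN with many hostnames, a long but readable label, a single random-looking name) produces false positives, so tune them against a baseline of the environment’s normal traffic before acting on hits.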

In attributing the group to various regional cyberattacks, SentinelLabs researchers have also observed that the group’s agenda closely aligns with the political interests of the Chinese government, and that it is likely to continue advancing its tradecraft and evasion techniques.