Aoqin Dragon, a Chinese-speaking threat actor, has been actively spying on targeted nations for almost a decade.
Researchers from SentinelLabs have uncovered an ongoing campaign that is believed to have started in 2013.
Aoqin Dragon is focused on cyber-espionage, targeting government, education, and telecommunication organizations based in Singapore, Hong Kong, Vietnam, Cambodia, and Australia.
The initial access is obtained via document exploits and fake removable devices.
Other methods include DLL hijacking, DNS tunneling to avoid detection post-compromise, and the use of Themida-packed files.
The researchers claim that the threat actor is a small Chinese-speaking team with a possible association with UNC94.
Use of two backdoors
SentinelLabs observed two different backdoors used by the threat group, Mongall and a modified version of Heyoka. Both are DLLs injected into memory, decrypted, and finally executed.
The Heyoka exfiltration tool comes with two hardcoded C2 server addresses for redundancy, which are used by Mongall.
These tools are used when copying files from compromised devices to avoid detection during data theft.
Aoqin Dragon stayed hidden for a decade by regularly evolving its techniques and changing tactics. Further, in accordance with the state government's political interests, the threat group will continue its espionage operations and may improve its staying hidden capabilities with new evasion tactics.