Skip to content

Hide Navigation Hide TOC

Aoqin Dragon - G1007 (64d5f96a-f121-4d19-89f6-6709f5c49faa)

Aoqin Dragon is a suspected Chinese cyber espionage threat group that has been active since at least 2013. Aoqin Dragon has primarily targeted government, education, and telecommunication organizations in Australia, Cambodia, Hong Kong, Singapore, and Vietnam. Security researchers noted a potential association between Aoqin Dragon and UNC94, based on malware, infrastructure, and targets.(Citation: SentinelOne Aoqin Dragon June 2022)

Cluster A Galaxy A Cluster B Galaxy B Level
Replication Through Removable Media - T1091 (3b744087-9945-4a6f-91e8-9dbceda417a4) Attack Pattern Aoqin Dragon - G1007 (64d5f96a-f121-4d19-89f6-6709f5c49faa) Intrusion Set 1
Exploitation for Client Execution - T1203 (be2dcee9-a7a7-4e38-afd6-21b31ecc3d63) Attack Pattern Aoqin Dragon - G1007 (64d5f96a-f121-4d19-89f6-6709f5c49faa) Intrusion Set 1
Aoqin Dragon - G1007 (64d5f96a-f121-4d19-89f6-6709f5c49faa) Intrusion Set File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18) Attack Pattern 1
Heyoka Backdoor - S1027 (dff90475-9f72-41a6-84ed-1fbefd3874c0) Malware Aoqin Dragon - G1007 (64d5f96a-f121-4d19-89f6-6709f5c49faa) Intrusion Set 1
Match Legitimate Name or Location - T1036.005 (1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2) Attack Pattern Aoqin Dragon - G1007 (64d5f96a-f121-4d19-89f6-6709f5c49faa) Intrusion Set 1
Tool - T1588.002 (a2fdce72-04b2-409a-ac10-cc1695f4fce0) Attack Pattern Aoqin Dragon - G1007 (64d5f96a-f121-4d19-89f6-6709f5c49faa) Intrusion Set 1
Mongall - S1026 (6fb36c6f-bb3d-4ed6-9471-cb9933e5c154) Malware Aoqin Dragon - G1007 (64d5f96a-f121-4d19-89f6-6709f5c49faa) Intrusion Set 1
Malware - T1587.001 (212306d8-efa4-44c9-8c2d-ed3d2e224aa0) Attack Pattern Aoqin Dragon - G1007 (64d5f96a-f121-4d19-89f6-6709f5c49faa) Intrusion Set 1
Malicious File - T1204.002 (232b7f21-adf9-4b42-b936-b9d6f7df856e) Attack Pattern Aoqin Dragon - G1007 (64d5f96a-f121-4d19-89f6-6709f5c49faa) Intrusion Set 1
Software Packing - T1027.002 (deb98323-e13f-4b0c-8d94-175379069062) Attack Pattern Aoqin Dragon - G1007 (64d5f96a-f121-4d19-89f6-6709f5c49faa) Intrusion Set 1
Aoqin Dragon - G1007 (64d5f96a-f121-4d19-89f6-6709f5c49faa) Intrusion Set Lateral Tool Transfer - T1570 (bf90d72c-c00b-45e3-b3aa-68560560d4c5) Attack Pattern 1
Peripheral Device Discovery - T1120 (348f1eef-964b-4eb6-bb53-69b3dcb0c643) Attack Pattern Heyoka Backdoor - S1027 (dff90475-9f72-41a6-84ed-1fbefd3874c0) Malware 2
Heyoka Backdoor - S1027 (dff90475-9f72-41a6-84ed-1fbefd3874c0) Malware Protocol Tunneling - T1572 (4fe28b27-b13c-453e-a386-c2ef362a573b) Attack Pattern 2
Heyoka Backdoor - S1027 (dff90475-9f72-41a6-84ed-1fbefd3874c0) Malware Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580) Attack Pattern 2
Heyoka Backdoor - S1027 (dff90475-9f72-41a6-84ed-1fbefd3874c0) Malware System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1) Attack Pattern 2
Heyoka Backdoor - S1027 (dff90475-9f72-41a6-84ed-1fbefd3874c0) Malware Deobfuscate/Decode Files or Information - T1140 (3ccef7ae-cb5e-48f6-8302-897105fbf55c) Attack Pattern 2
Heyoka Backdoor - S1027 (dff90475-9f72-41a6-84ed-1fbefd3874c0) Malware File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18) Attack Pattern 2
Dynamic-link Library Injection - T1055.001 (f4599aa0-4f85-4a32-80ea-fc39dc965945) Attack Pattern Heyoka Backdoor - S1027 (dff90475-9f72-41a6-84ed-1fbefd3874c0) Malware 2
Heyoka Backdoor - S1027 (dff90475-9f72-41a6-84ed-1fbefd3874c0) Malware DNS - T1071.004 (1996eef1-ced3-4d7f-bf94-33298cabbf72) Attack Pattern 2
Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144) Attack Pattern Heyoka Backdoor - S1027 (dff90475-9f72-41a6-84ed-1fbefd3874c0) Malware 2
Masquerade Task or Service - T1036.004 (7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c) Attack Pattern Heyoka Backdoor - S1027 (dff90475-9f72-41a6-84ed-1fbefd3874c0) Malware 2
File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c) Attack Pattern Heyoka Backdoor - S1027 (dff90475-9f72-41a6-84ed-1fbefd3874c0) Malware 2
Heyoka Backdoor - S1027 (dff90475-9f72-41a6-84ed-1fbefd3874c0) Malware Malicious File - T1204.002 (232b7f21-adf9-4b42-b936-b9d6f7df856e) Attack Pattern 2
Heyoka Backdoor - S1027 (dff90475-9f72-41a6-84ed-1fbefd3874c0) Malware Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279) Attack Pattern 2
Heyoka Backdoor - S1027 (dff90475-9f72-41a6-84ed-1fbefd3874c0) Malware Rundll32 - T1218.011 (045d0922-2310-4e60-b5e4-3302302cb3c5) Attack Pattern 2
Heyoka Backdoor - S1027 (dff90475-9f72-41a6-84ed-1fbefd3874c0) Malware System Service Discovery - T1007 (322bad5a-1c49-4d23-ab79-76d641794afa) Attack Pattern 2
Masquerading - T1036 (42e8de7b-37b2-4258-905a-6897815e58e0) Attack Pattern Match Legitimate Name or Location - T1036.005 (1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2) Attack Pattern 2
Obtain Capabilities - T1588 (ce0687a0-e692-4b77-964a-0784a8e54ff1) Attack Pattern Tool - T1588.002 (a2fdce72-04b2-409a-ac10-cc1695f4fce0) Attack Pattern 2
Mongall - S1026 (6fb36c6f-bb3d-4ed6-9471-cb9933e5c154) Malware Peripheral Device Discovery - T1120 (348f1eef-964b-4eb6-bb53-69b3dcb0c643) Attack Pattern 2
Mongall - S1026 (6fb36c6f-bb3d-4ed6-9471-cb9933e5c154) Malware Standard Encoding - T1132.001 (04fd5427-79c7-44ea-ae13-11b24778ff1c) Attack Pattern 2
Mongall - S1026 (6fb36c6f-bb3d-4ed6-9471-cb9933e5c154) Malware System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1) Attack Pattern 2
Mongall - S1026 (6fb36c6f-bb3d-4ed6-9471-cb9933e5c154) Malware Deobfuscate/Decode Files or Information - T1140 (3ccef7ae-cb5e-48f6-8302-897105fbf55c) Attack Pattern 2
Mongall - S1026 (6fb36c6f-bb3d-4ed6-9471-cb9933e5c154) Malware Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) Attack Pattern 2
Mongall - S1026 (6fb36c6f-bb3d-4ed6-9471-cb9933e5c154) Malware Dynamic-link Library Injection - T1055.001 (f4599aa0-4f85-4a32-80ea-fc39dc965945) Attack Pattern 2
Mongall - S1026 (6fb36c6f-bb3d-4ed6-9471-cb9933e5c154) Malware Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add) Attack Pattern 2
Mongall - S1026 (6fb36c6f-bb3d-4ed6-9471-cb9933e5c154) Malware Malicious File - T1204.002 (232b7f21-adf9-4b42-b936-b9d6f7df856e) Attack Pattern 2
Mongall - S1026 (6fb36c6f-bb3d-4ed6-9471-cb9933e5c154) Malware Data from Local System - T1005 (3c4a2599-71ee-4405-ba1e-0e28414b4bc5) Attack Pattern 2
Mongall - S1026 (6fb36c6f-bb3d-4ed6-9471-cb9933e5c154) Malware Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279) Attack Pattern 2
Mongall - S1026 (6fb36c6f-bb3d-4ed6-9471-cb9933e5c154) Malware Rundll32 - T1218.011 (045d0922-2310-4e60-b5e4-3302302cb3c5) Attack Pattern 2
Mongall - S1026 (6fb36c6f-bb3d-4ed6-9471-cb9933e5c154) Malware Exfiltration Over C2 Channel - T1041 (92d7da27-2d91-488e-a00c-059dc162766d) Attack Pattern 2
Mongall - S1026 (6fb36c6f-bb3d-4ed6-9471-cb9933e5c154) Malware Software Packing - T1027.002 (deb98323-e13f-4b0c-8d94-175379069062) Attack Pattern 2
Mongall - S1026 (6fb36c6f-bb3d-4ed6-9471-cb9933e5c154) Malware Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41) Attack Pattern 2
Malware - T1587.001 (212306d8-efa4-44c9-8c2d-ed3d2e224aa0) Attack Pattern Develop Capabilities - T1587 (edadea33-549c-4ed1-9783-8f5a5853cbdf) Attack Pattern 2
Malicious File - T1204.002 (232b7f21-adf9-4b42-b936-b9d6f7df856e) Attack Pattern User Execution - T1204 (8c32eb4d-805f-4fc5-bf60-c4d476c131b5) Attack Pattern 2
Software Packing - T1027.002 (deb98323-e13f-4b0c-8d94-175379069062) Attack Pattern Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) Attack Pattern 2
Dynamic-link Library Injection - T1055.001 (f4599aa0-4f85-4a32-80ea-fc39dc965945) Attack Pattern Process Injection - T1055 (43e7dc91-05b2-474c-b9ac-2ed4fe101f4d) Attack Pattern 3
Application Layer Protocol - T1071 (355be19c-ffc9-46d5-8d50-d6a036c675b6) Attack Pattern DNS - T1071.004 (1996eef1-ced3-4d7f-bf94-33298cabbf72) Attack Pattern 3
Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144) Attack Pattern Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) Attack Pattern 3
Masquerade Task or Service - T1036.004 (7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c) Attack Pattern Masquerading - T1036 (42e8de7b-37b2-4258-905a-6897815e58e0) Attack Pattern 3
File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c) Attack Pattern Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69) Attack Pattern 3
Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279) Attack Pattern Boot or Logon Autostart Execution - T1547 (1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf) Attack Pattern 3
System Binary Proxy Execution - T1218 (457c7820-d331-465a-915e-42f85500ccc4) Attack Pattern Rundll32 - T1218.011 (045d0922-2310-4e60-b5e4-3302302cb3c5) Attack Pattern 3
Standard Encoding - T1132.001 (04fd5427-79c7-44ea-ae13-11b24778ff1c) Attack Pattern Data Encoding - T1132 (cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f) Attack Pattern 3
Application Layer Protocol - T1071 (355be19c-ffc9-46d5-8d50-d6a036c675b6) Attack Pattern Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) Attack Pattern 3
Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41) Attack Pattern Encrypted Channel - T1573 (b8902400-e6c5-4ba2-95aa-2d35b442b118) Attack Pattern 3