Skip to content

Hide Navigation Hide TOC

Aoqin Dragon - G1007 (64d5f96a-f121-4d19-89f6-6709f5c49faa)

Aoqin Dragon is a suspected Chinese cyber espionage threat group that has been active since at least 2013. Aoqin Dragon has primarily targeted government, education, and telecommunication organizations in Australia, Cambodia, Hong Kong, Singapore, and Vietnam. Security researchers noted a potential association between Aoqin Dragon and UNC94, based on malware, infrastructure, and targets.(Citation: SentinelOne Aoqin Dragon June 2022)

Cluster A Galaxy A Cluster B Galaxy B Level
Aoqin Dragon - G1007 (64d5f96a-f121-4d19-89f6-6709f5c49faa) Intrusion Set Tool - T1588.002 (a2fdce72-04b2-409a-ac10-cc1695f4fce0) Attack Pattern 1
Aoqin Dragon - G1007 (64d5f96a-f121-4d19-89f6-6709f5c49faa) Intrusion Set Replication Through Removable Media - T1091 (3b744087-9945-4a6f-91e8-9dbceda417a4) Attack Pattern 1
Aoqin Dragon - G1007 (64d5f96a-f121-4d19-89f6-6709f5c49faa) Intrusion Set Malware - T1587.001 (212306d8-efa4-44c9-8c2d-ed3d2e224aa0) Attack Pattern 1
Aoqin Dragon - G1007 (64d5f96a-f121-4d19-89f6-6709f5c49faa) Intrusion Set Exploitation for Client Execution - T1203 (be2dcee9-a7a7-4e38-afd6-21b31ecc3d63) Attack Pattern 1
Aoqin Dragon - G1007 (64d5f96a-f121-4d19-89f6-6709f5c49faa) Intrusion Set Malicious File - T1204.002 (232b7f21-adf9-4b42-b936-b9d6f7df856e) Attack Pattern 1
Aoqin Dragon - G1007 (64d5f96a-f121-4d19-89f6-6709f5c49faa) Intrusion Set File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18) Attack Pattern 1
Aoqin Dragon - G1007 (64d5f96a-f121-4d19-89f6-6709f5c49faa) Intrusion Set Heyoka Backdoor - S1027 (dff90475-9f72-41a6-84ed-1fbefd3874c0) Malware 1
Software Packing - T1027.002 (deb98323-e13f-4b0c-8d94-175379069062) Attack Pattern Aoqin Dragon - G1007 (64d5f96a-f121-4d19-89f6-6709f5c49faa) Intrusion Set 1
Aoqin Dragon - G1007 (64d5f96a-f121-4d19-89f6-6709f5c49faa) Intrusion Set Mongall - S1026 (6fb36c6f-bb3d-4ed6-9471-cb9933e5c154) Malware 1
Aoqin Dragon - G1007 (64d5f96a-f121-4d19-89f6-6709f5c49faa) Intrusion Set Match Legitimate Name or Location - T1036.005 (1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2) Attack Pattern 1
Aoqin Dragon - G1007 (64d5f96a-f121-4d19-89f6-6709f5c49faa) Intrusion Set Lateral Tool Transfer - T1570 (bf90d72c-c00b-45e3-b3aa-68560560d4c5) Attack Pattern 1
Tool - T1588.002 (a2fdce72-04b2-409a-ac10-cc1695f4fce0) Attack Pattern Obtain Capabilities - T1588 (ce0687a0-e692-4b77-964a-0784a8e54ff1) Attack Pattern 2
Develop Capabilities - T1587 (edadea33-549c-4ed1-9783-8f5a5853cbdf) Attack Pattern Malware - T1587.001 (212306d8-efa4-44c9-8c2d-ed3d2e224aa0) Attack Pattern 2
Malicious File - T1204.002 (232b7f21-adf9-4b42-b936-b9d6f7df856e) Attack Pattern User Execution - T1204 (8c32eb4d-805f-4fc5-bf60-c4d476c131b5) Attack Pattern 2
System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1) Attack Pattern Heyoka Backdoor - S1027 (dff90475-9f72-41a6-84ed-1fbefd3874c0) Malware 2
Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144) Attack Pattern Heyoka Backdoor - S1027 (dff90475-9f72-41a6-84ed-1fbefd3874c0) Malware 2
Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279) Attack Pattern Heyoka Backdoor - S1027 (dff90475-9f72-41a6-84ed-1fbefd3874c0) Malware 2
File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c) Attack Pattern Heyoka Backdoor - S1027 (dff90475-9f72-41a6-84ed-1fbefd3874c0) Malware 2
Heyoka Backdoor - S1027 (dff90475-9f72-41a6-84ed-1fbefd3874c0) Malware Dynamic-link Library Injection - T1055.001 (f4599aa0-4f85-4a32-80ea-fc39dc965945) Attack Pattern 2
Malicious File - T1204.002 (232b7f21-adf9-4b42-b936-b9d6f7df856e) Attack Pattern Heyoka Backdoor - S1027 (dff90475-9f72-41a6-84ed-1fbefd3874c0) Malware 2
DNS - T1071.004 (1996eef1-ced3-4d7f-bf94-33298cabbf72) Attack Pattern Heyoka Backdoor - S1027 (dff90475-9f72-41a6-84ed-1fbefd3874c0) Malware 2
Rundll32 - T1218.011 (045d0922-2310-4e60-b5e4-3302302cb3c5) Attack Pattern Heyoka Backdoor - S1027 (dff90475-9f72-41a6-84ed-1fbefd3874c0) Malware 2
Deobfuscate/Decode Files or Information - T1140 (3ccef7ae-cb5e-48f6-8302-897105fbf55c) Attack Pattern Heyoka Backdoor - S1027 (dff90475-9f72-41a6-84ed-1fbefd3874c0) Malware 2
File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18) Attack Pattern Heyoka Backdoor - S1027 (dff90475-9f72-41a6-84ed-1fbefd3874c0) Malware 2
Masquerade Task or Service - T1036.004 (7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c) Attack Pattern Heyoka Backdoor - S1027 (dff90475-9f72-41a6-84ed-1fbefd3874c0) Malware 2
System Service Discovery - T1007 (322bad5a-1c49-4d23-ab79-76d641794afa) Attack Pattern Heyoka Backdoor - S1027 (dff90475-9f72-41a6-84ed-1fbefd3874c0) Malware 2
Protocol Tunneling - T1572 (4fe28b27-b13c-453e-a386-c2ef362a573b) Attack Pattern Heyoka Backdoor - S1027 (dff90475-9f72-41a6-84ed-1fbefd3874c0) Malware 2
Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580) Attack Pattern Heyoka Backdoor - S1027 (dff90475-9f72-41a6-84ed-1fbefd3874c0) Malware 2
Peripheral Device Discovery - T1120 (348f1eef-964b-4eb6-bb53-69b3dcb0c643) Attack Pattern Heyoka Backdoor - S1027 (dff90475-9f72-41a6-84ed-1fbefd3874c0) Malware 2
Software Packing - T1027.002 (deb98323-e13f-4b0c-8d94-175379069062) Attack Pattern Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) Attack Pattern 2
System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1) Attack Pattern Mongall - S1026 (6fb36c6f-bb3d-4ed6-9471-cb9933e5c154) Malware 2
Exfiltration Over C2 Channel - T1041 (92d7da27-2d91-488e-a00c-059dc162766d) Attack Pattern Mongall - S1026 (6fb36c6f-bb3d-4ed6-9471-cb9933e5c154) Malware 2
Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279) Attack Pattern Mongall - S1026 (6fb36c6f-bb3d-4ed6-9471-cb9933e5c154) Malware 2
Mongall - S1026 (6fb36c6f-bb3d-4ed6-9471-cb9933e5c154) Malware Dynamic-link Library Injection - T1055.001 (f4599aa0-4f85-4a32-80ea-fc39dc965945) Attack Pattern 2
Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41) Attack Pattern Mongall - S1026 (6fb36c6f-bb3d-4ed6-9471-cb9933e5c154) Malware 2
Malicious File - T1204.002 (232b7f21-adf9-4b42-b936-b9d6f7df856e) Attack Pattern Mongall - S1026 (6fb36c6f-bb3d-4ed6-9471-cb9933e5c154) Malware 2
Rundll32 - T1218.011 (045d0922-2310-4e60-b5e4-3302302cb3c5) Attack Pattern Mongall - S1026 (6fb36c6f-bb3d-4ed6-9471-cb9933e5c154) Malware 2
Deobfuscate/Decode Files or Information - T1140 (3ccef7ae-cb5e-48f6-8302-897105fbf55c) Attack Pattern Mongall - S1026 (6fb36c6f-bb3d-4ed6-9471-cb9933e5c154) Malware 2
Mongall - S1026 (6fb36c6f-bb3d-4ed6-9471-cb9933e5c154) Malware Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add) Attack Pattern 2
Software Packing - T1027.002 (deb98323-e13f-4b0c-8d94-175379069062) Attack Pattern Mongall - S1026 (6fb36c6f-bb3d-4ed6-9471-cb9933e5c154) Malware 2
Standard Encoding - T1132.001 (04fd5427-79c7-44ea-ae13-11b24778ff1c) Attack Pattern Mongall - S1026 (6fb36c6f-bb3d-4ed6-9471-cb9933e5c154) Malware 2
Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) Attack Pattern Mongall - S1026 (6fb36c6f-bb3d-4ed6-9471-cb9933e5c154) Malware 2
Data from Local System - T1005 (3c4a2599-71ee-4405-ba1e-0e28414b4bc5) Attack Pattern Mongall - S1026 (6fb36c6f-bb3d-4ed6-9471-cb9933e5c154) Malware 2
Peripheral Device Discovery - T1120 (348f1eef-964b-4eb6-bb53-69b3dcb0c643) Attack Pattern Mongall - S1026 (6fb36c6f-bb3d-4ed6-9471-cb9933e5c154) Malware 2
Match Legitimate Name or Location - T1036.005 (1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2) Attack Pattern Masquerading - T1036 (42e8de7b-37b2-4258-905a-6897815e58e0) Attack Pattern 2
Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) Attack Pattern Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144) Attack Pattern 3
Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279) Attack Pattern Boot or Logon Autostart Execution - T1547 (1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf) Attack Pattern 3
Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69) Attack Pattern File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c) Attack Pattern 3
Process Injection - T1055 (43e7dc91-05b2-474c-b9ac-2ed4fe101f4d) Attack Pattern Dynamic-link Library Injection - T1055.001 (f4599aa0-4f85-4a32-80ea-fc39dc965945) Attack Pattern 3
DNS - T1071.004 (1996eef1-ced3-4d7f-bf94-33298cabbf72) Attack Pattern Application Layer Protocol - T1071 (355be19c-ffc9-46d5-8d50-d6a036c675b6) Attack Pattern 3
Rundll32 - T1218.011 (045d0922-2310-4e60-b5e4-3302302cb3c5) Attack Pattern System Binary Proxy Execution - T1218 (457c7820-d331-465a-915e-42f85500ccc4) Attack Pattern 3
Masquerade Task or Service - T1036.004 (7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c) Attack Pattern Masquerading - T1036 (42e8de7b-37b2-4258-905a-6897815e58e0) Attack Pattern 3
Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41) Attack Pattern Encrypted Channel - T1573 (b8902400-e6c5-4ba2-95aa-2d35b442b118) Attack Pattern 3
Data Encoding - T1132 (cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f) Attack Pattern Standard Encoding - T1132.001 (04fd5427-79c7-44ea-ae13-11b24778ff1c) Attack Pattern 3
Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) Attack Pattern Application Layer Protocol - T1071 (355be19c-ffc9-46d5-8d50-d6a036c675b6) Attack Pattern 3