
Aoqin Dragon
| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1587.001 | Develop Capabilities: Malware | Aoqin Dragon has used custom malware, including Mongall and Heyoka Backdoor, in their operations.[1] |
| Enterprise | T1203 | Exploitation for Client Execution | Aoqin Dragon has exploited CVE-2012-0158 and CVE-2010-3333 for code execution on targeted systems.[1] |
| Enterprise | T1083 | File and Directory Discovery | Aoqin Dragon has run scripts to identify file formats, including Microsoft Word documents.[1] |
| Enterprise | T1570 | Lateral Tool Transfer | Aoqin Dragon has spread malware in target networks by copying modules to folders masquerading as removable devices.[1] |
| Enterprise | T1036.005 | Masquerading: Match Legitimate Name or Location | Aoqin Dragon has used fake icons, including antivirus and external-drive icons, to disguise malicious payloads.[1] |
| Enterprise | T1027.002 | Obfuscated Files or Information: Software Packing | Aoqin Dragon has used the Themida packer to obfuscate malicious payloads.[1] |
| Enterprise | T1588.002 | Obtain Capabilities: Tool | Aoqin Dragon obtained the open-source Heyoka exfiltration tool and subsequently modified it for their operations.[1] |
| Enterprise | T1091 | Replication Through Removable Media | Aoqin Dragon has used a dropper that employs a worm infection strategy via removable devices to breach a secure network environment.[1] |
| Enterprise | T1204.002 | User Execution: Malicious File | Aoqin Dragon has lured victims into opening weaponized documents, fake external drives, and fake antivirus programs to execute malicious payloads.[1] |
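The T1203 row names two old Office parser bugs delivered through weaponized documents (T1204.002). A practitioner triaging a mailbox or a removable drive for this group will want a quick static check for both. The script below is an added example, not code from this page or from the SentinelLabs report it cites: it decodes embedded OLE objects out of RTF and looks for the MSCOMCTL ListView CLSID associated with CVE-2012-0158, and it flags a pFragments shape property whose value is oversized, the shape of CVE-2010-3333. The CLSID value, the pFragments length threshold and the sample documents are assumptions constructed for the example, not indicators taken from the page.

```python
"""Static triage of RTF documents for the two CVEs named in the T1203 row.

Added example; the CLSID, the length threshold and the sample files below are
assumptions for illustration, not indicators published on this page.
"""
import binascii
import re
import uuid

# CVE-2012-0158 (MSCOMCTL.OCX ListView control). CLSID assumed from public
# exploit write-ups. OLE streams store GUIDs with little-endian fields, which
# uuid.UUID.bytes_le reproduces.
MSCOMCTL_LISTVIEW_CLSID = uuid.UUID("BDD1F04B-858B-11D1-B16A-00C0F0283628").bytes_le

# CVE-2010-3333: a pFragments shape property with an oversized \sv value.
# Legitimate values are a few characters; the threshold is a heuristic.
PFRAGMENTS_RE = re.compile(rb"\\sn\s*pFragments\s*\}\s*\{\\sv\s*([^}]*)\}", re.I | re.S)
PFRAGMENTS_MAX_LEN = 64

# \objdata carries the embedded OLE object as a hex string, often wrapped
# across lines and padded with whitespace.
OBJDATA_RE = re.compile(rb"\\objdata\b([^{}]*)", re.S)
NON_HEX_RE = re.compile(rb"[^0-9A-Fa-f]")


def decode_objdata_blobs(rtf: bytes) -> list[bytes]:
    """Return every embedded OLE object in the RTF as raw bytes."""
    blobs = []
    for m in OBJDATA_RE.finditer(rtf):
        hexdata = NON_HEX_RE.sub(b"", m.group(1))
        if len(hexdata) % 2:            # tolerate a truncated trailing nibble
            hexdata = hexdata[:-1]
        blobs.append(binascii.unhexlify(hexdata))
    return blobs


def triage_rtf(rtf: bytes) -> list[str]:
    """Return human-readable findings; an empty list means nothing matched."""
    findings = []
    for blob in decode_objdata_blobs(rtf):
        if MSCOMCTL_LISTVIEW_CLSID in blob:
            findings.append("CVE-2012-0158: MSCOMCTL ListView CLSID in embedded OLE object")
            break
    for m in PFRAGMENTS_RE.finditer(rtf):
        if len(m.group(1)) > PFRAGMENTS_MAX_LEN:
            findings.append(f"CVE-2010-3333: pFragments value of {len(m.group(1))} bytes")
            break
    return findings


def _build_objdata_sample(payload: bytes) -> bytes:
    """Wrap a payload in a minimal RTF \\objdata container (constructed sample)."""
    return b"{\\rtf1\\ansi{\\object\\objocx{\\*\\objdata " + binascii.hexlify(payload) + b"}}}"


# Constructed samples: one benign file, one carrying the ListView CLSID inside
# its embedded object, one with a 200-character pFragments value.
SAMPLE_BENIGN = b"{\\rtf1\\ansi Quarterly report text.}"
SAMPLE_MSCOMCTL = _build_objdata_sample(b"\x01\x05\x00\x00" + MSCOMCTL_LISTVIEW_CLSID + b"\x00" * 16)
SAMPLE_PFRAGMENTS = (
    b"{\\rtf1\\ansi{\\shp{\\*\\shpinst{\\sp{\\sn pFragments}{\\sv 1;1;"
    + b"41" * 100
    + b"}}}}}"
)

if __name__ == "__main__":
    for name, doc in (("benign", SAMPLE_BENIGN), ("mscomctl", SAMPLE_MSCOMCTL),
                      ("pfragments", SAMPLE_PFRAGMENTS)):
        print(name, triage_rtf(doc) or "clean")
```

Run it over a directory of attachments by reading each file as bytes and calling `triage_rtf`. A hit is a triage signal, not a verdict: the CLSID is also present in documents that legitimately embed the control, so follow up in a sandbox or with a full OLE parser before calling the document malicious.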