Southeast Asia and Australia Orgs Targeted by Aoqin Dragon Hackers for Ten Years

A new advanced persistent threat (APT) actor dubbed Aoqin Dragon, reportedly based in China, has been linked to several hacking attacks against government, education and telecom entities, mainly in Southeast Asia and Australia, since 2013.
The news comes from threat researchers at Sentinel Labs, who published a blog post on Thursday describing the decade-long activity.
“We assess that the threat actor’s primary focus is espionage and relates to targets in Australia, Cambodia, Hong Kong, Singapore, and Vietnam,” wrote Joey Chen, threat intelligence researcher at SentinelOne.
According to Sentinel Labs, Aoqin Dragon heavily relies on using document lures to infect users.
“There are three interesting points that we discovered from these decoy documents,” Chen wrote.
“First, most decoy content is themed around targets who are interested in APAC political affairs. Second, the actors made use of lure documents themed to pornographic topics to entice the targets. Third, in many cases, the documents are not specific to one country but rather the entirety of Southeast Asia.”
From a technical standpoint, the malware uses a document exploit, tricking the user into opening a weaponized Word document to install a backdoor. Alternatively, users are lured into double-clicking a fake antivirus program that executes malware on the victim’s host.
The malware also regularly uses USB shortcut techniques to install itself onto external devices and infect additional targets. Once in the system, the malware has been observed to operate through two main backdoors.
“Attacks attributable to Aoqin Dragon typically drop one of two backdoors, Mongall and a modified version of the open source Heyoka project,” Chen explained.
In terms of attribution, Sentinel Labs said they came across several artifacts linking the activity to a Chinese-speaking APT group, including overlapping infrastructure with a hacking attack targeting Myanmar’s presidential website in 2014.
“The targeting of Aoqin Dragon closely aligns with the Chinese government’s political interests,” Chen said.
“Considering this long-term effort and continuous targeted attacks for the past few years, we assess the threat actor’s motives are espionage-oriented.”
The Sentinel Labs advisory concludes with a further warning to the global cybersecurity community about Aoqin Dragon.
“We have observed the Aoqin Dragon group evolve TTPs several times in order to stay under the radar. We fully expect that Aoqin Dragon will continue conducting espionage operations. In addition, we assess it is likely they will also continue to advance their tradecraft, finding new methods of evading detection and stay longer in their target network.”