type: Nation-State
threat_level: High
status: Active
origin: China — state-suspected (Chinese-speaking team)
last_updated: 2026-03-26

Aoqin Dragon

also known as: UNC94 (potential association); Naikon (tactical overlap)

A quietly operating Chinese-speaking espionage group that ran undetected for nearly a decade before SentinelOne's 2022 disclosure. Active since at least 2013, Aoqin Dragon focuses on government, education, and telecom targets in Southeast Asia and Australia — nations of direct interest to Chinese foreign policy. The group has continuously evolved its infection strategy across three distinct phases, transitioning from document exploits through fake antivirus droppers to fake removable device lures, while maintaining consistent use of DNS tunneling C2 to stay below detection thresholds. SentinelLabs assessed it to be a small, tightly focused Chinese-speaking team.

attributed origin: China — Chinese-speaking team
attribution confidence: Moderate — Chinese state-suspected (SentinelOne)
active since: 2013
disclosed: June 9, 2022 — SentinelLabs (Joey Chen)
primary targets: Govt, education, telecom — SE Asia + Australia
signature technique: Fake removable device LNK + DNS tunneling C2
primary backdoors: Mongall + modified Heyoka (DNS tunnel)
target countries: Australia, Cambodia, Hong Kong, Singapore, Vietnam
c2 server location: Beijing (police investigation, 2013 news reports)
mitre att&ck group: G1007

Overview

Aoqin Dragon is a Chinese-speaking advanced persistent threat group discovered and publicly disclosed by SentinelLabs researcher Joey Chen in June 2022. The disclosure was notable precisely for what it revealed about the duration of undetected operation: the group had been conducting espionage against government, education, and telecommunications organizations in Southeast Asia and Australia since at least 2013 — nearly a decade before being formally documented. During that time, fragments of the group's activity appeared in reports from ESET (2013, noting the Mongall backdoor targeting the Vietnamese government and Telecommunications Department) and FireEye (2014, covering lure documents themed around the disappearance of Malaysia Airlines Flight MH370), but the full operational picture was not assembled until SentinelLabs pieced together the complete decade-long cluster.

SentinelLabs assessed Aoqin Dragon with moderate confidence as a small Chinese-speaking team with potential association to UNC94, a cluster tracked by Mandiant. The group's targeting closely aligns with Chinese government political interests in Southeast Asia — Cambodia, Singapore, Vietnam, Hong Kong, and Australia are all countries where China has significant diplomatic, territorial, or strategic interests. A 2013 police investigation mentioned in news reporting recovered information from C2 servers and phishing mail servers attributed to operators located in Beijing, China, providing geographic corroboration for the state-association assessment.

What distinguishes Aoqin Dragon from peer Chinese APT groups is the combination of consistent geographic and sector focus with a documented evolution of infection tactics designed to stay below detection thresholds. The group has pivoted its initial access method three times across its documented operational lifetime — from Office document exploits, to fake antivirus droppers, to fake removable device LNK files — with each pivot occurring after the previous technique attracted researcher attention. This pattern of adaptation reflects a group that monitors security research publications and responds to exposure by changing the visible surface of its operations while maintaining consistent back-end infrastructure and backdoors.

Aoqin Dragon also demonstrates a distinct preference for DNS tunneling as its C2 communication channel — implemented through a heavily modified version of the open-source Heyoka project that converts spoofed DNS requests into a bidirectional covert tunnel. This choice reflects the same operational logic seen in APT18's Pisloader: DNS traffic is often not inspected at the content level by enterprise security controls, making it a reliable long-duration covert channel even in reasonably well-defended environments.

attribution note

SentinelLabs assessed with moderate confidence that Aoqin Dragon is a small Chinese-speaking team. Attribution to the Chinese state (as opposed to a non-state Chinese-speaking actor) is supported by: consistent alignment of targets with Chinese government political interests; C2 infrastructure attributed to Beijing-based operators in a 2013 police investigation; and tactical association noted with both Naikon (a China-linked group targeting Southeast Asian government agencies) and UNC94 (Mandiant's Chinese APT cluster), based on malware, infrastructure, and targeting overlap. A full-confidence state attribution was not claimed. The group has not been formally linked to a specific PLA unit or MSS bureau in public reporting. The Naikon association specifically is described in SentinelLabs' report as tactical overlap — not as evidence that Aoqin Dragon is Naikon or a sub-unit of it.

Target Profile

Aoqin Dragon's targeting is geographically concentrated and sector-consistent across its entire documented operational lifetime. The focus on Southeast Asia and Australia reflects the specific set of countries involved in China's most active foreign policy concerns: the South China Sea territorial disputes, ASEAN diplomatic dynamics, China-Australia diplomatic tensions, and Hong Kong's political status.

  • Government Organizations: Central government ministries, agencies, and departments across the target countries are the primary focus. Government entities hold diplomatic communications, policy documents, and strategic planning materials directly relevant to Chinese foreign policy intelligence requirements. The 2014 MH370-themed lure documents specifically targeted APAC political affairs audiences — indicating the group was fishing for government and policy analysts rather than general populations.
  • Telecommunications Companies: The earliest documented Mongall activity (ESET 2013) specifically targeted the Vietnamese Telecommunications Department and Vietnamese government organizations. Telecom providers are targeted both as intelligence targets in their own right and as network access vectors to government and corporate clients.
  • Educational Institutions: Universities and research institutions in Southeast Asia and Australia are targeted for the policy research, geopolitical analysis, and government-adjacent intellectual work they produce. Academic institutions studying China-related topics, Southeast Asian political dynamics, or Australian foreign policy are of particular interest.
  • Cambodia: A primary target country. China has a strong and documented diplomatic relationship with Cambodia — one of ASEAN's most China-aligned members. Intelligence on Cambodian government positions and communications is valuable both for confirming ally alignment and for understanding ASEAN internal dynamics from a friendly perspective.
  • Singapore: A documented target and a diplomatically significant one — Singapore is a major financial hub, an ASEAN founding member, and a country with complex relationships with both China and the United States. Intelligence on Singapore's diplomatic and economic positions is consistently valuable to Chinese state intelligence.
  • Vietnam: An original and persistent target since Mongall's earliest documented deployment. Vietnam has ongoing South China Sea territorial disputes with China and is one of the most diplomatically active ASEAN members on issues directly affecting Chinese interests. The Vietnamese government and telecommunications sector have been documented Aoqin Dragon targets since 2013.
  • Hong Kong: Targeted both for the unique status of Hong Kong's institutions and for the diaspora and activist communities based there. The 2019–2020 civic protest period would have generated significant intelligence interest in Hong Kong-based civil society organizations from a state entity tasked with monitoring political opposition.
  • Australia: A consistent target across the entire documented operational period. Australia's Five Eyes intelligence relationship with the United States, its military alliance commitments, its ongoing diplomatic tensions with China over a range of issues, and its significant Chinese-Australian diaspora community all make it a priority target for Chinese state-aligned espionage.

The Three-Phase Infection Evolution

One of Aoqin Dragon's most analytically interesting characteristics is its documented history of pivoting its initial access technique in response to changing detection capability — cycling through three distinct approaches over its operational lifetime while keeping consistent back-end infrastructure and backdoors.

  • Phase 1 — Document Exploits (2012–2015): The earliest documented phase relied heavily on known Microsoft Office vulnerabilities — CVE-2012-0158 (Windows Common Controls RCE) and CVE-2010-3333 (RTF stack buffer overflow). These vulnerabilities were patched before Aoqin Dragon deployed them, but remained effective against unpatched systems common in the target region. Lure documents used three themes: APAC political affairs content, pornographic material to entice targets into opening files, and region-wide Southeast Asia content rather than country-specific materials — suggesting the same lures were distributed broadly across target countries simultaneously. FireEye's 2014 reporting on MH370-themed lure documents captured this phase.
  • Phase 2 — Fake Antivirus Droppers (2015–2018): After the document exploit technique attracted researcher attention, Aoqin Dragon shifted to executable files disguised with icons from security vendor products — McAfee and Bkav (a Vietnamese antivirus vendor) — to trick targets into running malware droppers. The use of Bkav iconography specifically demonstrates knowledge of the Vietnamese security software ecosystem: Bkav is a trusted Vietnamese brand, making a file with its icon appear locally legitimate to Vietnamese targets in a way a Western security vendor's branding would not. The executable dropper typically contained a script designed to search for Microsoft Word documents on the victim system, as well as a worm-style removable device infection component.
  • Phase 3 — Fake Removable Device LNK (2018–present): The current and most sophisticated phase, using a shortcut file (.LNK) designed to appear as a removable drive in Windows Explorer. When clicked, the shortcut runs RemovableDisc.exe — displayed with the Evernote application icon rather than a security product icon, likely reflecting an awareness that security product masquerading had become a known technique. The malware runs under the name "Evernote Tray Application" and sets up auto-start persistence as "EverNoteTrayService." The DLL-test.dll loader checks whether the current drive is removable media, opens a Removable Disk folder to simulate normal USB behavior, copies all malicious modules from the drive to an "EverNoteService" folder, and then uses DLL hijacking to load the encrypted backdoor (encrashrep.dll) via explorer.exe. The worm component copies all payloads to any other removable devices detected — spreading infection when the compromised USB is inserted into other machines.

Tactics, Techniques & Procedures

  • T1204.002 Malicious File — Fake Removable Device: The current (Phase 3) primary initial access technique. An .LNK shortcut file is crafted to appear as a USB removable drive in Windows Explorer. When the target clicks what appears to be a legitimate drive icon, RemovableDisc.exe executes — disguised with the Evernote application icon to appear as the Evernote system tray utility. The malware establishes persistence as "EverNoteTrayService" under the "EverNoteService" folder. The approach exploits the tendency of Windows users to interact with apparent removable drives without suspicion, particularly in environments where USB drives are common data-sharing vectors.
  • T1574.001 DLL Search Order Hijacking: DLL hijacking is the central technique in Aoqin Dragon's current infection chain and is used consistently across all three malware families — the malware loader, Mongall, and modified Heyoka. The DLL-test.dll loader uses DLL hijacking to load encrashrep.dll (a malicious DLL named after a legitimate component) via explorer.exe. The malicious DLL is loaded in place of the expected legitimate DLL, executing the backdoor payload within the context of a trusted Windows process. This technique allows Aoqin Dragon's payloads to run under legitimate process names, reducing their visibility to process-monitoring security tools.
  • T1091 Replication Through Removable Media: A worm component embedded in the infection chain copies all malicious files from the infected system to any removable devices subsequently inserted into the machine. This spreading capability turns each victim machine into a potential infection vector for air-gapped or network-segmented systems that the USB drive might subsequently be inserted into. The technique is particularly valuable in Southeast Asian government environments where USB drives are commonly used to transfer documents between systems, including between networked and non-networked workstations.
  • T1071.004 DNS C2 — Modified Heyoka (DNS Tunnel): The modified Heyoka backdoor uses spoofed DNS requests to create a bidirectional covert command-and-control tunnel. DNS tunneling encodes C2 commands and data exfiltration in DNS query and response traffic — which is generally permitted through firewalls, often not inspected at the content level, and generates minimal alerts in environments tuned for HTTP/HTTPS threat detection. The modified Heyoka backdoor adds two hardcoded C2 servers for redundancy alongside the DNS tunnel, and the debug PDB paths in Heyoka samples contain simplified Chinese characters — confirming Chinese-language developers.
  • T1027.002 Software Packing — Themida: Aoqin Dragon packs its tools using Themida — a commercial software protection product that applies virtualization and anti-analysis obfuscation to executables, making static reverse engineering significantly more difficult. The use of Themida is specifically noted in the updated Mongall variants used in more recent campaigns, providing protection against signature-based detection and slowing forensic analysis of captured samples.
  • T1547.001 Registry Run Keys / Startup Folder: The EverNoteTrayService auto-start mechanism establishes persistence via Windows startup mechanisms. The loader sets up the "EverNoteTrayService" registry run entry or startup folder entry to ensure Aoqin Dragon's backdoor restarts on system reboot, maintaining access across reboots without requiring re-exploitation of the victim.
  • T1057 Process Discovery: The modified Heyoka backdoor includes process enumeration and management capabilities — creating, terminating, and gathering information about running processes on the compromised host. This allows operators to identify security products, understand what applications are running, and selectively kill security tools or competing malware.
  • T1555 Credentials from Password Stores: The executable dropper in Phase 1-2 operations contained a script designed to search the system for Microsoft Word documents and retrieve stored credential material. The dropper employs a RAR command embedded in the script to archive collected documents for staging and exfiltration — primarily targeting .doc and .docx files as the most likely containers for sensitive government and diplomatic communications.

Known Campaigns

Vietnamese Government and Telecom Targeting — Mongall Phase 1 (2013–2015)

The earliest documented Aoqin Dragon activity, first captured by ESET in 2013. The group used the Mongall backdoor (HJ-client.dll) to target the Vietnamese Telecommunications Department and Vietnamese government organizations — establishing the group's characteristic sector focus from its very first documented operations. During this same period, Aoqin Dragon leveraged CVE-2012-0158 and CVE-2010-3333 in malicious RTF documents distributed with APAC political affairs lures and pornographic-theme decoys to maximize victim open rates. A 2013 police investigation reportedly recovered information from C2 servers and phishing mail servers attributed to Beijing-based operators — the earliest corroborating evidence for the group's China location.

MH370 Lure Campaign — APAC Government Targeting (2014)

FireEye documented Aoqin Dragon activity in 2014 using lure documents themed around the disappearance of Malaysia Airlines Flight MH370 — a major APAC news event that dominated regional media and political attention throughout 2014. The MH370 disappearance generated intense interest from APAC government officials, defense analysts, and regional policy researchers — exactly the audience Aoqin Dragon was targeting. Weaponized Word documents exploiting CVE-2012-0158 were distributed with MH370-themed content, installing Mongall on systems whose operators opened the decoy. FireEye's blog about this activity was one of the partial disclosures that preceded SentinelLabs' 2022 full attribution.

Myanmar President Website Watering Hole (December 2014)

Unit 42 (Palo Alto Networks) observed one of Aoqin Dragon's Mongall backdoor variants being deployed via a watering-hole attack on the Myanmar President's official website on December 24, 2014. This campaign demonstrates Aoqin Dragon's willingness to compromise high-profile government web properties as delivery platforms — serving malicious content to visitors interested in official Myanmar government communications during a politically significant period for Myanmar's transition process. The watering-hole corroborates the government-targeting focus and demonstrates initial access capabilities beyond malicious document distribution.

Fake Antivirus Dropper Campaign — McAfee and Bkav (2015–2018)

Following the document exploit phase, Aoqin Dragon shifted to executable files disguised with McAfee and Bkav security vendor icons — tricking targets into running malware droppers that appeared to be legitimate antivirus utilities. The Bkav icon choice is particularly notable: Bkav is a Vietnamese antivirus product that is a familiar, trusted brand in Vietnamese government and enterprise environments. Using Bkav iconography for targets in Vietnam specifically demonstrates targeted social engineering based on knowledge of the Vietnamese security software ecosystem. The executable dropper searched victim systems for Microsoft Word documents and used a worm-style infection to spread to connected removable devices.

Fake Evernote Removable Device — Current Phase (2018–present)

Aoqin Dragon's current infection method, active from 2018 through the time of SentinelLabs' 2022 disclosure and assessed as likely continuing post-disclosure with adaptations. The fake removable device shortcut (.LNK) triggers the "Evernote Tray Application" when clicked, using DLL hijacking to load encrashrep.dll via explorer.exe and deploying either Mongall or modified Heyoka. The worm component spreads to any removable media detected on the system. Both Mongall (three hardcoded C2 servers) and the modified Heyoka DNS tunnel are deployed as dual persistence channels. The modified Heyoka backdoor provides comprehensive access: file operations, process management, network information collection, and the DNS-tunneled C2 that avoids standard network monitoring detection. Simplified Chinese characters in Heyoka's debug PDB strings confirmed the Chinese-language development team.

Tools & Malware

  • Mongall (HJ-client.dll): Aoqin Dragon's primary and oldest backdoor, dating to at least 2013 — the same year as the group's first documented operations. Named by ESET from its original discovery. Not particularly feature-rich by design, but effective: creates a remote shell and supports arbitrary file upload and download to and from the C2 server. Embeds three hardcoded C2 server addresses for redundancy. Has been progressively upgraded across campaigns with improved encryption protocols and Themida packing for anti-analysis protection. The backdoor name "HJ-client.dll" and associated notes in samples allow SentinelLabs to estimate malware creation times and intended target regions from embedded strings.
  • Modified Heyoka Backdoor (srvdll.dll / DnsControl): A substantially modified and expanded version of the open-source Heyoka proof-of-concept exfiltration tool. The original Heyoka uses spoofed DNS requests to create a bidirectional data tunnel — Aoqin Dragon's developers took this concept and rebuilt it as a full custom backdoor using DLL injection for deployment. Capabilities include: file creation, deletion, and searching; process creation and termination; process information enumeration; network information collection; command execution; and the core DNS tunneling C2 channel. Hardcoded with two redundant C2 servers alongside the DNS tunnel. Checks execution privileges and maintains persistence if running as a system service. Debug PDB strings in samples contain simplified Chinese characters confirming Chinese-language developers. The debug paths reveal development directory structures and timestamps that allowed SentinelLabs to date different generations of the tool.
  • DLL-test.dll Loader: The infection chain initiator in Aoqin Dragon's current Phase 3 deployment. Checks that the host drive is not drive A, tests whether the current drive is removable media, opens a Removable Disk folder to simulate normal drive-opening behavior, copies all malicious modules from the removable drive to the EverNoteService folder, sets up EverNoteTrayService persistence, decrypts the encrypted backdoor payload, and injects it into rundll32.exe memory via specific export function calls. The loader's file check and folder simulation behavior is specifically designed to make the victim's interaction appear normal while the infection proceeds invisibly.
  • Worm Spreader Component: A separate module in the infection chain responsible for removable media propagation. When the loader detects inserted removable devices, the spreader copies all malicious files to the newly inserted drive — ensuring that any USB drive subsequently inserted into the infected machine carries the infection to the next system it is plugged into. This worm behavior extends the infection's reach beyond network-connected systems into air-gapped environments and network-segmented workstations accessible via USB.
  • Document Lures (Phase 1): Malicious Word documents exploiting CVE-2012-0158 and CVE-2010-3333, distributed with APAC political affairs content, pornographic themes, and MH370-themed material. The dropper in Phase 1-2 documents contained a RAR-based script to collect and archive Microsoft Word documents found on the victim system.

Indicators of Compromise

IOCs drawn from SentinelLabs' June 2022 Aoqin Dragon report. The group has adapted its tooling in response to detection events historically — current operational infrastructure will differ from 2022 disclosures, but behavioral and code-level indicators are more durable.

behavioral and technical indicators

  • filename: HJ-client.dll — Mongall backdoor filename (developer-assigned internal name)
  • filename: srvdll.dll — modified Heyoka backdoor developer filename
  • filename: RemovableDisc.exe — fake removable device payload launcher
  • filename: encrashrep.dll — malicious DLL loaded by DLL hijacking in current phase infection chain
  • service: EverNoteTrayService — Windows service/startup entry created by Aoqin Dragon loader for persistence; EverNoteService — folder used for module staging
  • process: Evernote Tray Application — process name used by Aoqin Dragon malware to masquerade as legitimate Evernote system tray utility
  • technique: DNS TXT/A record anomalies from non-DNS-client processes — modified Heyoka DNS tunneling; high-frequency DNS queries with high-entropy subdomains from non-browser processes
  • pdb string: Simplified Chinese characters in PDB path strings within Heyoka samples — confirms Chinese-language development environment
  • cve: CVE-2012-0158 (Windows Common Controls RCE) and CVE-2010-3333 (RTF stack overflow) — Phase 1 document exploit CVEs; any unpatched systems remain vulnerable
  • mutex: Four distinct Mongall mutex patterns per version documented in SentinelLabs IOC tables — see full SentinelLabs report for specific values per backdoor version
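
The host-based indicators above (filenames, the EverNoteTrayService persistence name, the EverNoteService staging folder, the "Evernote Tray Application" masquerade, and DLL loads into explorer.exe or rundll32.exe) can be turned into a simple matcher over endpoint telemetry. The following is an added example written for this profile, not tooling from SentinelLabs or any vendor. The event records are constructed and loosely follow Sysmon field names (Image, ImageLoaded, TargetObject); only the indicator values themselves come from the table above.

```python
"""IOC matcher for the Aoqin Dragon host-based indicators listed in the profile.

Added example, not SentinelLabs tooling. Event records are constructed for the
demonstration and modelled on Sysmon field names; they are not real captures.
"""
import ntpath
from dataclasses import dataclass

# Indicator values from the profile's IOC table; everything else here is constructed.
SUSPICIOUS_FILENAMES = {"hj-client.dll", "srvdll.dll", "removabledisc.exe", "encrashrep.dll"}
PERSISTENCE_NAME = "evernotetrayservice"      # run-key / service name used for persistence
STAGING_FOLDER = "evernoteservice"            # folder the loader copies modules into
MASQUERADE_DESCRIPTION = "evernote tray application"
# Trusted host processes the profile reports being used to load the hijacked DLL.
HIJACK_HOSTS = {"explorer.exe", "rundll32.exe"}


@dataclass(frozen=True)
class Finding:
    event_id: int
    indicator: str
    detail: str


def _basename(path: str) -> str:
    # ntpath handles Windows backslash paths regardless of the host OS.
    return ntpath.basename(path).lower()


def _folders(path: str) -> set[str]:
    # Every directory component of a backslash path, lower-cased, minus the file name.
    return {part.lower() for part in path.split("\\")[:-1]}


def inspect_event(event: dict) -> list[Finding]:
    """Return the indicators a single telemetry record matches (empty list if none)."""
    out: list[Finding] = []
    eid = event["id"]
    if event["type"] == "image_load":
        host, loaded = _basename(event["Image"]), event["ImageLoaded"]
        if _basename(loaded) in SUSPICIOUS_FILENAMES:
            out.append(Finding(eid, "filename", f"{host} loaded {loaded}"))
        # DLL hijack pattern from the profile: a trusted host loading from the staging folder.
        if host in HIJACK_HOSTS and STAGING_FOLDER in _folders(loaded):
            out.append(Finding(eid, "staging_folder", f"{host} loaded a DLL from an {STAGING_FOLDER} folder"))
    elif event["type"] == "process_create":
        image = event["Image"]
        if _basename(image) in SUSPICIOUS_FILENAMES:
            out.append(Finding(eid, "filename", f"process started from {image}"))
        if event.get("Description", "").lower() == MASQUERADE_DESCRIPTION:
            out.append(Finding(eid, "masquerade", f"{image} describes itself as {event['Description']}"))
    elif event["type"] == "registry_set":
        # Run-key value name is the last path component of the registry target.
        if _basename(event["TargetObject"]) == PERSISTENCE_NAME:
            out.append(Finding(eid, "persistence", f"run entry {event['TargetObject']}"))
    return out


def scan(events: list[dict]) -> list[Finding]:
    """Run inspect_event over a stream of records and flatten the findings."""
    return [f for e in events for f in inspect_event(e)]


# Constructed sample telemetry: two benign records, three that should match.
SAMPLE_EVENTS = [
    {"id": 1, "type": "image_load", "Image": r"C:\Windows\explorer.exe",
     "ImageLoaded": r"C:\Windows\System32\shell32.dll"},
    {"id": 2, "type": "image_load", "Image": r"C:\Windows\explorer.exe",
     "ImageLoaded": r"C:\ProgramData\EverNoteService\encrashrep.dll"},
    {"id": 3, "type": "process_create", "Image": r"E:\RemovableDisc.exe",
     "Description": "Evernote Tray Application"},
    {"id": 4, "type": "registry_set",
     "TargetObject": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\EverNoteTrayService"},
    {"id": 5, "type": "process_create", "Image": r"C:\Program Files\Evernote\Evernote.exe",
     "Description": "Evernote"},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[event {f.event_id}] {f.indicator}: {f.detail}")
```

The filename and description matches are the weakest signals (a legitimate Evernote installation has its own tray process), so treat them as triage leads; the staging-folder DLL load into explorer.exe or rundll32.exe and the EverNoteTrayService run entry are the findings worth paging on.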

Mitigation & Defense

Aoqin Dragon is assessed as active. SentinelLabs explicitly stated that following the 2022 disclosure the group was expected to continue operations and evolve tradecraft. Organizations in the target countries — Australia, Cambodia, Singapore, Vietnam, Hong Kong — in the target sectors (government, education, telecoms) should treat this as a persistent, ongoing threat that will adapt to any detection signature changes published in response to the 2022 disclosure.

  • USB and Removable Media Controls: Aoqin Dragon's current Phase 3 technique and its persistent worm spreading component both depend on removable media interaction. Implement Group Policy controls restricting USB drive autorun and execution of files from removable media. Enforce removable media scanning before any file access. Consider hardware-level USB port restrictions for high-sensitivity government workstations that handle classified communications. Any system that has been connected to USB drives that originated from Aoqin Dragon-exposed environments should be treated as potentially compromised. The worm spreading component means a single infected drive can propagate the infection to every system it subsequently touches.
  • DNS Traffic Inspection: The modified Heyoka backdoor uses DNS tunneling as its primary C2 channel. Deploy DNS security monitoring that baselines normal DNS query patterns per endpoint, detects high-frequency or high-entropy subdomain queries from non-DNS-client processes, and alerts on DNS TXT record responses with unusual payload sizes or encoded content. Particularly watch for non-browser, non-system processes making DNS queries — the Heyoka backdoor operates as a background DLL-injected service, and DNS queries from rundll32.exe or explorer.exe hosting unexpected DLLs should be treated as highly suspicious.
  • LNK File Execution Monitoring: Aoqin Dragon's Phase 3 infection vector is a .LNK shortcut file that triggers DLL hijacking when clicked. Implement monitoring that alerts on .LNK files created in or distributed to unusual locations (email attachments, downloaded files, removable media) that execute unusual targets — particularly .exe files in non-standard locations or with names matching known Aoqin Dragon patterns (RemovableDisc.exe, EverNoteTrayService paths). Enable attack surface reduction rules that block LNK files from executing code outside of expected application contexts.
  • DLL Hijacking Detection: DLL hijacking is described by SentinelLabs as the technique Aoqin Dragon relies on "heavily." Deploy EDR with DLL load monitoring that alerts on legitimate processes (explorer.exe, rundll32.exe) loading DLLs from unexpected directories or DLLs with names that match legitimate system DLLs but are located in application or user data directories. Particular attention should be given to DLL loads from the EverNoteService folder path and any folder named after legitimate applications in the ProgramData directory.
  • Patch Management for Office Vulnerabilities: CVE-2012-0158 and CVE-2010-3333 are patched vulnerabilities that Aoqin Dragon continued to use against unpatched systems years after patches were available. Verify that all Windows and Office systems in the target environment have these patches applied. In regions with older infrastructure common in government and educational institutions in Southeast Asia, unpatched systems with these known vulnerabilities may still be present. Run authenticated vulnerability scans specifically checking for CVE-2012-0158 and CVE-2010-3333 patch status on all Windows endpoints.
  • Awareness Training Specific to Regional Lure Themes: Aoqin Dragon's document lures are targeted at APAC political affairs themes — not generic phishing. Security awareness training for government and education sector staff in the target countries should include specific examples of Aoqin Dragon's documented lure types: politically themed APAC documents, content referencing regional events (previous lures included MH370 content), and pornographic-theme documents. Train staff to report unexpected documents with these themes rather than opening them, and implement email filtering for document attachments with these topic patterns.
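
The DNS Traffic Inspection guidance above asks for three things: a per-process view of DNS queries, a flag on bursts of high-entropy subdomains, and a flag on oversized TXT answers. The detector below is an added example written for this profile (not SentinelLabs or vendor code) that implements those three checks over constructed query records. It assumes telemetry that attributes each query to the calling process, as Sysmon Event ID 22 does, and that the answer size is recorded; the record format, the sample lines and the domain tunnel-placeholder.invalid are all constructed for the demonstration.

```python
"""Heuristic DNS-tunnel detector over per-process DNS query records.

Added example for the DNS Traffic Inspection guidance in the profile; not
tooling from SentinelLabs or any vendor. Record format (constructed):
    "<seconds> <process> <qtype> <qname> <answer_bytes>"
"""
import math
from collections import defaultdict

# Browsers generate noisy, legitimate DNS; everything else is in scope for the checks.
BROWSER_ALLOWLIST = {"chrome.exe", "firefox.exe", "msedge.exe"}


def shannon_entropy(s: str) -> float:
    """Bits per character of s; 0.0 for an empty or single-character string."""
    if not s:
        return 0.0
    counts: dict[str, int] = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def subdomain_labels(qname: str) -> list[str]:
    """Labels left of the registered domain, approximated as everything before the
    last two labels (a production detector would consult a public-suffix list)."""
    return qname.rstrip(".").split(".")[:-2]


def looks_encoded(qname: str, min_len: int = 16, min_entropy: float = 3.5) -> bool:
    """True when any subdomain label is both long and high-entropy, which is how
    data encoded into DNS labels tends to look. Long but repetitive labels do not count."""
    return any(len(lbl) >= min_len and shannon_entropy(lbl) >= min_entropy
               for lbl in subdomain_labels(qname))


def parse(line: str) -> dict:
    ts, proc, qtype, qname, size = line.split()
    return {"ts": int(ts), "proc": proc, "qtype": qtype, "qname": qname, "size": int(size)}


def analyze(lines, window: int = 60, min_hits: int = 5, max_txt_bytes: int = 300) -> dict:
    """Return {process: sorted list of reasons} for processes whose DNS activity
    matches the tunnel heuristics: a burst of encoded-looking queries inside a
    sliding window, or a TXT answer larger than max_txt_bytes."""
    encoded_ts: dict[str, list[int]] = defaultdict(list)   # proc -> recent encoded-query times
    reasons: dict[str, set[str]] = defaultdict(set)
    for line in lines:
        if not line.strip():
            continue
        rec = parse(line)
        if rec["proc"].lower() in BROWSER_ALLOWLIST:
            continue
        if rec["qtype"] == "TXT" and rec["size"] > max_txt_bytes:
            reasons[rec["proc"]].add("oversized TXT answer")
        if looks_encoded(rec["qname"]):
            stamps = encoded_ts[rec["proc"]]
            stamps.append(rec["ts"])
            # Drop timestamps that have fallen out of the sliding window.
            while stamps and rec["ts"] - stamps[0] > window:
                stamps.pop(0)
            if len(stamps) >= min_hits:
                reasons[rec["proc"]].add("burst of high-entropy subdomains")
    return {proc: sorted(r) for proc, r in reasons.items()}


# Constructed sample records: a browser, a system service, a tunnelling-looking
# rundll32.exe, and an updater whose long label is low-entropy (should not fire).
SAMPLE_LOG = """\
0 chrome.exe A www.example.com 60
3 svchost.exe A time.windows.com 48
5 rundll32.exe TXT q8f1z0vk3s7n2bx9l4c6ya5m1dpw7ehj.tunnel-placeholder.invalid 120
6 rundll32.exe TXT t3b9k2mz0f8x6yq1n7vh5cl4s2awgpdr.tunnel-placeholder.invalid 128
7 rundll32.exe TXT m7c2x9ak4p0sf6v1lq8dh3zn5ty2bwej.tunnel-placeholder.invalid 112
8 rundll32.exe TXT b5n1w8kq3f7zx0ch2vm9lp4ys6dj3aet.tunnel-placeholder.invalid 520
9 rundll32.exe TXT z2k7qv4b8fx1nm0c6hs5pl9tw3yd1aeg.tunnel-placeholder.invalid 116
40 updater.exe A aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.example.com 60
50 chrome.exe A cdn.example.com 60
"""

if __name__ == "__main__":
    for proc, why in analyze(SAMPLE_LOG.splitlines()).items():
        print(f"{proc}: {', '.join(why)}")
```

The thresholds (16-character labels, 3.5 bits per character, five hits per minute, 300-byte TXT answers) are starting points to be tuned against a baseline of the environment's own DNS; CDNs, anti-malware telemetry and some certificate checks also produce long hashed labels, so the per-process attribution is what keeps the false-positive rate manageable.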

analyst note

Aoqin Dragon's decade of undetected operation reflects a reality that is easy to state but difficult to internalize: the absence of detection evidence is not evidence of absence. ESET saw Mongall in 2013 and reported it. FireEye saw MH370-themed lures in 2014. Unit 42 saw a Myanmar presidential website watering hole in 2014. None of these partial sightings triggered a full actor investigation until SentinelLabs assembled the complete picture in 2022. The reason is structural: partial disclosures of a small group's activity — without attribution infrastructure or code overlap analysis connecting incidents across years — leave the full operation invisible. For defenders, this means that a group actively targeting Southeast Asian government and education institutions could be operating in your network right now and appear in the historical record as a single isolated incident rather than a decade-long campaign. The behavioral signatures — DNS tunneling from non-browser processes, EverNoteTrayService persistence entries, DLL loads from EverNoteService folders — are specific and detectable. The question is whether detection capability is deployed at a level that would surface them in environments where this group specifically focuses its effort.

Sources & Further Reading

Attribution and references used to build this profile.

— end of profile