G0017: DragonOK
DragonOK is a threat group that has targeted Japanese organizations with phishing emails. Due to overlapping TTPs, including similar custom tools, DragonOK is thought to have a direct or indirect relationship with the threat group Moafee. [1] It is known to use a variety of malware, including Sysget/HelloBridge, PlugX, PoisonIvy, FormerFirstRat, NFlog, and NewCT. [2]
Analyst context for executives and security teams
DragonOK matters as a phishing-linked intrusion set documented against Japanese organizations, with reported use of multiple malware families and ATT&CK relationships to the Windows RATs PoisonIvy and PlugX. For leaders, the value is not assuming this group is currently targeting them, but using the profile to test whether phishing response, malware triage, Windows endpoint visibility, and threat-intelligence workflows can recognize and investigate similar tradecraft.
Executive priority
Prioritize this object as a readiness check for phishing-led intrusion response and RAT detection, especially for organizations with Japan exposure or operations that could be affected by targeted email compromise. Because ATT&CK provides no official detection guidance, executives should ask whether SOC coverage is evidence-based: email security logs, endpoint telemetry, malware analysis capability, and incident response playbooks should be able to connect a suspicious phish to possible remote access tooling and containment decisions.
Technical view
ATT&CK lists no tactics or platforms for DragonOK itself, so teams should avoid over-scoping coverage claims. The strongest technical anchors in the supplied data are the official description and relationships: phishing emails, use of malware including Sysget/HelloBridge, PlugX, PoisonIvy, FormerFirstRat, NFlog, and NewCT, plus explicit use relationships to PoisonIvy and PlugX, both described as Windows remote access tools. SOC and IR teams should validate alert paths from inbound phishing evidence through attachment/link detonation, endpoint process/network activity, malware family triage, and host containment for Windows systems where PlugX or PoisonIvy-like behavior is relevant.
Likely telemetry
- Email gateway and mail security logs for phishing delivery, sender, recipient, attachment, and URL evidence
- User-reported phishing submissions and mailbox investigation artifacts
- Endpoint detection and response telemetry from Windows hosts, especially process execution, persistence-related findings, file creation, and suspicious child processes
- Network telemetry showing outbound command-and-control-like connections from endpoints under investigation
- Malware analysis and sandbox results for suspicious attachments, downloads, or payloads
Detection direction
- Do not treat the group name alone as a detection strategy; validate detections around the observable behaviors and related software named in the ATT&CK data.
- Tune phishing investigations to preserve the full chain: message headers, URLs, attachments, detonation results, endpoint execution, and follow-on network activity.
- For Windows environments, confirm that telemetry can support investigation of RAT activity associated with PlugX and PoisonIvy, while accounting for the fact that both tools are used by multiple groups and are not uniquely attributable to DragonOK.
- Use relationship-driven context carefully: overlapping TTPs and similar custom tools suggest a reported relationship with Moafee, but this should inform threat-intelligence enrichment rather than drive attribution without local evidence.
- Document false-positive handling for generic RAT, remote access, and suspicious email alerts, since common malware-family labels may be noisy or shared across intrusion sets.
Mitigation priorities
- Strengthen phishing resilience first: user reporting, mail filtering, attachment and URL analysis, and rapid mailbox containment procedures.
- Ensure Windows endpoint monitoring and response controls are deployed where business-critical users and systems may receive targeted email.
- Maintain incident response playbooks that connect phishing triage to endpoint isolation, credential review, malware analysis, and evidence preservation.
- Use threat intelligence to enrich detections for malware families named in the ATT&CK description, but require corroborating telemetry before making group-level judgments.
- Review compliance and audit evidence for phishing response, endpoint logging, and malware containment to prove readiness rather than relying on undocumented assumptions.
Analyst notes and limits
The supplied ATT&CK object is a group profile with sparse structured fields: no tactics, no platforms, and no official detection text. The practical defensive value comes from the description, external references, and use relationships to PoisonIvy and PlugX. The profile supports readiness planning for phishing and RAT investigation, not claims of current activity or confirmed exposure.
This take is limited to the supplied ATT&CK fields, references, and relationships. It does not assert active exploitation, specific victim exposure beyond the official description of Japanese targeting, or guaranteed detection coverage. Local telemetry, incident evidence, and validated intelligence are required for prioritization and attribution.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 1e7f3fd04c38… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] Haq, T., Moran, N., Vashisht, S., Scott, M. (2014, September). Operation Quantum Entanglement. Retrieved November 17, 2024.
[2] Miller-Osborn, J., Grunzweig, J. (2015, April). Unit 42 Identifies New DragonOK Backdoor Malware Deployed Against Japanese Targets. Retrieved November 4, 2015.
[3] DragonOK (ATT&CK alias record, citing Operation Quantum Entanglement and New DragonOK).
[4] mitre-attack G0017 (ATT&CK external ID record).
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.