G1007: Aoqin Dragon
Aoqin Dragon is a suspected Chinese cyber espionage threat group that has been active since at least 2013. Aoqin Dragon has primarily targeted government, education, and telecommunication organizations in Australia, Cambodia, Hong Kong, Singapore, and Vietnam. Security researchers noted a potential association between Aoqin Dragon and UNC94, based on malware, infrastructure, and targets.[1]
Analyst context for executives and security teams
Aoqin Dragon matters because ATT&CK describes it as a long-running suspected cyber espionage group targeting government, education, and telecommunications organizations in parts of Asia-Pacific. For leaders, the practical issue is not attribution certainty; it is whether the organization can detect and investigate quiet, sustained intrusion behavior involving backdoors, malicious files, removable media, masquerading, file discovery, and lateral tool movement.
Executive priority
Prioritize this as an espionage and resilience use case where sensitive data, public-sector missions, telecom operations, education networks, or regional business exposure are material. Executives should ask whether endpoint visibility, removable media controls, client-application patching, malware triage, and incident response evidence are strong enough to prove or disprove similar activity. This object is also useful for audit and board conversations because it maps threat-informed control validation to concrete ATT&CK behaviors rather than broad APT labels.
Technical view
ATT&CK does not provide a detection section for the group, so SOC and IR teams should validate coverage through the related software and techniques. The group is associated with Mongall and Heyoka Backdoor, both described as Windows backdoors, and with behaviors including software packing, masquerading, file and directory discovery, replication through removable media, exploitation for client execution, malicious file execution, lateral tool transfer, malware development, and tool acquisition. Detection engineering should focus on behavior chains: suspicious document or file execution, packed or masqueraded binaries, unusual removable media execution or file writes, host discovery commands or filesystem enumeration, and internal transfer of tools between systems.
Likely telemetry
- Endpoint process creation and command-line telemetry
- File creation, modification, rename, and metadata telemetry
- Endpoint malware/EDR alerts for packed or suspicious executables
- Removable media insertion, file copy, and execution events
- Client application crash, exploit, or child-process activity
Detection direction
- Build detections around behavior rather than group name because ATT&CK provides no official detection guidance for this intrusion set.
- Correlate malicious file execution or client-application exploitation with packed binaries, masqueraded filenames, and follow-on discovery activity.
- Validate whether removable media events are logged and reviewed; this is a common blind spot for environments with disconnected, operational, or restricted networks.
- Tune masquerading analytics carefully because legitimate software often uses similar names and paths; prioritize mismatches between filename, path, signer, metadata, and parent process.
- Hunt for lateral tool transfer patterns, especially newly created executables or archives moving between internal hosts before execution.
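The following is an added illustration of the three behaviour chains listed above (removable-media execution, masquerading mismatches, and lateral tool transfer followed by execution) run over constructed endpoint events; it is not code from ATT&CK, SentinelOne, or Glexia, and the allow-list entries, vendor name, hostnames, and paths are hypothetical.

```python
from pathlib import PureWindowsPath

# Constructed allow-list (hypothetical vendor and paths, not from the page):
# binary name -> (expected directory prefix, expected code signer). Fill from your inventory.
EXPECTED = {
    "avscan.exe": (r"c:\program files\exampleav", "ExampleAV Ltd"),
    "svchost.exe": (r"c:\windows\system32", "Microsoft Windows"),
}

# Constructed sample telemetry (not real logs); "time" is seconds, events are time-ordered.
EVENTS = [
    {"time": 0, "host": "ws1", "type": "process", "image": r"E:\Documents.exe", "signer": None, "drive": "removable"},
    {"time": 5, "host": "ws1", "type": "process", "image": r"C:\Users\u\AppData\Local\Temp\avscan.exe", "signer": None, "drive": "fixed"},
    {"time": 9, "host": "ws1", "type": "process", "image": r"C:\Program Files\ExampleAV\avscan.exe", "signer": "ExampleAV Ltd", "drive": "fixed"},
    {"time": 60, "host": "ws2", "type": "file_write", "image": r"C:\Windows\Temp\svchost.exe", "source_host": "ws1"},
    {"time": 70, "host": "ws2", "type": "process", "image": r"C:\Windows\Temp\svchost.exe", "signer": None, "drive": "fixed"},
]

def masquerade_mismatches(ev):
    """Return the attributes that disagree with the expected profile for this file name (T1036)."""
    path = PureWindowsPath(ev["image"])
    profile = EXPECTED.get(path.name.lower())
    if profile is None:
        return []          # name is not one we profile; nothing to compare against
    exp_dir, exp_signer = profile
    bad = []
    if not str(path.parent).lower().startswith(exp_dir):
        bad.append("path")
    if ev.get("signer") != exp_signer:
        bad.append("signer")
    return bad

def triage(events, window=300):
    """Run the three checks over time-ordered events; return (rule, host, image) alerts."""
    alerts, remote_writes = [], {}
    for ev in events:
        key = (ev["host"], ev["image"].lower())
        if ev["type"] == "file_write" and ev.get("source_host") not in (None, ev["host"]):
            remote_writes[key] = ev["time"]      # executable written from another host (T1570)
            continue
        if ev["type"] != "process":
            continue
        if ev.get("drive") == "removable":        # execution from removable media (T1091 / T1204.002)
            alerts.append(("removable_media_exec", ev["host"], ev["image"]))
        bad = masquerade_mismatches(ev)
        if bad:
            alerts.append(("masquerade:" + "+".join(bad), ev["host"], ev["image"]))
        written = remote_writes.get(key)
        if written is not None and 0 <= ev["time"] - written <= window:
            alerts.append(("lateral_tool_transfer_exec", ev["host"], ev["image"]))
    return alerts
```

The legitimately signed copy of avscan.exe in its expected directory produces no alert, which is the tuning point the list above makes about filename collisions with real software.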
Mitigation priorities
- Patch and harden client applications exposed to document or file-based exploitation paths.
- Restrict and monitor removable media use, especially in sensitive, disconnected, or operational environments.
- Strengthen endpoint controls for suspicious executable creation, packed binaries, and malicious file execution.
- Apply least privilege and segmentation to limit lateral tool transfer and follow-on access between hosts.
- Maintain incident response playbooks for suspected backdoor activity, including containment, malware collection, host isolation, and evidence preservation.
Analyst notes and limits
The supplied ATT&CK object identifies Aoqin Dragon as a suspected Chinese cyber espionage group active since at least 2013, with primary targeting in Australia, Cambodia, Hong Kong, Singapore, and Vietnam across government, education, and telecommunications. It also notes a potential association with UNC94 based on malware, infrastructure, and targets. Those details should guide intelligence prioritization, not be treated as proof of attribution in a local incident.
ATT&CK provides no official detection text, no group-level platforms, and no tactics for the intrusion-set object. Platform and behavior guidance here is derived from the supplied relationships to software and techniques. Local asset exposure, telemetry availability, business geography, sector relevance, and incident evidence are required before making risk, attribution, or exposure conclusions.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1204.002 | Malicious File | Aoqin Dragon has lured victims into opening weaponized documents, fake external drives, and fake antivirus to execute malicious payloads.[1] |
| Enterprise | T1570 | Lateral Tool Transfer | Aoqin Dragon has spread malware in target networks by copying modules to folders masquerading as removable devices.[1] |
| Enterprise | T1091 | Replication Through Removable Media | Aoqin Dragon has used a dropper that employs a worm infection strategy using a removable device to breach a secure network environment.[1] |
| Enterprise | T1027.002 | Software Packing | Aoqin Dragon has used the Themida packer to obfuscate malicious payloads.[1] |
| Enterprise | T1587.001 | Malware | Aoqin Dragon has used custom malware, including Mongall and Heyoka Backdoor, in their operations.[1] |
| Enterprise | T1083 | File and Directory Discovery | Aoqin Dragon has run scripts to identify file formats including Microsoft Word.[1] |
| Enterprise | T1036 | Masquerading | Aoqin Dragon has used fake icons including antivirus and external drives to disguise malicious payloads.[1] |
| Enterprise | T1588.002 | Tool | Aoqin Dragon obtained the Heyoka open source exfiltration tool and subsequently modified it for their operations.[1] |
| Enterprise | T1203 | Exploitation for Client Execution | Aoqin Dragon has exploited CVE-2012-0158 and CVE-2010-3333 for execution against targeted systems.[1] |
Groups, software, and campaigns
S1026: Mongall
Mongall is a backdoor that has been used since at least 2013, including by Aoqin Dragon.[1]
S1027: Heyoka Backdoor
Heyoka Backdoor is a custom backdoor, based on the Heyoka open source exfiltration tool, that has been used by Aoqin Dragon since at least 2013.[1][2]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 4a71277222f7… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] SentinelOne Aoqin Dragon June 2022: Chen, Joey. (2022, June 9). Aoqin Dragon | Newly-Discovered Chinese-linked APT Has Been Quietly Spying On Organizations For 10 Years. Retrieved July 14, 2022.
[2] mitre-attack G1007
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.