
S1026: Mongall

Mongall is a backdoor that has been used since at least 2013, including by Aoqin Dragon.[1]

Domain: Enterprise. ID: S1026. Type: Malware. Object version: 1.1.
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

Mongall matters because ATT&CK describes it as a Windows backdoor with relationships to behaviors that support persistence, discovery, command-and-control, tool transfer, local data collection, and exfiltration over the C2 channel. For leaders, the decision value is not the malware name alone; it is whether Windows endpoint, network, and identity-adjacent telemetry can show when a backdoor is launched, persists, blends into web traffic, and stages or moves sensitive data.

Executive priority

Treat this as a validation case for Windows backdoor readiness: can the organization prove it collects enough endpoint and network evidence to support containment, scoping, and regulatory/audit questions after suspected espionage-style intrusion activity? Priority should go to controls and telemetry around user-executed malicious files, rundll32/DLL abuse, registry persistence, encoded or encrypted web-based C2, ingress tool transfer, and data leaving through existing C2 channels.

Technical view

ATT&CK provides no official detection text for Mongall, so SOC and detection engineering should pivot from the supplied relationships. Validate coverage for Windows execution from malicious files, rundll32-based proxy execution, DLL injection indicators, Registry Run Keys or Startup Folder persistence, system/local storage/peripheral discovery, packed or decoded payload artifacts, tool transfer, and HTTP/S-like C2 with standard encoding or symmetric cryptography. IR playbooks should assume that backdoor activity may combine endpoint artifacts with network sessions and data access evidence, rather than relying on a single malware signature.

Likely telemetry

  • Windows process creation and command-line telemetry, especially rundll32.exe and unusual child/parent process chains
  • DLL load, memory injection, and cross-process access events where available
  • Windows registry and Startup Folder modification events for persistence validation
  • File creation/modification events for downloaded tools, packed executables, decoded payloads, and user-opened malicious files
  • Endpoint evidence of system information, local storage, peripheral, and local data discovery

Detection direction

  • Build detections around behavior chains rather than the Mongall name: malicious file execution followed by rundll32/DLL activity, registry persistence, discovery, and outbound web traffic is more defensible than a single indicator.
  • Tune rundll32 and DLL-injection analytics carefully because legitimate software may use similar mechanisms; prioritize rare DLL paths, suspicious parent processes, unsigned or newly written DLLs, and execution from user-writable locations.
  • Correlate endpoint discovery activity with network egress and tool-transfer evidence to reduce false positives and improve incident scoping.
  • Review blind spots in encrypted or encoded web traffic: ATT&CK relationships include Web Protocols, Standard Encoding, Symmetric Cryptography, and Exfiltration Over C2 Channel, which can limit payload visibility.
  • Because official detection guidance is not supplied, require local baselining and test data before declaring coverage.
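The behavior-chain approach above, as an added example (not Glexia's or MITRE's code): it scores a host on rundll32 execution from a user-writable path, Run Key persistence, and outbound web traffic, instead of matching the Mongall name. The events are constructed and loosely follow Sysmon field names; the path list, port list and threshold are assumptions to baseline locally.

```python
import re
from collections import defaultdict

# Assumed user-writable directories and Run keys; extend for your estate.
USER_WRITABLE = re.compile(r"\\(AppData|Temp|ProgramData|Downloads|Public)\\", re.I)
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.I)
WEB_PORTS = {80, 443, 8080}  # assumption: ports treated as "web egress"

# Constructed sample events (not real telemetry); ws02 is benign rundll32 use.
EVENTS = [
    {"host": "ws01", "type": "process", "image": r"C:\Windows\System32\rundll32.exe",
     "parent": r"C:\Program Files\Microsoft Office\WINWORD.EXE",
     "cmdline": r"rundll32.exe C:\Users\a\AppData\Roaming\evtr.dll,Start"},
    {"host": "ws01", "type": "registry", "image": r"C:\Windows\System32\rundll32.exe",
     "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\EverNoteTrayUService"},
    {"host": "ws01", "type": "network", "image": r"C:\Windows\System32\rundll32.exe",
     "dest_port": 80},
    {"host": "ws02", "type": "process", "image": r"C:\Windows\System32\rundll32.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": r"rundll32.exe shell32.dll,Control_RunDLL"},
]

def is_rundll32(event):
    return event["image"].lower().endswith("\\rundll32.exe")

def score_hosts(events):
    """Return {host: sorted chain stages observed for rundll32.exe}."""
    stages = defaultdict(set)
    for e in events:
        if not is_rundll32(e):
            continue
        if e["type"] == "process" and USER_WRITABLE.search(e["cmdline"]):
            stages[e["host"]].add("rundll32_user_writable_dll")
            # Office parent matches the user-opened malicious document path (T1204.002)
            if "office" in e.get("parent", "").lower():
                stages[e["host"]].add("office_parent")
        elif e["type"] == "registry" and RUN_KEY.search(e["target"]):
            stages[e["host"]].add("run_key_persistence")   # T1547.001
        elif e["type"] == "network" and e["dest_port"] in WEB_PORTS:
            stages[e["host"]].add("web_egress")            # T1071.001
    return {h: sorted(s) for h, s in stages.items()}

def alert_hosts(events, min_stages=3):
    """Hosts showing at least min_stages distinct stages of the chain."""
    return sorted(h for h, s in score_hosts(events).items() if len(s) >= min_stages)
```

A single stage (such as rundll32 from AppData) should feed a hunting queue, not an alert; the chain threshold is what keeps legitimate rundll32 use on ws02 quiet.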

Mitigation priorities

  • Prioritize endpoint hardening and monitoring for Windows execution paths commonly abused by backdoors, including user-writable directories, rundll32 execution, DLL loading, and Run Key or Startup Folder persistence.
  • Reduce initial execution risk through user-focused controls for malicious files and attachment handling, without assuming this alone prevents compromise.
  • Restrict and monitor outbound web traffic so C2 and tool transfer are more likely to be logged, inspected, or blocked according to business policy.
  • Strengthen least-privilege and application control where feasible to limit persistence, DLL abuse, and unauthorized tool execution.
  • Ensure incident response procedures preserve endpoint, registry, file, and network evidence needed to determine collection and exfiltration scope.

Analyst notes and limits

The relationship to Aoqin Dragon provides threat-intelligence context: ATT&CK states that Mongall has been used since at least 2013, including by that group. The supplied relationships are the strongest source of defensive direction and map the malware to execution, persistence, stealth, discovery, command-and-control, collection, and exfiltration behaviors. Use this as a coverage-mapping object for managed detection, IR readiness, and security control validation on Windows environments.

ATT&CK supplies no official detection text, no aliases, no labels, and no explicit malware tactic list for Mongall. The provided object states Windows as the malware platform, while several related techniques have broader platform listings; this take does not infer non-Windows Mongall activity. No indicators of compromise, procedures, active exploitation claims, or customer exposure details are supplied, so local telemetry and threat intelligence are required for operational conclusions.

Official MITRE ATT&CK definition

Mongall

Mongall is a backdoor that has been used since at least 2013, including by Aoqin Dragon.[1]

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

15 rows. Columns: Domain | ID | Name. Relationship notes follow each row; [1] is the SentinelOne Aoqin Dragon June 2022 reference listed under Source references.

Enterprise | T1071.001 | Web Protocols (sub-technique)
Mongall can use HTTP for C2 communication. [1]

Enterprise | T1140 | Deobfuscate/Decode Files or Information
Mongall has the ability to decrypt its payload prior to execution. [1]

Enterprise | T1204.002 | Malicious File (sub-technique)
Mongall has relied on a user opening a malicious document for execution. [1]

Enterprise | T1120 | Peripheral Device Discovery
Mongall can identify removable media attached to compromised hosts. [1]

Enterprise | T1680 | Local Storage Discovery
Mongall can identify drives on compromised hosts. [1]

Enterprise | T1573.001 | Symmetric Cryptography (sub-technique)
Mongall has the ability to RC4 encrypt C2 communications. [1]

Enterprise | T1218.011 | Rundll32 (sub-technique)
Mongall can use `rundll32.exe` for execution. [1]

Enterprise | T1005 | Data from Local System
Mongall has the ability to upload files from victims' machines. [1]

Enterprise | T1132.001 | Standard Encoding (sub-technique)
Mongall can use Base64 to encode information sent to its C2. [1]

Enterprise | T1105 | Ingress Tool Transfer
Mongall can download files to targeted systems. [1]

Enterprise | T1041 | Exfiltration Over C2 Channel
Mongall can upload files and information from a compromised host to its C2 server. [1]

Enterprise | T1055.001 | Dynamic-link Library Injection (sub-technique)
Mongall can inject a DLL into `rundll32.exe` for execution. [1]

Enterprise | T1082 | System Information Discovery
Mongall can retrieve the hostname via `gethostbyname`. [1]

Enterprise | T1027.002 | Software Packing (sub-technique)
Mongall has been packed with Themida. [1]

Enterprise | T1547.001 | Registry Run Keys / Startup Folder (sub-technique)
Mongall can establish persistence via the autostart function, including using the value `EverNoteTrayUService`. [1]

Associated objects

Groups, software, and campaigns

Group Enterprise

G1007: Aoqin Dragon

Aoqin Dragon is a suspected Chinese cyber espionage threat group that has been active since at least 2013. Aoqin Dragon has primarily targeted government, education, and telecommunication organizations in Australia, Cambodia, Hong Kong, Singapore, and Vietnam. Security researchers noted a potential association between Aoqin Dragon and UNC94, based on malware, infrastructure, and targets.[1]


Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the ATT&CK resources Updates page.

ATT&CK release: 19.1
Object version: 1.1
Created:
Modified:
Raw hash: d64e7df41bb5e208...
Imported snapshots across ATT&CK releases (1)
Release Bundle imported Object version Modified Status Raw hash
19.1 1.1 Current bundle d64e7df41bb5…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] SentinelOne Aoqin Dragon June 2022. Chen, Joey. (2022, June 9). Aoqin Dragon | Newly-Discovered Chinese-linked APT Has Been Quietly Spying On Organizations For 10 Years. Retrieved July 14, 2022.
  2. [2] mitre-attack S1026.

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.