S1027: Heyoka Backdoor
Heyoka Backdoor is a custom backdoor--based on the Heyoka open source exfiltration tool--that has been used by Aoqin Dragon since at least 2013.[1][2]
Analyst context for executives and security teams
Heyoka Backdoor matters because ATT&CK records it as a Windows backdoor based on an open source exfiltration tool and used by Aoqin Dragon since at least 2013. For leaders, the practical issue is not the malware name alone; it is whether the organization can see Windows persistence, stealthy DLL/rundll32 execution, discovery activity, file cleanup, and DNS or tunneled command-and-control patterns that may otherwise blend into normal operations.
Executive priority
Prioritize this as a validation case for endpoint and network visibility rather than as a standalone signature problem. The related behaviors touch business continuity and incident response readiness: persistence through Run keys or startup folders, discovery of services/processes/files/storage/peripherals, obfuscated files, file deletion, and command-and-control over DNS or protocol tunneling. Executives should ask whether SOC teams can produce evidence for these behaviors on Windows systems, whether DNS logging is usable for investigations, and whether IR playbooks cover long-dwell backdoor scenarios associated in ATT&CK with an espionage group.
Technical view
ATT&CK provides no official detection guidance for S1027, so defenders should build coverage from the relationship set. Validate Windows telemetry for malicious-file execution, rundll32-mediated DLL execution, DLL injection indicators, Registry Run key/startup folder changes, service/task masquerading, process/service/file/directory/storage/peripheral discovery, deobfuscation or decoding activity, file deletion, and DNS/protocol-tunneled C2. Detection should combine endpoint process, registry, file, and module-load evidence with DNS/network analytics; any single indicator is likely to be noisy or incomplete.
Likely telemetry
- Windows endpoint process creation and command-line telemetry, especially rundll32.exe and discovery utilities
- DLL/module load telemetry and process injection-related endpoint events where available
- Registry auditing for Run keys and startup folder file creation or modification
- Service and scheduled task inventory/change events, including suspicious naming or masquerading
- File system events for dropped, encoded/encrypted, decoded, enumerated, or deleted files
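Pulling those telemetry sources together, the following is an added example (not code from the ATT&CK object, MITRE, or the cited SentinelOne report) that correlates normalised Windows endpoint events per host: a rundll32.exe launch whose DLL sits in a user-writable path, a Run-key value written within a short window that re-launches that DLL, and file deletions shortly afterwards. The event field names (`ts`, `host`, `type`, `cmdline`, `key`, `value`, `data`, `path`), the user-writable path list, the ten-minute window and the sample events are all assumptions constructed for the example; the `srvdll.dll` and `EverNoteTrayUService` names are the ones the procedure table on this page reports, used here only as sample data.

```python
"""Added example: correlate rundll32 execution, Run-key persistence and
file deletion per host. Not part of the ATT&CK object or SentinelOne's
report; field names, paths, window and events below are assumed/constructed."""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Matches 'rundll32[.exe] <path>.dll' and captures the DLL path (quoted or bare).
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+?\.dll)"?', re.IGNORECASE)
# Matches a Run / RunOnce key under any hive (Sysmon-style TargetObject path).
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(?:Once)?\\", re.IGNORECASE)
# Assumed set of locations an unprivileged dropper can write a DLL into.
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")

# Constructed sample feed: WS01 carries the suspicious chain, WS02 is benign admin use.
SAMPLE_EVENTS = [
    {"ts": "2024-05-01T10:00:03Z", "host": "WS01", "type": "ProcessCreate",
     "image": "winword.exe", "cmdline": 'WINWORD.EXE "C:\\Users\\alice\\Downloads\\invoice.doc"'},
    {"ts": "2024-05-01T10:00:05Z", "host": "WS01", "type": "ProcessCreate",
     "image": "rundll32.exe", "cmdline": "rundll32.exe C:\\ProgramData\\srvdll.dll,#1"},
    {"ts": "2024-05-01T10:00:07Z", "host": "WS01", "type": "RegistryValueSet",
     "key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\EverNoteTrayUService",
     "value": "EverNoteTrayUService", "data": "rundll32.exe C:\\ProgramData\\srvdll.dll,#1"},
    {"ts": "2024-05-01T10:00:09Z", "host": "WS01", "type": "FileDelete",
     "path": "C:\\Users\\alice\\AppData\\Local\\Temp\\~tmp1.bin"},
    {"ts": "2024-05-01T11:15:00Z", "host": "WS02", "type": "ProcessCreate",
     "image": "rundll32.exe",
     "cmdline": "rundll32.exe C:\\Windows\\System32\\shell32.dll,Control_RunDLL"},
]


def parse_ts(value):
    """ISO-8601 timestamp with a trailing Z to an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def correlate(events, window=timedelta(minutes=10)):
    """Return one alert per rundll32 launch that has corroborating evidence.

    A launch is reported only if the DLL lives in a user-writable path or a Run
    key written within `window` points back at it; file deletions are attached
    as supporting context only once one of those primary reasons exists, so
    routine temp-file cleanup on its own never raises an alert.
    """
    by_host = defaultdict(list)
    for ev in events:
        by_host[ev["host"]].append(ev)

    alerts = []
    for host, evs in by_host.items():
        run_keys = [e for e in evs if e["type"] == "RegistryValueSet" and RUN_KEY_RE.search(e["key"])]
        deletes = [e for e in evs if e["type"] == "FileDelete"]
        for proc in evs:
            if proc["type"] != "ProcessCreate":
                continue
            match = RUNDLL_RE.search(proc.get("cmdline", ""))
            if not match:
                continue
            dll = match.group("dll").lower()
            t0 = parse_ts(proc["ts"])
            reasons = []
            in_user_path = dll.startswith(USER_WRITABLE)
            if in_user_path:
                reasons.append(f"DLL loaded from user-writable path: {dll}")
            persistence = False
            for rk in run_keys:
                if abs(parse_ts(rk["ts"]) - t0) <= window and dll in rk["data"].lower():
                    persistence = True
                    reasons.append(f"Run key value {rk['value']!r} re-launches {dll}")
            if not reasons:
                continue  # benign: system DLL, no persistence tied to it
            for d in deletes:
                if timedelta(0) <= parse_ts(d["ts"]) - t0 <= window:
                    reasons.append(f"file deleted shortly after: {d['path']}")
            severity = "high" if (persistence and in_user_path) else "medium"
            alerts.append({"host": host, "ts": proc["ts"], "dll": dll,
                           "severity": severity, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert["severity"].upper(), alert["host"], alert["dll"])
        for reason in alert["reasons"]:
            print("   -", reason)
```

The point of the structure is that rundll32 on its own is too common to alert on; the benign WS02 launch of a System32 DLL produces nothing, while the WS01 launch is promoted to high only when the DLL path and the Run-key write agree. Tune `USER_WRITABLE` and the window to the estate before treating the medium tier as actionable.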
Detection direction
- Because ATT&CK lists no official detection, start with behavior-based hypotheses mapped to the related techniques rather than relying only on malware signatures.
- Tune rundll32 and DLL-loading analytics against known-good administrative and software-update activity to reduce false positives.
- Correlate persistence changes with nearby process execution, encoded or decoded file activity, and outbound DNS/network behavior.
- Baseline normal DNS volume, query structure, destinations, and resolver paths so DNS command-and-control or tunneling anomalies are investigable.
- Review blind spots in endpoint logging for process injection, module loads, registry changes, and file deletion; absence of these logs can make this behavior difficult to confirm after the fact.
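For the DNS side, the following is an added example (not code from the ATT&CK object, MITRE, or the cited SentinelOne report) that profiles resolver query logs per registered domain for the traits a baseline would surface: many distinct names under one domain, long high-entropy leftmost labels, and a high share of record types that can carry bulk data. Scoring is keyed on the queried domain rather than the client address because the procedure table on this page says the tunnel uses spoofed DNS requests, so the source address in resolver logs is low-confidence and should be corroborated with endpoint telemetry. The log format, the thresholds, the "bulk" record-type set, the two-label approximation of a registered domain and the log lines are all assumptions constructed for the example.

```python
"""Added example: score DNS resolver logs per registered domain for
tunnelling traits. Not part of the ATT&CK object or SentinelOne's report;
log format, thresholds and sample lines are assumed/constructed."""
import math
from collections import Counter, defaultdict

# Assumed: record types commonly used to carry tunnel payloads in responses.
BULK_QTYPES = {"TXT", "NULL", "CNAME"}

# Constructed sample log, assumed format: "<timestamp> <client> <qtype> <qname>".
SAMPLE_LOG = """\
2024-05-01T10:00:01Z 10.0.0.5 A www.example.com
2024-05-01T10:00:02Z 10.0.0.5 A cdn.example.com
2024-05-01T10:00:03Z 10.0.0.5 AAAA mail.example.com
2024-05-01T10:00:04Z 10.0.0.5 A login.microsoftonline.com
2024-05-01T10:00:05Z 10.0.0.5 A 7a1f0c9e3b2d4e5f6a7b8c9d0e1f2a3b.ns1.update-cdn.net
2024-05-01T10:00:06Z 10.0.0.5 TXT c3d4e5f6a7b8091a2b3c4d5e6f708192.ns1.update-cdn.net
2024-05-01T10:00:07Z 10.0.0.5 TXT 91a2b3c4d5e6f7081920a1b2c3d4e5f6.ns1.update-cdn.net
2024-05-01T10:00:08Z 10.0.0.5 A 5e6f708192a3b4c5d6e7f80910a1b2c3.ns1.update-cdn.net
2024-05-01T10:00:09Z 10.0.0.5 TXT b2c3d4e5f6a7b8c9d0e1f20a1b2c3d4e.ns1.update-cdn.net
2024-05-01T10:00:10Z 10.0.0.5 A 0e1f2a3b4c5d6e7f8091a2b3c4d5e6f7.ns1.update-cdn.net
"""


def shannon_entropy(label):
    """Bits of entropy per character of a single DNS label (0.0 for empty/uniform)."""
    if not label:
        return 0.0
    n = len(label)
    return -sum((c / n) * math.log2(c / n) for c in Counter(label).values())


def registered_domain(qname, levels=2):
    """Last `levels` labels. Simplification: a real deployment should use the
    Public Suffix List so names under co.uk and similar suffixes group correctly."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-levels:])


def parse_line(line):
    ts, client, qtype, qname = line.split()
    return {"ts": ts, "client": client, "qtype": qtype.upper(), "qname": qname.lower()}


def profile_domains(lines):
    """Aggregate per-domain features: query count, distinct names, leftmost-label
    length and entropy, and the count of bulk-capable record types."""
    stats = defaultdict(lambda: {"queries": 0, "names": set(), "label_len": [], "entropy": [], "bulk": 0})
    for line in lines:
        if not line.strip():
            continue
        rec = parse_line(line)
        s = stats[registered_domain(rec["qname"])]
        leftmost = rec["qname"].split(".")[0]
        s["queries"] += 1
        s["names"].add(rec["qname"])
        s["label_len"].append(len(leftmost))
        s["entropy"].append(shannon_entropy(leftmost))
        s["bulk"] += rec["qtype"] in BULK_QTYPES
    return stats


def tunnel_candidates(lines, min_names=5, min_label_len=20, min_entropy=3.0, min_bulk_ratio=0.5):
    """Return domains that satisfy at least three of the four tunnelling traits.
    Thresholds are assumed starting points; derive real ones from the baseline."""
    flagged = {}
    for domain, s in profile_domains(lines).items():
        mean_len = sum(s["label_len"]) / len(s["label_len"])
        mean_ent = sum(s["entropy"]) / len(s["entropy"])
        bulk_ratio = s["bulk"] / s["queries"]
        traits = {
            "many_distinct_names": len(s["names"]) >= min_names,
            "long_labels": mean_len >= min_label_len,
            "high_entropy_labels": mean_ent >= min_entropy,
            "bulk_record_types": bulk_ratio >= min_bulk_ratio,
        }
        if sum(traits.values()) >= 3:
            flagged[domain] = {"queries": s["queries"], "distinct_names": len(s["names"]),
                               "mean_label_len": round(mean_len, 1),
                               "mean_entropy": round(mean_ent, 2),
                               "bulk_ratio": round(bulk_ratio, 2), "traits": traits}
    return flagged


if __name__ == "__main__":
    for domain, info in tunnel_candidates(SAMPLE_LOG.splitlines()).items():
        print(domain, info)
```

Legitimate CDNs and some security products also generate long, high-entropy labels, which is why the example requires three traits to coincide rather than any one; the distinct-name count and bulk-record ratio are the features that most separate a tunnel from content-hash subdomains. Run the profile over a baseline window first and set the thresholds from what normal looks like in your resolver logs.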
Mitigation priorities
- Harden Windows execution paths with application control or equivalent policy where feasible, especially for scriptable/proxy execution patterns such as rundll32 abuse.
- Restrict and monitor persistence locations such as Registry Run keys and startup folders, with change control for legitimate software.
- Improve DNS governance: centralize resolution, log queries, and monitor for anomalous DNS or tunneling-like behavior.
- Ensure endpoint controls collect sufficient process, registry, file, and module-load evidence for IR reconstruction.
- Train users and reinforce attachment/file-opening controls because related behavior includes execution through a malicious file.
Analyst notes and limits
The object is the enterprise ATT&CK malware entry for Heyoka Backdoor, with Windows as its only listed platform. ATT&CK links it to Aoqin Dragon and to techniques spanning execution, persistence, privilege escalation, defense evasion, discovery, and command-and-control. The most decision-useful takeaway is to test whether existing SOC telemetry can connect endpoint persistence and stealth behaviors with DNS or tunneled network communication.
The supplied ATT&CK object has no official detection text, no malware aliases, and no object-level tactics specified. Some related techniques list non-Windows platforms, but the malware platform supplied here is Windows; local validation should therefore focus on Windows unless separate evidence supports other platforms. This summary does not establish current activity, local exposure, or attribution for any incident.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1055.001 | Process Injection: Dynamic-link Library Injection | Heyoka Backdoor can inject a DLL into rundll32.exe for execution.[1] |
| Enterprise | T1070.004 | Indicator Removal: File Deletion | Heyoka Backdoor has the ability to delete folders and files from a targeted system.[1] |
| Enterprise | T1572 | Protocol Tunneling | Heyoka Backdoor can use spoofed DNS requests to create a bidirectional tunnel between a compromised host and its C2 servers.[1] |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | Heyoka Backdoor can decrypt its payload prior to execution.[1] |
| Enterprise | T1071.004 | Application Layer Protocol: DNS | Heyoka Backdoor can use DNS tunneling for C2 communications.[1] |
| Enterprise | T1680 | Local Storage Discovery | Heyoka Backdoor can enumerate drives on a compromised host.[1] |
| Enterprise | T1007 | System Service Discovery | Heyoka Backdoor can check if it is running as a service on a compromised host.[1] |
| Enterprise | T1057 | Process Discovery | Heyoka Backdoor can gather process information.[1] |
| Enterprise | T1218.011 | System Binary Proxy Execution: Rundll32 | Heyoka Backdoor can use rundll32.exe to gain execution.[1] |
| Enterprise | T1083 | File and Directory Discovery | Heyoka Backdoor has the ability to search the compromised host for files.[1] |
| Enterprise | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | Heyoka Backdoor can establish persistence with the auto start function, including using the value `EverNoteTrayUService`.[1] |
| Enterprise | T1027.013 | Obfuscated Files or Information: Encrypted/Encoded File | Heyoka Backdoor can encrypt its payload.[1] |
| Enterprise | T1120 | Peripheral Device Discovery | Heyoka Backdoor can identify removable media attached to victims' machines.[1] |
| Enterprise | T1036.004 | Masquerading: Masquerade Task or Service | Heyoka Backdoor has been named `srvdll.dll` to appear as a legitimate service.[1] |
| Enterprise | T1204.002 | User Execution: Malicious File | Heyoka Backdoor has been spread through malicious document lures.[1] |
Groups, software, and campaigns
G1007: Aoqin Dragon
Aoqin Dragon is a suspected Chinese cyber espionage threat group that has been active since at least 2013. Aoqin Dragon has primarily targeted government, education, and telecommunication organizations in Australia, Cambodia, Hong Kong, Singapore, and Vietnam. Security researchers noted a potential association between Aoqin Dragon and UNC94, based on malware, infrastructure, and targets.[1]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.1 | | Current bundle | 0858597c49ca… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] SentinelOne Aoqin Dragon June 2022: Chen, Joey. (2022, June 9). Aoqin Dragon | Newly-Discovered Chinese-linked APT Has Been Quietly Spying On Organizations For 10 Years. SentinelOne. Retrieved July 14, 2022.
[2] Sourceforge Heyoka 2022: Sourceforge. (n.d.). Heyoka POC Exfiltration Tool. Retrieved October 11, 2022.
[3] mitre-attack S1027: MITRE ATT&CK. S1027: Heyoka Backdoor.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.