Researchers from SentinelLabs have uncovered the activities of a Chinese-speaking threat actor named Aoqin Dragon.

The group’s malicious activity, dating back to 2013, focused on cyber espionage and targeted government, education, and telecommunications organizations based in Singapore, Hong Kong, Vietnam, Cambodia, and Australia.

Since 2012, the gang has used three different infection methods: the first one concerns Microsoft Office documents that exploit known vulnerabilities such as CVE-2012-0158 and CVE-2010-3333.

The second method of infection involves malicious executable files with fake anti-virus icons that trick users into launching them and activating a malware dropper on their devices.

Aoqin Dragon began the third method of infection in 2018. This is a removable disk shortcut file that, when clicked, executes a DLL hijacking and loads an encrypted backdoor payload.

SentinelLabs also identified two different backdoors (Mongall and a modified version of Heyoka) used by the gang. Both backdoors are DLLs that are injected into the memory, decrypted and executed.