📃Title: Aoqin Dragon | Newly-Discovered Chinese-linked APT Has Been Quietly Spying On Organizations For 10 Years
📅Date: 2022-06-09
🔗References:
🔖Rectifyq Taxonomies:
- relevancy: 🔴 Highly Relevant
- category: ⚔Threat
- sub-category: TA-profile
- target: targeted
- MY-relevancy: relevant
🔖MISP Galaxies:
- producer SentinelOne
- threat-actor Aoqin-Dragon
- malpedia="heyoka"
- malpedia="mongall"
- mitre-attack-pattern=['T1560', 'T1547', 'T1071.004', 'T1132', 'T1055.001', 'T1211', 'T1571', 'T1027', 'T1566', 'T1055', 'T1091', 'T1082', 'T1033', 'T1569', 'T1204', 'T1071.001']
MISP event uuid: bcc25902-9ad5-46bb-b91d-6bf7b5473669
Indicators of Compromise (IoCs)
type,value,comment
sha1, 16a59d124acc977559b3126f9ec93084ca9b76c7, 'Mongall; no sample in VT, last check: 09/05/2025'
sha1, d36c3d857d23c89bbdfefd6c395516a68ffa6b82, 'Mongall; no sample in VT, last check: 09/05/2025'
sha1, 155db617c6cf661507c24df2d248645427de492c, 'Modified Heyoka; no sample in VT, last check: 09/05/2025'
sha1, 683a3e0d464c7dcbe5f959f8fd82d738f4039b38, 'DLL-test; no sample in VT, last check: 09/05/2025'
sha1, cd59c14d46daaf874dc720be140129d94ee68e39, 'Upan component; no sample in VT, last check: 09/05/2025'
ip-dst, 10.100.0.34, 'Mongall C2 Server (RFC 1918 private address; not routable on the Internet, only useful for matching inside an affected network)'
ip-dst, 10.100.27.4, 'Mongall C2 Server (RFC 1918 private address; not routable on the Internet, only useful for matching inside an affected network)'
ip-dst, 172.111.192.233, 'Mongall C2 Server'
ip-dst, 59.188.234.233, 'Mongall C2 Server'
ip-dst, 64.27.4.157, 'Mongall C2 Server'
ip-dst, 64.27.4.19, 'Mongall C2 Server'
ip-dst, 67.210.114.99, 'Mongall C2 Server'
hostname, back.satunusa.org, 'Mongall C2 Server'
hostname, baomoi.vnptnet.info, 'Mongall C2 Server'
hostname, bbw.fushing.org, 'Mongall C2 Server'
hostname, bca.zdungk.com, 'Mongall C2 Server'
hostname, bkav.manlish.net, 'Mongall C2 Server'
hostname, bkav.welikejack.com, 'Mongall C2 Server'
hostname, bkavonline.vnptnet.info, 'Mongall C2 Server'
domain, bush2015.net, 'Mongall C2 Server'
hostname, cl.weststations.com, 'Mongall C2 Server'
domain, cloundvietnam.com, 'Mongall C2 Server'
hostname, dns.lioncity.top, 'Mongall C2 Server'
hostname, dns.satunusa.org, 'Mongall C2 Server'
hostname, dns.zdungk.com, 'Mongall C2 Server'
hostname, ds.vdcvn.com, 'Mongall C2 Server'
hostname, ds.xrayccc.top, 'Mongall C2 Server'
domain, facebookmap.top, 'Mongall C2 Server'
hostname, fbcl2.adsoft.name, 'Mongall C2 Server'
hostname, fbcl2.softad.net, 'Mongall C2 Server'
hostname, flower2.yyppmm.com, 'Mongall C2 Server'
hostname, game.vietnamflash.com, 'Mongall C2 Server'
hostname, hello.bluesky1234.com, 'Mongall C2 Server'
hostname, ipad.vnptnet.info, 'Mongall C2 Server'
hostname, ks.manlish.net, 'Mongall C2 Server'
hostname, lepad.fushing.org, 'Mongall C2 Server'
hostname, lllyyy.adsoft.name, 'Mongall C2 Server'
hostname, lucky.manlish.net, 'Mongall C2 Server'
hostname, ma550.adsoft.name, 'Mongall C2 Server'
hostname, ma550.softad.net, 'Mongall C2 Server'
hostname, mail.comnnet.net, 'Mongall C2 Server'
hostname, mail.tiger1234.com, 'Mongall C2 Server'
hostname, mail.vdcvn.com, 'Mongall C2 Server'
hostname, mass.longvn.net, 'Mongall C2 Server'
hostname, mcafee.bluesky1234.com, 'Mongall C2 Server'
hostname, media.vietnamflash.com, 'Mongall C2 Server'
hostname, mil.dungk.com, 'Mongall C2 Server'
hostname, mil.zdungk.com, 'Mongall C2 Server'
hostname, mmchj2.telorg.net, 'Mongall C2 Server'
hostname, mmslsh.tiger1234.com, 'Mongall C2 Server'
hostname, mobile.vdcvn.com, 'Mongall C2 Server'
hostname, moit.longvn.net, 'Mongall C2 Server'
hostname, movie.vdcvn.com, 'Mongall C2 Server'
hostname, news.philstar2.com, 'Mongall C2 Server'
hostname, news.welikejack.com, 'Mongall C2 Server'
hostname, npt.vnptnet.info, 'Mongall C2 Server'
hostname, ns.fushing.org, 'Mongall C2 Server'
hostname, nycl.neverdropd.com, 'Mongall C2 Server'
hostname, phcl.followag.org, 'Mongall C2 Server'
hostname, phcl.neverdropd.com, 'Mongall C2 Server'
hostname, pna.adsoft.name, 'Mongall C2 Server'
hostname, pnavy3.neverdropd.com, 'Mongall C2 Server'
hostname, sky.bush2015.net, 'Mongall C2 Server'
hostname, sky.vietnamflash.com, 'Mongall C2 Server'
hostname, tcv.tiger1234.com, 'Mongall C2 Server'
hostname, telecom.longvn.net, 'Mongall C2 Server'
hostname, telecom.manlish.net, 'Mongall C2 Server'
hostname, th-y3.adsoft.name, 'Mongall C2 Server'
hostname, th550.adsoft.name, 'Mongall C2 Server'
hostname, th550.softad.net, 'Mongall C2 Server'
hostname, three.welikejack.com, 'Mongall C2 Server'
hostname, thy3.softad.net, 'Mongall C2 Server'
domain, vdcvn.com, 'Mongall C2 Server'
hostname, video.philstar2.com, 'Mongall C2 Server'
hostname, viet.vnptnet.info, 'Mongall C2 Server'
hostname, viet.zdungk.com, 'Mongall C2 Server'
hostname, vietnam.vnptnet.info, 'Mongall C2 Server'
domain, vietnamflash.com, 'Mongall C2 Server'
hostname, vnet.fushing.org, 'Mongall C2 Server'
hostname, vnn.bush2015.net, 'Mongall C2 Server'
hostname, vnn.phung123.com, 'Mongall C2 Server'
hostname, webmail.philstar2.com, 'Mongall C2 Server'
hostname, www.bush2015.net, 'Mongall C2 Server'
hostname, yok.fushing.org, 'Mongall C2 Server'
hostname, yote.dellyou.com, 'Mongall C2 Server'
hostname, zing.vietnamflash.com, 'Mongall C2 Server'
hostname, zingme.dungk.com, 'Mongall C2 Server'
hostname, zingme.longvn.net, 'Mongall C2 Server'
hostname, zw.dinhk.net, 'Mongall C2 Server'
hostname, zw.phung123.com, 'Mongall C2 Server'
ip-dst, 45.77.11.148, 'Modified Heyoka C2 Server'
hostname, cvb.hotcup.pw, 'Modified Heyoka C2 Server'
hostname, dns.foodforthought1.com, 'Modified Heyoka C2 Server'
hostname, test.facebookmap.top, 'Modified Heyoka C2 Server'
Full IOCs available in Rectifyq's MISP
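The table above mixes four indicator types that need different matching rules: sha1 values match case-insensitively, ip-dst values match exactly (and two of them are RFC 1918 addresses that cannot be blocked at a perimeter), hostname entries match a fully qualified name exactly, and domain entries cover the apex and every subdomain but only on a label boundary. The following is an added example, not code from SentinelOne, Rectifyq or the MISP project: it parses a subset of the CSV rows copied from the table above and runs them over a few constructed log lines in an assumed `timestamp source kind value` format (the log format, the sample lines and the helper names are assumptions for illustration).

```python
import csv
import io
import ipaddress
from dataclasses import dataclass

# Subset of the IoC rows from the table above, in the page's own CSV layout
# (type,value,comment with single-quoted comments and a space after each comma).
IOC_CSV = """type,value,comment
sha1, 16a59d124acc977559b3126f9ec93084ca9b76c7, 'Mongall'
ip-dst, 10.100.0.34, 'Mongall C2 Server'
ip-dst, 45.77.11.148, 'Modified Heyoka C2 Server'
hostname, mail.vdcvn.com, 'Mongall C2 Server'
hostname, test.facebookmap.top, 'Modified Heyoka C2 Server'
domain, facebookmap.top, 'Mongall C2 Server'
domain, vietnamflash.com, 'Mongall C2 Server'
"""

# Constructed log lines (assumed format: timestamp source_ip kind value).
SAMPLE_LOG = [
    "2025-05-09T10:00:01Z 192.0.2.10 dns mail.vdcvn.com",
    "2025-05-09T10:00:02Z 192.0.2.10 dns update.vietnamflash.com",
    "2025-05-09T10:00:03Z 192.0.2.11 dns test.facebookmap.top",
    "2025-05-09T10:00:04Z 192.0.2.11 dns notvietnamflash.com",
    "2025-05-09T10:00:05Z 192.0.2.12 conn 45.77.11.148",
    "2025-05-09T10:00:06Z 192.0.2.13 conn 10.100.0.34",
    "2025-05-09T10:00:07Z 192.0.2.14 file 16A59D124ACC977559B3126F9EC93084CA9B76C7",
    "2025-05-09T10:00:08Z 192.0.2.15 dns www.example.com",
]


@dataclass(frozen=True)
class Hit:
    line: str
    ioc_type: str
    indicator: str
    comment: str
    note: str = ""


def parse_iocs(text):
    """Parse the page's CSV layout into {type: {value: comment}} with values lowercased."""
    reader = csv.DictReader(io.StringIO(text), quotechar="'", skipinitialspace=True)
    iocs = {"sha1": {}, "ip-dst": {}, "hostname": {}, "domain": {}}
    for row in reader:
        ioc_type = row["type"].strip()
        value = row["value"].strip().lower()
        iocs.setdefault(ioc_type, {})[value] = row["comment"].strip()
    return iocs


def match_domain(name, iocs):
    """Exact hostname match first; otherwise a domain-type IoC covers the apex
    and any subdomain, checked on label boundaries so 'notvietnamflash.com'
    does not match 'vietnamflash.com'."""
    name = name.lower().rstrip(".")
    if name in iocs["hostname"]:
        return ("hostname", name, iocs["hostname"][name])
    labels = name.split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in iocs["domain"]:
            return ("domain", candidate, iocs["domain"][candidate])
    return None


def match_ip(ip, iocs):
    """Exact ip-dst match; private-range hits are kept but annotated, since they
    can only be observed inside an affected network and cannot be blocked at the edge."""
    if ip not in iocs["ip-dst"]:
        return None
    note = ""
    if ipaddress.ip_address(ip).is_private:
        note = "RFC 1918 address: match only on internal telemetry, do not add to perimeter blocklists"
    return ("ip-dst", ip, iocs["ip-dst"][ip], note)


def scan_log(lines, iocs):
    """Run every log line against the indicator sets and return the hits in order."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) != 4:
            continue  # skip lines that do not fit the assumed format
        _ts, _src, kind, value = parts
        value = value.lower()
        if kind == "dns":
            m = match_domain(value, iocs)
        elif kind == "conn":
            m = match_ip(value, iocs)
        elif kind == "file":
            m = ("sha1", value, iocs["sha1"][value]) if value in iocs["sha1"] else None
        else:
            m = None
        if m:
            hits.append(Hit(line, *m))
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG, parse_iocs(IOC_CSV)):
        print(f"{hit.ioc_type:8} {hit.indicator:45} {hit.comment} {hit.note}")
```

Note that `test.facebookmap.top` resolves to its exact hostname entry (Modified Heyoka) rather than to the broader `facebookmap.top` domain entry (Mongall), which matters when the two point at different tooling; and the query for `notvietnamflash.com` produces no hit because the suffix check only walks label boundaries.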