DragonEgg

Malware updated 7 months ago (2024-05-04T21:18:11.703Z)
DragonEgg is malware associated with APT41, the notorious Chinese Advanced Persistent Threat (APT) group. It is delivered through suspicious downloads, emails, or websites and has been linked to surveillance activity targeting both Android and iOS users. It works in conjunction with another spyware family, WyrmSpy, and the two have been used to compromise over 100 public and private sector organizations.

Both DragonEgg and WyrmSpy were discovered in July 2023 by the cybersecurity company Lookout, which also found that the two tools share the same command-and-control (C2) infrastructure. The attribution to APT41 was further supported by DNS searches and bulk WHOIS lookups on the DragonEgg indicators of compromise (IoCs): three of the four related domains were registered in China, where APT41 is based.

The cybersecurity firm ThreatFabric identified similarities between DragonEgg and LightSpy, an iPhone surveillance tool discovered in 2020. Both families use a trojanized Telegram app to deploy a second-stage payload that prompts installation of a "Core" module capable of collecting a device fingerprint, communicating with a remote server, and updating itself. Given the similar configuration patterns, C2 server communications, runtime structure and plugins, ThreatFabric researchers concluded with high confidence that APT41 operates both DragonEgg and LightSpy. They also suggested that WyrmSpy, also known as AndroidControl, shares infrastructure with LightSpy and could be its successor.

DragonEgg therefore represents a significant threat in the landscape of cyber espionage, particularly against mobile devices, and is closely tied to state-sponsored threat operations such as APT41.
Description last updated: 2024-05-04T20:41:58.106Z
Possible Aliases / Cluster overlaps
It is hard to track cluster overlaps and naming conventions between vendors, so here are some possibly overlapping names / profiles you may also want to look at.
Alias: APT41 (4 votes)
APT41 is a possible alias for DragonEgg. APT41, also known as Winnti, is a threat actor suspected to be originating from China, with its activities dating back to as early as 2012. It has targeted organizations in at least 14 countries and has been associated with the use of at least 46 different code families and tools. The group's activi

Alias: WyrmSpy (4 votes)
WyrmSpy is a possible alias for DragonEgg. WyrmSpy is a sophisticated malware attributed to the Chinese espionage group APT41, also known as Double Dragon, BARIUM, and Winnti. This harmful software, designed to exploit and damage computer systems or devices, infects systems through suspicious downloads, emails, or websites, often without use

Alias: LightSpy (2 votes)
LightSpy is a possible alias for DragonEgg. LightSpy is a threat actor known for its sophisticated and malicious activities. It first gained attention in 2022 when it began deploying its namesake spyware, LightSpy, which has since evolved to possess extensive spying capabilities. The group has strategically enhanced its capabilities over time
Miscellaneous Associations
Other elements of context that could aid in identifying relevance: Android, Telegram, State Sponso..., Payload, ThreatFabric, Spyware, APT, Espionage, Malware
Associated Threat Actors
Threat actor: Winnti (association type: Unspecified; 2 votes)
The Winnti threat actor is associated with DragonEgg. Winnti is a threat actor group known for its malicious activities, primarily originating from Chinese Advanced Persistent Threat (APT) operational infrastructure. The group, which has been active since at least 2007, was first spotted by Kaspersky in 2013. It is associated with several aliases such

Threat actor: Barium (association type: Unspecified; 2 votes)
The Barium threat actor is associated with DragonEgg. Barium, also known as BRONZE ATLAS or APT41, is a threat actor that has been associated with various malicious activities. Originating from China and active since at least 2007, this group has been implicated in cyberespionage efforts targeting multiple sectors across the globe. In 2017, according t
Source Document References
Information about the DragonEgg malware was read from the documents corpus below.