DragonEgg

Malware Profile Updated 3 months ago
DragonEgg is Android surveillanceware attributed to APT41, a Chinese state-sponsored Advanced Persistent Threat (APT) group. It is spyware rather than destructive malware: the samples analysed were delivered as a trojanized Telegram app, so infection depends on the victim installing an application from outside the official app store. DragonEgg itself targets Android; through its ties to LightSpy (below) it belongs to a tooling set that covers both Android and iOS.

DragonEgg was publicly reported in July 2023 by the mobile security company Lookout, alongside a second Android surveillanceware family, WyrmSpy. Lookout attributed both to APT41, a group known for intrusions at more than 100 public- and private-sector organizations, and found that the two families share command-and-control (C2) infrastructure.

The APT41 link was reinforced by DNS research on the published DragonEgg indicators of compromise (IoCs): DNS queries and bulk WHOIS lookups showed that three of the four related domains were registered in China, where APT41 is based. Analysts should weigh this as corroboration rather than proof. A registrant country is trivially falsified or privacy-redacted, so the overlap in C2 infrastructure between the families is the stronger signal and the registration data only supports it.

ThreatFabric later identified similarities between DragonEgg and LightSpy, an iPhone surveillance implant discovered in 2020. Both use a trojanized Telegram app to deliver a second-stage payload that prompts installation of a "Core" module responsible for device-fingerprint collection, communication with the remote server, and self-updating. Given the matching configuration patterns, C2 communications, runtime structure and plugins, ThreatFabric concluded with high confidence that APT41 operates both DragonEgg and LightSpy. The researchers also suggested that WyrmSpy (also tracked as AndroidControl) shares infrastructure with LightSpy and may be its successor.

Taken together, DragonEgg is a significant threat in mobile cyber espionage, spanning Android directly and iOS through LightSpy, and is closely tied to state-sponsored operations by APT41.
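The infrastructure pivot described above (shared C2 hosts between two families, plus a registrant-country tally over the indicator domains) is easy to reproduce offline. The script below is an added example written for this page; it is not Lookout's, DomainTools' or ThreatFabric's tooling. Every domain, IP address and WHOIS record in it is constructed (.example names and RFC 5737 test addresses), and the two indicator sets are hypothetical; it shows the method, not the real IoCs. It also handles the case a real dataset will throw at you: a privacy-redacted WHOIS record that must not be counted as any country.

```python
import re
from collections import Counter, defaultdict

# Constructed passive-DNS observations (name, rrtype, rdata). Every name and
# address here is a placeholder (.example names, RFC 5737 test ranges); none
# is a real DragonEgg, WyrmSpy or LightSpy indicator.
PDNS = [
    ("upd-sync.example", "A", "203.0.113.10"),
    ("upd-sync.example", "A", "203.0.113.11"),         # same name, second IP over time
    ("cdn-telegram-dl.example", "A", "203.0.113.10"),
    ("core-mod.example", "A", "198.51.100.7"),
    ("core-mod.example", "NS", "ns1.hoster.example"),  # ignored: not an A record
    ("plugin-sync.example", "A", "198.51.100.8"),
    ("wyrm-ctl.example", "A", "203.0.113.11"),
    ("unrelated.example", "A", "192.0.2.50"),
]

# Hypothetical indicator sets for the two families (constructed, not real IoCs).
WYRMSPY_DOMAINS = {"wyrm-ctl.example", "upd-sync.example"}
DRAGONEGG_DOMAINS = {"cdn-telegram-dl.example", "core-mod.example",
                     "plugin-sync.example", "upd-sync.example"}

# Constructed WHOIS excerpts, not real registration records. One is
# privacy-redacted to show how that case is handled.
WHOIS = {
    "upd-sync.example": "Domain Name: upd-sync.example\nRegistrant Country: CN\nCreation Date: 2021-02-03T00:00:00Z\n",
    "cdn-telegram-dl.example": "Domain Name: cdn-telegram-dl.example\nRegistrant Country: cn\nCreation Date: 2021-05-19T00:00:00Z\n",
    "core-mod.example": "Domain Name: core-mod.example\nRegistrant Country: CN\n",
    "plugin-sync.example": "Domain Name: plugin-sync.example\nRegistrant Country: REDACTED FOR PRIVACY\n",
    "wyrm-ctl.example": "Domain Name: wyrm-ctl.example\nRegistrant Country: CN\nCreation Date: 2017-11-02T00:00:00Z\n",
}

_COUNTRY = re.compile(r"^Registrant Country:\s*(.*?)\s*$", re.I | re.M)
_CREATED = re.compile(r"^Creation Date:\s*(\S+)", re.I | re.M)


def parse_whois(text: str) -> dict:
    """Pull registrant country and creation date out of a WHOIS text blob.
    Anything that is not a two-letter code (absent or redacted) becomes UNKNOWN."""
    m = _COUNTRY.search(text)
    country = m.group(1).upper() if m else ""
    if not re.fullmatch(r"[A-Z]{2}", country):
        country = "UNKNOWN"
    c = _CREATED.search(text)
    return {"country": country, "created": c.group(1) if c else None}


def a_record_index(pdns) -> dict:
    """Invert passive DNS: IPv4 address -> set of names that resolved to it."""
    idx = defaultdict(set)
    for name, rrtype, rdata in pdns:
        if rrtype.upper() == "A":
            idx[rdata].add(name.lower())
    return idx


def shared_infrastructure(family_a, family_b, pdns) -> dict:
    """IPs contacted by at least one indicator of each family.
    A domain listed under both families counts for both sides."""
    shared = {}
    for ip, names in a_record_index(pdns).items():
        if names & family_a and names & family_b:
            shared[ip] = sorted(names)
    return shared


def registrant_country_tally(domains, whois) -> Counter:
    """How many of the given domains were registered in each country."""
    return Counter(parse_whois(whois.get(d, ""))["country"] for d in domains)


if __name__ == "__main__":
    for ip, names in shared_infrastructure(WYRMSPY_DOMAINS, DRAGONEGG_DOMAINS, PDNS).items():
        print(f"shared C2 host {ip}: {', '.join(names)}")
    print("DragonEgg registrant countries:",
          dict(registrant_country_tally(DRAGONEGG_DOMAINS, WHOIS)))
```

On the constructed data the two families meet on two hosts, and three of the four DragonEgg domains tally as CN while the redacted one lands in UNKNOWN rather than being guessed. With real data, swap the `PDNS` list for passive-DNS export rows and the `WHOIS` dict for raw lookup output; the parsing and overlap logic stay the same.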
Possible Aliases / Cluster overlaps
Cluster overlaps and naming conventions differ between vendors, so these are overlapping names and profiles that may also be relevant.

ID | Votes | Profile Description
Wyrmspy | 4 | WyrmSpy is a sophisticated malware attributed to the Chinese espionage group APT41, also known as Double Dragon, BARIUM, and Winnti. This harmful software, designed to exploit and damage computer systems or devices, infects systems through suspicious downloads, emails, or websites, often without use
APT41 | 4 | APT41, also known as Winnti, Wicked Panda, and Wicked Spider, is a sophisticated threat actor attributed to China. This group has been active since at least 2012, targeting organizations across 14 countries. The group is known for its extensive use of various code families and tools, with at least 4
Lightspy | 2 | LightSpy is a threat actor known for its malicious activities in the realm of cybersecurity. This entity, which could be an individual, a private organization, or a government body, has been identified as the force behind a series of cyber attacks targeting South Asia. The primary method of attack i
Androidcontrol | 1 | (no description)
Miscellaneous Associations
Other elements of context that could aid in identifying relevance:
Android, Telegram, Malware, State Sponso..., Payload, Threatfabric, Apt, Spyware, Espionage, Chinese, Ios
Associated Malware
No associations to display
Associated Threat Actors
ID | Type | Votes | Profile Description
Winnti | Unspecified | 2 | Winnti is a sophisticated threat actor group, first identified by Kaspersky in 2013, with activities dating back to at least 2007. The group has been associated with the Chinese nation-state and is part of a collective known as APT41, which also includes subgroups like Wicked Panda, Suckfly, and Bar
Barium | Unspecified | 2 | Barium, also known as BRONZE ATLAS and part of the APT41 collective, is a China-linked cyberespionage group that has been active since at least 2007. It is associated with several other subgroups, including Wicked Panda, Winnti, Suckfly, and Blackfly. This threat actor has been responsible for vario
Wymspy | Unspecified | 1 | (no description)
Associated Vulnerabilities
No associations to display
Source Document References
Information about the DragonEgg malware was read from the documents below (display limited to 20 results).

Source | Created | Title
CERT-EU | 5 months ago | Lookout | Webinar: Analyzing Scattered Spider and APT41 Attacks | Lookout Webinar
CERT-EU | 10 months ago | Cyber Security Week in Review: October 6, 2023
CERT-EU | 10 months ago | Similarities between DragonEgg Android spyware, LightSpy iOS surveillance tool examined
CERT-EU | 10 months ago | Chinese APT Actors Target WeChat Users
CERT-EU | 10 months ago | LightSpy iPhone Spyware Linked to Chinese APT41 Group
BankInfoSecurity | 10 months ago | Chinese APT Actors Target WeChat Users
CERT-EU | a year ago | Finding WyrmSpy and DragonEgg Ties to APT41 in the DNS
BankInfoSecurity | a year ago | Chinese Threat Group APT41 Linked To Android Malware Attacks
CERT-EU | a year ago | Why Should You Care About Chinese APTs and Nation State Attacks? | Lookout
CERT-EU | a year ago | Chinese APT41 Hackers Target Mobile Devices with New WyrmSpy and DragonEgg Spyware | IT Security News
CERT-EU | a year ago | In Other News: Military Emails Leaked, Google Restricts Internet Access, Chinese Spyware
CERT-EU | a year ago | Cyber Security Week In Review: July 21, 2023
CERT-EU | a year ago | Experts attribute WyrmSpy and DragonEgg spyware to the Chinese APT41 group | IT Security News
Securityaffairs | a year ago | Experts attribute WyrmSpy and DragonEgg spyware to the Chinese APT41 group
DARKReading | a year ago | China's APT41 Linked to WyrmSpy, DragonEgg Mobile Spyware
CERT-EU | a year ago | Chinese APT41 Linked to WyrmSpy and DragonEgg Surveillanceware