DragonEgg

Malware Profile Updated 13 days ago
DragonEgg is malware associated with the notorious Chinese Advanced Persistent Threat (APT) group APT41. It was built to exploit and damage computer systems, typically arriving through suspicious downloads, emails, or websites, and has been linked to surveillance of both Android and iOS users. It operates alongside another spyware family, WyrmSpy, and together the two were used to compromise more than 100 public and private sector organizations.

Both DragonEgg and WyrmSpy were discovered in July 2023 by the cybersecurity company Lookout, which also found that the two tools share the same command-and-control (C2) infrastructure. The link to APT41 was strengthened by DNS searches and bulk WHOIS lookups against the DragonEgg indicators of compromise (IoCs): three of the four related domains were registered in China, where APT41 is based.

Separately, the cybersecurity firm ThreatFabric identified similarities between DragonEgg and LightSpy, an iPhone surveillance tool discovered in 2020. Both use a trojanized Telegram app to deliver a second-stage payload that prompts installation of a "Core" module capable of collecting device fingerprints, communicating with a remote server, and updating itself. Given the matching configuration patterns, C2 server communications, runtime structure, and plugins, ThreatFabric researchers concluded with high confidence that APT41 is responsible for both DragonEgg and LightSpy. They also suggested that WyrmSpy, also known as AndroidControl, shares infrastructure with LightSpy and could be its successor.

DragonEgg therefore represents a significant threat in the cyber espionage landscape, particularly for mobile devices, and is closely tied to state-sponsored operations such as those of APT41.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
ID | Votes | Profile Description
APT41 | 4 | APT41, also known as Winnti, Wicked Panda, Barium, Suckfly, Earth Freybug, and Daggerfly, is a sophisticated threat actor attributed to China that has been active since at least 2012. The group targets organizations across various sectors including public administration, professional services, scien
Wyrmspy | 4 | WyrmSpy is a sophisticated malware attributed to the Chinese espionage group APT41, also known as Double Dragon, BARIUM, and Winnti. This harmful software, designed to exploit and damage computer systems or devices, infects systems through suspicious downloads, emails, or websites, often without use
Lightspy | 2 | LightSpy is a threat actor known for its malicious activities, specifically targeting iOS devices with spyware. Initially documented in 2020 by Trend Micro and Kaspersky, LightSpy refers to an advanced iOS backdoor distributed via watering hole attacks through compromised news sites, particularly th
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Android
Telegram
State Sponso...
Payload
Threatfabric
Spyware
Apt
Espionage
Malware
Associated Malware
ID | Type | Votes | Profile Description
No associations to display
Associated Threat Actors
ID | Type | Votes | Profile Description
Winnti | Unspecified | 2 | Winnti is a threat actor group that has been active since at least 2007, primarily linked to China. It is also known as APT41, Axiom, Barium, Blackfly, and HOODOO. The group has been implicated in several high-profile cyberespionage campaigns targeting various sectors, including DAX companies such a
Barium | Unspecified | 2 | Barium, also known as BRONZE ATLAS, APT41, TA415, and part of the Winnti Group, is a China-linked cyberespionage threat actor that has been active since at least 2007. Notable for its deployment of sophisticated malware such as ShadowPad and KEYPLUG, Barium has been implicated in numerous cyber atta
Associated Vulnerabilities
ID | Type | Votes | Profile Description
No associations to display
Source Document References
Information about the DragonEgg malware was read from the document corpus below. This display is limited to 20 results.
Source | Created At | Title
CERT-EU | 8 months ago | Finding WyrmSpy and DragonEgg Ties to APT41 in the DNS
BankInfoSecurity | 10 months ago | Chinese Threat Group APT41 Linked To Android Malware Attacks
Securityaffairs | 10 months ago | Experts attribute WyrmSpy and DragonEgg spyware to the Chinese APT41 group
DARKReading | 10 months ago | China's APT41 Linked to WyrmSpy, DragonEgg Mobile Spyware
CERT-EU | 10 months ago | Chinese APT41 Linked to WyrmSpy and DragonEgg Surveillanceware
CERT-EU | 10 months ago | Experts attribute WyrmSpy and DragonEgg spyware to the Chinese APT41 group | IT Security News
CERT-EU | 7 months ago | Similarities between DragonEgg Android spyware, LightSpy iOS surveillance tool examined
CERT-EU | 10 months ago | Cyber Security Week In Review: July 21, 2023
CERT-EU | 7 months ago | LightSpy iPhone Spyware Linked to Chinese APT41 Group
CERT-EU | 10 months ago | Why Should You Care About Chinese APTs and Nation State Attacks? | Lookout
CERT-EU | 3 months ago | Lookout | Webinar: Analyzing Scattered Spider and APT41 Attacks | Lookout Webinar
CERT-EU | 10 months ago | In Other News: Military Emails Leaked, Google Restricts Internet Access, Chinese Spyware
BankInfoSecurity | 7 months ago | Chinese APT Actors Target WeChat Users
CERT-EU | 7 months ago | Chinese APT Actors Target WeChat Users
CERT-EU | 7 months ago | Cyber Security Week in Review: October 6, 2023
CERT-EU | 10 months ago | Chinese APT41 Hackers Target Mobile Devices with New WyrmSpy and DragonEgg Spyware | IT Security News