DragonEgg

Malware updated 4 months ago (2024-05-04T21:18:11.703Z)
DragonEgg is malware associated with the Chinese Advanced Persistent Threat (APT) group APT41. It was developed to exploit and damage computer systems and typically infiltrates them through suspicious downloads, emails, or websites. The malware has been linked to surveillance activities targeting both Android and iOS users. It works in conjunction with another spyware, WyrmSpy, to compromise over 100 public and private sector organizations. Both DragonEgg and WyrmSpy were discovered in July 2023 by the cybersecurity company Lookout, which also found that the two tools share the same command-and-control (C2) infrastructure. The connection between DragonEgg and APT41 was further established through DNS searches and bulk WHOIS lookups for the DragonEgg indicators of compromise (IoCs): three of the four related domains were registered in China, where APT41 is based. Furthermore, the cybersecurity firm ThreatFabric identified similarities between DragonEgg and LightSpy, an iPhone surveillance tool discovered in 2020. Both use a trojanized Telegram app to deploy a second-stage payload that prompts the installation of a "Core" module capable of collecting device fingerprints, communicating with a remote server, and updating itself. ThreatFabric researchers concluded with high confidence that APT41 is responsible for both the DragonEgg and LightSpy surveillance malware, given their similar configuration patterns, C2 server communications, runtime structure and plugins. They also suggested that WyrmSpy, also known as AndroidControl, shares the same infrastructure as LightSpy and could be its successor. DragonEgg therefore represents a significant threat in the cyber-espionage landscape, particularly for mobile devices, and is closely tied to state-sponsored threat operations such as APT41.
Description last updated: 2024-05-04T20:41:58.106Z
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
Alias (votes): Profile description

APT41 (4 votes): APT41, a threat actor attributed to China, has been actively targeting organizations in at least 14 countries since 2012. The group is known for its use of an extensive range of malware, with at least 46 different code families and tools observed in their operations. They are associated with various

Wyrmspy (4 votes): WyrmSpy is a sophisticated malware attributed to the Chinese espionage group APT41, also known as Double Dragon, BARIUM, and Winnti. This harmful software, designed to exploit and damage computer systems or devices, infects systems through suspicious downloads, emails, or websites, often without use

Lightspy (2 votes): LightSpy, a notable threat actor in the cybersecurity landscape, has renewed its espionage campaign, primarily targeting South Asia. This group, which could be an individual, a private company, or part of a government entity, is known for executing actions with malicious intent. The latest wave of a
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Android, Telegram, State Sponso..., Payload, Threatfabric, Spyware, Apt, Espionage, Malware
Associated Threat Actors
Threat actor (association type, votes): Profile description

Winnti (Unspecified, 2 votes): The Winnti Group is a sophisticated threat actor that has been active since at least 2007, first identified by Kaspersky in 2013. This collective of Chinese nation-state hackers is known for its advanced cyberespionage capabilities and its unique strategy of targeting legitimate software supply chai

Barium (Unspecified, 2 votes): Barium, also known as BRONZE ATLAS or APT41, is a threat actor that has been associated with various malicious activities. Originating from China and active since at least 2007, this group has been implicated in cyberespionage efforts targeting multiple sectors across the globe. In 2017, according t
Source Document References
Information about the DragonEgg malware was read from the documents corpus below. This display is limited to 20 results.
Source (created): Title

CERT-EU (6 months ago): Lookout | Webinar: Analyzing Scattered Spider and APT41 Attacks | Lookout Webinar
CERT-EU (a year ago): Cyber Security Week in Review: October 6, 2023
CERT-EU (a year ago): Similarities between DragonEgg Android spyware, LightSpy iOS surveillance tool examined
CERT-EU (a year ago): Chinese APT Actors Target WeChat Users
CERT-EU (a year ago): LightSpy iPhone Spyware Linked to Chinese APT41 Group
BankInfoSecurity (a year ago): Chinese APT Actors Target WeChat Users
CERT-EU (a year ago): Finding WyrmSpy and DragonEgg Ties to APT41 in the DNS
BankInfoSecurity (a year ago): Chinese Threat Group APT41 Linked To Android Malware Attacks
CERT-EU (a year ago): Why Should You Care About Chinese APTs and Nation State Attacks? | Lookout
CERT-EU (a year ago): Chinese APT41 Hackers Target Mobile Devices with New WyrmSpy and DragonEgg Spyware | IT Security News
CERT-EU (a year ago): In Other News: Military Emails Leaked, Google Restricts Internet Access, Chinese Spyware
CERT-EU (a year ago): Cyber Security Week In Review: July 21, 2023
CERT-EU (a year ago): Experts attribute WyrmSpy and DragonEgg spyware to the Chinese APT41 group | IT Security News
Securityaffairs (a year ago): Experts attribute WyrmSpy and DragonEgg spyware to the Chinese APT41 group
DARKReading (a year ago): China's APT41 Linked to WyrmSpy, DragonEgg Mobile Spyware
CERT-EU (a year ago): Chinese APT41 Linked to WyrmSpy and DragonEgg Surveillanceware