DragonOK, a threat actor group reportedly linked to China, has been associated with a range of malicious activity, including deployment of the Remote Access Trojan (RAT) known as FormerFirstRAT. This multi-featured RAT gives the operator complete control over a compromised machine. DragonOK's activity has been linked with other Chinese threat groups, such as APT10 and APT1, and the group has historically targeted high-tech and manufacturing firms in Japan.
In a persistent attack campaign, DragonOK deployed three RATs and two additional backdoors. Notably, one of these backdoors appears to be a custom-built tool not previously associated with DragonOK or any other attack group. The other backdoors, NFlog, PoisonIvy, and NewCT, have been publicly associated with DragonOK in the past. These attacks were identified using AutoFocus, a Palo Alto Networks threat intelligence tool, and took place between January and March of 2015.
Following careful data review and attribution modeling, analysts narrowed the suspect list to three known Advanced Persistent Threat (APT) groups - APT10, APT27, and DragonOK - all believed to be linked to China. In addition, connections have been found between DragonOK and Rancor, another group that has been publicly reported on since 2018. Taken together, DragonOK's sophisticated tooling and tactics, and its links to other prominent threat actors, make it a significant cybersecurity threat.
Description last updated: 2024-05-04T20:16:06.784Z