DragonOK

Threat Actor Profile Updated 3 months ago
DragonOK, a threat actor group reportedly linked to China, has been associated with various malicious activities, including the deployment of the infamous Remote Access Trojan (RAT) known as FormerFirstRAT. This multi-featured RAT allows threat actors to gain complete control over a targeted machine. DragonOK's activities have been linked with other Chinese threat groups, such as APT10 and APT1, and it has historically targeted high-tech and manufacturing firms in Japan.

In a persistent attack campaign, DragonOK deployed three RATs and two additional backdoors. Notably, one of these backdoors appears to be a custom-built tool not previously associated with DragonOK or any other attack group. The other backdoors, NFlog, PoisonIvy, and NewCT, have been publicly associated with DragonOK in the past. These attacks were identified using AutoFocus, a Palo Alto Networks threat intelligence tool, and took place between January and March of 2015.

Following careful data review and attribution modeling, the suspect list was narrowed down to three known Advanced Persistent Threat (APT) groups - APT10, APT27, and DragonOK - all believed to be linked to China. In addition, connections have been found between DragonOK and Rancor, another group that has been publicly reported since 2018. As such, DragonOK represents a significant cybersecurity threat due to its sophisticated tools and tactics, and its links to other prominent threat actors.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possibly overlapping names and profiles you may also want to look at.

Rancor (Votes: 1)
Rancor, a previously unidentified threat actor group, has been executing malicious actions through targeted cyber-attacks since 2018. The cybersecurity industry has linked Rancor with the DragonOK group, and their activities have been observed to focus primarily on Southeast Asia. The group's attack
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Backdoor
Malware
Apt
Rat
Associated Malware
PoisonIvy (Type: Unspecified, Votes: 1)
PoisonIvy is a malicious software (malware) known for its damaging capabilities, including stealing personal information and disrupting system operations. The malware can infiltrate systems through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, it maintai

PlugX (Type: Unspecified, Votes: 1)
PlugX is a notorious malware, typically associated with Chinese threat actors, that has been used in various cyberattacks. This malicious software infiltrates systems through suspicious downloads, emails, or websites and can steal personal information, disrupt operations, or hold data for ransom. It
Associated Threat Actors
APT10 (Type: Unspecified, Votes: 1)
APT10, also known as the Menupass Team, is a threat actor believed to operate on behalf of the Chinese Ministry of State Security (MSS). The group has been active since 2009 and is suspected to be based in Tianjin, China, according to research by IntrusionTruth in 2018. APT10 has primarily targeted

APT3 (Type: Unspecified, Votes: 1)
APT3, also known as the UPS Team, is a highly sophisticated threat group suspected to be based in China and attributed to the Chinese Ministry of State Security (MSS) and Boyusec. This threat actor targets sectors including Aerospace and Defense, Construction and Engineering, High Tech, Telecommunic

APT27 (Type: Unspecified, Votes: 1)
APT27, also known as Iron Taurus, is a Chinese threat actor group that primarily engages in cyber operations with the goal of intellectual property theft. The group targets multiple organizations worldwide, including those in North and South America, Europe, and the Middle East. APT27 utilizes vario

APT1 (Type: Unspecified, Votes: 1)
APT1, also known as Unit 61398 or Comment Crew, is a notorious cyber-espionage group believed to be part of China's People's Liberation Army (PLA) General Staff Department's 3rd Department. This threat actor has been linked with several high-profile Remote Access Trojans (RATs), enabling them to tak
Associated Vulnerabilities
No associations to display
Source Document References
Information about the DragonOK threat actor was read from the document corpus below. This display is limited to 20 results.

MITRE (a year ago): APT trends report Q1 2020
MITRE (a year ago): Operation Soft Cell: A Worldwide Campaign Against Telecommunications Providers
MITRE (a year ago): Unit 42 Identifies New DragonOK Backdoor Malware Deployed Against Japanese Targets