DragonOK

Threat Actor Profile Updated a month ago
DragonOK, a threat actor group reportedly linked to China, has been associated with various malicious activities, including the deployment of the infamous Remote Access Trojan (RAT) known as FormerFirstRAT. This multi-featured RAT allows threat actors to gain complete control over a targeted machine. DragonOK's activities have been linked with other Chinese threat groups, such as APT10 and APT1, and it has historically targeted high-tech and manufacturing firms in Japan.

In a persistent attack campaign, DragonOK deployed three RATs and two additional backdoors. Notably, one of these backdoors appears to be a custom-built tool not previously associated with DragonOK or any other attack group. The other backdoors, NFlog, PoisonIvy, and NewCT, have been publicly associated with DragonOK in the past. These attacks were identified using AutoFocus, a Palo Alto Networks threat intelligence tool, and took place between January and March of 2015.

Following careful data review and attribution modeling, the suspect list was narrowed down to three known Advanced Persistent Threat (APT) groups (APT10, APT27, and DragonOK), all believed to be linked to China. In addition, connections have been found between DragonOK and Rancor, another group that has been publicly reported since 2018. As such, DragonOK represents a significant cybersecurity threat due to its sophisticated tools and tactics, and its links to other prominent threat actors.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Associated Malware
No associations to display
Associated Threat Actors
No associations to display
Associated Vulnerabilities
No associations to display
Source Document References
Information about the DragonOK Threat Actor was read from the documents corpus below.
Source | Created At | Title
MITRE | a year ago | Unit 42 Identifies New DragonOK Backdoor Malware Deployed Against Japanese Targets
MITRE | a year ago | Operation Soft Cell: A Worldwide Campaign Against Telecommunications Providers
MITRE | a year ago | APT trends report Q1 2020