Report: Chinese-linked threat used porn to lure victims in Asia and Australia
Document used as lure in Aoqin Dragon attack, per report. (Via SentinelOne)
Andrea Peterson June 9, 2022

A threat actor in operation for nearly a decade has targeted government, telecommunication, and education organizations in Australia and Southeast Asia, according to a new report from SentinelOne — in some cases using exploits hidden in pornographic documents. 

The cybersecurity firm calls the threat “Aoqin Dragon,” and says it has moderate confidence the actor is a small Chinese-language group engaged in cyber-espionage. 

“The targeting of Aoqin Dragon closely aligns with the Chinese government’s political interests,” according to the report. Elements of the infrastructure observed by SentinelLabs, the firm’s research arm, also appear to have overlap with similar actors, per the report. 

“Government related sectors are their primary target for sure,” report author Joey Chen told The Record. 

The group’s tactics included phishing with documents that could exploit a target’s machine. In some cases, that involved using pornography and sexually explicit lures, or materials targeted to be of policy interest in the region.

Researchers are still actively gathering data on various lures used by the group, according to Chen. 

The threat actor also spread across networks by disguising malicious executables with fake icons that users could be socially engineered into clicking, according to the report.

The group regularly appears to change techniques to evade detection, SentinelLabs said, but has in the past relied on a technique known as DLL hijacking to insert malware on machines.

Researchers believe the group remains active, according to Chen.

“We fully expect that Aoqin Dragon will continue conducting espionage operations,” the report noted. “In addition, we assess it is likely they will also continue to advance their tradecraft, finding new methods of evading detection and stay longer in their target network.”

Andrea (they/them) is senior policy correspondent at The Record and a longtime cybersecurity journalist who cut their teeth covering technology policy at ThinkProgress (RIP), then The Washington Post from 2013 through 2016, before doing deep-dive public records investigations at the Project on Government Oversight and American Oversight. Their work has also been published at Slate, Politico, The Daily Beast, Ars Technica, Protocol, and other outlets. Peterson also produces independent creative projects under their Plain Great Productions brand and can generally be found online as kansasalps.