From 81ff1f0f53e4caf7b50d4a245b2aa1a518be005b Mon Sep 17 00:00:00 2001
From: Rony <rony_123@protonmail.ch>
Date: Thu, 1 Sep 2022 09:30:49 +0000
Subject: [PATCH] add Red Dev 17 and Aoqin Dragon

---
 clusters/threat-actor.json | 26 ++++++++++++++++++++++++++
 1 file changed, 26 insertions(+)

diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index f227f0c3..871b86d7 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -9681,6 +9681,32 @@
       },
       "uuid": "50d61877-bfc7-4c65-980e-c0589b5561fa",
       "value": "Red Dev 17"
+    },
+    {
+      "description": "SentinelLabs has uncovered a cluster of activity beginning at least as far back as 2013 and continuing to the present day, primarily targeting organizations in Southeast Asia and Australia. They assess that the threat actor's primary focus is espionage and relates to targets in Australia, Cambodia, Hong Kong, Singapore, and Vietnam. We track this activity as 'Aoqin Dragon'. The threat actor has a history of using document lures with pornographic themes to infect users and makes heavy use of USB shortcut techniques to spread the malware and infect additional targets. Attacks attributable to Aoqin Dragon typically drop one of two backdoors, Mongall and a modified version of the open source Heyoka project.",
+      "meta": {
+        "cfr-suspected-victims": [
+          "Australia",
+          "Cambodia",
+          "Hong Kong",
+          "Singapore",
+          "Vietnam"
+        ],
+        "cfr-target-category": [
+          "Government",
+          "Education",
+          "Telecommunications"
+        ],
+        "country": "CN",
+        "refs": [
+          "https://www.sentinelone.com/labs/aoqin-dragon-newly-discovered-chinese-linked-apt-has-been-quietly-spying-on-organizations-for-10-years/"
+        ],
+        "synonyms": [
+          "UNC94"
+        ]
+      },
+      "uuid": "fa1fdccb-1a06-4607-bd45-1a7df4db02d7",
+      "value": "Aoqin Dragon"
     }
   ],
   "version": 244