DragonEgg (Spyware) – Malware

April 16, 2024

DragonEgg

Type of Malware

Spyware

Country of Origin

China

Date of initial activity

2021

Associated Groups

APT41 (aka Wicked Panda)

Targeted Countries

Southern Asia, possibly India

Motivation

Gathering sensitive data from Android devices, such as device contacts, SMS messages, files on external storage, device location, audio recordings and camera photos

Attack vectors

DragonEgg has been observed embedded in apps posing as third-party Android keyboards and in trojanized versions of messaging apps such as Telegram.

Targeted systems

Android

Overview

DragonEgg is Android spyware that implements most of its surveillance functionality through modules downloaded after installation. Its activity dates back to January 2021, so it has been present in the threat landscape for several years. It is attributed to the Chinese state-sponsored cyber-espionage group APT41 (also tracked as BARIUM, Double Dragon and Winnti), and it marks the group's expansion from desktop and server intrusions into mobile-device targeting. DragonEgg has been linked to the iOS surveillance tool LightSpy on the basis of similar configuration patterns, command-and-control server communications, runtime structure and plugins.

Targets

Governmental bodies, pro-democratic Hong Kong activists, universities, computer hardware manufacturers, software developers, telecommunication service providers, social media platforms, and video game companies.

How they operate

DragonEgg relies on additional payloads, downloaded after installation, to implement the full range of its surveillance functionality. According to the Dutch mobile security firm ThreatFabric, DragonEgg attack chains use a trojanized Telegram app that downloads a second-stage payload (smallmload.jar), which in turn downloads a third component codenamed Core.

In DragonEgg's logging messages, the developers refer to the third-stage module fetched by the “smallmload” class files as “forensics program (T1 version)”. Naming surveillance tools “forensics programs” is common among Chinese-speaking defence contractors and software development firms, in contrast to the “trojan” or similar malware-related monikers that independent developers of surveillance tools tend to use.

Researchers suspect that by trojanizing legitimate chat apps such as Telegram, APT41 is trying to remain inconspicuous while requesting access to extensive device data. Messaging apps routinely request sensitive permissions (contacts, SMS, microphone, camera, storage), so hiding surveillance functionality inside a large, fully functional app lets the implant blend in both while it runs on the device and when a researcher analyses it statically.
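The staging described above gives a defender two static signals that do not depend on the implant's own code: a well-known package name (such as Telegram's) signed by a key that is not the publisher's, and a DEX file that references Android's runtime class-loading APIs or the stage names reported for DragonEgg. The script below is an added example written for this page, not code from Lookout, ThreatFabric or the malware itself. The APK it scans, the signer blobs and the package-to-trusted-key mapping are all constructed for the example; hashing the whole META-INF signature file is used as a stand-in for the certificate fingerprint that `apksigner verify --print-certs` reports, and the package name is passed in by the caller because the binary AndroidManifest.xml is not parsed here.

```python
import hashlib
import io
import re
import zipfile
from typing import Dict, List, Optional

# DEX string-table indicators that an app can fetch and execute code it did not
# ship with (ATT&CK for Mobile "Download New Code at Runtime"). The first three
# are real Android class descriptors; the last two are the artefact names this
# profile reports for DragonEgg's second and third stages.
RUNTIME_LOAD_INDICATORS = [
    b"Ldalvik/system/DexClassLoader;",
    b"Ldalvik/system/PathClassLoader;",
    b"Ldalvik/system/InMemoryDexClassLoader;",
    b"smallmload",
    b"forensics program",
]

# Constructed stand-in for the genuine publisher's signature block. In a real
# deployment the trusted value is the certificate SHA-256 that
# `apksigner verify --print-certs` prints for the store build of the app.
GENUINE_SIGNER_BLOB = b"constructed: genuine publisher PKCS#7 block"
TRUSTED_SIGNERS: Dict[str, set] = {
    "org.telegram.messenger": {hashlib.sha256(GENUINE_SIGNER_BLOB).hexdigest()},
}


def signer_fingerprint(apk: zipfile.ZipFile) -> Optional[str]:
    """SHA-256 over the v1 signature block (META-INF/*.RSA|.DSA|.EC).

    Assumption made for this example: hashing the whole PKCS#7 file stands in
    for the certificate fingerprint; v2/v3 APK Signature Scheme blocks in the
    zip trailer are not parsed here.
    """
    for name in apk.namelist():
        if name.startswith("META-INF/") and name.upper().endswith((".RSA", ".DSA", ".EC")):
            return hashlib.sha256(apk.read(name)).hexdigest()
    return None


def dex_indicators(apk: zipfile.ZipFile) -> List[str]:
    """Return 'file: indicator' for each runtime-loading indicator found in
    classes.dex, classes2.dex, ... (a plain byte scan, so encrypted or
    obfuscated string constants would evade it)."""
    hits: List[str] = []
    for name in apk.namelist():
        if re.fullmatch(r"classes\d*\.dex", name):
            data = apk.read(name)
            hits.extend(f"{name}: {ind.decode()}" for ind in RUNTIME_LOAD_INDICATORS if ind in data)
    return hits


def triage_apk(apk_bytes: bytes, package_name: str) -> dict:
    """package_name comes from the caller (e.g. `aapt dump badging`), since this
    example does not parse the binary AndroidManifest.xml."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        fingerprint = signer_fingerprint(apk)
        hits = dex_indicators(apk)

    findings: List[str] = []
    trusted = TRUSTED_SIGNERS.get(package_name)
    if trusted is not None and fingerprint not in trusted:
        # A well-known package name under an unknown key is the mark of a
        # repackaged (trojanized) build, regardless of what the code does.
        findings.append(f"{package_name} is not signed by its trusted publisher key")
    if hits:
        findings.append("app can load code at runtime: " + "; ".join(hits))
    return {
        "package": package_name,
        "signer": fingerprint,
        "dex_hits": hits,
        "findings": findings,
        "suspicious": bool(findings),
    }


def build_sample_apk(dex_strings: List[bytes], signer_blob: bytes) -> bytes:
    """Build a minimal, constructed APK-shaped zip for offline testing. The DEX
    payload is only a magic header plus a NUL-separated string table."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("AndroidManifest.xml", b"<binary XML omitted in this sample>")
        z.writestr("classes.dex", b"dex\n035\x00" + b"\x00".join(dex_strings))
        z.writestr("META-INF/CERT.RSA", signer_blob)
    return buf.getvalue()


if __name__ == "__main__":
    trojanized = build_sample_apk(
        [b"Lorg/telegram/messenger/ApplicationLoader;",
         b"Ldalvik/system/DexClassLoader;",
         b"smallmload.jar"],
        b"constructed: attacker re-signing key",
    )
    for finding in triage_apk(trojanized, "org.telegram.messenger")["findings"]:
        print("FINDING:", finding)
```

The signer check is the robust signal: an attacker who repackages Telegram cannot reproduce the publisher's signing key, so any build of that package name under another key is suspect even before its code is examined. The DEX scan is only a first-pass heuristic, since a loader that decrypts its class-loader and file names at runtime will not expose them as plain string constants; in that case the mismatch in signer plus a messaging app that writes .jar files into its private directory at runtime is what an analyst would look for next.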

MITRE Techniques Used

ATT&CK for Mobile technique names, grouped by tactic:

  • Initial Access: Masquerade as a Legitimate Application
  • Persistence: App Auto-Start at Device Boot
  • Defense Evasion: Download New Code at Runtime; Obfuscated Files or Information
  • Credential Access: Capture SMS Messages
  • Discovery: File and Directory Discovery; Location Tracking; System Information Discovery
  • Collection: Access Calendar Entries; Access Contact List; Capture SMS Messages; Location Tracking
  • Command and Control: Commonly Used Port; Standard Application Layer Protocol
  • Exfiltration: Commonly Used Port; Standard Application Layer Protocol

Significant Malware Campaigns

  • Lookout reported that WyrmSpy and DragonEgg use downloaded modules to hide their surveillance functionality and evade detection. (July 2023)
  • ThreatFabric discovered the DragonEgg Android implant together with a set of 14 plugins responsible for exfiltrating private data. (October 2023)
References:
  • Lookout, Lookout Attributes Advanced Android Surveillanceware to Chinese Espionage Group APT41 (July 2023)
  • ThreatFabric, LightSpy mAPT Mobile Payment System Attack (October 2023)

Tags: Android, APT41, China, DragonEgg, Hong Kong, LightSpy, Malware, spyware