According to research from Sophos, the APT group Dragon Breath (also known as Golden Eye Dog) is using complex variations of the classic DLL sideloading technique to evade detection.


The group uses trojanized versions of Telegram, LetsVPN, or WhatsApp to sideload a malicious loader DLL onto victims' devices. The campaign is focused on Chinese-speaking Windows users in several countries, including China, Japan, Taiwan, Singapore, Hong Kong, and the Philippines.


The attackers use a "double DLL sideloading" technique to achieve evasion, obfuscation, and persistence. The final payload is a backdoor that, among other things, targets the MetaMask cryptocurrency wallet Chrome extension.


The variations in this campaign make it harder for defenders to build detections around one specific attack pattern and effectively shield their networks.


Indicators of Compromise

SHA256/IP/Domain
.225.147.227
206.233.128.103
nsjdhmdjs.com
123.nsjdhmdjs.com
2.nsjdhmdjs.com
ac2.nsjdhmdjs.com
a.pic447.com
b.pic447.com
d.pic447.com
l.pic447.com
l2.pic447.com
t.pic447.com
v.pic447.com
v2.pic447.com
w.pic447.com
j.pic6005588.com
potatouu.com
2.potatouu.com
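As an added example (not from the Sophos report or from this page), the following Python snippet runs the network indicators listed above over a few constructed DNS-log lines. The log format, client addresses and answer values are made up for illustration; the SHA256 hashes are not reproduced, and the IP address whose first octet is missing from the page is left out rather than guessed. Hosts underneath a listed apex domain (nsjdhmdjs.com, potatouu.com) are flagged, but the parent zone of listed subdomains (pic447.com on its own) is not, because the page lists only specific hosts there.

```python
import ipaddress
import re

# Network IOCs as listed on this page. Hashes are omitted, and the IP whose
# first octet is missing from the page is deliberately not included.
IOC_IPS = {"206.233.128.103"}
IOC_DOMAINS = {
    "nsjdhmdjs.com", "123.nsjdhmdjs.com", "2.nsjdhmdjs.com", "ac2.nsjdhmdjs.com",
    "a.pic447.com", "b.pic447.com", "d.pic447.com", "l.pic447.com", "l2.pic447.com",
    "t.pic447.com", "v.pic447.com", "v2.pic447.com", "w.pic447.com",
    "j.pic6005588.com", "potatouu.com", "2.potatouu.com",
}

# Constructed sample log (hypothetical format; not real telemetry).
SAMPLE_LOG = """\
2023-05-04T10:12:01Z client=10.0.0.15 query=update.example.org answer=192.0.2.10
2023-05-04T10:12:07Z client=10.0.0.15 query=ac2.nsjdhmdjs.com answer=198.51.100.5
2023-05-04T10:13:44Z client=10.0.0.22 query=cdn.pic447.com answer=203.0.113.9
2023-05-04T10:14:02Z client=10.0.0.31 query=x.potatouu.com answer=198.51.100.7
2023-05-04T10:15:30Z client=10.0.0.15 query=v2.pic447.com. answer=198.51.100.8
2023-05-04T10:16:11Z client=10.0.0.40 query=login.example.net answer=206.233.128.103
"""

LINE_RE = re.compile(
    r"client=(?P<client>\S+)\s+query=(?P<query>\S+)\s+answer=(?P<answer>\S+)"
)


def normalize_host(host):
    # Lowercase and drop the trailing dot resolvers often emit for FQDNs.
    return host.strip().rstrip(".").lower()


def domain_hit(host):
    """Return the matching IOC domain for a queried hostname, or None.

    Exact matches count, and so does any host beneath a listed domain
    (x.nsjdhmdjs.com matches the listed apex nsjdhmdjs.com). A parent of a
    listed subdomain (pic447.com) is not flagged on its own.
    """
    labels = normalize_host(host).split(".")
    # Walk from the full name up to the registrable domain, never the bare TLD.
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in IOC_DOMAINS:
            return candidate
    return None


def ip_hit(value):
    """Return the IOC IP if the resolved answer is one, else None."""
    try:
        addr = str(ipaddress.ip_address(value.strip()))
    except ValueError:  # NXDOMAIN, CNAME target, etc.
        return None
    return addr if addr in IOC_IPS else None


def scan(log_text):
    """Return (line_no, client, kind, indicator) tuples for every IOC match."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        m = LINE_RE.search(line)
        if not m:
            continue
        d = domain_hit(m["query"])
        if d:
            hits.append((n, m["client"], "domain", d))
        a = ip_hit(m["answer"])
        if a:
            hits.append((n, m["client"], "ip", a))
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print("line %d client %s matched %s IOC %s" % hit)
```

Matching the answer address separately from the queried name catches the case where the domain is clean (or not yet known) but resolves to listed infrastructure, and the trailing-dot normalisation avoids missing FQDN-style entries in resolver logs.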