Threat Actor Profile
High APT
Description

DragonOK is a threat group that has targeted Japanese organizations with phishing emails. Due to overlapping TTPs, including similar custom tools, DragonOK is thought to have a direct or indirect relationship with the threat group Moafee. (Citation: Operation Quantum Entanglement) It is known to use a variety of malware, including Sysget/HelloBridge, PlugX, PoisonIvy, FormerFirstRat, NFlog, and NewCT. (Citation: New DragonOK)

Confidence Score
90%
Known Aliases
DragonOK
Tags
mitre-attack stix-2.1 intrusion-set
First Seen

Unknown

Last Updated

Unknown

Active Status
Active
Created

April 29, 2026

Indicators of Compromise

Loading IOCs…

IOC KQL for Sentinel
STIX Data 
{'aliases': ['DragonOK'],
 'created': '2017-05-31T21:31:53.197Z',
 'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'description': '[DragonOK](https://attack.mitre.org/groups/G0017) is a threat '
                'group that has targeted Japanese organizations with phishing '
                'emails. Due to overlapping TTPs, including similar custom '
                'tools, [DragonOK](https://attack.mitre.org/groups/G0017) is '
                'thought to have a direct or indirect relationship with the '
                'threat group [Moafee](https://attack.mitre.org/groups/G0002). '
                '(Citation: Operation Quantum Entanglement) It is known to use '
                'a variety of malware, including Sysget/HelloBridge, PlugX, '
                'PoisonIvy, FormerFirstRat, NFlog, and NewCT. (Citation: New '
                'DragonOK)',
 'external_references': [{'external_id': 'G0017',
                          'source_name': 'mitre-attack',
                          'url': 'https://attack.mitre.org/groups/G0017'},
                         {'description': '(Citation: Operation Quantum '
                                         'Entanglement) (Citation: New '
                                         'DragonOK)',
                          'source_name': 'DragonOK'},
                         {'description': 'Haq, T., Moran, N., Vashisht, S., '
                                         'Scott, M. (2014, September). '
                                         'OPERATION QUANTUM ENTANGLEMENT. '
                                         'Retrieved November 17, 2024.',
                          'source_name': 'Operation Quantum Entanglement',
                          'url': 'https://web.archive.org/web/20210920193513/https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-operation-quantum-entanglement.pdf'},
                         {'description': 'Miller-Osborn, J., Grunzweig, J.. '
                                         '(2015, April). Unit 42 Identifies '
                                         'New DragonOK Backdoor Malware '
                                         'Deployed Against Japanese Targets. '
                                         'Retrieved November 4, 2015.',
                          'source_name': 'New DragonOK',
                          'url': 'http://researchcenter.paloaltonetworks.com/2015/04/unit-42-identifies-new-dragonok-backdoor-malware-deployed-against-japanese-targets/'}],
 'id': 'intrusion-set--f3bdec95-3d62-42d9-a840-29630f6cdc1a',
 'modified': '2024-11-17T16:27:34.666Z',
 'name': 'DragonOK',
 'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
 'revoked': False,
 'spec_version': '2.1',
 'type': 'intrusion-set',
 'x_mitre_attack_spec_version': '3.2.0',
 'x_mitre_deprecated': False,
 'x_mitre_domains': ['enterprise-attack'],
 'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'x_mitre_version': '1.0'}
Quick Actions
Back to Threat Actors
Dashboard Home