Night Dragon

Type: Nation-State-Sponsor

Status: Inactive

Active Since/Discovered: 2006-2011

Targets: Kazakhstan, Taiwan, Greece, and the U.S.

Target Sectors: Energy (oil, gas and petrochemical companies)


  • Night Dragon Operation Custom malware,
  • zwShell, Cain & Abel, Possibly: Gh0st RAT, webShell, ASPXSpy

Preferred Attack Vector: SQL Injection

  • Compromise public-facing web servers via SQL injection; install malware and RATs
  • Use the compromised web servers to stage attacks on internal targets
  • Launch spear-phishing attacks on mobile worker laptops to compromise VPN-connected accounts and gain additional internal access
  • Use password stealing tools to access other systems and install RATs and malware in the process
  • Target computers that belong to executives to capture their email and files


  • DLL is a Hidden or System file attribute and can be found by size (19-23 KB)
  • It is usually located in the C:WindowsSystem32 or C:WindowsSysWow64 directory


  • Attacks appeared to originate from computers on IP (Internet protocol) addresses in Beijing, between 9 a.m. to 5 p.m. local time
  • Hours suggest hackers are employees rather than freelance or unprofessional hackers
Privacy Settings
We use cookies to enhance your experience while using our website. If you are using our Services via a browser you can restrict, block or remove cookies through your web browser settings. We also use content and scripts from third parties that may use tracking technologies. You can selectively provide your consent below to allow such third party embeds. For complete information about the cookies we use, data we collect and how we process them, please check our Privacy Policy
Consent to display content from Youtube
Consent to display content from Vimeo
Google Maps
Consent to display content from Google