Night Dragon

Type: Nation-State-Sponsor

Status: Inactive

Active Since/Discovered: 2006-2011

Targets: Kazakhstan, Taiwan, Greece, and the U.S.

Target Sectors: Energy (oil, gas and petrochemical companies)


  • Night Dragon Operation Custom malware,
  • zwShell, Cain & Abel, Possibly: Gh0st RAT, webShell, ASPXSpy

Preferred Attack Vector: SQL Injection

  • Compromise public-facing web servers via SQL injection; install malware and RATs
  • Use the compromised web servers to stage attacks on internal targets
  • Launch spear-phishing attacks on mobile worker laptops to compromise VPN-connected accounts and gain additional internal access
  • Use password stealing tools to access other systems and install RATs and malware in the process
  • Target computers that belong to executives to capture their email and files


  • DLL is a Hidden or System file attribute and can be found by size (19-23 KB)
  • It is usually located in the C:WindowsSystem32 or C:WindowsSysWow64 directory


  • Attacks appeared to originate from computers on IP (Internet protocol) addresses in Beijing, between 9 a.m. to 5 p.m. local time
  • Hours suggest hackers are employees rather than freelance or unprofessional hackers