Operation Dragon Breath (APT-Q-27): Dimensional Reduction Attack Against the Gambling Industry
A threat group known as Golden Eye Dog (APT-Q-27) has been targeting individuals involved in gambling and related activities in Southeast Asia, as well as overseas Chinese communities. The group's operations include remote control, cryptocurrency mining, DDoS attacks, and traffic-related activities. Their malware samples are primarily distributed through Telegram groups, with strong anti-detection capabilities and highly targeted lures. The article describes new watering hole activities by the group, including the use of modified MSI installers for popular messaging apps like Telegram. The group has evolved its tactics since previous reports, making their operations more covert and difficult to detect. The analysis reveals the group's use of various programming languages and sophisticated techniques, suggesting it may be part of a larger, more advanced organization called Miuuti Group.
AI Analysis
Technical Summary
Operation Dragon Breath is a targeted cyber espionage and disruption campaign attributed to the advanced persistent threat group Golden Eye Dog (APT-Q-27), believed to be linked to the broader Miuuti Group. The campaign focuses on individuals and entities involved in the gambling industry, primarily in Southeast Asia and overseas Chinese communities. The group distributes malware mainly through Telegram groups, leveraging social engineering with highly targeted lures and strong anti-detection capabilities. A key tactic involves watering hole attacks using modified MSI installers masquerading as legitimate installers for popular messaging applications like Telegram, enabling initial compromise. The malware capabilities include remote control of infected systems, cryptocurrency mining to monetize compromised assets, distributed denial-of-service (DDoS) attacks to disrupt targets, and traffic-related manipulations. The group employs a variety of programming languages and sophisticated techniques such as process injection (T1055), credential dumping (T1003), persistence mechanisms (T1547), and network traffic obfuscation (T1071). Indicators of compromise include specific IP addresses, domain names, and file hashes associated with their infrastructure. Although no CVEs or in-the-wild exploits are associated with the campaign, its covert nature and multi-faceted attack vectors make it a medium-level threat that can impact the confidentiality, integrity, and availability of targeted systems. The campaign’s evolution towards stealthier operations complicates detection and response efforts.
Potential Impact
For European organizations, the direct impact of Operation Dragon Breath is currently limited due to its primary focus on Southeast Asia and overseas Chinese communities. However, European entities involved in the gambling industry or with significant Chinese diaspora populations could be indirectly targeted or affected through supply chain or social engineering vectors. The campaign’s use of modified MSI installers and Telegram-based distribution channels poses a risk of initial compromise leading to unauthorized remote access, data theft, or resource hijacking for cryptocurrency mining. Disruption through DDoS attacks could affect service availability, damaging reputation and causing financial losses. The covert and sophisticated nature of the malware complicates detection, increasing the risk of prolonged undetected intrusions. Additionally, the targeting of messaging apps popular in Europe could facilitate lateral movement or espionage within European networks. The campaign’s impact on confidentiality, integrity, and availability underscores the need for vigilance, especially in sectors with cross-regional ties to Asia or Chinese communities.
Mitigation Recommendations
1. Implement strict controls and monitoring on software installation processes, especially for MSI installers, to detect and block unauthorized or modified installers masquerading as legitimate applications like Telegram.
2. Enhance network monitoring to detect anomalous traffic patterns associated with known APT-Q-27 IP addresses and domains, including those listed in the indicators of compromise.
3. Deploy endpoint detection and response (EDR) solutions capable of identifying advanced techniques such as process injection, credential dumping, and persistence mechanisms used by the threat group.
4. Educate employees and users about the risks of downloading software from unofficial sources and joining unverified Telegram groups, emphasizing social engineering awareness.
5. Conduct regular threat hunting exercises focusing on the tactics, techniques, and procedures (TTPs) associated with APT-Q-27, including monitoring for signs of cryptocurrency mining and DDoS preparation.
6. Maintain up-to-date threat intelligence feeds and integrate them into security operations to quickly identify emerging indicators related to this campaign.
7. Segment networks to limit lateral movement opportunities if initial compromise occurs, especially isolating critical gambling-related infrastructure.
8. Collaborate with law enforcement and cybersecurity communities to share intelligence and receive updates on the evolving threat landscape related to this group.
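Recommendations 1 and 2 above come down to matching this page's indicators against what the network and endpoints actually see. The following is an added example, not code from the original pulse or from the referenced article: it scans constructed DNS and proxy log lines for the listed IP addresses and domains (matching subdomains of the listed domains as well), and computes the md5, sha1 and sha256 of a downloaded installer so it can be compared against the listed hashes, which are a mix of all three digest types. The log lines and the installer bytes are constructed sample data; the indicator values are the ones listed on this page. One caveat is built in: decoded.avast.io is Avast's threat-research blog and most likely entered the pulse as a harvested reference link rather than as attacker infrastructure, so the example reports hits on it for analyst review instead of raising an alert.

```python
"""IoC matching for the APT-Q-27 / Operation Dragon Breath indicators on this page.

Added example. Indicator values are taken from the page's Indicators of Compromise
list; SAMPLE_LOGS and the installer bytes used in __main__ are constructed.
"""
import hashlib
import re
from dataclasses import dataclass
from typing import List, Optional

# IP and domain indicators as listed on this page.
IOC_IPS = {
    "118.107.47.123", "156.245.12.43", "156.255.211.27",
    "45.207.36.24", "154.39.254.183", "209.209.49.241",
}
IOC_DOMAINS = {"downtele.xyz", "nsjdhmdjs.com", "telegarmzh.com", "decoded.avast.io"}
# File hashes as listed on this page: five md5, two sha1, two sha256.
IOC_HASHES = {
    "2269f8f79975b2e924efba680e558046", "241426a9686ebcb82bf8344511b8a4ca",
    "3ec706ccc848ba999f2be30fce6ac9e2", "6bd09914b8e084f72e95a079c2265b77",
    "b8da59d15775d19cc1f33f985c22e4cb",
    "05b1d6a4371c3fee9e89ccb437301f2a1fbf579d",
    "e38bc95687f9752e778146e92c9b6a4a85fc018d",
    "74d05267a1193760d71498151a036280125187ddfce1148c99f0fb399a56c0f3",
    "d7c222bfdece8d5bd243c42fc7646045d6df1b6cd67faaed4044e5f9e226adaa",
}
# decoded.avast.io is Avast's threat-research blog; it most likely entered the pulse as a
# harvested reference link, so hits on it are downgraded to "review" rather than "alert".
REFERENCE_DOMAINS = {"decoded.avast.io"}

# Token extractors: a dotted-quad that is not part of a longer dotted/numeric run, and a
# dotted hostname that is not part of a longer word. Hostnames also catch IPs; those simply
# never match a domain indicator.
IPV4_RE = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")
HOST_RE = re.compile(r"(?<![\w.-])([a-z0-9-]+(?:\.[a-z0-9-]+)+)(?![\w-])", re.IGNORECASE)

# Constructed sample log lines (DNS resolver and web proxy, key=value style).
SAMPLE_LOGS = [
    "2025-11-05T21:40:01Z dns client=10.0.0.12 query=downtele.xyz rcode=NOERROR",
    "2025-11-05T21:40:02Z proxy client=10.0.0.12 dst=118.107.47.123:443 url=https://downtele.xyz/download",
    "2025-11-05T21:41:10Z dns client=10.0.0.15 query=www.example.com rcode=NOERROR",
    "2025-11-05T21:42:00Z proxy client=10.0.0.20 dst=93.184.216.34:443 url=https://www.example.com/",
    "2025-11-05T21:43:00Z dns client=10.0.0.33 query=decoded.avast.io rcode=NOERROR",
    "2025-11-05T21:44:00Z dns client=10.0.0.40 query=cdn.telegarmzh.com rcode=NOERROR",
]


@dataclass(frozen=True)
class Match:
    line_no: int   # 1-based index into the scanned lines
    kind: str      # "ip" or "domain"
    value: str     # the indicator that matched (the listed domain, not the subdomain seen)
    severity: str  # "alert" or "review"


def matching_domain(host: str) -> Optional[str]:
    """Return the listed domain that `host` equals or is a subdomain of, else None."""
    host = host.lower().rstrip(".")
    for ioc in IOC_DOMAINS:
        if host == ioc or host.endswith("." + ioc):
            return ioc
    return None


def scan_log_lines(lines: List[str]) -> List[Match]:
    """Match every IP and hostname token in each line against the indicator sets."""
    hits: List[Match] = []
    for n, line in enumerate(lines, start=1):
        for ip in sorted(set(IPV4_RE.findall(line))):
            if ip in IOC_IPS:
                hits.append(Match(n, "ip", ip, "alert"))
        for host in sorted(set(HOST_RE.findall(line))):
            ioc = matching_domain(host)
            if ioc is not None:
                severity = "review" if ioc in REFERENCE_DOMAINS else "alert"
                hits.append(Match(n, "domain", ioc, severity))
    return hits


def summarize(hits: List[Match]) -> dict:
    """Count hits per severity so a run can be triaged at a glance."""
    return {sev: sum(h.severity == sev for h in hits) for sev in ("alert", "review")}


def classify_hash(h: str) -> str:
    """Identify an indicator's digest type from its hex length (md5 / sha1 / sha256)."""
    return {32: "md5", 40: "sha1", 64: "sha256"}.get(len(h), "unknown")


def hash_digests(data: bytes) -> dict:
    """Compute all three digest types for a file so mixed-type hash lists can be checked."""
    return {name: hashlib.new(name, data).hexdigest() for name in ("md5", "sha1", "sha256")}


def match_hashes(data: bytes) -> list:
    """Return (digest_type, hash) pairs from the indicator list that `data` matches."""
    seen = set(hash_digests(data).values())
    return sorted((classify_hash(h), h) for h in IOC_HASHES if h in seen)


if __name__ == "__main__":
    for hit in scan_log_lines(SAMPLE_LOGS):
        print(f"line {hit.line_no}: {hit.severity.upper():6} {hit.kind} {hit.value}")
    print(summarize(scan_log_lines(SAMPLE_LOGS)))
    # Constructed installer bytes: stands in for a file pulled from quarantine.
    print("hash matches:", match_hashes(b"constructed sample installer bytes"))
```

Hash matching only catches samples that are already known; for recommendation 1 the stronger control on Windows is to verify the installer's Authenticode signature and publisher (for example with PowerShell's Get-AuthenticodeSignature) before it is allowed to run, and to block unsigned or re-signed MSI files by policy.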
Affected Countries
United Kingdom, Germany, France, Netherlands, Belgium, Sweden
Indicators of Compromise
- ip: 118.107.47.123
- ip: 156.245.12.43
- ip: 156.255.211.27
- ip: 45.207.36.24
- hash: 2269f8f79975b2e924efba680e558046
- hash: 241426a9686ebcb82bf8344511b8a4ca
- hash: 3ec706ccc848ba999f2be30fce6ac9e2
- hash: 6bd09914b8e084f72e95a079c2265b77
- hash: b8da59d15775d19cc1f33f985c22e4cb
- hash: 05b1d6a4371c3fee9e89ccb437301f2a1fbf579d
- hash: e38bc95687f9752e778146e92c9b6a4a85fc018d
- hash: 74d05267a1193760d71498151a036280125187ddfce1148c99f0fb399a56c0f3
- hash: d7c222bfdece8d5bd243c42fc7646045d6df1b6cd67faaed4044e5f9e226adaa
- ip: 154.39.254.183
- ip: 209.209.49.241
- domain: downtele.xyz
- domain: nsjdhmdjs.com
- domain: telegarmzh.com
- domain: decoded.avast.io
Technical Details
- Author: AlienVault
- TLP: white
- References: https://www.ctfiot.com/40522.html
- Adversary: APT-Q-27
- Pulse Id: 690b44c9a4ad4bf7349547c8
- Threat Score: null
Threat ID: 690bc39f5c8b8caf26e1ed95
Added to database: 11/5/2025, 9:37:35 PM
Last enriched: 11/5/2025, 9:38:37 PM
Last updated: 12/20/2025, 7:43:06 PM
Views: 171