Threat Intelligence Tarot
Vol. II · 121
Southeast Asia / China-aligned
G1007
risk 3/5
The USB Serpent
Aoqin Dragon
UNC94-adjacent
Australia · Singapore · Vietnam · Hong Kong · Cambodia
Active since ~2013 · Regional espionage, Government intelligence
The USB Serpent slithers between machines on plastic and silicon. Where networks end, its scales begin — every conference giveaway, every promotional drive, a possible vector.
Tactics & Techniques
  • T1566.001 Phishing: Spearphishing Attachment · Initial Access
  • T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder · Persistence
  • T1027 Obfuscated Files or Information · Defense Evasion
  • T1071.001 Application Layer Protocol: Web Protocols · Command and Control
  • T1025 Data from Removable Media · Collection
  • T1041 Exfiltration Over C2 Channel · Exfiltration
Notable Operations
  • Decade-long surveillance of Southeast Asian governments (SentinelOne disclosure 2022)
  • Mongall and Heyoka backdoor families
  • USB-based propagation into air-gapped networks
  • Themed lures aligned to APEC and ASEAN summit cycles
Defenses
  • USB device control and removable media restrictions
    CIS Control 10
  • Disable Autorun and Autoplay across managed endpoints
    Microsoft Security Baselines
  • Air-gapped network media review workflows with sandboxed read
    NIST SP 800-82
  • Conference and travel laptop hygiene programs
    NIST CSF: PR.AT
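The two defenses above that are cheapest to verify on a fleet are the Autorun/Autoplay baseline and removable-storage control, and the technique list pairs them with Run-key persistence (T1547.001). The PowerShell below is an added example written for this profile; it is not code from the page, from MITRE ATT&CK, SentinelOne, or Microsoft. It assumes an elevated PowerShell 5.1+ session on Windows 10/11, that the registry values listed are the policy backing of the named Security Baseline settings, and that the Removable Disks class GUID and the Run-key heuristic are illustrative choices rather than vendor-published detection logic.

```powershell
# Added example for this profile; not code from the page, MITRE ATT&CK, or any vendor.
# Assumes: elevated PowerShell 5.1+ on Windows 10/11. Value names are the registry
# backing of the Security Baseline Autoplay/AutoRun policies and the removable-storage
# access policy; the Run-key checks are an illustrative triage aid, not a signature.

[CmdletBinding()]
param(
    [switch]$Enforce   # report drift only unless -Enforce is supplied
)

# --- 1. Desired state: Autorun/Autoplay off, no execution from removable disks -------
$Desired = @(
    # "Turn off Autoplay" (Enabled: All drives): bit mask 0xFF covers every drive type
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
       Name = 'NoDriveTypeAutoRun'; Value = 0xFF },
    # "Set the default behavior for AutoRun" (Do not execute any autorun commands)
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
       Name = 'NoAutorun'; Value = 1 },
    # "Disallow Autoplay for non-volume devices" (MTP/WPD devices such as phones, cameras)
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Explorer'
       Name = 'NoAutoplayfornonVolume'; Value = 1 },
    # "Removable Disks: Deny execute access" (device-class GUID for Removable Disks).
    # Use Deny_All directly under ...\RemovableStorageDevices to block read/write as well.
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices\{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'
       Name = 'Deny_Execute'; Value = 1 }
)

$drift = foreach ($d in $Desired) {
    $current = (Get-ItemProperty -Path $d.Path -Name $d.Name -ErrorAction SilentlyContinue).($d.Name)
    if ($current -eq $d.Value) { continue }
    [pscustomobject]@{ Path = $d.Path; Name = $d.Name; Current = $current; Expected = $d.Value }
    if ($Enforce) {
        if (-not (Test-Path $d.Path)) { New-Item -Path $d.Path -Force | Out-Null }
        New-ItemProperty -Path $d.Path -Name $d.Name -PropertyType DWord -Value $d.Value -Force | Out-Null
    }
}

if ($drift) {
    $suffix = if ($Enforce) { ' (now corrected)' } else { '' }
    Write-Output ("{0} setting(s) out of policy{1}:" -f @($drift).Count, $suffix)
    $drift | Format-Table -AutoSize
} else {
    Write-Output 'Autorun/Autoplay and removable-disk execution settings match policy.'
}

# --- 2. Run-key persistence (T1547.001) that leans on removable media --------------
$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
$MetaProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
# DriveType 2 = removable; only currently attached sticks appear here, e.g. 'E:'
$Removable = @(Get-CimInstance Win32_LogicalDisk -Filter 'DriveType=2' | ForEach-Object DeviceID)

$suspect = foreach ($key in $RunKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($MetaProps -contains $p.Name) { continue }
        $cmd = [string]$p.Value
        # Executable is the quoted first token, or the first whitespace-delimited token
        $exe = if ($cmd -match '^\s*"([^"]+)"') { $Matches[1] }
               elseif ($cmd -match '^\s*(\S+)') { $Matches[1] } else { '' }
        # Reason A: command references an attached removable drive ("E:\...")
        $onUsb = $Removable | Where-Object { $cmd -match [regex]::Escape($_ + '\') }
        # Reason B: absolute target no longer exists (a detached USB stick looks like this)
        $missing = ($exe -match '^[A-Za-z]:\\') -and -not (Test-Path -LiteralPath $exe)
        if ($onUsb -or $missing) {
            [pscustomobject]@{
                Key = $key; Name = $p.Name; Command = $cmd
                Reason = if ($onUsb) { 'removable drive' } else { 'target missing' }
            }
        }
    }
}

if ($suspect) { $suspect | Format-List }
else { Write-Output 'No Run-key entries reference removable media or missing targets.' }
```

Run it without arguments from an elevated prompt to see drift and suspect Run-key entries; add -Enforce to write the baseline values on a host that is not yet under Group Policy (on a GPO-managed host, fix the policy rather than the registry, or the next refresh will revert it). The "target missing" reason is deliberately noisy: it catches a Run value left behind by a stick that has since been unplugged, which is exactly the residue USB-borne persistence leaves, but it also catches stale entries from uninstalled software, so treat it as a triage queue rather than an alert.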
Reversed: Their Weakness
Removable-media policy enforcement and disabling Autorun close this serpent's preferred path. It bites only what plugs in willingly.

Data sourced from MITRE ATT&CK. For educational purposes.