National Cyber Warfare Foundation (NCWF)

Silver Fox


2025-06-16 20:11:26
blscott

  • Aliases: APT‑Q‑27, Dragon Breath, GoldenEyeDog, Golden Eye Dog, Silver Fox, Void Arachne, The Great Thief of Valley

  • Attribution: Believed to be Chinese-speaking, possibly state‑aligned operators within the broader Miuuti Group


🎯 Primary Targets

  • Focused on the online gaming and gambling industry, especially users in Southeast Asia and Chinese-speaking communities (China, Hong Kong, Japan, Taiwan, Singapore, the Philippines)

  • Additionally, smaller campaigns have hit sectors like manufacturing, securities, IT services, and education.


🛠️ Tactics, Techniques & Procedures (TTPs)

  1. Watering‑hole & Trojanized installers

    • Fake download sites (e.g., “telegramos[.]org”) distribute malicious installers posing as legitimate apps: Telegram, LetsVPN, WhatsApp.

  2. Double DLL sideloading

    • A multi-stage variant of DLL search-order abuse: a legitimate first-stage application launches a second, equally legitimate application, which in turn sideloads the malicious DLL loader that finally executes the payload. Because both executables in front of the loader are clean, detections that trust a known-good or signed parent process do not fire; the tell is the unsigned DLL sitting beside a legitimate binary in a user-writable directory.

  3. Malware frameworks

    • Utilizes a combination of tools: the Silver Fox, Winos and gh0st RAT families, alongside custom miners, DDoS bots, and remote-control trojans.

  4. Multi-language development

    • Malware written in .NET, C++, Go, and Delphi for flexibility and evasion.

  5. Infrastructure fingerprinting (tracking the operators)

    • Recent OSINT hunts cluster the group's infrastructure by correlating service banner hashes, hosting ASNs, and TLS certificate fingerprints. This is a defender-side pivot for grouping the operators' servers, not a technique the actor uses against victims.
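The following is an added example, not code from the original profile or from any vendor report on this group: a heuristic detector for the side-loading chain described in item 2, run over a constructed, simplified event model (process-create and image-load records in the spirit of Sysmon Event IDs 1 and 7). All paths, PIDs and file names are made up; the rule is generic to DLL side-loading rather than specific to this actor.

```python
"""Heuristic detection of (double) DLL side-loading chains.

Added example, not part of the original profile. Works over a constructed,
simplified event model resembling Sysmon Event IDs 1 (process create) and
7 (image load); all paths, PIDs and file names are made up.
"""
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class ProcessCreate:
    pid: int
    ppid: int
    image: str      # full path of the executable
    signed: bool    # Authenticode signature present and valid


@dataclass(frozen=True)
class ImageLoad:
    pid: int
    module: str     # full path of the loaded DLL
    signed: bool


# Directories a normal user can write to; a legitimate signed binary running
# from here next to an unsigned DLL is the classic side-loading layout.
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "c:\\temp\\")


def _dir(path: str) -> str:
    """Lower-cased parent directory with a trailing backslash for clean prefix tests."""
    return str(PureWindowsPath(path).parent).lower() + "\\"


def sideloads(procs: List[ProcessCreate], loads: List[ImageLoad]) -> List[Tuple[ProcessCreate, ImageLoad]]:
    """Signed process loading an unsigned DLL from its own, user-writable directory."""
    by_pid = {p.pid: p for p in procs}
    hits = []
    for ld in loads:
        proc = by_pid.get(ld.pid)
        if proc is None or ld.signed or not proc.signed:
            continue
        mdir = _dir(ld.module)
        if mdir.startswith(USER_WRITABLE) and mdir == _dir(proc.image):
            hits.append((proc, ld))
    return hits


def launch_chain(proc: ProcessCreate, by_pid: Dict[int, ProcessCreate]) -> List[ProcessCreate]:
    """Walk up the parent chain while each parent is itself a signed binary
    running from a user-writable directory; returned root-first."""
    chain = [proc]
    seen = {proc.pid}
    while True:
        parent = by_pid.get(chain[-1].ppid)
        if (parent is None or parent.pid in seen or not parent.signed
                or not _dir(parent.image).startswith(USER_WRITABLE)):
            break
        seen.add(parent.pid)
        chain.append(parent)
    return chain[::-1]


def report(procs: List[ProcessCreate], loads: List[ImageLoad]) -> List[dict]:
    by_pid = {p.pid: p for p in procs}
    findings = []
    for proc, ld in sideloads(procs, loads):
        chain = launch_chain(proc, by_pid)
        findings.append({
            "chain": [p.image for p in chain],
            "module": ld.module,
            # two or more clean executables in front of the DLL: the "double" pattern
            "double_sideload": len(chain) >= 2,
        })
    return findings


# Constructed sample telemetry (not real incident data).
SAMPLE_PROCS = [
    ProcessCreate(400, 1,   r"C:\Windows\explorer.exe", True),
    ProcessCreate(500, 400, r"C:\Users\victim\Downloads\TelegramSetup\setup.exe", True),   # stage 1: clean app
    ProcessCreate(510, 500, r"C:\Users\victim\AppData\Local\Temp\upd\updater.exe", True),  # stage 2: clean app
    ProcessCreate(530, 400, r"C:\Program Files\Editor\editor.exe", True),
]
SAMPLE_LOADS = [
    ImageLoad(500, r"C:\Windows\System32\kernel32.dll", True),
    ImageLoad(510, r"C:\Users\victim\AppData\Local\Temp\upd\libcurl.dll", False),   # unsigned DLL beside stage 2
    ImageLoad(530, r"C:\Program Files\Editor\plugin.dll", False),                   # unsigned, but not user-writable
]

if __name__ == "__main__":
    for finding in report(SAMPLE_PROCS, SAMPLE_LOADS):
        print(finding)
```

On the sample data only the `updater.exe` load is reported, with a two-element chain (`setup.exe` then `updater.exe`) flagged as the double pattern; the unsigned plugin under Program Files is ignored because that directory is not user-writable. In production the same logic applies to real Sysmon or EDR image-load telemetry, with the user-writable prefix list tuned to the environment.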


🛰️ Operation Focus & Activity

  • First tracked around 2020 by Qi’anxin researchers; major campaigns occurred in May 2022 (“Operation Dragon Breath”).

  • Ongoing activity continues as of June 2025, with fresh campaigns utilizing the Silver Fox trojan targeting gaming and “dog‑pushing” communities.





Primary Names
Void Arachne
 







Copyright 2012 through 2026 - National Cyber Warfare Foundation - All rights reserved worldwide.