Finding WyrmSpy and DragonEgg Ties to APT41 in the DNS | WhoisXML API

It is not unusual for threat groups to survive, and even continue to thrive, despite the capture and incarceration of some of their members, sometimes even their leaders. APT41 can be considered proof of that.[1]

Lookout researchers believe that APT41, responsible for numerous targeted attacks since at least 2012,[2] was recently spotted distributing two mobile spyware families, WyrmSpy and DragonEgg, to further its cyber espionage activities. A total of 12 IoCs, five for WyrmSpy and seven for DragonEgg, have been made public and attributed to the APT group.

WhoisXML API sought to determine ties between APT41 and the WyrmSpy and DragonEgg campaigns with the aid of comprehensive DNS intelligence. We also identified other artifacts that could be connected to the recently discovered mobile spying campaigns, including:

  • Eight WyrmSpy string-connected domains
  • One additional IP address to which a DragonEgg IoC domain resolved, which turned out to be malicious based on a malware check
  • 94 DragonEgg IP-connected domains
  • 3,085 DragonEgg string-connected domains, 14 of which turned out to be malicious based on a bulk malware check
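The artifact categories above (string-connected domains, IP-connected domains found by resolving IoC domains, and a malware check over the results) describe a standard DNS pivoting workflow. The script below is an added, offline model of that workflow and is not WhoisXML API's own code or tooling; it does not call any WhoisXML API product. Every IoC, IP address, passive DNS row, candidate domain and verdict in it is constructed for the example, and the search strings used for the string pivot (the family names) are an assumption, since the page does not say which strings the report searched for.

```python
"""Offline model of the DNS pivots listed above: string-connected domains,
IP-connected domains via passive DNS resolution, and a malware (reputation)
check over the results. All indicators below are constructed placeholders."""
import ipaddress
from collections import defaultdict

# Constructed seed IoCs (placeholders, not the 12 published indicators).
WYRMSPY_IOCS = ["wyrm-example.test", "wyrmcloud-example.test"]
DRAGONEGG_IOCS = ["dragonegg-example.test", "egg-cdn-example.test", "203.0.113.10"]

# Constructed passive DNS snapshot: (domain, resolved IP, last_seen).
PASSIVE_DNS = [
    ("dragonegg-example.test", "203.0.113.10", "2023-07-01"),
    ("egg-cdn-example.test", "203.0.113.11", "2023-07-02"),
    ("wyrm-example.test", "198.51.100.5", "2023-06-30"),
    ("other-tenant.test", "203.0.113.10", "2023-07-03"),
    ("shop-updates.test", "203.0.113.11", "2023-06-15"),
    ("benign-blog.test", "192.0.2.77", "2023-07-01"),
]

# Constructed reputation verdicts standing in for a bulk malware check.
MALWARE_VERDICTS = {"other-tenant.test": "malicious", "203.0.113.11": "malicious"}

# Constructed candidate pool (e.g. a newly registered domain feed).
CANDIDATE_DOMAINS = [
    "wyrmspy-update.test", "mywyrm.test", "dragoneggpro.test",
    "eggdragon.test", "unrelated.test", "wyrm-example.test",
]


def split_iocs(iocs):
    """Separate domain IoCs from IP-address IoCs."""
    domains, ips = [], []
    for ioc in iocs:
        try:
            ipaddress.ip_address(ioc)
            ips.append(ioc)
        except ValueError:
            domains.append(ioc.lower())
    return domains, ips


def string_connected(search_strings, candidates, exclude):
    """Candidate domains containing any search string, minus known IoCs."""
    hits = set()
    for dom in candidates:
        low = dom.lower()
        if low not in exclude and any(s in low for s in search_strings):
            hits.add(low)
    return sorted(hits)


def resolve_iocs(domains, pdns):
    """IP addresses the IoC domains resolved to in the passive DNS snapshot."""
    return sorted({ip for dom, ip, _ in pdns if dom in domains})


def ip_connected(ips, pdns, exclude):
    """Other domains that resolved to the given IPs (reverse IP pivot)."""
    by_ip = defaultdict(set)
    for dom, ip, _ in pdns:
        by_ip[ip].add(dom)
    return sorted({d for ip in ips for d in by_ip[ip] if d not in exclude})


def malware_check(artifacts, verdicts):
    """Subset of artifacts the reputation source flags as malicious."""
    return sorted(a for a in artifacts if verdicts.get(a) == "malicious")


def expand(iocs, search_strings, pdns, candidates, verdicts):
    """Run all three pivots from a seed IoC list and return the expansion."""
    domains, ips = split_iocs(iocs)
    seed = set(domains)
    resolved = resolve_iocs(seed, pdns)
    new_ips = [ip for ip in resolved if ip not in ips]      # IPs not already IoCs
    all_ips = sorted(set(ips) | set(resolved))
    ip_conn = ip_connected(all_ips, pdns, seed)
    str_conn = string_connected(search_strings, candidates, seed)
    return {
        "new_ips": new_ips,
        "new_ips_malicious": malware_check(new_ips, verdicts),
        "ip_connected": ip_conn,
        "ip_connected_malicious": malware_check(ip_conn, verdicts),
        "string_connected": str_conn,
        "string_connected_malicious": malware_check(str_conn, verdicts),
    }


if __name__ == "__main__":
    for name, iocs, strings in (("WyrmSpy", WYRMSPY_IOCS, ["wyrm"]),
                                ("DragonEgg", DRAGONEGG_IOCS, ["dragonegg"])):
        print(name, expand(iocs, strings, PASSIVE_DNS, CANDIDATE_DOMAINS, MALWARE_VERDICTS))
```

The reverse IP pivot deliberately returns every co-hosted domain, including tenants that merely share an address with an IoC, which is why a reputation check over the expanded set is a triage signal and not attribution on its own; the string pivot likewise matches generic spellings, so its hits should be reviewed against registration and resolution history before being treated as campaign infrastructure.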

Download a sample of the threat research materials now or contact us to access the complete set of research materials.

  • [1] https://www.lookout.com/threat-intelligence/article/wyrmspy-dragonegg-surveillanceware-apt41
  • [2] https://malpedia.caad.fkie.fraunhofer.de/actor/apt41