MalwareUsed by 1 actor

Heyoka

For your environment

Hunt this family in your stack

Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.

Start free trial

THREAT ACTORS

Groups observed using it

1 distinct threat actor attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.

View more details

Aoqin Dragon

Aoqin Dragon obtained the Heyoka open source exfiltration tool and subsequently modified it for their operations.

via mitre attack websiteattack.mitre.org

MITRE ATT&CK

Techniques & procedures

5 distinct techniques documented for this family, organized by ATT&CK tactic.

Resource Development

1 technique

T1588.002ToolEvidence2

TacticResource Development

The content repeatedly states that threat actors 'obtained,' 'acquired,' or 'used' publicly available, open-source, legitimate, or modified tools such as Mimikatz, Cobalt Strike, PsExec, Empire, Impacket, and many others.

Command and Control

1 technique

T1071.004DNSEvidence1

TacticCommand and Control

Heyoka is an open source exfiltration tool that uses spoofed DNS requests to create a two-way communication tunnel.

Exfiltration

3 techniques

T1041Exfiltration Over C2 ChannelEvidence1

TacticExfiltration

Aoqin Dragon “obtained the Heyoka open source exfiltration tool and subsequently modified it for their operations.”

T1048Exfiltration Over Alternative ProtocolEvidence1

TacticExfiltration

Heyoka is an open source exfiltration tool that uses spoofed DNS requests to create a two-way communication tunnel. Hackers employ Heyoka by copying files from compromised devices

T1567Exfiltration Over Web ServiceEvidence1

TacticExfiltration

Aoqin Dragon modified the Heyoka open source exfiltration tool; Cinnamon Tempest used a keylogger that uploads data to Alibaba cloud storage; Salesforce Data Exfiltration relied on the legitimate Salesforce Data Loader app for data exfiltration.

ACTIVITY FEED

Recent activity

2 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

2 SOURCESView more in app

iicybersecurity wordpressNews

Jun 10, 2022

EDUCATION AND TELECOMMUNICATION ORGANIZATIONS BASED IN SINGAPORE, HONG KONG, VIETNAM, CAMBODIA, AND AUSTRALIA WERE BEING SPIED ON SINCE 2013 " Cyber Security

An open-source exfiltration tool used to copy files from compromised devices via spoofed DNS requests that establish a two-way communication tunnel.

mitre attack websiteNews

Mar 8, 2018

Obtain Capabilities: Tool, Sub-technique T1588.002 - Enterprise | MITRE ATT&CK®

Open source exfiltration tool used to steal data and modified by Aoqin Dragon for operational use.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets match these IOCs, which detections are missing, which campaigns to expect next, and what to do in the next 30 minutes.

Start free trial

IOC matching

Match every observed IP, domain, and hash against your live telemetry.

Threat actor attribution1

Named campaigns wielding this family, with evidence pinned to each claim.

Exploited vulnerabilities

CVEs this family uses for access and lateral movement.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

MITRE ATT&CK mapping5

Every documented technique, ranked by evidence weight.

Researcher chatter

Reddit, Mastodon, and CTI community discussion around this family.