Threat Actor Profile: Double Dragon
Double Dragon, also known as APT41, Winnti, or Barium, is a Chinese threat actor known for conducting a mixture of state-sponsored espionage and financially motivated cybercrime. The Advanced Persistent Threat (APT) group is linked to China's People's Liberation Army (PLA), and although the true nature of this relationship cannot be verified, researchers have speculated that Double Dragon acts as a contract organisation tasked with advancing China's goals through stealthy, persistent cyber campaigns.
The group is best known for its relentless, profit-driven schemes against the video game industry, highly targeted espionage campaigns against Chinese adversaries, and a string of sophisticated supply chain attacks that have impacted organisations across the world. This page provides an overview of the group's history and preferred tactics, and looks ahead to how this persistent threat actor may evolve in the years to come.
- Aliases: APT41, Double Dragon, Blackfly, Grayfly, LEAD, BARIUM, WICKED SPIDER, WICKED PANDA, BRONZE ATLAS, Earth Baku, Amoeba, HOODOO, Brass Typhoon
- Strategic motives: Espionage, Information Theft, Financial
- Affiliation: Chinese People's Liberation Army
- Cyber capabilities: ★★★★☆
- Target sectors: Government, Healthcare, High Tech, Media, Energy, Telecommunications, Video Games, Cryptocurrency, Dissidents
- Observed countries: Australia, Bahrain, Belarus, Brazil, Canada, Chile, China, Denmark, Finland, France, Georgia, Germany, Hong Kong, India, Indonesia, Italy, Japan, Malaysia, Mexico, Myanmar, Netherlands, Pakistan, Peru, Philippines, Poland, Qatar, Russia, Saudi Arabia, Singapore, South Africa, South Korea, Sri Lanka, Sweden, Switzerland, Taiwan, Thailand, Turkey, United Arab Emirates, United Kingdom, United States, Vietnam
Origins, Motivations & Targets
Origins
The origins of Double Dragon trace back to the Network Crack Program Hacker group (NCPH), a Chinese entity linked to various for-hire cyber operations between 2006 and 2012. The NCPH was founded by Tan Dailin, also known as Wicked Rose, after he was scouted by the PLA's Sichuan Military Command Communication Department while studying at university. Following intensive state-sponsored training, Dailin transitioned into the role of a hacker for hire and worked with at least three other individuals to conduct cyber operations on behalf of NCPH clients. The group was observed carrying out multiple zero-day attacks against US and Japanese entities by exploiting vulnerabilities in Microsoft Office products, as well as breaching the US Department of Defense (DoD) and the Pentagon several times in 2006. During this time, NCPH members frequently detailed their activities on personal websites and in blog posts. This stopped in 2007, after which the group moved further underground. By 2012, the NCPH's tactics, techniques and procedures (TTPs) had begun to overlap with other observed TTPs, prompting researchers to start tracking this new cluster as Double Dragon. Since then, Double Dragon has grown into one of the most prolific and versatile threat actors in operation today.
Motivations
Double Dragon splits its time between state-sponsored espionage, likely on behalf of the PLA, and financially motivated cybercrime. This dual-purpose approach is uncommon among Chinese threat actors, who are typically tracked as operating in one space or the other. However, Double Dragon displays impressive versatility, with operations ranging from stealing video game currency to pulling off complex supply chain attacks involving high-profile targets. The group has been able to balance both objectives since about 2014. Because of its unusual structure, some experts have speculated that Double Dragon operates as a legitimate contracting company, possibly composed of multiple teams with different goals. Clear links have been made between Double Dragon and the company Chengdu Si Lingsi (404) Network Technology, commonly referred to as Chengdu 404. Established in 2014, Chengdu 404 claimed to provide white hat hacking and technology services to international clients. It is believed that the company was used as a front for Double Dragon, facilitating access to intellectual property and sensitive information under the guise of legitimate activities.
Double Dragon's observed operating hours also support the idea of the group as a contract organisation. Research by Mandiant indicates that Double Dragon typically conducts state-sponsored espionage during normal work hours (the 996 schedule typical of Chinese tech workers), while the group's financially motivated intrusions tend to occur much later at night. The observed pattern might suggest the existence of two separate teams, one tasked with espionage and one with turning a profit, or that Double Dragon approaches cybercrime in a more ad-hoc manner, viewing it as a side business that can be done outside of work hours. Without any further information available, it is only possible to speculate on the group's structure and true motivations.
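The operating-hours argument above is the kind of analysis a defender can reproduce from their own incident timeline. The following script is an added illustration, not code from Hunt & Hackett or from the Mandiant research cited: it converts event timestamps to China Standard Time, buckets each one as falling inside or outside a 996-style working week (09:00 to 21:00, Monday to Saturday), and tallies the result per campaign type. The timestamps and the "espionage"/"financial" labels are constructed sample data, and the 996 window is an assumption chosen to match the text; swap in first-seen times from real telemetry and adjust the window to test the two-teams hypothesis on your own data.

```python
from datetime import datetime, timedelta, timezone

# China Standard Time is a fixed UTC+8 offset with no daylight saving, so a
# plain timezone object is enough and avoids a zoneinfo dependency.
CST = timezone(timedelta(hours=8), name="CST")

# Constructed sample events: (UTC timestamp, campaign type). Not real
# telemetry; they stand in for first-seen times from an incident timeline.
SAMPLE_EVENTS = [
    ("2020-03-02T02:15:00Z", "espionage"),   # 10:15 CST, Monday
    ("2020-03-02T06:40:00Z", "espionage"),   # 14:40 CST, Monday
    ("2020-03-03T11:05:00Z", "espionage"),   # 19:05 CST, Tuesday
    ("2020-03-07T08:30:00Z", "espionage"),   # 16:30 CST, Saturday
    ("2020-03-02T16:20:00Z", "financial"),   # 00:20 CST, Tuesday
    ("2020-03-03T18:45:00Z", "financial"),   # 02:45 CST, Wednesday
    ("2020-03-05T17:10:00Z", "financial"),   # 01:10 CST, Friday
    ("2020-03-08T05:00:00Z", "financial"),   # 13:00 CST, Sunday (not a 996 day)
]


def to_cst(iso_utc: str) -> datetime:
    """Parse an ISO-8601 UTC timestamp (trailing 'Z') and convert it to CST."""
    return datetime.fromisoformat(iso_utc.replace("Z", "+00:00")).astimezone(CST)


def is_996_hours(local: datetime) -> bool:
    """True if the local time falls within 09:00-21:00, Monday to Saturday.

    The 996 window is an assumption modelled on the schedule mentioned in the
    text; weekday() returns 0 for Monday and 6 for Sunday.
    """
    return local.weekday() < 6 and 9 <= local.hour < 21


def activity_profile(events):
    """Count work-hours vs off-hours activity per campaign type.

    Returns {campaign_type: {"work_hours": n, "off_hours": m}} with both keys
    always present so the shape is stable for downstream reporting.
    """
    profile = {}
    for iso_utc, kind in events:
        bucket = "work_hours" if is_996_hours(to_cst(iso_utc)) else "off_hours"
        profile.setdefault(kind, {"work_hours": 0, "off_hours": 0})[bucket] += 1
    return profile


if __name__ == "__main__":
    for kind, counts in activity_profile(SAMPLE_EVENTS).items():
        print(f"{kind:10s} work_hours={counts['work_hours']} "
              f"off_hours={counts['off_hours']}")
```

A profile in which one label clusters inside the working week while the other clusters in the small hours is consistent with the pattern Mandiant describes; a single label spread across both buckets would weaken the case for separate teams. The sample data is deliberately clean, so expect real timelines to be noisier.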
Targets
Double Dragon has been observed targeting businesses in a wide range of sectors across the world, as well as a selection of political and military organisations. It has launched cyberattacks against entities in more than 20 countries, including but not limited to: the United States, Japan, Taiwan, India, Thailand, China, Hong Kong, Mongolia, Indonesia, Vietnam, Bangladesh, Ireland, Brunei, Australia, Canada, France, and the United Kingdom. The group's targeting tends to differ quite significantly depending on the purpose of the operation, be that state-sponsored espionage or profit-driven cybercrime.
Unsurprisingly, clear links can be made between Double Dragon's state-sponsored campaigns and CCP policy decisions. Since 1953, the CCP has issued a series of Five-Year Plans, which encompass a range of social and economic development initiatives. China's 13th and 14th Five-Year Plans (2016-2025) set targets for the domestic expansion of multiple sectors, including pharmaceuticals, biomedical devices, and high-tech. This coincided with Double Dragon attacks targeting the healthcare, medical research, and high-tech sectors. The group's activities also appear to be broadly aligned with the Made in China 2025 policy and the Belt and Road Initiative. These policies aim to increase China's geopolitical influence by strengthening its economy, reinforcing its military, and reducing its reliance on Western imports. Double Dragon is one of several Chinese threat actors working covertly to support these objectives. The group has targeted a diverse array of sectors across the world and is most often leveraged for strategic intelligence gathering. The group is believed to use its global network of compromised systems as a "dragnet for information" that may be of interest to the CCP. Recent trends show an increase in the targeting of foreign states' critical infrastructure, raising questions over Double Dragon's ability to impact national security.
Looking at Double Dragon's financially motivated hacking, the number of target industries shrinks considerably. Since its founding, the group has relentlessly targeted the video game sector, engaging in a range of activities that includes manipulating virtual currency, deploying ransomware, and infiltrating game production environments. Many of these activities, such as manipulating or stealing in-game currency, display a clear financial motive. However, the line between the group's profit-driven and state-sponsored operations becomes blurry when considering the full spectrum of its activities against the video game sector. On multiple occasions, Double Dragon has been observed infiltrating game production environments and leveraging this access to inject malicious code into legitimate files for later distribution. These actions lack an immediate financial incentive and can instead be viewed as broadly malicious activities intended to support future campaigns. It appears that Double Dragon's experience of accessing game production environments has actively supported the group's state-sponsored work, allowing it to develop the TTPs that would be used in later supply chain compromises. Similarly, the line between Double Dragon's state-sponsored and financially motivated operations blurs when looking at the tools it uses. Notably, the group has been observed using non-public malware, associated with multiple China-nexus threat actors, in operations that seem to fall outside the scope of its state-sponsored campaigns. This raises questions about the CCP's tacit support for Double Dragon's (seemingly) profit-driven targeting of the video game sector. Why would the CCP tolerate activities with an explicit financial motive, which draw increased scrutiny to the group? Further, why would the CCP tolerate the use of malware that is typically reserved for espionage in operations that appear to be for personal gain?
Hunt & Hackett believes this surprising duality highlights the group's strategic importance to the Chinese state. Double Dragon is an extremely resourceful threat actor characterised by high levels of innovation and a willingness to adapt its techniques until its objectives are met. Our observations suggest that Double Dragon may use the video game sector as an innovation sandbox, so to speak, where it can sharpen its tools for later use in state-sponsored campaigns. From the perspective of the CCP, the benefits of these operations likely outweigh the risks associated with the group's explicitly profit-driven activities. As noted by Mandiant researchers, the unusual relationship between Double Dragon and the CCP underscores a "blurred line between state power and crime that lies at the heart of threat ecosystems."
SWOT analysis
Strengths, weaknesses, opportunities & threats
Strengths
- Well resourced due to state support and for-profit activities
- Access to a diverse range of tools and malware
- Financially motivated operations appear to be tolerated by the Chinese government
Weaknesses
- Double Dragon has come under increased scrutiny from researchers and law enforcement in recent years, particularly after targeting US state governments and the critical national infrastructure of Asian states
Opportunities
- Double Dragon has proven its capabilities when it comes to creating custom tools and malware
- Advancements in AI and other emerging technologies allow Double Dragon to increase the sophistication of its attacks
Threats
- International legal action (as in the case of US indictments)
- Possibility of action from the Chinese government in relation to use of espionage-associated malware in profit-driven operations
Double Dragon in the Netherlands
In 2020, researchers uncovered a campaign where more than 50 computers had been infected with ShadowPad malware, later attributing the attack to Double Dragon. A Dutch audit firm was among the targeted organisations, in addition to companies based in Russia, Germany and the US. Further details about this case have not been publicly disclosed, and it is unclear why this company was targeted.
Although we have limited information concerning the group's operations in the Netherlands, we do know that Dutch organisations are frequently targeted for intellectual property, trade secrets, R&D and other sensitive information that might benefit the threat actor or the relevant nation state. China actively uses cyberspace to advance its ambitions of strengthening its global power, by focusing on (military) modernisation, economic growth, domestic stability and territorial integrity. Because the Netherlands is known for having a high degree of technological innovation and a strong economy, Dutch enterprises are seen as attractive targets. This was demonstrated by a report published on February 6, 2024, by the Dutch Military Intelligence and Security Service (MIVD) and the General Intelligence and Security Service (AIVD) about a new type of malware found on a network of the Dutch armed forces. They assessed with high confidence that the malware, named COATHANGER, was installed by a state-sponsored actor from China, who was found spying on an unclassified military R&D unit. This case was viewed as part of a wider trend of Chinese political espionage in the Netherlands. To learn more about China's cyber campaigns against the Netherlands, read Hunt & Hackett's China threat profile.
Trends
In recent years, Double Dragon has become the target of international legal action. In August 2019 and August 2020, a US court issued two separate indictments against five suspected members of the group (Zhang Haoran, Tan Dailin, Qian Chuan, Fu Qiang, and Jiang Lizhi) on various charges, including unauthorised access to protected computers, aggravated identity theft, money laundering, and wire fraud. The charges stemmed from multiple campaigns that enabled the theft of source code, code signing certificates, customer account data, and sensitive business information. Shortly after, an additional indictment was issued for two Malaysian businessmen who were accused of conspiring with Double Dragon to sell stolen virtual currency on an underground market. They were arrested in Sitiawan in September 2020. Although these indictments are unlikely to result in the arrest of any Double Dragon members, given their protection from the Chinese state, it will be interesting to see how future legal actions against the group take shape.
Taking a broader view, it is interesting to note the steady evolution in the tactics employed by Chinese APTs since the 2010s. Chinese espionage operations have become increasingly sophisticated and stealthy, with threat actors often evading detection for long periods and adapting their techniques as time goes on. Researchers have observed an increasing tendency to use living-off-the-land (LOTL) techniques, software supply chain compromise, and modular malware. Additionally, zero-day exploitation by Chinese APTs has increasingly focused on security, networking, and virtualisation technologies, as targeting these Internet-facing devices provides tactical advantages for obtaining and maintaining covert access to victim networks. This was seen in the case of a Chinese threat actor targeting the Dutch armed forces, where a firewall solution (FortiGate) was exploited before the COATHANGER malware was installed. These general trends align with Hunt & Hackett's analysis of Double Dragon's evolution and modus operandi.