Frequently Asked Questions

Threat Analysis & Operation Dragon Castling

What is Operation Dragon Castling and how does it target betting companies?

Operation Dragon Castling is a malware campaign attributed to an APT group targeting betting companies. The attack exploits a vulnerability in the updater process, allowing attackers to communicate with a malicious server, download and execute arbitrary files, and gain persistence by modifying the HKEY_CURRENT_USER registry key. The campaign uses fake update servers, sideloaded DLLs, privilege escalation (MS17-012), and advanced evasion techniques to maintain control over infected systems. Note: Cymulate provides tools to validate defenses against similar multi-stage attacks, but detailed limitations for this specific APT are not publicly documented; ask sales for specifics.

What techniques does Operation Dragon Castling use to evade detection?

The malware employs several evasion techniques, including sideloading signed binaries, modifying registry keys, using AES-256 encryption, remapping ntdll.dll to bypass security hooks, and checking for security processes like ekrn.exe (ESET Kernel service). It also uses process injection, plugin-based modularity, and persistent C&C communication. Note: Cymulate can simulate and validate defenses against these techniques, but may not cover every variant; consult technical documentation for coverage specifics.

How can betting and gaming companies detect and mitigate threats like Operation Dragon Castling?

Detection and mitigation require monitoring for registry modifications, network traffic anomalies, process injections, and the presence of suspicious binaries or DLL sideloading. Cymulate's Exposure Validation and Threat Studio modules can simulate similar attack chains, validate security controls, and provide actionable remediation guidance. Note: Effectiveness depends on the organization's existing controls and coverage; detailed limitations are not publicly documented; ask sales for specifics.

Features & Capabilities

What features does Cymulate offer for validating defenses against advanced threats?

Cymulate provides Exposure Validation, Auto Mitigation, Continuous Threat Exposure Management (CTEM), Detection Studio, and Threat Studio. These modules automate continuous testing, adapt defenses with automated updates, validate what’s exploitable, and scale offensive testing with custom attacks. Note: Some advanced persistent threat (APT) techniques may require custom scenario development; consult Cymulate's Threat Studio documentation for details.

Which types of threats can Cymulate validate?

Cymulate can validate threats such as malware, phishing, ransomware, advanced persistent threats (APTs), insider threats, network attacks, and web application attacks. The platform simulates diverse attack scenarios to ensure comprehensive security validation. Note: Coverage for highly specialized or novel threats may require custom configuration; see Threat Studio documentation for specifics.

How does Cymulate's Immediate Threats Module help organizations respond to new attacks?

The Immediate Threats Module is updated rapidly to reflect new attacks, allowing organizations to quickly assess their IT estate for risks posed by emerging threats and implement remedial actions promptly. Users have noted the speed and relevance of these updates. Note: Effectiveness depends on the organization's ability to act on the findings; some threats may require additional manual investigation.

Use Cases & Industry Fit

How has Cymulate helped betting and gaming companies improve their security posture?

A UK-based gambling technology company used Cymulate to continuously validate security controls, assess against emerging threats, and prioritize exploitable vulnerabilities. The company moved from infrequent manual penetration tests to proactive identification and mitigation of security gaps, optimized defenses, validated compliance, and ran monthly phishing awareness campaigns. For details, see the gaming security validation case study PDF. Note: Results may vary based on company size and existing security maturity.

What specific Cymulate solutions are relevant for betting and gaming companies facing APT threats?

For organizations in the betting and gaming sector, Cymulate's Breach and Attack Simulation, Threat Studio, and Exposure Validation modules are particularly relevant. These solutions enable continuous validation of controls, custom attack simulation, and rapid assessment of exposure to new threats. Note: Effectiveness depends on integration with existing security tools and processes; detailed limitations are not publicly documented.

Implementation & Ease of Use

How quickly can organizations implement Cymulate to defend against threats like Operation Dragon Castling?

Cymulate is designed for rapid deployment, operating in agentless mode without the need for additional hardware or complex configurations. Users can start running simulations and gaining insights with just a few clicks. Customer feedback highlights ease of use and minimal resources required. Note: Integration with existing security infrastructure may require additional setup for advanced scenarios.

Security, Compliance & Integrations

What security and compliance certifications does Cymulate hold?

Cymulate is SOC2 Type II certified and holds ISO 27001:2013, ISO 27701, ISO 27017, and CSA STAR Level 1 certifications. These cover information security, privacy, cloud security, and compliance with the Cloud Controls Matrix. Note: Certification scope and applicability may vary by deployment; see security overview for details.

What integrations does Cymulate support for security validation?

Cymulate integrates with over 50 security tools, including SIEM platforms (Azure Sentinel, Splunk, CrowdStrike Falcon LogScale), EDR/anti-malware (CrowdStrike Falcon, Carbon Black EDR, Cisco Secure Endpoint), cloud security (AWS GuardDuty, Check Point CloudGuard), web gateways (Cisco Umbrella), vulnerability management (Rapid7 InsightVM), and others like Microsoft Defender, Palo Alto Networks, Wiz, and Zscaler. Note: Integration availability may depend on licensing and platform version; see technology alliances page for full list.

Pricing & Plans

How is Cymulate priced for organizations in the betting and gaming sector?

Cymulate uses a subscription-based pricing model, customized based on the package, number of assets, and selected features. This ensures organizations only pay for the coverage they need. For a tailored quote, schedule a demo with the Cymulate team. Note: Exact pricing is not publicly disclosed; contact sales for specifics.

Competition & Comparison

How does Cymulate compare to AttackIQ for exposure validation?

Cymulate offers AI-driven remediation guidance, a daily-updated attack scenario library, and an AI Copilot for automated test creation. It provides continuous, automated testing and is recognized as a Momentum Leader by G2 and a Customer’s Choice in the 2025 Gartner Peer Insights for Adversarial Exposure Validation. AttackIQ may offer different integrations or workflows. Choose Cymulate for rapid, AI-powered validation; choose AttackIQ if you require features not listed in Cymulate's integration catalog. Note: Cymulate may not support all AttackIQ-specific integrations; verify requirements before selection.

How does Cymulate differ from Mandiant Security Validation?

Cymulate emphasizes AI and automation, rapid deployment, easy integrations, and an intuitive dashboard. It provides a comprehensive attack library with daily updates and actionable remediation guidance. Mandiant Security Validation may offer different reporting or integration options. Choose Cymulate for fast onboarding and AI-powered workflows; choose Mandiant if you require features unique to their ecosystem. Note: Cymulate may not replicate all Mandiant-specific reporting features; confirm with both vendors.

How does Cymulate compare to Pentera for automated security validation?

Cymulate combines breach simulation, automated red teaming, and deep security control integrations. It allows custom attack chains from a library of over 100,000 actions and delivers daily threat updates. Pentera may focus more on automated penetration testing. Choose Cymulate for continuous validation and custom scenario creation; choose Pentera if you require features specific to their platform. Note: Cymulate may not cover all Pentera-specific automation workflows; check feature lists for alignment.

Support & Documentation

Where can I find technical documentation and resources about Cymulate's solutions?

Cymulate provides a resource hub with industry reports, whitepapers, case studies, and technical guides. Key resources include the Threat Studio data sheet and the Detection Engineering Automation Guide. Note: Some resources may require registration or a Cymulate account for access.

Operation Dragon Castling: APT group targeting betting companies

March 30, 2022

When analyzing the binary, analysts discovered a potential security issue that allows an attacker to use the updater to communicate with a server controlled by the attacker. This enables malicious actions on the victim's system, including downloading and running arbitrary executables.

To exploit the vulnerability, a registry key under HKEY_CURRENT_USER needs to be modified. By doing this, an attacker gains persistence on the system and control over the update process.

Fake Update Server and Malicious Binary

In the analyzed case, the malicious binary was downloaded from the domain update.wps[.]cn, a domain belonging to Kingsoft. However, the serving IP (103.140.187.16) has no relationship to the company, leading analysts to assume it is a fake update server used by attackers.

The downloaded binary (setup_CN_2052_11.1.0.8830_PersonalDownload_Triale.exe - B9BEA7D1822D9996E0F04CB5BF5103C48828C5121B82E3EB9860E7C4577E2954) drops two files for sideloading:

  • QMSpeedupRocketTrayInjectHelper64.exe - a signed Tencent Technology file (a3f3bc958107258b3aa6e9e959377dfa607534cc6a426ee8ae193b463483c341)
  • QMSpeedupRocketTrayStub64.dll - a malicious DLL

Malware Execution and Communication with C&C

First Stage: Backdoor Operations

The first stage of the malware is a backdoor communicating with a C&C server (mirrors.centos.8788912[.]com). Before contacting the C&C server, the backdoor performs several preparatory operations:

  • Hooks three functions: GetProcAddress, FreeLibrary, LdrUnloadDll
  • Reads the C&C domain stored as a wide string in clear text in the binary
  • Initializes an object for a JScript class with the named item ScriptHelper
  • Uses the ImpersonateLoggedOnUser API Call to re-use a token from explorer.exe
  • Redirects HKEY_CURRENT_USER to another user’s registry using RegOverridePredefKey
  • Constructs a User-Agent string containing system information

Exfiltration of System Information

The malware exfiltrates the following data:

  • Internet Explorer version
  • Windows version
  • User Agent\Post Platform registry values

Execution of JScript Code

After collecting system information, the malware constructs JScript code for execution:

  • Defines variables for the C&C domain and a hardcoded key
  • Sends an HTTP GET request to /api/connect to receive encrypted JScript code
  • Decrypts and executes the received JScript code

Second Dropper: Privilege Escalation and Payload Execution

Privilege Escalation

The second dropper attempts to escalate privileges using COM Session Moniker Privilege Escalation (MS17-012). The malware uses AES-256 encryption to secure its data:

  • The encryption key starts at offset 0x8
  • The encrypted data starts at offset 0x528
  • Uses SHA256 hashing and CryptDecrypt API for decryption

Once the payloads are decrypted and decompressed, bdservicehost.exe is executed to run the next stage.

Loader (CoreX) DLL: Sideloading and Further Execution

Loader Initialization

The Loader (CoreX) DLL is sideloaded during the second dropper stage and hooks two API functions:

  • GetProcAddress
  • FreeLibrary

Decryption of Embedded Data

The main code checks if it was loaded by regsvr32.exe and then decrypts a file stored as syscfg.dat. The decryption process:

  • Uses the computer name as the key
  • Uses qwertyui12345678 as the IV
  • Employs AES-256 encryption

Evasion and Execution of Shellcode

The malware performs evasive actions:

  • Checks if ekrn.exe (ESET Kernel service) is running
  • Attempts to remap ntdll.dll to bypass security hooks
  • Decompresses and executes shellcode to load the next-stage DLL
  • Enumerates Zw functions to bypass security solutions

Core Module: Malware Operations

Core Module Responsibilities

The core module is a single DLL that handles:

  • Setting up the malware’s working directory
  • Loading configuration files
  • Updating its code
  • Loading plugins
  • Beaconing to C&C servers and waiting for commands

Malware Persistence and Evasion Techniques

The core module:

1. Verifies execution conditions

  • Ensures it is executed by spdlogd.exe
  • Terminates if executed by rundll32.exe

2. Uses message callbacks for execution

  • Creates a window with ID 0x411 for executing functions

3. Loads configuration files

  • Searches for inst.dat and smcache.dat to determine its working directory and C&C details

4. Creates a log file based on the victim’s username and malware campaign ID

Malware Communication with C&C Servers

Initial C&C Contact

The malware sends a base64-encoded LZNT1-compressed buffer to the C&C, containing:

  • Generated UUID
  • Victim’s username, OS version, architecture
  • DNS and BIOS names
  • Campaign identifier from smcache.dat or comment.dat
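The beacon described above can be recovered from a captured web-log body with a small LZNT1 decoder. This is an added example, not code from the analysis or from the malware; the `key=value;...` field layout and the sample values are assumptions, since the page does not give the buffer's exact format.

```python
import base64

def _split(pos):
    """LZNT1 stores a back-reference as 16 bits split between offset and
    length; the split point moves as more bytes of the chunk are emitted."""
    l_mask, o_shift = 0xFFF, 12
    while pos >= 0x10:
        l_mask, o_shift, pos = l_mask >> 1, o_shift - 1, pos >> 1
    return l_mask, o_shift

def lznt1_decompress(buf):
    """Decode LZNT1 (MS-XCA) chunks: literals, overlapping copies, stored chunks."""
    out, i = bytearray(), 0
    while i + 2 <= len(buf):
        hdr = int.from_bytes(buf[i:i + 2], "little"); i += 2
        if hdr == 0:                         # terminating empty header
            break
        end, base = i + (hdr & 0xFFF) + 1, len(out)
        if not hdr & 0x8000:                 # chunk stored uncompressed
            out += buf[i:end]; i = end; continue
        while i < end:
            flags = buf[i]; i += 1           # one flag bit per following token
            for bit in range(8):
                if i >= end:
                    break
                if not flags >> bit & 1:     # literal byte
                    out.append(buf[i]); i += 1; continue
                tok = int.from_bytes(buf[i:i + 2], "little"); i += 2
                l_mask, o_shift = _split(len(out) - base - 1)
                off, length = (tok >> o_shift) + 1, (tok & l_mask) + 3
                for _ in range(length):      # byte-wise copy so off < length overlaps correctly
                    out.append(out[-off])
    return bytes(out)

def decode_beacon(body_b64):
    """Beacon body from a web log -> dict of fields (key=value;... is assumed)."""
    raw = lznt1_decompress(base64.b64decode(body_b64)).decode()
    return dict(kv.split("=", 1) for kv in raw.split(";") if "=" in kv)

# Constructed sample, LZNT1-encoded by hand so the decoder is exercised offline.
SAMPLE_LZNT1 = (
    b"\x29\xb0"                         # header: compressed chunk, 42 body bytes
    + b"\x00" + b"id=7;use"             # flags 0x00: eight literals
    + b"\x00" + b"r=lab;dn"
    + b"\x00" + b"s=LAB-PC"
    + b"\x40" + b";bios=" + b"\x04\x58" + b"o"   # bit 6: 7th token copies "LAB-PC;" from 12 back
    + b"\x00" + b"s=10"
)
SAMPLE_LOG_BODY = base64.b64encode(SAMPLE_LZNT1).decode()
```

The hand-built sample deliberately places the back-reference past the 16th output byte, so the shifted offset/length split is exercised as well as the initial one.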

HTTP Communication Setup

The core module opens two persistent HTTP request handles:

  • POST request: Sends an empty buffer to /connect
  • GET request: Retrieves data from the C&C

Malware Plugins

The core module loads multiple plugins to expand its functionality:

Core Plugin

  • Manages additional plugins
  • Stores plugin binaries as kbg.dat

Zload Plugin (Atomx.dll, xps1.dll)

  • Persistence setup by modifying Windows SSPs
  • Creates a backdoor user account
  • Uses UAC bypass techniques
  • Hides the malware by renaming processes

MecGame Plugin

  • Executes spdlogd.exe
  • Registers an RPC interface for further communication

MulCom Plugin

  • Provides backdoor functionality
  • Communicates over HTTP and TCP protocols
  • Uses RC4 encryption and aPack compression
  • Supports proxy authentication (SOCKS4, SOCKS5, NTLM, etc.)

Conclusion

This malware campaign employs multiple layers of evasion, persistence, and privilege escalation techniques. It leverages malicious updates, sideloaded DLLs, and advanced encryption methods to maintain control over infected systems. Security teams should monitor registry modifications, network traffic anomalies, and process injections to detect and mitigate these threats.
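As an added example, not part of the original analysis, the indicators named on this page (the sideloading pair, the C&C domain and `/connect` endpoints, the fake update server, and the configuration file names) can be turned into simple detection rules and run over log events. The event schema, the file paths and the 203.0.113.10 address are assumptions made for the sample.

```python
import json
from urllib.parse import urlsplit

# Indicators named in the analysis above (defanged brackets removed).
SIDELOAD_PAIR = ("qmspeeduprockettrayinjecthelper64.exe", "qmspeeduprockettraystub64.dll")
C2_HOSTS = {"mirrors.centos.8788912.com"}
C2_PATHS = {"/api/connect", "/connect"}           # lower confidence: hunt, then corroborate
FAKE_UPDATE = ("update.wps.cn", "103.140.187.16")  # legitimate name resolving to an unrelated IP
CONFIG_FILES = {"syscfg.dat", "inst.dat", "smcache.dat", "kbg.dat", "comment.dat"}

def _base(path):
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def classify(ev):
    """Return the rule an event trips, or None. The event shape (type/image/
    dll/url/query/answer/path) is assumed for this example, not a vendor schema."""
    kind = ev.get("type")
    if kind == "image_load" and _base(ev["image"]) == SIDELOAD_PAIR[0] \
            and _base(ev["dll"]) == SIDELOAD_PAIR[1]:
        return "sideload_signed_tencent_helper"
    if kind == "http":
        u = urlsplit(ev["url"])
        if u.hostname in C2_HOSTS:
            return "c2_known_domain"
        if u.path in C2_PATHS:
            return "c2_connect_endpoint"
    if kind == "dns" and (ev["query"], ev["answer"]) == FAKE_UPDATE:
        return "fake_update_server"
    if kind == "file_create" and _base(ev["path"]) in CONFIG_FILES:
        return "dragon_castling_config_file"
    return None

def scan(lines):
    """Run classify over JSON log lines; returns [(line_no, rule), ...]."""
    hits = []
    for n, line in enumerate(lines, 1):
        rule = classify(json.loads(line))
        if rule:
            hits.append((n, rule))
    return hits

# Constructed sample events; the paths and the 203.0.113.10 host are illustrative only.
SAMPLE_LOG = [
    r'{"type":"dns","query":"update.wps.cn","answer":"103.140.187.16"}',
    r'{"type":"image_load","image":"C:\\Temp\\QMSpeedupRocketTrayInjectHelper64.exe","dll":"C:\\Temp\\QMSpeedupRocketTrayStub64.dll"}',
    r'{"type":"image_load","image":"C:\\Windows\\explorer.exe","dll":"C:\\Windows\\System32\\kernel32.dll"}',
    r'{"type":"http","url":"http://mirrors.centos.8788912.com/api/connect"}',
    r'{"type":"file_create","path":"C:\\ProgramData\\svc\\syscfg.dat"}',
    r'{"type":"http","url":"http://203.0.113.10/connect"}',
]
```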