Summary:
Keypoints:
- Active since 2011, targeting sensitive sectors in East Asia.
- Utilizes spear-phishing campaigns for initial access.
- Employs advanced malware for persistence and data exfiltration.
- Adapts tactics and tools to evade detection.
- Aligns operations with China’s geopolitical interests.
MITRE Techniques
- Initial Access (T1190): Exploit public-facing application.
- Initial Access (T1566.001): Spear Phishing Attachment.
- Execution (T1059.001): Command and Scripting Interpreter: PowerShell.
- Execution (T1059.003): Command and Scripting Interpreter: Windows Command Shell.
- Execution (T1569.002): System Services: Service Execution.
- Persistence (T1543.003): Create or Modify System Process: Windows Service.
- Persistence (T1574.002): Hijack Execution Flow: DLL Side-Loading.
- Persistence (T1505.003): Server Software Component: Web Shell.
- Defense Evasion (T1140): Deobfuscate/Decode Files or Information.
- Defense Evasion (T1070.001): Indicator Removal on Host: Clear Windows Event Logs.
- Defense Evasion (T1027.002): Obfuscated Files or Information: Software Packing.
- Defense Evasion (T1218.011): Signed Binary Proxy Execution: Rundll32.
- Defense Evasion (T1036.005): Masquerading: Match Legitimate Name or Location.
- Credential Access (T1003.001): OS Credential Dumping: LSASS Memory.
- Credential Access (T1552.002): OS Credential Dumping: Credentials in Registry.
- Lateral Movement (T1021.002): Remote Services: SMB/Windows Admin Shares.
- Discovery (T1087.002): Account Discovery: Domain Account.
- Discovery (T1482): Domain Trust Discovery.
- Discovery (T1083): File and Directory Discovery.
- Collection (T1005): Data from Local System.
- Command and Control (T1071.001): Application Layer Protocol: Web Protocols.
- Command and Control (T1095): Non-Application Layer Protocol.
- Command and Control (T1090.001): Proxy: Internal Proxy.
- Exfiltration (T1567.002): Exfiltration to Cloud Storage.
- Exfiltration (T1020): Automated Exfiltration.
- Exfiltration (T1547.001): Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder.
- Exfiltration (T1203): Exploitation for Client Execution.
- Exfiltration (T1564.001): Hide Artifacts: Hidden Files and Directories.
- Exfiltration (T1518.001): Software Discovery.
- Exfiltration (T1082): System Information Discovery.
- Exfiltration (T1016): System Network Configuration Discovery.
- Exfiltration (T1049): System Network Connections Discovery.
- Exfiltration (T1033): System Owner/User Discovery.
- Exfiltration (T1204.002): User Execution: Malicious File.
- Exfiltration (T1078.003): Valid Accounts: Local Accounts.
Tropic Trooper, also known as Pirate Panda and APT 23, is a Chinese state-sponsored cyber threat group that has been active since 2011. Specializing in espionage, the group primarily targets sensitive sectors like government, healthcare, and transportation. Their operations have been focused on areas such as Taiwan, Hong Kong, and the Philippines, where they employ advanced tactics to compromise networks and steal valuable information.
Illustration of Tropic Trooper (Bing AI)
Who is Tropic Trooper?
Tropic Trooper is a cyber espionage group attributed to Chinese state-sponsored activities, primarily active since 2011. The group operates under various names, including Pirate Panda, APT 23, Iron, KeyBoy, Bronze Hobart, Earth Centaur. They are known for their sophisticated techniques and targeted attacks, often focusing on sectors crucial to national interests, such as government, telecommunications, and technology. With a strong emphasis on intelligence gathering, Tropic Trooper utilizes social engineering and advanced malware to infiltrate networks and extract sensitive data. Their operations typically align with the geopolitical interests of China.
Their attacks frequently involve the infiltration of networks through spear-phishing campaigns, which are designed to deceive individuals into providing access to confidential data or systems. Over the years, Tropic Trooper has adapted its tactics, demonstrating a keen ability to innovate and evade detection, which makes them a persistent threat in the cyber landscape. Their targeted approach and technical prowess underscore their significance as a key player among state-sponsored threat actors.
How Does Tropic Trooper Operate?
Initial Access
Tropic Trooper initiates attacks primarily through spear-phishing campaigns, carefully crafted with extensive social engineering to appeal directly to their targets. These emails often contain malicious attachments, such as Microsoft Office files or PDFs, or embed links that, once clicked, lead to websites hosting exploit kits.
Point of entry, a malicious doc (TrendMicro)
They exploit common application vulnerabilities, including those in Microsoft Office, to execute malware payloads that establish a foothold in the victim’s system. Tropic Trooper’s spear-phishing emails are customized, often incorporating language, subject matter, and scenarios relevant to the target’s environment to maximize the chances of engagement. This calculated initial access strategy enables Tropic Trooper to breach networks within government, healthcare, and high-value sectors across Southeast Asia.
Thus, they not only gain access through phishing, but they can also exploit Web server vulnerabilities, especially Exchange Server, and create attack vectors using Webshell.
A malicious module was found inside Umbraco CMS – an open source .NET content management system- on the compromised server (Securelist)
Tools used in 2021 and 2024 attacks in this step:
Fscan: Used for vulnerability scanning, detecting open ports, and available services on target machines. Tropic Trooper also uses an ICMP-based script to identify accessible devices for exploitation.
Swor: Deployed for penetration testing, it facilitates initial access and includes mimikatz and FRP for additional exploitation.
Persistence
Following initial access, Tropic Trooper leverages sophisticated custom malware, including TClient, and Yahoyah ChinaChopper, designed for persistence. These tools allow Tropic Trooper to maintain continuous access to compromised systems, systematically collecting, encrypting, and transmitting sensitive data to their servers over long periods. To avoid detection, they employ advanced obfuscation and encryption techniques, modifying their malware periodically to evade signature-based security measures. This persistent access not only secures a stable position within the network but also supports Tropic Trooper’s broader espionage objectives, allowing them to collect intelligence and track target activity over time.
Malicious function implementing China Chopper registered as a callback function (Securelist)
Tools used:
ChinaChopper: A small but powerful web shell used for persistent access, allowing Tropic Trooper to maintain control even if other tools are detected.
YAHOYAH: Ensures persistence by encrypting its payload, making it harder to detect and allowing the attacker to reload it as needed.
PoisonIvy: Ensures persistence through autostart execution and system modifications that help re-establish access upon reboot.
Privilege Escalation
Once established, Tropic Trooper seeks to elevate its privileges within the infected network. They exploit vulnerabilities in widely used applications or leverage privilege escalation exploits tailored to the target’s system environment. By doing so, they transition from low-level user access to higher-level administrative permissions, granting them enhanced control over critical network resources and security configurations. This escalation allows them to disable security controls selectively and to navigate the environment with greater freedom, ultimately facilitating deeper infiltration and access to high-value data assets.
In one instance in 2024, Kaspersky stated that attackers utilized DLL search-order hijacking to implant backdoor loaders (datast.dll and VERSION.dll). The process involves planting malicious DLLs alongside legitimate executables vulnerable to search-order hijacking, enabling the malicious DLL to load as if it were part of the original program. Once loaded, datast.dll decrypts and executes the shellcode for further malware stages, leveraging functions within a secondary DLL to conceal its activities. The attackers reportedly employed Umbraco web shells to place these malicious files on compromised servers.
Code stub responsible for decrypting the next stage (Securelist)
Tools used:
ShadowPad: Utilized for privilege escalation through dynamic-link library injection, bypassing security controls for enhanced access.
Lateral Movement
Upon achieving elevated privileges, Tropic Trooper initiates lateral movement, systematically navigating the network to extend their reach across interconnected devices and servers. Using reconnaissance tools, they map network topologies, identify accessible resources, and pinpoint potential vulnerabilities in the organization’s infrastructure. They then employ various propagation techniques, including credential harvesting and exploitation of network misconfigurations, to spread to additional systems. By doing so, Tropic Trooper ensures that they retain access to multiple points within the network, allowing them to re-establish connections even if detection efforts uncover some parts of their operation.
Tools used:
Neo-reGeorg: A SOCKS5 proxy tool, allowing Tropic Trooper to pivot across networks and evade network security controls.
FRPC (Fast Reverse Proxy Client): Assists in lateral movement by exposing local servers behind firewalls.
Chisel: Facilitates TCP/UDP tunneling, allowing traffic forwarding across the compromised network.
Data Exfiltration
Data exfiltration is the final objective, as Tropic Trooper systematically targets and extracts classified or strategically valuable information, including government documents, healthcare records, and military data. Once they’ve mapped out the network and identified high-priority assets, they employ data compression, encryption, and stealthy data transfer methods to exfiltrate information undetected. Often, exfiltration is staged to avoid triggering network alarms; Tropic Trooper minimizes data volumes or utilizes obscure channels to avoid standard detection protocols. Through encrypted tunnels, they transfer this intelligence to remote command and control servers, focusing on data that supports their long-term intelligence and espionage goals in political, economic, and security domains.
Tools used:
SharpHound: Maps Active Directory relationships and identifies key systems and paths for further infiltration.
USBferry: Used for network discovery and spreading across devices connected through removable media.
RClone: Syncs files to and from cloud storage for large-scale data exfiltration.
BITSAdmin: Transfers data over alternative protocols like BITS Jobs to avoid detection.
How Have Their Tactics Changed?
After 2020, two comprehensive reports, one from TrendMicro and another from Kaspersky, have been released to the community. The differences in each report’s approach highlight the ongoing evolution of the group’s tactics and strategies. Between 2021 and 2024, Tropic Trooper significantly expanded and evolved its operations. Originally focused on government, healthcare, and high-tech sectors in regions like Taiwan, Hong Kong, and the Philippines, Earth Centaur broadened its geographical and strategic scope by 2023, targeting transportation, governmental agencies, and human rights organizations in Southeast Asia and the Middle East. This shift included a focus on sensitive geopolitical areas and issues, like those involving Middle Eastern governments and human rights organizations linked to ongoing conflicts.
During this period, Tropic Trooper’s tactics also became more sophisticated. They continued using known exploits for entry—particularly in vulnerable Microsoft Exchange and Adobe ColdFusion servers—and employed a revamped set of malware tools. For example, in 2024, they introduced the “Crowdoor” backdoor variant to deliver Cobalt Strike payloads, enabling them to establish persistent access and gather sensitive information covertly. This is alongside the continued use of Quasar RAT, a tool they’d utilized in previous years but with increased efficiency through enhancements like custom decryption algorithms and DLL side-loading.
Their technical approach increasingly mirrors advanced red-teaming techniques, which reflect an evolution toward a more agile, adaptable operation style, enabling them to bypass network security more effectively. Their goals, however, remain consistent with prior espionage-focused activities, with an emphasis on internal data collection from compromised networks for long-term strategic use.
What Are Their Targets?
Tropic Trooper’s attacks are concentrated on highly sensitive sectors, primarily in Southeast Asia. Government institutions, healthcare organizations, and military entities in Taiwan, the Philippines, and Hong Kong have been frequent targets. Their operations focus on accessing data that could provide strategic advantages in political, economic, or military arenas. By compromising governmental networks, Tropic Trooper aims to gather intelligence that informs national security interests, while attacks on healthcare sectors often seek to obtain sensitive personal and medical records, which can further their political or tactical objectives.
Government Institutions
Tropic Trooper’s most common targets are government agencies and ministries. By infiltrating these networks, they gather data that could serve national intelligence or political strategies, focusing on sectors involved in policy-making, economic development, and international relations.
Healthcare and Research Organizations
Healthcare facilities and research centers are targeted for their valuable data on citizens, medical records, and scientific advancements. Tropic Trooper leverages this information to analyze population health data or disrupt public health infrastructure. Attacks on these sectors are often strategic, serving geopolitical or economic motives aligned with the interests of their sponsors.
Military Networks and Infrastructure
The group also has a history of breaching military networks, seeking out plans, defense strategies, and communications data. These intrusions into defense sectors are intended to obtain intelligence on military capabilities, troop movements, and strategic defense postures, providing critical information that could be advantageous in regional security dynamics.
How Organizations Can Defend Against Tropic Trooper
Organizations facing potential threats from Tropic Trooper can employ a comprehensive defense strategy to detect, prevent, and respond to cyber incidents. By implementing the following security measures, companies can strengthen their defenses and reduce the likelihood of compromise:
Enhanced Email Security
Since Tropic Trooper frequently relies on spear-phishing emails to initiate attacks, organizations should implement robust email filtering solutions to detect and block malicious emails. Training employees to recognize phishing attempts and report suspicious emails is essential to prevent initial access.
Access Control and Privileged Account Management
Limiting user privileges based on job roles and implementing Multi-Factor Authentication (MFA) can prevent Tropic Trooper from easily gaining unauthorized access to sensitive systems. Privileged Account Management (PAM) tools can monitor and secure high-level access accounts, reducing the likelihood of lateral movement within the network.
Network Segmentation
To limit the spread of an intrusion, organizations should segment their networks by grouping systems with similar functions together and restricting communication between them. This containment measure can prevent threat actors from easily moving between different network segments, reducing the overall impact of a breach.
Endpoint Detection and Response (EDR)
Deploying advanced EDR solutions on endpoints allows security teams to monitor unusual activity, detect malware, and analyze suspicious files in real time. EDR tools offer insight into endpoint activity, aiding in the early detection of Tropic Trooper’s custom malware and persistence mechanisms.
Regular Patch Management
Organizations should prioritize regular software updates and patches for all systems and applications. Addressing known vulnerabilities can limit potential attack vectors exploited by groups like Tropic Trooper, reducing the risk of exploitation and unauthorized access.
Network Monitoring and Intrusion Detection
Continuous network monitoring and Intrusion Detection Systems (IDS) can help detect and mitigate unauthorized traffic within the organization’s infrastructure. By identifying abnormal traffic patterns or unauthorized access attempts, security teams can respond swiftly to potential threats, reducing the risk of data exfiltration.
Incident Response Plan and Cyber Threat Intelligence (CTI)
Having an incident response plan tailored to Advanced Persistent Threats (APTs) allows security teams to respond effectively if Tropic Trooper infiltrates the network. Cyber threat intelligence (CTI) teams can enhance this plan by staying informed of Tropic Trooper’s latest TTPs, enabling proactive defense and faster identification of attack patterns.
SOCRadar’s Extended Cyber Threat Intelligence (XTI) offers support to organizations combating the evolving threat of threat actors like Troopic Trooper through a suite of advanced cybersecurity tools and services.
SOCRadar’s Operational Intelligence/Threat Actor Intelligence
Summary
Tropic Trooper remains a formidable and adaptive threat, continually targeting sensitive sectors across East Asia with sophisticated techniques and a long history of state-sponsored espionage. Known by various names, including Pirate Panda and APT 23, this group has honed its approach to employ advanced malware, spear-phishing tactics, and lateral movement strategies that enable them to infiltrate and extract valuable information from critical infrastructures. Their operations reflect a strategic focus aligned with China’s geopolitical interests, making them a key player in the cyber threat landscape.
To combat the persistent threat posed by Tropic Trooper, organizations must adopt a comprehensive cybersecurity framework. This should include enhanced email security, strict access controls, network segmentation, and advanced endpoint detection solutions. By fostering a proactive security culture and maintaining an updated incident response plan, organizations can significantly bolster their defenses against the sophisticated tactics employed by Tropic Trooper and similar state-sponsored actors.
MITRE ATT&CK Matrix
| Tactic | ID | Technique |
| Initial Access | T1190 | Exploit public-facing application |
| T1566.001 | Spear Phishing Attachment | |
| Execution | T1059.001 | Command and Scripting Interpreter: PowerShell |
| T1059.003 | Command and Scripting Interpreter: Windows Command Shell | |
| T1569.002 | System Services: Service Execution | |
| Persistence | T1543.003 | Create or Modify System Process: Windows Service |
| T1574.002 | Hijack Execution Flow: DLL Side-Loading | |
| T1505.003 | Server Software Component: Web Shell | |
| Defense Evasion | T1140 | Deobfuscate/Decode Files or Information |
| T1070.001 | Indicator Removal on Host: Clear Windows Event Logs | |
| T1027.002 | Obfuscated Files or Information: Software Packing | |
| T1218.011 | Signed Binary Proxy Execution: Rundll32 | |
| T1036.005 | Masquerading: Match Legitimate Name or Location | |
| Credential Access | T1003.001 | OS Credential Dumping: LSASS Memory |
| T1552.002 | OS Credential Dumping: Credentials in Registry | |
| Lateral Movement | T1021.002 | Remote Services: SMB/Windows Admin Shares |
| Discovery | T1087.002 | Account Discovery: Domain Account |
| T1482 | Domain Trust Discovery | |
| T1083 | File and Directory Discovery | |
| Collection | T1005 | Data from Local System |
| Command and Control | T1071.001 | Application Layer Protocol: Web Protocols |
| T1095 | Non-Application Layer Protocol | |
| T1090.001 | Proxy: Internal Proxy | |
| Exfiltration | T1567.002 | Exfiltration to Cloud Storage |
| T1020 | Automated Exfiltration | |
| T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | |
| T1203 | Exploitation for Client Execution | |
| T1564.001 | Hide Artifacts: Hidden Files and Directories | |
| T1518.001 | Software Discovery | |
| T1082 | System Information Discovery | |
| T1016 | System Network Configuration Discovery | |
| T1049 | System Network Connections Discovery | |
| T1033 | System Owner/User Discovery | |
| T1204.002 | User Execution: Malicious File | |
| T1078.003 | Valid Accounts: Local Accounts |
Sources: [1],[2],[3]
Tools&Software and IoCs
| Tool Name | Purpose | Description |
| Fscan | Vulnerability Scanning | Scans for host status, ports, services, and exploits vulnerabilities. |
| Swor | Penetration Testing | A tool for deploying payloads like mimikatz, designed to evade detection. |
| Neo-reGeorg | Network Pivoting | Open-source SOCKS5 proxy used to pivot and evade security controls. |
| ByPassGodzilla | Web Shell Obfuscation | Encrypts web shells to avoid detection, associated with CVE-2023-26360. |
| SharpHound | Active Directory Discovery | Identifies relationships within an Active Directory environment. |
| FRPC | Intranet Penetration | Fast reverse proxy for exposing local servers behind NAT/firewalls to the internet. |
| Chisel | Intranet Penetration | Facilitates fast TCP/UDP tunneling. |
| RClone | Data Exfiltration | Command-line tool for syncing files with various cloud storage providers. |
| BITSAdmin | Job Management and Exfiltration | Manages BITS jobs for transferring files using unencrypted protocols. |
| KeyBoy | System Control | Uses various methods for executing commands and capturing credentials. |
| PoisonIvy | Remote Access | Provides capabilities for remote control and data exfiltration via various techniques. |
| ShadowPad | Remote Access and Data Exfiltration | A versatile malware with capabilities for communication, data transfer, and persistence. |
| USBferry | Data Gathering and System Discovery | Gathers information from local accounts and can replicate through removable media. |
| YAHOYAH | Data Management | Handles data exfiltration and obfuscation through various protocols. |
For the latest IoCs and YARA / Sigma Rules visit SOCRadar Platform’s Threat Actor Intelligence tab.
Source: Original Post