Group description: Tropic Trooper
Tropic Trooper, Pirate Panda, KeyBoy, Group G0081 | MITRE ATT&CK®
Tropic Trooper
Tropic Trooper is an unaffiliated threat group that has led targeted campaigns in Taiwan, the Philippines, and Hong Kong. Tropic Trooper focuses on targeting government, healthcare, transportation, and high-tech industries and has been active since 2011. [1] [2] [3]
ID: G0081
Associated Groups: Pirate Panda, KeyBoy
Contributors: Edward Millington
Version: 1.6
Created: 29 January 2019
Last Modified: 21 October 2025
Associated Group Descriptions

| Name | Description |
|---|---|
| Pirate Panda | [4] |
| KeyBoy | [2] [1] |
Techniques Used

| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1071.001 | Application Layer Protocol: Web Protocols | Tropic Trooper has used HTTP in communication with the C2. [5] [3] |
| Enterprise | T1071.004 | Application Layer Protocol: DNS | Tropic Trooper's backdoor has communicated with the C2 over the DNS protocol. [3] |
| Enterprise | T1119 | Automated Collection | Tropic Trooper has collected information automatically using its USBferry attack. [3] |
| Enterprise | T1020 | Automated Exfiltration | Tropic Trooper has used a copy function to automatically exfiltrate sensitive data from air-gapped systems using USB storage. [3] |
| Enterprise | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | Tropic Trooper has created shortcuts in the Startup folder to establish persistence. [5] [3] |
| Enterprise | T1547.004 | Boot or Logon Autostart Execution: Winlogon Helper DLL | Tropic Trooper has created the Registry key HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell and set its value to establish persistence. [2] [3] |
| Enterprise | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | Tropic Trooper has used Windows command scripts. [3] |
| Enterprise | T1543.003 | Create or Modify System Process: Windows Service | Tropic Trooper has installed a service pointing to a malicious DLL dropped to disk. [6] |
| Enterprise | T1132.001 | Data Encoding: Standard Encoding | Tropic Trooper has used base64 encoding to hide command strings delivered from the C2. [3] |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | Tropic Trooper used shellcode with an XOR algorithm to decrypt a payload. Tropic Trooper also decrypted image files which contained a payload. [2] [3] |
| Enterprise | T1573 | Encrypted Channel | Tropic Trooper has encrypted traffic with the C2 to prevent network detection. [3] |
| Enterprise | T1573.002 | Encrypted Channel: Asymmetric Cryptography | Tropic Trooper has used SSL to connect to C2 servers. [1] [3] |
| Enterprise | T1052.001 | Exfiltration Over Physical Medium: Exfiltration over USB | Tropic Trooper has exfiltrated data using USB storage devices. [3] |
| Enterprise | T1203 | Exploitation for Client Execution | Tropic Trooper has executed commands through Microsoft security vulnerabilities, including CVE-2017-11882, CVE-2018-0802, and CVE-2012-0158. [1] [2] |
| Enterprise | T1083 | File and Directory Discovery | Tropic Trooper has monitored files' modified time. [3] |
| Enterprise | T1564.001 | Hide Artifacts: Hidden Files and Directories | Tropic Trooper has created hidden directories under C:\ProgramData\Apple\Updates\ and C:\Users\Public\Documents\Flash\. [1] [3] |
| Enterprise | T1574.001 | Hijack Execution Flow: DLL | Tropic Trooper has been known to side-load DLLs using a valid version of a Windows Address Book and Windows Defender executable with one of their tools. [7] [5] |
| Enterprise | T1070.004 | Indicator Removal: File Deletion | Tropic Trooper has deleted dropper files on an infected system using command scripts. [3] |
| Enterprise | T1105 | Ingress Tool Transfer | Tropic Trooper has used a delivered trojan to download additional files. [3] |
| Enterprise | T1680 | Local Storage Discovery | Tropic Trooper has detected a target system's system volume information. [8] [3] |
| Enterprise | T1036.005 | Masquerading: Match Legitimate Resource Name or Location | Tropic Trooper has hidden payloads in Flash directories and fake installer files. [3] |
| Enterprise | T1106 | Native API | Tropic Trooper has used multiple Windows APIs including HttpInitialize, HttpCreateHttpHandle, and HttpAddUrl. [3] |
| Enterprise | T1046 | Network Service Discovery | Tropic Trooper used pr and an openly available tool to scan for open ports on target systems. [8] [3] |
| Enterprise | T1135 | Network Share Discovery | Tropic Trooper used netview to scan target systems for shared resources. [8] |
| Enterprise | T1027.003 | Obfuscated Files or Information: Steganography | Tropic Trooper has used JPG files with encrypted payloads to mask their backdoor routines and evade detection. [3] |
| Enterprise | T1027.013 | Obfuscated Files or Information: Encrypted/Encoded File | Tropic Trooper has encrypted configuration files. [1] [3] |
| Enterprise | T1566.001 | Phishing: Spearphishing Attachment | Tropic Trooper sent spearphishing emails that contained malicious Microsoft Office and fake installer file attachments. [2] [8] [9] [5] [3] |
| Enterprise | T1057 | Process Discovery | Tropic Trooper is capable of enumerating the running processes on the system using pslist. [2] [3] |
| Enterprise | T1055.001 | Process Injection: Dynamic-link Library Injection | Tropic Trooper has injected a DLL backdoor into dllhost.exe and svchost.exe. [1] [3] |
| Enterprise | T1091 | Replication Through Removable Media | Tropic Trooper has attempted to transfer USBferry from an infected USB device by copying an Autorun function to the target machine. [3] |
| Enterprise | T1505.003 | Server Software Component: Web Shell | Tropic Trooper has started a web service on the target host that waits for the adversary to connect, acting as a web shell. [3] |
| Enterprise | T1518 | Software Discovery | Tropic Trooper's backdoor could list the infected system's installed software. [3] |
| Enterprise | T1518.001 | Software Discovery: Security Software Discovery | Tropic Trooper can search for anti-virus software running on the system. [2] |
| Enterprise | T1082 | System Information Discovery | Tropic Trooper has detected a target system's OS version. [8] [3] |
| Enterprise | T1016 | System Network Configuration Discovery | Tropic Trooper has used scripts to collect the host's network topology. [3] |
| Enterprise | T1049 | System Network Connections Discovery | Tropic Trooper has tested whether the localhost network is available, along with other connection capability, on an infected system using command scripts. [3] |
| Enterprise | T1033 | System Owner/User Discovery | Tropic Trooper used letmein to scan for saved usernames on the target system. [8] |
| Enterprise | T1221 | Template Injection | Tropic Trooper delivered malicious documents with the XLSX extension, typically used by OpenXML documents, but the file itself was actually an OLE (XLS) document. [2] |
| Enterprise | T1204.002 | User Execution: Malicious File | Tropic Trooper has lured victims into executing malware via malicious e-mail attachments. [5] |
| Enterprise | T1078.003 | Valid Accounts: Local Accounts | Tropic Trooper has used known administrator account credentials to execute the backdoor directly. [3] |
Software

| ID | Name | References | Techniques |
|---|---|---|---|
| S0190 | BITSAdmin | [1] | BITS Jobs, Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol, Ingress Tool Transfer, Lateral Tool Transfer |
| S0387 | KeyBoy | [2] [9] | Boot or Logon Autostart Execution: Winlogon Helper DLL, Command and Scripting Interpreter: Python, Command and Scripting Interpreter: Visual Basic, Command and Scripting Interpreter: PowerShell, Command and Scripting Interpreter: Windows Command Shell, Create or Modify System Process: Windows Service, Credentials from Password Stores: Credentials from Web Browsers, Data Obfuscation: Protocol or Service Impersonation, File and Directory Discovery, Hide Artifacts: Hidden Window, Indicator Removal: Timestomp, Ingress Tool Transfer, Input Capture: Keylogging, Inter-Process Communication: Dynamic Data Exchange, Obfuscated Files or Information: Encrypted/Encoded File, Screen Capture, System Information Discovery, System Network Configuration Discovery |
| S0012 | PoisonIvy | [2] | Application Window Discovery, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution: Active Setup, Command and Scripting Interpreter: Windows Command Shell, Create or Modify System Process: Windows Service, Data from Local System, Data Staged: Local Data Staging, Encrypted Channel: Symmetric Cryptography, Execution Guardrails: Mutual Exclusion, Ingress Tool Transfer, Input Capture: Keylogging, Modify Registry, Obfuscated Files or Information, Process Injection: Dynamic-link Library Injection, Rootkit |
| S0596 | ShadowPad | [10] | Application Layer Protocol: DNS, Application Layer Protocol: File Transfer Protocols, Application Layer Protocol: Web Protocols, Data Encoding: Non-Standard Encoding, Deobfuscate/Decode Files or Information, Dynamic Resolution: Domain Generation Algorithms, Indicator Removal, Ingress Tool Transfer, Local Storage Discovery, Modify Registry, Non-Application Layer Protocol, Obfuscated Files or Information: Fileless Storage, Obfuscated Files or Information, Process Discovery, Process Injection, Process Injection: Dynamic-link Library Injection, Scheduled Transfer, System Information Discovery, System Network Configuration Discovery, System Owner/User Discovery, System Time Discovery |
| S0452 | USBferry | [3] | Account Discovery: Local Account, Command and Scripting Interpreter: Windows Command Shell, Data from Local System, File and Directory Discovery, Peripheral Device Discovery, Process Discovery, Remote System Discovery, Replication Through Removable Media, System Binary Proxy Execution: Rundll32, System Network Configuration Discovery, System Network Connections Discovery |
| S0388 | YAHOYAH | [8] | Application Layer Protocol: Web Protocols, Deobfuscate/Decode Files or Information, Ingress Tool Transfer, Obfuscated Files or Information: Encrypted/Encoded File, Software Discovery: Security Software Discovery, System Information Discovery |
References

[1] Horejsi, J., et al. (2018, March 14). Tropic Trooper's New Strategy. Retrieved November 9, 2018.
[2] Ray, V. (2016, November 22). Tropic Trooper Targets Taiwanese Government and Fossil Fuel Provider With Poison Ivy. Retrieved November 9, 2018.
[3] Chen, J. (2020, May 12). Tropic Trooper's Back: USBferry Attack Targets Air-gapped Environments. Retrieved May 20, 2020.
[4] Busselen, M. (2020, April 7). On-demand Webcast: CrowdStrike Experts on COVID-19 Cybersecurity Challenges and Recommendations. Retrieved May 20, 2020.
[5] Moore, S., et al. (2020, April 30). Anomali Suspects that China-Backed APT Pirate Panda May Be Seeking Access to Vietnam Government Data Center. Retrieved May 19, 2020.
[6] Parys, B. (2017, February 11). The KeyBoys are back in town. Retrieved June 13, 2019.
[7] Hulcoop, A., et al. (2016, November 17). It's Parliamentary: KeyBoy and the targeting of the Tibetan Community. Retrieved June 13, 2019.
[8] Alintanahin, K. (2015). Operation Tropic Trooper: Relying on Tried-and-Tested Flaws to Infiltrate Secret Keepers. Retrieved June 14, 2019.
[9] Alexander, G., et al. (2018, August 8). Familiar Feeling: A Malware Campaign Targeting the Tibetan Diaspora Resurfaces. Retrieved June 17, 2019.
[10] Insikt Group. (2021, February 28). China-Linked Group RedEcho Targets the Indian Power Sector Amid Heightened Border Tensions. Retrieved March 22, 2021.