KeyBoy

Malware Profile Updated 3 months ago
KeyBoy is a Windows malware family primarily linked to the cyber-espionage group TA413, which has historically targeted Tibetan entities. The implant provides screen grabbing, discovery of the victim's public (WAN) IP address, extended system-information gathering, an interactive shell for remote command execution, file download and upload, and a custom SSL implementation used to mask its command-and-control (C2) traffic.

Persistence is achieved through the Winlogon\Shell registry key, which the dropper sets by calling the Install export of the KeyBoy DLL. The dropper also writes the implant's configuration file to disk as %localappdata%\cfs.dat, matching the behaviour of earlier samples.

KeyBoy appears to be the product of a development cycle that is iterated only as much as necessary to keep the implant ahead of antivirus detection and basic security controls. The multiple versions that have been analyzed differ mainly in how they evade basic antivirus detection rather than in new capabilities.

Attribution and naming overlap. Correlations have been observed between TA413 and publicly reported Tropic Trooper activity, suggesting some degree of operational overlap between the two clusters; Tropic Trooper is itself also tracked as KeyBoy or Pirate Panda, so the malware name doubles as a group alias. Tropic Trooper has been known to run campaigns against Taiwanese, Philippine, and Hong Kong targets in the government, healthcare, transportation, and high-tech sectors. KeyBoy has additionally been associated with Tick, Tonto Team, IceFog, and TA428, groups now believed to use the ShadowPad backdoor. As of the last observation recorded here (February; the year is not given), the actor tracked as KeyBoy, APT23, or Pirate Panda remained an active threat.
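The persistence and configuration behaviour described above gives a defender two concrete host artifacts to hunt for. The following Python script is an added example, not code from the original page or from any vendor report: it runs a simple detection over constructed, Sysmon-shaped event records (Event ID 13 registry value set, Event ID 11 file create) and flags a Winlogon\Shell value that launches anything beyond the default explorer.exe, as well as the creation of cfs.dat under a user's AppData\Local. The user name, SID, dropper name and DLL path in the sample events are invented; only the Install export and the cfs.dat file name come from the profile text.

```python
import re

# Constructed sample events shaped after Sysmon fields (EventID 13 = registry
# value set, EventID 11 = file create). They are invented for this example and
# were not captured from a real KeyBoy infection; the user name, SID, dropper
# name and DLL path are hypothetical.
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": r"C:\Windows\explorer.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell",
     "Details": "explorer.exe"},                                   # default value, benign
    {"EventID": 13, "Image": r"C:\Users\alice\AppData\Local\Temp\dropper.exe",
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell",
     "Details": r"explorer.exe, rundll32.exe C:\Users\alice\AppData\Local\svc.dll,Install"},  # hypothetical KeyBoy-style entry
    {"EventID": 11, "Image": r"C:\Users\alice\AppData\Local\Temp\dropper.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Local\cfs.dat"},    # config file named in the profile
    {"EventID": 13, "Image": r"C:\Windows\System32\svchost.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Run\OneDrive",
     "Details": r"C:\Program Files\OneDrive\OneDrive.exe"},        # unrelated autorun, ignored
]

# Match the Shell value under either the machine (HKLM) or a user (HKU\<SID>) Winlogon key.
WINLOGON_SHELL = re.compile(r"\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell$", re.IGNORECASE)
# %localappdata% expands to <profile>\AppData\Local, so match that suffix for any user.
CFS_DAT = re.compile(r"\\AppData\\Local\\cfs\.dat$", re.IGNORECASE)


def shell_value_is_benign(details: str) -> bool:
    """The Shell value is a comma-separated list of programs Winlogon starts at logon.
    Only the bare default, explorer.exe, is treated as benign; any extra entry is a
    second shell launched every time the user logs on."""
    entries = [e.strip().lower() for e in details.split(",") if e.strip()]
    return entries == ["explorer.exe"]


def detect_keyboy_persistence(events):
    """Return (rule, process, evidence) tuples for events matching the two KeyBoy
    host artifacts described in the profile."""
    findings = []
    for ev in events:
        eid = ev.get("EventID")
        if eid == 13 and WINLOGON_SHELL.search(ev.get("TargetObject", "")):
            details = ev.get("Details", "")
            if not shell_value_is_benign(details):
                findings.append(("winlogon_shell_persistence", ev.get("Image", "?"), details))
        elif eid == 11 and CFS_DAT.search(ev.get("TargetFilename", "")):
            findings.append(("keyboy_config_dropped", ev.get("Image", "?"), ev["TargetFilename"]))
    return findings


if __name__ == "__main__":
    for rule, image, evidence in detect_keyboy_persistence(SAMPLE_EVENTS):
        print(f"{rule}: {image} -> {evidence}")
```

Two caveats apply in practice. Sysmon only emits Event ID 13 for keys its configuration includes, so confirm that the Winlogon key is covered before relying on the rule, and baseline any hosts (kiosks, custom shells) where a non-default Shell value is legitimate. The comma split also breaks the rundll32 "dll,export" pair into two entries, which does not matter here because only the exact default value is accepted as benign.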
Possible Aliases / Cluster overlaps
It is hard to track cluster overlaps and naming conventions between vendors, so the following overlapping names and profiles may also be worth reviewing.
Tropic Trooper (2 votes): Tropic Trooper, a threat actor with suspected ties to China, has been identified as a significant cybersecurity concern. Their activities date back to at least 2013, when Trend Micro noted similarities in the encoding algorithms used by Tropic Trooper's malware and the KeyBoy versions from that year

Tonto Team (1 vote): Tonto Team is a Chinese government-aligned Advanced Persistent Threat (APT) group, recognized for its malicious cyber activities. The team has been active for over a decade, utilizing various types of malware, notably the Bisonal and ShadowPad backdoors, in campaigns against entities in Japan, Russi

Tick (1 vote): Tick is a threat actor, also known as BRONZE BUTLER, that likely originates from the People's Republic of China. Secureworks® incident responders and Counter Threat Unit™ (CTU) researchers have been investigating activities associated with this group. Tick has deployed various tools and malware fami

APT23 (1 vote): APT23, also known as PIRATE PANDA, KeyBoy and Tropic Trooper, is a threat actor suspected to be attributed to China. This group has been observed targeting the media and government sectors in the U.S. and the Philippines, with their operations primarily focusing on the theft of politically and milit

Pirate Panda (1 vote): Pirate Panda, also known as Tropic Trooper or KeyBoy, is a threat actor primarily involved in targeting Tibetan entities. As a threat actor, Pirate Panda represents a human entity, potentially a single individual, a private company, or a government organization, that executes actions with malicious

TA413 (1 vote): TA413, also known as LuckyCat, is a threat actor suspected of conducting cyber espionage on behalf of the Chinese state. In the first half of 2022, TA413 targeted Tibetan individuals, organizations, and the exiled Tibetan government. The group exploited a now-patched zero-day vulnerability in the So
Miscellaneous Associations
Other contextual elements that could aid in assessing relevance: Malware, Backdoor, Exploit, Decoy, Antivirus, Implant, Payload, Espionage, Exploits, Dropper, Windows
Associated Malware
ShadowPad (type: Unspecified, 1 vote): ShadowPad is a modular backdoor malware that has been utilized by several Chinese threat groups since at least 2017. Notably, it was used as the payload in supply chain attacks targeting South Asian governments, as reported in the VB2023 paper. ShadowPad provides near-administrative capabilities in
Associated Threat Actors
No associations to display
Associated Vulnerabilities
No associations to display
Source Document References
Information about the KeyBoy malware was read from the documents below (source, age of entry, title):
MITRE (7 months ago): The KeyBoys are back in town
MITRE (a year ago): Covid-19 Cybersecurity Challenges & Recommendations | CrowdStrike
MITRE (a year ago): Tropic Trooper's New Strategy
MITRE (a year ago): Exchange servers under siege from at least 10 APT groups | WeLiveSecurity
MITRE (a year ago): It's Parliamentary: KeyBoy and the targeting of the Tibetan Community - The Citizen Lab
Recorded Future (a year ago): Chinese State-Sponsored Group TA413 Adopts New Capabilities in Pursuit of Tibetan Targets | Recorded Future