KeyBoy

Malware Profile Updated 13 days ago
KeyBoy is a Windows backdoor primarily linked to TA413, a Chinese state-sponsored cyber espionage group that has historically targeted Tibetan entities. Its capabilities include screen grabbing, determining the host's public (WAN) IP address, gathering extended system information, launching an interactive shell for the operator, downloading and uploading files, and using custom SSL libraries to mask command-and-control (C2) traffic.

Persistence is achieved through the Winlogon\Shell registry value, which is set when the dropper calls the Install export of the KeyBoy DLL; on a stock Windows host that value names only explorer.exe, so any additional program listed there deserves a closer look. The dropper writes the KeyBoy configuration file to disk as %localappdata%\cfs.dat, the same behaviour seen in earlier samples. Both details are documented in Citizen Lab's report on the targeting of the Tibetan community.

Correlations between TA413 and publicly reported Tropic Trooper activity (Tropic Trooper is also tracked as KeyBoy or Pirate Panda) suggest some degree of operational overlap between the two clusters. Tropic Trooper has been known to run campaigns against Taiwanese, Philippine and Hong Kong targets in the government, healthcare, transportation and high-tech sectors. KeyBoy has additionally been associated with groups such as Tick, Tonto Team, IceFog and TA428, which are now believed to use the ShadowPad tool.

KeyBoy appears to be the product of a development cycle iterated only as much as necessary to keep the implant alive against antivirus detection and basic security controls: the multiple versions that have been analysed differ mainly in how they avoid basic antivirus detection. As of the most recent observation (February), KeyBoy, together with the Tropic Trooper activity also tracked as APT23 or Pirate Panda, continues to pose a significant threat.
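The two host artifacts the profile names, the Winlogon Shell value and %localappdata%\cfs.dat, are the ones a responder would check first. The triage helper below is an added example written for this page, not code from the profile or from any of the cited reports. It assumes the Shell value(s) and a file listing have already been collected from the host (for instance from a forensic export); the SAMPLE_HOST layout and every value in it are constructed for the example. Winlogon treats the Shell value as a comma-separated list of programs, so a hijack typically keeps explorer.exe and adds a loader beside it; the check therefore splits the list and reports every entry that is not explorer.exe rather than comparing the whole string.

```python
import re
from pathlib import PureWindowsPath

# Artifacts named in the KeyBoy profile. The Shell value lives under this key
# (an HKCU copy overrides the HKLM one per user); a stock Windows host sets it
# to "explorer.exe".
WINLOGON_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
EXPECTED_SHELL = "explorer.exe"
CONFIG_NAME = "cfs.dat"  # written to %LOCALAPPDATA% by the KeyBoy dropper


def split_shell_value(value):
    """Return the executable names listed in a Winlogon Shell value.

    Winlogon treats the value as a comma-separated list of programs. Each
    entry may be a bare name, a full path, or a quoted path followed by
    arguments; only the executable's file name is returned, lower-cased.
    """
    names = []
    for raw in value.split(","):
        raw = raw.strip()
        if not raw:
            continue
        # Quoted program path, or the first whitespace-delimited token.
        m = re.match(r'"([^"]+)"|(\S+)', raw)
        program = m.group(1) or m.group(2)
        names.append(PureWindowsPath(program).name.lower())
    return names


def shell_hijack_findings(value):
    """Programs in the Shell value other than explorer.exe (empty if clean)."""
    return [n for n in split_shell_value(value) if n != EXPECTED_SHELL]


def config_file_findings(paths):
    """Paths that match <profile>\\AppData\\Local\\cfs.dat, case-insensitively."""
    hits = []
    for p in paths:
        wp = PureWindowsPath(p)
        parents = [part.lower() for part in wp.parts[:-1]]
        if wp.name.lower() == CONFIG_NAME and parents[-2:] == ["appdata", "local"]:
            hits.append(p)
    return hits


def triage(host):
    """Run both checks over one host's collected artifacts.

    `host` is a dict holding the collected Shell values (one per hive) and
    the file paths gathered from the user profiles. This layout is an
    assumption of the example, not a format any tool emits.
    """
    findings = []
    for hive, value in host["winlogon_shell"].items():
        for prog in shell_hijack_findings(value):
            findings.append(f"{hive}\\{WINLOGON_KEY}\\Shell starts {prog}")
    for path in config_file_findings(host["files"]):
        findings.append(f"KeyBoy-style config present: {path}")
    return findings


# Constructed sample: a clean machine-wide value and a hijacked per-user one.
SAMPLE_HOST = {
    "winlogon_shell": {
        "HKLM": "explorer.exe",
        "HKCU": r'explorer.exe,"C:\Users\alice\AppData\Local\Temp\upd.exe" /s',
    },
    "files": [
        r"C:\Users\alice\AppData\Local\cfs.dat",
        r"C:\Users\alice\AppData\Roaming\cfs.dat",         # wrong folder: not flagged
        r"C:\Users\bob\AppData\Local\Microsoft\cfs.dat",   # nested: not flagged
    ],
}

if __name__ == "__main__":
    for line in triage(SAMPLE_HOST):
        print(line)
```

On the constructed sample the helper reports the HKCU Shell entry for upd.exe and the cfs.dat under alice's Local AppData, and stays silent on the Roaming and nested copies. A file named cfs.dat is a weak indicator on its own; the report's value is the pairing with a modified Shell value, and either hit should be followed by pulling the named executable and DLL for analysis.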
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
Tropic Trooper (2 votes)
Tropic Trooper, a threat actor with suspected ties to China, has been identified as a significant cybersecurity concern. Its activities date back to at least 2013, when Trend Micro noted similarities between the encoding algorithms used by Tropic Trooper's malware and the KeyBoy versions from that year.
Source Document References
Information about the KeyBoy malware was read from the documents below.
Source (created at): Title
MITRE (a year ago): It's Parliamentary: KeyBoy and the targeting of the Tibetan Community - The Citizen Lab
MITRE (5 months ago): The KeyBoys are back in town
MITRE (a year ago): Tropic Trooper's New Strategy
Recorded Future (a year ago): Chinese State-Sponsored Group TA413 Adopts New Capabilities in Pursuit of Tibetan Targets | Recorded Future
MITRE (a year ago): Exchange servers under siege from at least 10 APT groups | WeLiveSecurity
MITRE (a year ago): Covid-19 Cybersecurity Challenges & Recommendations | CrowdStrike