Tropic Trooper

Threat Actor Profile Updated 3 months ago
Tropic Trooper is a threat actor with suspected ties to China that has been identified as a significant cybersecurity concern. Its activity dates back to at least 2013, when Trend Micro noted similarities between the encoding algorithms used by Tropic Trooper's malware and the KeyBoy versions from that year. A deep analysis of its 2023 activity unveiled the use of the Xiangoop Loader and the EntryShell payload, as outlined in a VB2023 paper. There was also observable infrastructure overlap between Tropic Trooper and TA413 campaigns, suggesting shared capabilities or infrastructure pipelines and possibly indicating that TA413 is a subset of wider Tropic Trooper activity.

The group has targeted various sectors across different geographical locations, demonstrating a wide range of interests and capabilities. It has notably targeted manufacturing companies and the semiconductor industry in Taiwan, as well as Taiwanese financial institutions. Other targets include an African stock exchange, a bank in Central Asia, a German financial company, and a government finance department in the Americas. Sekoia.io observed sustained targeting of Taiwan originating from China, including by Tropic Trooper, with upticks directly related to political events such as the visit of the Speaker of the U.S. House of Representatives to Taiwan in August 2022.

In addition to traditional cyber-espionage techniques, Tropic Trooper has adopted innovative approaches to network communication. Notably, the group has leveraged the MQTT protocol, commonly used in Internet of Things (IoT) technology, to communicate with its command-and-control servers. This anonymization technique was identified by Sekoia.io analysts and is shared with other China-nexus intrusion sets such as Mustang Panda. Given the group's history, evolving tactics, and widespread targeting, Tropic Trooper remains a significant cybersecurity concern.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
ID | Votes | Profile description
KeyBoy | 2 | KeyBoy is a malicious software (malware) primarily linked to the cyber espionage group known as TA413, which has historically targeted Tibetan entities. The malware is designed with an array of functionalities that allow it to infiltrate and exploit computer systems, including screen grabbing, deter
Apt23 | 1 | APT23, also known as PIRATE PANDA, KeyBoy and Tropic Trooper, is a threat actor suspected to be attributed to China. This group has been observed targeting the media and government sectors in the U.S. and the Philippines, with their operations primarily focusing on the theft of politically and milit
Mustang Panda | 1 | Mustang Panda, also known as Bronze President, Nomad Panda, Naikon, Earth Preta, and Stately Taurus, is a Chinese-aligned threat actor that has been associated with widespread attacks against various countries in the Asia-Pacific region. The group's malicious activities were first traced back to Mar
Ta413 | 1 | TA413, also known as LuckyCat, is a threat actor suspected of conducting cyber espionage on behalf of the Chinese state. In the first half of 2022, TA413 targeted Tibetan individuals, organizations, and the exiled Tibetan government. The group exploited a now-patched zero-day vulnerability in the So
Pirate Panda | 1 | Pirate Panda, also known as Tropic Trooper or Keyboy, is a threat actor primarily involved in targeting Tibetan entities. As a threat actor, Pirate Panda represents a human entity, potentially a single individual, a private company, or a government organization, that executes actions with malicious
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Malware
Espionage
Backdoor
Chinese
China
Loader
Payload
Exploit
Associated Malware
ID | Type | Votes | Profile description
Lucky Mouse | Unspecified | 1 | Lucky Mouse, also known as Emissary Panda, APT27, Threat Group 3390, Bronze Union, and several other names, is a malicious software (malware) attributed to a China-linked Advanced Persistent Threat (APT) group. This malware has been active since at least 2013, targeting various industry verticals fo
Associated Threat Actors
ID | Type | Votes | Profile description
Ke3chang | Unspecified | 1 | Ke3chang, also known as APT15, Mirage, Vixen Panda GREF, and Playful Dragon, is a prominent threat actor that has been active since at least 2010. According to the European Union Agency for Cybersecurity (ENISA), this group has consistently targeted energy, government, and military sectors. Ke3chang
APT41 | Unspecified | 1 | APT41, also known as Winnti, Wicked Panda, and Wicked Spider, is a sophisticated threat actor attributed to China. This group has been active since at least 2012, targeting organizations across 14 countries. The group is known for its extensive use of various code families and tools, with at least 4
GALLIUM | Unspecified | 1 | Gallium, also known as Alloy Taurus, is a China-aligned threat actor known for executing actions with malicious intent in the cyber domain. In recent years, Gallium has been associated with various significant cyber-espionage campaigns. The group targeted telecommunication entities in the Middle Eas
Luckycat | Unspecified | 1 | LuckyCat, also known as TA413, is a threat actor with a history of malicious cyber activities. This group has been consistently targeting Tibetan entities, including individuals, organizations, and the exiled Tibetan government. Its activities have been linked to the use of ExileRAT and LuckyCat And
Associated Vulnerabilities
No associations to display.
Source Document References
Information about the Tropic Trooper threat actor was read from the document corpus below. This display is limited to 20 results.
Source | Created at | Title
CERT-EU | 9 months ago | Virus Bulletin :: Teasing the secrets from threat actors: malware configuration extractors
CERT-EU | 10 months ago | My Tea's not cold : an overview of China's cyber threat – Global Security Mag Online
MITRE | a year ago | Covid-19 Cybersecurity Challenges & Recommendations | CrowdStrike
MITRE | a year ago | Tropic Trooper’s New Strategy
MITRE | a year ago | Tropic Trooper Targets Taiwanese Government and Fossil Fuel Provider With Poison Ivy
MITRE | a year ago | It’s Parliamentary: KeyBoy and the targeting of the Tibetan Community - The Citizen Lab
Recorded Future | a year ago | Chinese State-Sponsored Group TA413 Adopts New Capabilities in Pursuit of Tibetan Targets | Recorded Future