    Tropic Trooper APT Takes Aim at Home Routers, Japanese Targets

By admin, April 24, 2026
BLACK HAT ASIA – Singapore – The China-linked advanced persistent threat (APT) known as Tropic Trooper appears to be changing up its tactics, techniques, and procedures (TTPs), with an unusual targeted intrusion that ran through a victim's compromised home Wi-Fi router.

Tropic Trooper (aka Pirate Panda, KeyBoy, APT23, Bronze Hobart, and Earth Centaur) has been active since at least 2011. The group historically spies on government, military, healthcare, transportation, and high-tech organizations in Taiwan, the Philippines, and Hong Kong, and researchers recently also found a single campaign in the Middle East. Its latest efforts, however, are aimed at specific individuals in Japan, Taiwan, and South Korea, with Japan and South Korea being new geographies for the group, according to recent analysis, indicating an expansion not just of its operational modus operandi but also of its victim profile.

    According to threat researchers at Japan-based security firm Itochu Cyber & Intelligence, one of the hallmarks of the group is a penchant for using unconventional intrusion vectors, such as physically deploying fake Wi-Fi access points in targeted offices; it’s also known for the rapid adoption of novel and open source malware, making it difficult for researchers to keep up with its evolution. That’s held true in its most recent campaigns too, where Itochu and Zscaler investigations have uncovered a variety of creative approaches and new malware elements within its attack chain.   

    Cyber Compromise via Home Wi-Fi Router

In a session this week at Black Hat Asia in Singapore entitled "Tropic Trooper Reloaded: Unraveling the Invisible Supply Chain Mystery," Itochu researchers Suguru Ishimaru and Satoshi Kamekawa detailed a supply chain compromise in which malware was delivered through what seemed like ghostly activity: there was no indication of where it originated.

    “We found a complex infection chain delivering a Cobalt Strike beacon that uses a watermark (520), which Tropic Trooper has used since 2024; so, it can be used as an identifier for the group’s activity,” explained Ishimaru, from the stage. “But it was a supply chain mystery — the victim appeared to have downloaded a legitimate executable (youdaodict.exe) to update a well-known dictionary app, and there were two very small files in the downloaded update, including a very suspicious .xml file [that was the source of the infection]. We were unsure though of how the update had been compromised in the first place.”

    A follow-up investigation indicated that unauthorized changes had been made to the target’s home router, resulting in the malware infection.

    “One year later, the same host was compromised again, with the same infection routine, so we resumed the investigation, and found there to be tampering with the DNS for the software update,” Ishimaru explained. “There was the legitimate domain and executable, but the actual IP was changed. Where was the DNS hijacking happening? We traced it back to the victim’s home router, which was compromised, and the DNS settings were overwritten to point to an attacker’s server in an ‘evil twin’ attack.”

    It shows that Tropic Trooper is interested in targeting personal devices outside of the office environment, he added, which layers on a new risk profile for the APT. However, that was just the tip of the proverbial iceberg when it comes to the APT mixing up its strategy.

    Tropic Trooper: An Evolving Malware Toolset for Cyberespionage

The investigation bore additional fruit, according to Itochu's Kamekawa.

    “We hunted for artifacts and discovered an exposed Amazon S3 bucket containing 48 files with new malware sets and phishing pages that mimicked authentication pages for Signal and other apps,” he explained during the session. “It’s clear that Tropic Trooper is targeting high-profile individuals with tailored decoy files in Japan, Taiwan, and South Korea; these are new targets showing they’re expanding their operations scope.”

    Since the APT sometimes reuses IP addresses and file names, the research team brute-forced the command-and-control (C2) file names, and it eventually uncovered fresh malware families lurking inside the group’s cyberattack arsenal. 

"In all, we obtained five different .dat files, which were encrypted payloads," Kamekawa explained. "We decrypted these and found new malware, including DaveShell and Donut loader, which are two open source loaders being observed for the first time in Tropic Trooper activity; Merlin Agent and Apollo Agent, which are Go-based remote access Trojans (RATs) that are among the agents of the Mythic open source C2 framework; and C6DOOR, a simple [custom] backdoor compiled with Go."

In addition, Tropic Trooper is still using its older, known tools, including the EntryShell backdoor, heavily obfuscated variants of the Xiangoop loader (a distinctive, custom malware family), and the aforementioned watermarked Cobalt Strike beacon.
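The Cobalt Strike watermark that Itochu uses as a tracking identifier lives in the beacon's embedded configuration: a sequence of big-endian (index, type, length, value) settings, XOR-encoded with a single byte (0x69 for Cobalt Strike 4.x, 0x2E for 3.x), in which the watermark is setting index 37, a 4-byte integer. The following is an added example, not code from Itochu or the article, that builds a constructed config in that format, buries it in a blob as a dumped beacon would, and recovers the watermark so it can be matched against the group's known value of 520. The C2 host and the other setting values are made up.

```python
"""Recover the watermark from a Cobalt Strike Beacon configuration.

Added example, not Itochu's or the article's code. Beacon stores its config
as big-endian (index, type, length, value) settings, XOR-encoded with a
single byte (0x69 in 4.x, 0x2E in 3.x). The watermark is setting 37, a
4-byte integer. The C2 host and other values below are constructed.
"""
import struct

XOR_KEYS = (0x69, 0x2E)          # CS 4.x, CS 3.x
WATERMARK_INDEX = 37
MAX_CONFIG_LEN = 4096
# Every decoded config begins with setting 1 (BeaconType, short, length 2)
CONFIG_START = struct.pack(">HHH", 1, 1, 2)


def xor(data, key):
    return bytes(b ^ key for b in data)


def build_config(settings):
    """Serialise (index, type, value) triples: type 1 = short, 2 = int, 3 = bytes."""
    out = b""
    for idx, typ, val in settings:
        if typ == 1:
            data = struct.pack(">H", val)
        elif typ == 2:
            data = struct.pack(">I", val)
        else:
            data = val
        out += struct.pack(">HHH", idx, typ, len(data)) + data
    return out


def parse_settings(decoded):
    """Walk decoded settings until the zero padding or a malformed entry."""
    settings = {}
    off = 0
    while off + 6 <= len(decoded):
        idx, typ, length = struct.unpack_from(">HHH", decoded, off)
        off += 6
        if idx == 0 or typ not in (1, 2, 3) or off + length > len(decoded):
            break
        raw = decoded[off:off + length]
        off += length
        if typ == 1 and length == 2:
            settings[idx] = struct.unpack(">H", raw)[0]
        elif typ == 2 and length == 4:
            settings[idx] = struct.unpack(">I", raw)[0]
        else:
            settings[idx] = raw
    return settings


def find_watermark(blob):
    """Scan a dump or file for an encoded config; return (watermark, key) or None."""
    for key in XOR_KEYS:
        pos = blob.find(xor(CONFIG_START, key))   # encoded form of the config start
        if pos == -1:
            continue
        settings = parse_settings(xor(blob[pos:pos + MAX_CONFIG_LEN], key))
        if WATERMARK_INDEX in settings:
            return settings[WATERMARK_INDEX], key
    return None


# Constructed sample: a 4.x-style config (HTTP beacon, port 443, 60 s sleep,
# made-up C2 host, watermark 520) encoded with 0x69 and buried in junk bytes.
SAMPLE_CONFIG = build_config([
    (1, 1, 0),                                   # BeaconType: HTTP
    (2, 1, 443),                                 # Port
    (3, 2, 60000),                               # SleepTime (ms)
    (8, 3, b"c2.example.invalid,/api/v1\x00"),   # C2Server (assumed value)
    (WATERMARK_INDEX, 2, 520),
])
SAMPLE_BLOB = b"\xcc" * 64 + xor(SAMPLE_CONFIG + b"\x00" * 64, 0x69) + b"\xcc" * 64

if __name__ == "__main__":
    print(find_watermark(SAMPLE_BLOB))   # (520, 105)
```

On a real sample, feed `find_watermark` the bytes of the beacon DLL, stageless executable or a memory dump of the infected process; a watermark of 520 is then one indicator to correlate with the rest of the chain, not an attribution on its own, since watermarks belong to licences that can be leaked or shared.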

Meanwhile, Zscaler ThreatLabz has also been tracking the group's latest activity, and this week detailed its discovery of a malicious ZIP archive containing military-themed document lures. These, dovetailing with Itochu's findings, targeted Chinese-speaking individuals in Japan and South Korea. The campaign that ThreatLabz researchers observed used a trojanized SumatraPDF binary to deploy an AdaptixC2 beacon and, ultimately, VS Code on targeted machines.

    In all, it’s clear that Tropic Trooper continues to iterate its toolset at a rapid pace, and is casting a wider net geographically, meaning that organizations in the region need to be on their toes. The Zscaler blog includes a long list of indicators of compromise (IoCs) to monitor for the activity.  

    “Based on our 2025 investigation, several new malware families, toolsets, and notable artifacts, including decoys were identified, providing fresh insight into the group’s expanding geographic footprint and targeted industries,” Itochu researchers explained in their supporting materials for the Black Hat Asia session. “Recent activity has revealed a marked shift toward open source-based tools within the infection chain. These findings highlight a rapid change in the actor’s tooling strategy, demonstrating its ability to pivot quickly and overhaul their methods within a short period of time.”
