🇨🇳

Pirate Panda

APT Group Information theft and espionage 13 zero-day CVEs ETDA ✓

Also Known As 8 names

BRONZE HOBART Earth Centaur G0081 KeyBoy APT23 Red Orthrus Tropic Trooper APT 23

Target Countries 7

Countries highlighted in red

Hong Kong India Malaysia Philippines Province of China Taiwan United States Vietnam

Sectors Targeted

Construction 23 Healthcare Government High-Tech Transportation Defense

Details

Origin 🇨🇳 CN

Last Updated 31 Oct 2024

Malware Families 3

ccleaner_backdoor

entryshell

win.shadow_rat

MITRE ATT&CK 131

T1003 - OS Credential Dumping T1005 T1007 T1008 - Fallback Channels T1011 T1012 T1016 - System Network Configuration Discovery T1020 T1021 - Remote Services T1027 - Obfuscated Files or Information T1027.003 T1027.013 T1033 - System Owner/User Discovery T1036 - Masquerading T1036.005 T1041 T1046 T1047 - Windows Management Instrumentation T1048 T1049 T1052 T1052.001 T1053 T1055 - Process Injection T1055.001 T1056 - Input Capture T1057 - Process Discovery T1059 - Command and Scripting Interpreter T1059.001 - PowerShell T1059.003 - Windows Command Shell T1059.007 - JavaScript T1060 T1068 - Exploitation for Privilege Escalation T1069 - Permission Groups Discovery T1070 T1070.004 T1071 T1071.001 - Web Protocols T1071.004 T1078 T1078.003 T1081 T1082 - System Information Discovery T1083 - File and Directory Discovery T1085 T1087 T1090 - Proxy T1091 T1095 T1102 - Web Service T1105 - Ingress Tool Transfer T1106 T1110 T1112 T1113 T1114 T1114.001 T1115 - Clipboard Data T1119 T1120 T1124 T1127 T1130 T1132 T1132.001 T1133 T1135 - Network Share Discovery T1136 T1137 T1140 - Deobfuscate/Decode Files or Information T1170 T1176 - Browser Extensions T1189 - Drive-by Compromise T1190 T1203 T1204 - User Execution T1204.002 T1204.003 - Malicious Image T1217 T1218 - Signed Binary Proxy Execution T1221 T1482 - Domain Trust Discovery T1485 T1486 T1489 T1490 - Inhibit System Recovery T1496 - Resource Hijacking T1497 T1497.003 T1498 - Network Denial of Service T1503 T1505 - Server Software Component T1505.003 - Web Shell T1518 T1518.001 - Security Software Discovery T1529 T1530 T1531 - Account Access Removal T1533 - Data from Local System T1539 T1543 T1543.003 - Windows Service T1547 T1547.001 - Registry Run Keys / Startup Folder T1547.004 T1550 T1552 T1553 - Subvert Trust Controls T1555 T1560 T1561 T1562 - Impair Defenses T1562.001 T1564 T1564.001 T1566 - Phishing T1566.001 T1571 T1573 T1573.001 - Symmetric Cryptography T1573.002 T1574 - Hijack Execution Flow T1574.001 - DLL Search Order Hijacking T1574.002 T1583 T1584.006 - Web Services T1587 T1588.002 - Tool T1589 - Gather Victim Identity Information T1595 T1680

Related Zero-Days 13

CVE-2018-0802 CVE-2018-8174 CVE-2019-0708 CVE-2020-1472 CVE-2021-44228 CVE-2022-1040 CVE-2022-26134 CVE-2022-30190 CVE-2022-42475 CVE-2023-36884 CVE-2023-38831 CVE-2025-41244 CVE-2025-49704

Known Names 8 entries

Tropic Trooper Trend Micro

Pirate Panda CrowdStrike

APT 23 Mandiant

Iron Microsoft

KeyBoy Rapid7

Bronze Hobart SecureWorks

Earth Centaur Trend Micro

G0081 MITRE

Observed Target Countries 8

Based on ETDA data — countries highlighted in red

Hong Kong India Malaysia Philippines Taiwan Tibet Vietnam Middle East

Description

Tropic Trooper is an unaffiliated threat group that has led targeted campaigns against targets in Taiwan, the Philippines, and Hong Kong. Tropic Trooper focuses on targeting government, healthcare, transportation, and high-tech industries and has been active since 2011.

Tools Used 15

8.t Dropper ByPassGodzilla China Chopper CREDRIVER fscan KeyBoy Neo-reGeorg PCShare Poison Ivy ShadowPad Winnti Swor Titan USBferry Yahoyah Winsloader

Operations 13

2012 Operation “Tropic Trooper” Taiwan and the Philippines have become the targets of an ongoing campaign called “Operation Tropic Trooper.” Active since 2012, the attackers behind the campaign have set their sights on the Taiwanese government as well as a number of companies in the heavy industry. The same campaign has also targeted key Philippine military agencies. https://www.trendmicro.de/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-tropic-trooper.pdf

2013-06 KeyBoy, Targeted Attacks against Vietnam and India https://blog.rapid7.com/2013/06/07/keyboy-targeted-attacks-against-vietnam-and-india/

2014 New Strategy Tropic Trooper (also known as KeyBoy) levels its campaigns against Taiwanese, Philippine, and Hong Kong targets, focusing on their government, healthcare, transportation, and high-tech industries. https://blog.trendmicro.com/trendlabs-security-intelligence/tropic-trooper-new-strategy/

2014-12 We found that Tropic Trooper’s latest activities center on targeting Taiwanese and the Philippine military’s physically isolated networks through a USBferry attack (the name derived from a sample found in a related research). We also observed targets among military/navy agencies, government institutions, military hospitals, and even a national bank. The group employs USBferry, a USB malware that performs different commands on specific targets, maintains stealth in environments, and steals critical data through USB storage. https://blog.trendmicro.com/trendlabs-security-intelligence/tropic-troopers-back-usbferry-attack-targets-air-gapped-environments/

2015-03 Throughout March to May 2015, our researchers noted that 62% of the Tropic Trooper-related malware infections targeted Taiwanese organizations while the remaining 38% zoned in on Philippine entities. https://blog.trendmicro.com/trendlabs-security-intelligence/operation-tropic-trooper-old-vulnerabilities-still-pack-a-punch/

2016-08 In early August, Unit 42 identified two attacks using similar techniques. The more interesting one was a targeted attack towards the Secretary General of Taiwan’s Government office – Executive Yuan. The Executive Yuan has several individual boards which are formed to enforce different executing functions of the government. The Executive Yuan Council evaluates statutory and budgetary bills and bills concerning martial law, amnesty, declaration of war, conclusion of peace and treaties, and other important affairs. https://unit42.paloaltonetworks.com/unit42-tropic-trooper-targets-taiwanese-government-and-fossil-fuel-provider-with-poison-ivy/

2016-08 KeyBoy and the targeting of the Tibetan Community https://citizenlab.ca/2016/11/parliament-keyboy/

2017-02 The KeyBoys are back in town https://www.pwc.co.uk/issues/cyber-security-data-privacy/research/the-keyboys-are-back-in-town.html

2017 Tropic Trooper goes mobile with Titan surveillanceware The latest threat to follow this trend is Titan, a family of sophisticated Android surveillanceware apps surfaced by Lookout’s automated analysis that, based on command and control infrastructure, is linked to the same actors behind Operation Tropic Trooper. https://blog.lookout.com/titan-mobile-threat

2020 Early Ongoing PIRATE PANDA Operations Using Current Event Themes to DeployPoison Ivy https://www.scribd.com/document/451284814/CrowdStrike-Ongoing-Pirate-Panda-operations-using-current-event-themes

2020-04 The Anomali Threat Research Team detected a spear phishing email targeting government employees in the Municipality of Da Nang, Vietnam. https://www.anomali.com/blog/anomali-suspects-that-china-backed-apt-pirate-panda-may-be-seeking-access-to-vietnam-government-data-center#When:15:00:00Z

2020-07 Collecting In the Dark: Tropic Trooper Targets Transportation and Government https://www.trendmicro.com/en_us/research/21/l/collecting-in-the-dark-tropic-trooper-targets-transportation-and-government-organizations.html

2023-06 Tropic Trooper spies on government entities in the Middle East https://securelist.com/new-tropic-trooper-web-shell-infection/113737/

Reports & References 1

https://blogs.cisco.com/security/scope-of-keyboy-targeted-malware-attacks

ETDA Profile

Tropic Trooper, Pirate Panda, APT 23, KeyBoy

Origin

China

First Seen 2011

Sponsor State-sponsored

Motivation

Information theft and espionage

MITRE ATT&CK Groups

https://attack.mitre.org/groups/G0081/

View on ETDA APT Groups ↗