{
	"id": "d7c49b64-fff9-48ec-a615-b487c70b0170",
	"created_at": "2026-04-06T00:18:19.509658Z",
	"updated_at": "2026-04-10T03:33:20.141857Z",
	"deleted_at": null,
	"sha1_hash": "370a70e1f811565efc1f649b56d7ab5e684a06bb",
	"title": "Tropic Trooper, Pirate Panda, APT 23, KeyBoy",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 67832,
	"plain_text": "Tropic Trooper, Pirate Panda, APT 23, KeyBoy\nArchived: 2026-04-02 11:36:17 UTC\nNames: Tropic Trooper (Trend Micro)\nPirate Panda (CrowdStrike)\nAPT 23 (Mandiant)\nIron (Microsoft)\nKeyBoy (Rapid7)\nBronze Hobart (SecureWorks)\nEarth Centaur (Trend Micro)\nG0081 (MITRE) Country: China Sponsor: State-sponsored Motivation: Information theft and espionage First\nseen: 2011 Description: Tropic Trooper is an unaffiliated threat group that has led targeted campaigns against targets\nin Taiwan, the Philippines, and Hong Kong. Tropic Trooper focuses on targeting government, healthcare,\ntransportation, and high-tech industries and has been active since 2011. Observed Sectors: Defense, Government,\nHealthcare, High-Tech, Transportation.\nCountries: Hong Kong, India, Malaysia, Philippines, Taiwan, Tibet, Vietnam and Middle East. Tools used: 8.t\nDropper, ByPassGodzilla, China Chopper, CREDRIVER, fscan, KeyBoy, Neo-reGeorg, PCShare, Poison Ivy,\nShadowPad Winnti, Swor, Titan, USBferry, Yahoyah, Winsloader. Operations performed: 2012: Operation “Tropic\nTrooper”\nTaiwan and the Philippines have become the targets of an ongoing campaign called “Operation Tropic Trooper.”\nActive since 2012, the attackers behind the campaign have set their sights on the Taiwanese government as well as\na number of companies in the heavy industry. The same campaign has also targeted key Philippine military\nagencies.\nJun 2013: KeyBoy, Targeted Attacks against Vietnam and India\n2014: New Strategy\nTropic Trooper (also known as KeyBoy) levels its campaigns against Taiwanese, Philippine, and Hong Kong\ntargets, focusing on their government, healthcare, transportation, and high-tech industries.\nDec 2014: We found\nthat Tropic Trooper’s latest activities center on targeting Taiwanese and the Philippine military’s physically\nisolated networks through a USBferry attack (the name derived from a sample found in a related research). 
We\nalso observed targets among military/navy agencies, government institutions, military hospitals, and even a\nnational bank. The group employs USBferry, a USB malware that performs different commands on specific\ntargets, maintains stealth in environments, and steals critical data through USB storage.\nMar 2015: Throughout March to May 2015, our researchers noted that 62% of the Tropic\nTrooper-related malware infections targeted Taiwanese organizations while the remaining 38% zoned in on\nPhilippine entities.\nAug 2016: In early August, Unit 42 identified two attacks using similar techniques. The more\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=dcba8f16-98e2-4d31-b7db-f4f1bdbfdb56\nPage 1 of 2\n\ninteresting one was a targeted attack towards the Secretary General of Taiwan’s Government office – Executive\nYuan. The Executive Yuan has several individual boards which are formed to enforce different executing functions\nof the government. The Executive Yuan Council evaluates statutory and budgetary bills and bills concerning\nmartial law, amnesty, declaration of war, conclusion of peace and treaties, and other important affairs.\nAug 2016: KeyBoy and the targeting of the Tibetan Community\nFeb 2017: The KeyBoys are back in town\n2017: Tropic Trooper goes mobile with Titan surveillanceware\nThe latest threat to follow this trend is Titan, a family of sophisticated Android surveillanceware apps surfaced by\nLookout’s automated analysis that, based on command and control infrastructure, is linked to the same actors\nbehind Operation Tropic Trooper.\nEarly 2020: Ongoing PIRATE PANDA Operations Using Current\nEvent Themes to Deploy Poison Ivy\nApr 2020: The Anomali Threat Research Team detected a spear phishing email targeting\ngovernment employees in the Municipality of Da Nang, Vietnam.\nJul 2020: Collecting In the Dark: Tropic Trooper Targets\nTransportation and Government\nJun 2023: Tropic Trooper spies on government entities in the Middle East\nInformation MITRE\nATT\u0026CK 
Source: https://apt.etda.or.th/cgi-bin/showcard.cgi?u=dcba8f16-98e2-4d31-b7db-f4f1bdbfdb56\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=dcba8f16-98e2-4d31-b7db-f4f1bdbfdb56\nPage 2 of 2",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/showcard.cgi?u=dcba8f16-98e2-4d31-b7db-f4f1bdbfdb56"
	],
	"report_names": [
		"showcard.cgi?u=dcba8f16-98e2-4d31-b7db-f4f1bdbfdb56"
	],
	"threat_actors": [
		{
			"id": "61ea51ed-a419-4b05-9241-5ab0dbba25fc",
			"created_at": "2023-01-06T13:46:38.354607Z",
			"updated_at": "2026-04-10T02:00:02.939761Z",
			"deleted_at": null,
			"main_name": "APT23",
			"aliases": [
				"BRONZE HOBART",
				"G0081",
				"Red Orthrus",
				"Earth Centaur",
				"PIRATE PANDA",
				"KeyBoy",
				"Tropic Trooper"
			],
			"source_name": "MISPGALAXY:APT23",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "bef7800a-a08f-4e21-b65c-4279c851e572",
			"created_at": "2022-10-25T15:50:23.409336Z",
			"updated_at": "2026-04-10T02:00:05.319608Z",
			"deleted_at": null,
			"main_name": "Tropic Trooper",
			"aliases": [
				"Tropic Trooper",
				"Pirate Panda",
				"KeyBoy"
			],
			"source_name": "MITRE:Tropic Trooper",
			"tools": [
				"USBferry",
				"ShadowPad",
				"PoisonIvy",
				"BITSAdmin",
				"YAHOYAH",
				"KeyBoy"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "4d5f939b-aea9-4a0e-8bff-003079a261ea",
			"created_at": "2023-01-06T13:46:39.04841Z",
			"updated_at": "2026-04-10T02:00:03.196806Z",
			"deleted_at": null,
			"main_name": "APT41",
			"aliases": [
				"WICKED PANDA",
				"BRONZE EXPORT",
				"Brass Typhoon",
				"TG-2633",
				"Leopard Typhoon",
				"G0096",
				"Grayfly",
				"BARIUM",
				"BRONZE ATLAS",
				"Red Kelpie",
				"G0044",
				"Earth Baku",
				"TA415",
				"WICKED SPIDER",
				"HOODOO",
				"Winnti",
				"Double Dragon"
			],
			"source_name": "MISPGALAXY:APT41",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "2a24d664-6a72-4b4c-9f54-1553b64c453c",
			"created_at": "2025-08-07T02:03:24.553048Z",
			"updated_at": "2026-04-10T02:00:03.787296Z",
			"deleted_at": null,
			"main_name": "BRONZE ATLAS",
			"aliases": [
				"APT41 ",
				"BARIUM ",
				"Blackfly ",
				"Brass Typhoon",
				"CTG-2633",
				"Earth Baku ",
				"GREF",
				"Group 72 ",
				"Red Kelpie ",
				"TA415 ",
				"TG-2633 ",
				"Wicked Panda ",
				"Winnti"
			],
			"source_name": "Secureworks:BRONZE ATLAS",
			"tools": [
				"Acehash",
				"CCleaner v5.33 backdoor",
				"ChinaChopper",
				"Cobalt Strike",
				"DUSTPAN",
				"Dicey MSDN",
				"Dodgebox",
				"ForkPlayground",
				"HUC Proxy Malware (Htran)"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "578f8e62-2bb4-4ce4-a8b7-6c868fa29724",
			"created_at": "2022-10-25T16:07:24.344358Z",
			"updated_at": "2026-04-10T02:00:04.947834Z",
			"deleted_at": null,
			"main_name": "Tropic Trooper",
			"aliases": [
				"APT 23",
				"Bronze Hobart",
				"Earth Centaur",
				"G0081",
				"KeyBoy",
				"Operation Tropic Trooper",
				"Pirate Panda",
				"Tropic Trooper"
			],
			"source_name": "ETDA:Tropic Trooper",
			"tools": [
				"8.t Dropper",
				"8.t RTF exploit builder",
				"8t_dropper",
				"ByPassGodzilla",
				"CHINACHOPPER",
				"CREDRIVER",
				"China Chopper",
				"Chymine",
				"Darkmoon",
				"Gen:Trojan.Heur.PT",
				"KeyBoy",
				"Neo-reGeorg",
				"PCShare",
				"POISONPLUG.SHADOW",
				"Poison Ivy",
				"RoyalRoad",
				"SPIVY",
				"ShadowPad Winnti",
				"SinoChopper",
				"Swor",
				"TSSL",
				"USBferry",
				"W32/Seeav",
				"Winsloader",
				"XShellGhost",
				"Yahoyah",
				"fscan",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "86182dd7-646c-49c5-91a6-4b62fd2119a7",
			"created_at": "2025-08-07T02:03:24.617638Z",
			"updated_at": "2026-04-10T02:00:03.738499Z",
			"deleted_at": null,
			"main_name": "BRONZE HOBART",
			"aliases": [
				"APT23",
				"Earth Centaur ",
				"KeyBoy ",
				"Pirate Panda ",
				"Red Orthrus ",
				"TA413 ",
				"Tropic Trooper "
			],
			"source_name": "Secureworks:BRONZE HOBART",
			"tools": [
				"Crowdoor",
				"DSNGInstaller",
				"KeyBoy",
				"LOWZERO",
				"Mofu",
				"Pfine",
				"Sepulcher",
				"Xiangoop Loader",
				"Yahaoyah"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434699,
	"ts_updated_at": 1775792000,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/370a70e1f811565efc1f649b56d7ab5e684a06bb.pdf",
		"text": "https://archive.orkl.eu/370a70e1f811565efc1f649b56d7ab5e684a06bb.txt",
		"img": "https://archive.orkl.eu/370a70e1f811565efc1f649b56d7ab5e684a06bb.jpg"
	}
}