{
	"id": "ee2616f4-f880-4bfa-a389-3735edcb028d",
	"created_at": "2026-04-06T00:18:57.412978Z",
	"updated_at": "2026-04-10T03:33:19.976691Z",
	"deleted_at": null,
	"sha1_hash": "45fa8fc6430e5231bccfd20416ceb9329046709c",
	"title": "Tropic Trooper Targets Taiwanese Government and Fossil Fuel Provider With Poison Ivy",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 964943,
	"plain_text": "Tropic Trooper Targets Taiwanese Government and Fossil Fuel Provider\r\nWith Poison Ivy\r\nBy Vicky Ray, Robert Falcone, Jen Miller-Osborn, Tom Lancaster\r\nPublished: 2016-11-22 · Archived: 2026-04-05 18:00:56 UTC\r\nTaiwan has been a regular target of cyber espionage threat actors for a number of years. Reasons for Taiwan being targeted\r\nrange from being one of the sovereign states of the disputed South China Sea region to its emerging economy and growth\r\nwith Taiwan being one of the most innovative countries in the High-Tech industry in Asia.\r\nIn early August, Unit 42 identified two attacks using similar techniques. The more interesting one was a targeted attack\r\ntowards the Secretary General of Taiwan's Government office – Executive Yuan. The Executive Yuan has several individual\r\nboards which are formed to enforce different executing functions of the government. The Executive Yuan Council evaluates\r\nstatutory and budgetary bills and bills concerning martial law, amnesty, declaration of war, conclusion of peace and treaties,\r\nand other important affairs. Given the important functions undertaken by the Executive Yuan office, it is not a surprise that\r\nthey were targeted. The second attack was against an energy sector company also located in Taiwan.\r\nThe attacks in this case are associated with a campaign called Tropic Trooper, which has been active since at least 2011 and\r\nis known for heavily targeting Taiwan. One of the attacks used their known Yahoyah malware, but the other attack deployed\r\nthe widely available Poison Ivy RAT.  This confirms the actors are using Poison Ivy as part of their toolkit, something\r\nspeculated in the original Trend Micro report but not confirmed by them. 
Further analysis uncovered a handful of ties\r\nindicating the actors may also be using the PCShare malware family, which has not been previously tied to the group.\r\nFigure 1 shows the spear phishing email which was sent to the Secretary General of Executive Yuan. The email is spoofed so\r\nthat it appears as though it was sent from a staff member at the Democratic Progressive Party (DPP).\r\nFigure 1. Spear-phishing email with malicious attachment.\r\nThe document attached to this e-mail exploits CVE-2012-0158, a Microsoft Office vulnerability. This process is described in\r\nthe Malware Analysis section later in this report, but one interesting aspect of this malicious document was the decoy document the\r\nattacker chose to deploy.\r\nDecoy Document\r\nAs we have noted in many earlier reports, attackers commonly use decoy files to trick victims into thinking a malicious\r\ndocument is actually legitimate. After infecting the computer, they display a clean document to the victim that contains\r\ncontent that is relevant to them.\r\nThe decoy document used in this case is a spreadsheet with four tabs, respectively titled “example,” “0720,” “0721,” and\r\n“1041109 full update”. All of the text uses Traditional Chinese, in contrast to Simplified Chinese, which is the official\r\nwritten language of the People's Republic of China. Traditional Chinese is used in Taiwan, Hong Kong, Macau, and many\r\noverseas Chinese communities. The overarching theme of the spreadsheet is documenting protestor activity and/or\r\nprogressive reform attempts in progress across Taiwan and the tone of the spreadsheet suggests it was compiled by\r\nhttps://researchcenter.paloaltonetworks.com/2016/11/unit42-tropic-trooper-targets-taiwanese-government-and-fossil-fuel-provider-with-poison-ivy/\r\nPage 1 of 12\n\nprogressive supporters. 
Because we were unable to find the spreadsheet online, and there is specific persona data included\r\nrelated to these movements and protests, we are not including any screen shots except for the one below.\r\nFigure 2. The four tabs in the decoy spreadsheet.\r\nThe “example” spreadsheet tab is exactly as described – it contains the headers and suggested information within two of the\r\nremaining three tabs. The headers themselves translate, from left to right, to “responsible department,” “issue,”\r\n“developments this week,” “political situation judgment,” and “related information.”  The tab labeled 0721 only has the\r\nmatching headers and no additional information.  None of the information in the spreadsheet relates to activities past 2015,\r\nand there are references made to the then upcoming January 16, 2016 elections in Taiwan. In that election the DPP won,\r\ndisplacing the Chinese Nationalist Party (KMT) for only the second time in history, and with Taiwan’s first female\r\nPresident.\r\nThe spreadsheet labeled 0720 refers to the Anti-Black Box Movement, which was a protest by Taiwanese high school\r\nstudents against certain proposed curriculum changes. The use of “black box” by the protestors is in reference to former\r\nTaiwanese President Ma Ying-Jeou’s government and its lack of transparency concerning government decisions. Protestors\r\noccupied Taiwan’s Ministry of Education last July. A resolution passed by Taiwan’s legislature and approved by the\r\nExecutive Yuan in May of this year delayed implementing that curriculum until 2020 to allow time for the act to be\r\namended.\r\nThe Anti-Black Box Movement is related to the Sunflower Student Movement, a coalition of both student groups and other\r\ncivic organizations that protested the Cross-Strait Trade Agreement between Taiwan and the PRC, feeling it would hurt\r\nTaiwan’s economy and increase the PRC’s sway over the island.  
On March 17, 2014, the KMT, the ruling party at the time,\r\ntried to force a vote without a previously agreed clause-by-clause review with the DPP. The following evening protesters\r\noccupied the Legislative Yuan, the first time that had occurred in Taiwan’s history. On March 23 of the same year, after then\r\nPresident Ma re-affirmed he supported the pact and would not alter or drop it, protestors occupied the Executive Yuan where\r\nover 150 were injured and 61 arrested.\r\nThe final tab contains the most information of the three and has different headers. From left to right, the headers are titled\r\n“responsible person(s),” “summary of issues and major groups,” “crisis simulation, political judgment, and\r\nrecommendations,” “degree of tension,” and “participating members.”\r\nInformation related to the November 2015 \"Autumn Struggle\" protest, which is an annual protest first held in 2013.\r\nInformation on a Taichung City government development proposal being protested largely on environmental impact\r\ngrounds, and protestor demands.\r\nArmy 1st Special Forces veterans attempt to receive compensation for alleged illegal extension of forced military\r\nservice\r\nThe recently settled case of toll workers forced into unemployment: the Taiwanese government’s agreement\r\nwith the Far Eastern Electronic Toll Collection Company to create a national electronic toll collection system\r\nresulted in the 2013 layoffs of hundreds, who have since protested for new jobs as well as lost severance and\r\npension.\r\nKaohsiung refinery closing and protestor demands, also largely related to environmental effects and necessary\r\ncleanup; the refinery officially closed at the end of December 2015\r\nClosely watching any trade agreements between the Malaysian government and Taiwan\r\nPotential environmental and current residential issues related to the development of the Aerotropolis around Taoyuan\r\nInternational Airport, which is intended to create a major 
transportation hub and industry center for Asia with\r\ninfrastructure for corporate research and development, conference centers, and other facilities.\r\nThe Puyu Development Plan, which is part of Taiwan’s Knowledge-based Economy plan\r\nTaiwan’s 12-year compulsory education plan\r\nAnti-Black Box Movement demands and recent activity\r\nImproving working conditions for Taiwanese firefighters\r\nPension reforms\r\nThe Nest Movement, which started in 2014 and is related to the older “Shell-less Snail Movement,” focused on\r\naffordable housing, neighborhood and urban development, ending forced demolition and relocation, property tax\r\nreform, and related housing issues\r\nThe Environmental Impact Assessment (EIA) voted on by the Environmental Protection Bureau (EPB) for the\r\nDongshi-Fengyuan Expressway, part of the National Highway #4 Project and anti-eviction efforts\r\nKaohsiung water quality issues and related projects\r\nSame-sex marriage legalization\r\nProtecting old trees in Kaohsiung amidst construction for a new “green” library; most of the designated “precious\r\ntrees” are rare exotic species\r\nIndigenous peoples in Kaohsiung land return\r\nActivities against the Miramar Resort Village, including the revocation of the EIA, forcing development to halt\r\nLowering the voting age in Taiwan from 20 to 18\r\nMalware Analysis\r\nThe documents attached to spear-phishing e-mails used in both attacks contain code that exploits CVE-2012-0158, which\r\ndespite its age remains one of the most common Microsoft Word vulnerabilities being exploited by multiple threat actors.\r\nThis matches the known Tactics, Techniques, and Procedures (TTPs) for Tropic Trooper, targeting both government\r\ninstitutions and the energy industry in Taiwan.\r\nThe delivery document uses the XLSX extension typically 
used by OpenXML documents, but the file itself is actually an\r\nOLE (XLS) document. The file extension to file type discrepancy was caused by the actor using Excel's built-in encryption\r\ncapability, which stores XLSX ciphertext and the information needed for decryption in an OLE document.\r\nFilename: 進步議題工作圈議題控管表.xlsx\r\nMD5: a89b1ce793f41f3c35396b054dbdb749\r\nSHA1: f45e2342e40100b770d73dd06f5d9b79bfce4a72\r\nSHA256: 2baa76c9aa3834548d82a36e150d329e3268417b3f12b8f72d209d51bbacf671\r\nType: CDF V2 Document, No summary info\r\nSize: 327128 bytes\r\nTable 1. Details of the malicious document attached to the e-mail.\r\nThe embedded shellcode enumerates open handles for a file with a size greater than 0xa6f0 (Decimal - 42736) bytes. It will\r\nthen set the file pointer to 0xa6e8 (Decimal - 42728) and starts looking for the following delimiter:\r\nGfCv\\xef\\xfe\\xec\\xce\r\nIf it finds this delimiter, the shellcode knows it is working with the correct file and continues by reading 0x600 (decimal\r\n1536) bytes following this delimiter. The shellcode then decrypts the first 0xc0 (decimal 192) DWORDs of the data read\r\nfrom the file using an XOR algorithm that decrypts one DWORD of ciphertext at a time with 0x29f7c592. 
The resulting\r\ncleartext is a second piece of shellcode that continues carrying out further functionality.\r\nThe secondary shellcode starts by resolving the following API functions using a ROT13 hashing algorithm:\r\nkernel32.dll!CreateFileA\r\nkernel32.dll!ReadFile\r\nkernel32.dll!WriteFile\r\nkernel32.dll!SetFilePointer\r\nkernel32.dll!CopyFileA\r\nkernel32.dll!MoveFileExA\r\nkernel32.dll!CreateToolhelp32Snapshot\r\nkernel32.dll!Process32Next\r\nkernel32.dll!CloseHandle\r\nkernel32.dll!VirtualAlloc\r\nkernel32.dll!WinExec\r\nkernel32.dll!TerminateProcess\r\nkernel32.dll!LoadLibraryA\r\nkernel32.dll!lstrlenA\r\nkernel32.dll!lstrcpyA\r\nkernel32.dll!lstrcatA\r\nkernel32.dll!GetTempPathA\r\nkernel32.dll!WideCharToMultiByte\r\nkernel32.dll!QueryDosDeviceA\r\nntdll.dll!NtQueryObject\r\nadvapi32.dll!RegOpenKeyA\r\nadvapi32.dll!RegSetValueExA\r\nadvapi32.dll!RegCloseKey\r\nImmediately following these API functions there are three DWORDs: one used to locate the payload embedded within the\r\nexploit file, one for the size of the payload, and one for the size of the decoy document. The two size values are added together\r\nto get the length of the ciphertext that the shellcode will decrypt. In the sample we analyzed, the following values were\r\npresent, showing that the payload is at offset 0xabc0 and that the ciphertext (payload plus decoy) has a size of 0x45218:\r\nDWORD offset_toPayload; (0ABC0h)\r\nDWORD payload_Size; (1C600h)\r\nDWORD decoy_Size; (28C18h)\r\nThe shellcode then creates a string that it uses to create a registry key to automatically run the final payload each time the\r\nsystem starts. It then opens the registry key 'Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon' and sets the\r\n\"Shell\" value to the previously created string. 
Ultimately, the following registry key is created for persistence:\r\nHKCU\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell:\r\n\"explorer.exe,rundll32.exe \"C:\\Documents and Settings\\Administrator\\Application\r\nData\\Identities\\Identities.ocx\" SSSS\"\r\nIt then uses the \"offset_toPayload\" value as the offset from which it will read 283160 (45218h) bytes from the XLS file. The\r\nshellcode then enters a decryption loop to convert the embedded payload from ciphertext to cleartext. The algorithm uses the\r\nlength of the ciphertext negated as the initial encryption key, which it bit-rotates right by 1 to adjust the key for each round of\r\ndecryption. It will use this key to decrypt four bytes of the ciphertext with the XOR operation until all the ciphertext is\r\ndecrypted. During each iteration of the decryption process, the algorithm will check to make sure the four bytes of ciphertext\r\nare not equal to the key or equal to zero before decrypting the ciphertext. The following table contains the first five rounds\r\nof the algorithm to explain the decryption process:\r\n Key Ciphertext  Cleartext\r\n0  ~0x45218 = 0xFFFBADE8 \u003e\u003e 1 = 0x7FFDD6F4  0x7F6D8CB9  0x00905a4d = MZ\\x90\\x00\r\n1  0x7FFDD6F4 \u003e\u003e 1 = 0x3FFEEB7A  0x3FFEEB79  0x03 = \\x03\\x00\\x00\\x00\r\n2  0x3FFEEB7A \u003e\u003e 1 = 0x1FFF75BD  0x1FFF75B9  0x04 = \\x04\\x00\\x00\\x00\r\n3  0x1FFF75BD \u003e\u003e 1 = 0x8FFFBADE  0x8FFF4521  0xFFFF = \\xff\\xff\\x00\\x00\r\n4  0x8FFFBADE \u003e\u003e 1 = 0x47FFDD6F  0x47FFDDD7  0xB8 = \\xb8\\x00\\x00\\x00\r\n5  0x47FFDD6F \u003e\u003e 1 = 0xA3FFEEB7  0x00000000  0x00000000 = \\x00\\x00\\x00\\x00\r\n6  0xA3FFEEB7 \u003e\u003e 1 = 0xD1FFF75B  0xD1FFF71B  0x40 = \\x40\\x00\\x00\\x00\r\n7  0xD1FFF75B \u003e\u003e 1 = 0xE8FFFBAD  0x00000000  0x00000000 = \\x00\\x00\\x00\\x00\r\n8  0xE8FFFBAD \u003e\u003e 1 = 0xF47FFDD6  0x00000000  0x00000000 = \\x00\\x00\\x00\\x00\r\n9  0xF47FFDD6 \u003e\u003e 1 = 0x7A3FFEEB  0x00000000  0x00000000 
= \\x00\\x00\\x00\\x00\r\n10  0x7A3FFEEB \u003e\u003e 1 = 0xBD1FFF75  0x00000000  0x00000000 = \\x00\\x00\\x00\\x00\r\n11  0xBD1FFF75 \u003e\u003e 1 = 0xDE8FFFBA  0x00000000  0x00000000 = \\x00\\x00\\x00\\x00\r\n12  0xDE8FFFBA \u003e\u003e 1 = 0x6F47FFDD  0x00000000  0x00000000 = \\x00\\x00\\x00\\x00\r\n13  0x6F47FFDD \u003e\u003e 1 = 0xB7A3FFEE  0x00000000  0x00000000 = \\x00\\x00\\x00\\x00\r\n14  0xB7A3FFEE \u003e\u003e 1 = 0x5BD1FFF7  0x00000000  0x00000000 = \\x00\\x00\\x00\\x00\r\n15  0x5BD1FFF7 \u003e\u003e 1 = 0xADE8FFFB  0xADE8FEF3  0x108 = \\x08\\x01\\x00\\x00\r\n16  0xADE8FFFB \u003e\u003e 1 = 0xD6F47FFD  0xD84E60F3  0xEBA1F0E = \\x0e\\x1f\\xba\\x0e\r\n17  0xD6F47FFD \u003e\u003e 1 = 0xEB7A3FFE  0x26738BFE  0xCD09B400 = \\x00\\xb4\\x09\\xcd\r\n18  0xEB7A3FFE \u003e\u003e 1 = 0x75BD1FFF  0x39BCA7DE  0x4C01B821 = \\x21\\xb8\\x01\\x4c\r\n19  0x75BD1FFF \u003e\u003e 1 = 0xBADE8FFF  0xD28AAE32  0x685421CD = \\xcd!Th\r\n20  0xBADE8FFF \u003e\u003e 1 = 0xDD6F47FF  0xAD4F3496  0x70207369 = is p\r\n21  0xDD6F47FF \u003e\u003e 1 = 0xEEB7A3FF  0x9CD0CC8D  0x72676F72 = rogr\r\n22  0xEEB7A3FF \u003e\u003e 1 = 0xF75BD1FF  0x947BBC9E  0x63206D61 = am c\r\n23  0xF75BD1FF \u003e\u003e 1 = 0xFBADE8FF  0x94C3869E  0x6F6E6E61 = anno\r\n24  0xFBADE8FF \u003e\u003e 1 = 0xFDD6F47F  0x98B4D40B  0x65622074 = t be\r\n25  0xFDD6F47F \u003e\u003e 1 = 0xFEEB7A3F  0x909E081F  0x6E757220 =  run\r\nTable 2.  Decrypting the payload\r\nAs you can see from the table above, the algorithm decrypts what is an embedded portable executable that acts as the\r\npayload in this attack. 
The embedded payload is written to %APPDATA%\\Identities\\Identities.ocx and has the following\r\nattributes:\r\nMD5: 53f5b9d9e81612804ddaf15e71d983c7\r\nSHA1: aa32739c1b5c23274bfbdc24b882a53c868d1e04\r\nSHA256: c098235a43d9788661490d2c7b09b1b2b3544d22ee8d9ae6cd5d16a977fd1155\r\nType: PE32 executable for MS Windows (DLL) (GUI) Intel 80386 32-bit\r\nSize: 116224 bytes\r\nImphash: 58089f7df19ceafda8af75236cb1852a\r\nCompiled: 2016-05-23 07:00:51\r\nArchitecture: x86\r\nExports:\r\n(0x1a90) OnUserModel\r\n(0x1a90) SSSS\r\nThe decoy document, described in the section above, is saved to %TEMP%\\進步議題工作圈議題控管表.xlsx and has the\r\nfollowing attributes:\r\nMD5: 7ba4837be46ed1d9b58721a2c103a523\r\nSHA1: bb5fa41034bfe16a06ac95fbc504e2e779b3219b\r\nSHA256: 9dc5ecf4235841d91dd90c5410251b3dafee5c8dee598fd934018a1c62452a3a\r\nType: Zip archive data, at least v2.0 to extract\r\nSize: 166936 bytes\r\nMeta:\r\n  Author: Read64\r\n  Last Modified By: Windows 用户\r\n  Created: 2016:07:21 03:15:34Z\r\n  Modified: 2016:07:21 07:30:17Z\r\nThe shellcode will move the decoy document to the location of the originally executed XLSX file and will create the\r\nfollowing command:\r\ncmd /c start excel /e  “\u003cpath to original XLSX file, now decoy\r\ndocument\u003e”\r\nBefore running the above command to open the decoy document, the shellcode enumerates the running processes on the\r\nsystem, specifically looking for processes created for an executable with a filename that starts with “avp.”, presumably in an\r\nattempt to find Kaspersky’s antivirus process. 
If the process is found, the shellcode will not open the decoy document and\r\nexits.\r\nThe shellcode does not launch the payload; rather, it relies on the registry key it created for persistence to execute the\r\npayload when the user reboots the system, meaning during dynamic analysis the execution of the payload may be missed.\r\nDelivered Payload – Poison Ivy\r\nWhen the system starts up, the persistence registry key will launch the Identities.ocx payload and call its “SSSS” exported\r\nfunction. The “SSSS” function checks to make sure that the DLL is running within the context of a “rundll32.exe” process\r\nand then begins piecing 0x141B bytes of data together in the correct order to build the shellcode of the Poison Ivy Trojan.\r\nWe found and parsed the following configuration from the Poison Ivy shellcode:\r\nCampaign ID: MyUser\r\nGroup ID: MyGroup\r\nC2 Cnt: 3\r\n- C2 #0: 202.133.236.177:443\r\n- C2 #1: news.hpc.tw:53\r\n- C2 #2: account.sino.tw:80\r\nComm Key: twone\r\nMutex: (V!hex67)\r\nAuto-remove Dropper Flag: 1\r\nActive Setup value name: StubPath\r\nDefault browser path reg key: SOFTWARE\\Classes\\http\\shell\\open\\command\r\nActive Key registry key: Software\\Microsoft\\Active Setup\\Installed Components\\\r\nLooking for more samples which exhibited the same file structure, encryption and obfuscation to deliver the above Poison\r\nIvy sample yielded only two additional samples. In the other two instances the delivered payloads were respectively\r\nPCShare and Yahoyah. PCShare has not been previously associated with Tropic Trooper, but in addition to the\r\naforementioned overlaps, the two samples have passive DNS overlap with some known Tropic Trooper infrastructure. For\r\nthose reasons, we assess with limited confidence the group is also using this malware family.\r\nFigure 3. 
The limited ties between C2 infrastructure used by Yahoyah samples (top) and PCShare malware samples\r\n(bottom).\r\nThe below table shows the details of the documents, payload delivered and the C2 servers used for communications.\r\nSHA256 a3becf3639fa82bfbf01740ce5a8335f291fb83b544e02a6cc9f1e9c96fb3764\r\nFilename CTC Statement.xlsx\r\nPayload d76d7d64c941713d4faaedd5c972558c5136cd1b7de237280faaae89143e7d94\r\nTool PCShare\r\nC2 belindianlab[.]itemdb[.]com\r\nC2 IP 210.108.146[.]20\r\nSHA256 ca10489091b71b14f2c3dc0b5201825e63a1f64c0a859ba2bd95900f45580fc4\r\nFilename 全台餐廳更新版餐廳_.xlsx\r\nPayload bff5f2f84efc450b10f1a66064ed3afaf740c844c15af88a927c46a0b2146498\r\nTool Yahoyah\r\nC2 www[.]dpponline[.]trickip[.]org\r\nC2 www[.]myinfo[.]ocry[.]com\r\nC2 IP 223.27.35[.]244\r\nIt is interesting to see that the exploit documents we found had either low or no detections on most popular antivirus\r\nengines, showing that the threat actors behind this campaign have been having considerable success in bypassing static\r\nanalysis undertaken by traditional antivirus solutions with this technique.\r\nWe further expanded our search using the AutoFocus Threat Intelligence platform on the IOCs extracted from the PIVY,\r\nPCShare and Yahoyah payloads and found 42 samples which either matched unique behaviors, the unique PIVY mutex or\r\nhad common C2 infrastructure. The hashes of all the samples found are given in the appendix section at the end of this blog.\r\nFigure 4 below shows the compilation timestamps of the payload samples found using AutoFocus. Given that some of the\r\npayloads used in recent attacks were compiled months earlier, this shows that the threat actor group continues\r\nto reuse the payload within their exploit documents.\r\nFigure 4. 
Payload Compilation Timelines\r\nThe below Maltego graph shows some of the shared infrastructure which has been used by Tropic Trooper. The complete\r\nlist of indicators on the graph can also be found in the appendix section of this report.\r\nFigure 5. Maltego graph of Tropic Trooper infrastructure\r\nConclusion\r\nThe Tropic Trooper threat actor group has been known to target governments and organizations in the Asia Pacific region for\r\nat least six years. In addition to using Yahoyah malware, we were able to confirm they are also using Poison Ivy and\r\npossibly PCShare malware families. They are also still exploiting CVE-2012-0158, as are many threat actors. Palo Alto\r\nNetworks customers are protected from Tropic Trooper’s malicious activities by:\r\nWildFire correctly identifies all related malware as malicious\r\nThe C2 infrastructure is classified as malicious in PAN-DB\r\nTraps prevents exploitation of CVE-2012-0158\r\nAutoFocus customers can discover additional information on Tropic Trooper via the following AutoFocus tags:\r\nTropic Trooper\r\nYahoyah\r\nPoison Ivy\r\nAppendix\r\nSamples matching unique indicators, behaviors and C2 infrastructure from the payload extracted out of the malicious\r\ndocuments:\r\nSHA256 
hashes\r\nWinsloader\r\nc098235a43d9788661490d2c7b09b1b2b3544d22ee8d9ae6cd5d16a977fd1155\r\ne81bc530075d6d31358aea5784d977d1ac2932a13a615cd1319d01d6e39c2995\r\ncf32fb6371cc751b852c2e2e607c813e0de71cd7bcf3892a9a23b57dfd38d6fc\r\n07663f8bca3c2118f3f77221c35873fd8dd61d9afa30e566fe4b51bcfb000834\r\n92da05bae1d9694a1f63b854e86b5b17ef27d5fc2551318e49e17677c7c90042\r\ne267ecfd37f3af55e8b02b081e7c9d8c0bf633e1d5acb0228be694eae4660eee\r\nPCShare\r\nd76d7d64c941713d4faaedd5c972558c5136cd1b7de237280faaae89143e7d94\r\n66d672a94f21e86655f243877ee04d7e67a515a7153891563f1aeedb2edbe579\r\nYahoyah\r\n85904e7b88b5049fb99b4b8456d9f01bdbf8f6fcf0f77943aed1ce7e6f7127c2\r\n2fce75daea5fdaafba376a86c59d5bc3e32f7fe5e735ec1e1811971910bc4009\r\naa812b1c0b24435b8e01100760bc4fef44032b4b0d787a8cf9aef83abd9d5dbd\r\n9623d6f3a3952280f3e83f8dbb29942694bb682296d36c4f4d1d7414a7493db0\r\nf0aa64c1646d91b0decbe4d4e6a7cc53bfd770c86ded9a7408034fa14d2bad83\r\n73bba13d1c7b6794be485a5eeb7b79a62f109c27c4c698601945702303dbcd6c\r\n25809242472a9e1f08ff83c00fae943a630867604ff95c7a57313187287384d2\r\n72d14f0a7ecb04eb2962bc9d8491194deb856ceebf30e7ecd644620932f3d4b0\r\n2172cc228760d6e4fa297bc485637a2b17103ae88237b30df39babe548cefaa5\r\nfdeb384ff68b99514f329eeffb05692c4c1580ca52e43e6dcbb5d760c2a78aa4\r\n1432a8a6ae6faa5d9f441b918ddc3edddb9c133458853ad356756835fe7b3291\r\na4334a33e4a87cfa52e9e24f6b4d3da0b686f71b25e5cc9a6f144485ea63108a\r\n7f8abefcc4598c643dff1ebf570677fd5c2a4f3d08bc8ddabbfbef1eed097fb3\r\n8e1a0d93ae644ac80048e5c3485bc6282a69d52cf26f94d2be1ce634851ac3aa\r\nc2ad0204ff90c113f7984a9db6006c9f09631c4983098803591170be62cdfaa7\r\n8ccaade84c9c7d5955e8aa1a0d36542beeaed5b8f619aedf82f74e8fd5a5283b\r\n03e9c25fe979f149f6dafb0398cdf3d2223b26f24009ef0f83825b60e961d111\r\nbee4cc2c3c393953f9247eab45767e01cd26d40037fb00bd69441e026d860a63\r\n626f65d4d638437aaa8352fe06589165d52a91e0963c988348b00734b0a3419f\r\n5395f709ef1ca64c57be367f9795b66b5775b6e73f57089386a85925cc0ec596\r\n72cc8c41008310024e9339b9e45bec7815b7fa8a0c3b6a5676
9d22bc4ced10ed\r\nfefd9bfb0f984590b54908c6868b39ca587a3e0d8198b795ff58f67adee4b9e9\r\n4ee115734733dae0705e5b2cb6789a1cdb877bc53e2fdb6e18ab845c0522d43b\r\n6b6ec318ede71baf79004fe22c46a8d7a500dc6ba6dd40b2641fe9a1c2b3dbd5\r\n78eda231bf494c7008a4ad49e982f2470597199829d46b166a75f654e3cb8d59\r\n21857cdd794649d72ab1bf90acfa8a57767a2a176b46cdb930025cf9242303bb\r\nbff5f2f84efc450b10f1a66064ed3afaf740c844c15af88a927c46a0b2146498\r\n6597c49bedf3fb1964e7f6ccbb03db9e38a5903a671209ae4d3fb4f9f4db4c95\r\n \r\nPoison Ivy\r\n6966e511a45e42a9cfa32799dd3ecf9ec1c2cf62ed491f872210334a26e8a533\r\n84f9d3c0895fbcc3148ec77b967eb9cdf33eb90915937b91a61664d36eed7464\r\nc4b73d2102c25e31e3b73a8547a0120e1d3706eed96392acb174ecbf1218fa37\r\nc9d0d7e3ba9a1369b670511966f2c3b5fa3618d3b8ac99cbc3a732bd13501b99\r\nee3f29d2a68217825666dae6a56ae7ee96297ea7f88ae4fd78819983ae67a3ce\r\nedfedfad21bd37b890d0e21c3c832ff9493612f9959a32d6406750b2d4a93697\r\n \r\nC2 
domains\r\nnews[.]hpc[.]tw\r\nwww[.]dpponline[.]trickip[.]org\r\nwww[.]forensic[.]zyns[.]com\r\nwww[.]bannered[.]4dq[.]com\r\nwww[.]forensic611[.]3-a[.]net\r\nbbs[.]zzbooks[.]net\r\nbbs[.]ccdog[.]net\r\nwallstreet[.]1dumb[.]com\r\nwww[.]cham[.]com[.]tw\r\npinkker[.]zzux[.]com\r\nwww[.]amberisic611[.]4dq[.]com\r\nwww[.]metacu[.]ygto[.]com\r\nbbs[.]zzbook[.]net\r\nwww[.]myinfo[.]ocry[.]com\r\nwww[.]gmal1[.]com\r\nnews[.]hpc[.]tw\r\nwww[.]dpponline[.]trickip[.]org\r\npinkker[.]zzux[.]com\r\nwallstreet[.]1dumb[.]com\r\nredpeach[.]youdontcare[.]com\r\nredapple[.]justdied[.]com\r\nstone[.]mypop3[.]org\r\nzeus[.]jkub[.]com\r\nsniper[.]mynumber[.]org\r\nunclesam[.]jungleheart[.]com\r\narora[.]x24hr[.]com\r\nflanando[.]fartit[.]com\r\nwww[.]dpponline[.]trickip[.]org\r\nwww[.]myinfo[.]ocry[.]com\r\nbelindianlab[.]itemdb[.]com\r\nkr[.]dns1[.]us\r\nC2 HTTP 
requests\r\nhxxp://www[.]dpponline[.]trickip[.]org/images/D2015_id[.]jpg\r\nhxxp://223[.]27[.]35[.]244/images/D2015_id[.]jpg\r\nhxxp://www[.]myinfo[.]ocry[.]com/images/D2015_id[.]jpg\r\nhxxp://belindianlab[.]itemdb[.]com/1613986301|C7A5398FBD8214C92F6596CC39B8866B0121E53422D6B8378E5D1F5F63844D693810BDED3625\r\nhxxp://202[.]153[.]193[.]73/images/kong[.]24[.]jpg\r\nhxxp://113[.]10[.]221[.]89/images/kong[.]24[.]jpg\r\nhxxp://61[.]221[.]169[.]31/images/kongj[.]24[.]jpg\r\nhxxp://www[.]forensic611[.]3-a[.]net/monitor/images/Smarp140102[.]24[.]gif\r\nhxxp://www[.]bannered[.]4dq[.]com/monitor/images/Smarp140102[.]24[.]gif\r\nhxxp://www[.]forensic[.]zyns[.]com/monitor/images/Smarp140102[.]24[.]gif\r\nhxxp://113[.]10[.]221[.]89/Pictures/sbsb_0620[.]24[.]jpg\r\nhxxp://bbs[.]ccdog[.]net/Pictures/sbsb_0620[.]24[.]jpg\r\nhxxp://www[.]forensic611[.]3-a[.]net/monitor/images/Smartzh131225[.]24[.]gif\r\nhxxp://www[.]bannered[.]4dq[.]com/monitor/images/Smartzh131225[.]24[.]gif\r\nhxxp://www[.]forensic[.]zyns[.]com/monitor/images/Smartzh131225[.]24[.]gif\r\nhxxp://bbs[.]zzbooks[.]net/Pictures/lclc_0523[.]24[.]jpg\r\nhxxp://bbs[.]ccdog[.]net/Pictures/lclc_0523[.]24[.]jpg\r\nhxxp://113[.]10[.]221[.]89/Pictures/lclc_0523[.]24[.]jpg\r\nhxxp://50[.]117[.]38[.]164/Pictures/dzh_0925[.]24[.]jpg\r\nhxxp://www[.]cham[.]com[.]tw/images/dzh_0925[.]24[.]jpg\r\nhxxp://113[.]10[.]221[.]89/Pictures/dzh_0925[.]24[.]jpg\r\nhxxp://bbs[.]ccdog[.]net/Pictures/jpg_140430[.]24[.]jpg\r\nhxxp://198[.]100[.]122[.]66/Pictures/jpg_140430[.]24[.]jpg\r\nhxxp://192[.]69[.]221[.]92/Pictures/jpg_140430[.]24[.]jpg\r\nhxxp://www[.]bannered[.]4dq[.]com/monitor/images/SmartNav141216[.]64[.]gif\r\nhxxp://www[.]amberisic611[.]4dq[.]com/monitor/images/SmartNav141216[.]64[.]gif\r\nhxxp://www[.]metacu[.]ygto[.]com/monitor/images/SmartNav141216[.]64[.]gif\r\nhxxp://www[.]metacu[.]ygto[.]com/monitor/images/SmartNav141216[.]32[.]gif\r\nhxxp://www[.]amberisic611[.]4dq[.]com/monitor/images/SmartNav141216[.]32[.]gif\r\nhxxp://www[.
]bannered[.]4dq[.]com/monitor/images/SmartNav141216[.]32[.]gif\r\nhxxp://bbs[.]ccdog[.]net/Pictures/20150120-hex[.]64[.]jpg\r\nhxxp://23[.]27[.]112[.]216/Pictures/20150120-hex[.]64[.]jpg\r\nhxxp://bbs[.]zzbook[.]net/Pictures/20150120-hex[.]64[.]jpg\r\nhxxp://bbs[.]zzbook[.]net/Pictures/20150120-hex[.]32[.]jpg\r\nhxxp://23[.]27[.]112[.]216/Pictures/20150120-hex[.]32[.]jpg\r\nhxxp://bbs[.]ccdog[.]net/Pictures/20150120-hex[.]32[.]jpg\r\nhttps://researchcenter.paloaltonetworks.com/2016/11/unit42-tropic-trooper-targets-taiwanese-government-and-fossil-fuel-provider-with-poison-ivy/\r\nPage 11 of 12\n\nhxxp://bbs[.]ccdog[.]net/Pictures/h20141212012[.]64[.]jpg\r\nhxxp://23[.]27[.]112[.]216/Pictures/h20141212012[.]32[.]jpg\r\nhxxp://113[.]10[.]221[.]89/Pictures/h20141212012[.]32[.]jpg\r\nhxxp://bbs[.]ccdog[.]net/Pictures/h20141212012[.]32[.]jpg\r\nhxxp://113[.]10[.]221[.]89/Pictures/ooba_0823[.]24[.]jpg\r\nhxxp://198[.]100[.]122[.]66/Pictures/ooba_0823[.]24[.]jpg\r\nhxxp://50[.]117[.]38[.]164/Pictures/ooba_0823[.]24[.]jpg\r\nhxxp://www[.]metacu[.]ygto[.]com/monitor/images/SmartNav0120[.]64[.]gif\r\nhxxp://www[.]amberisic611[.]4dq[.]com/monitor/images/SmartNav0120[.]64[.]gif\r\nhxxp://www[.]bannered[.]4dq[.]com/moitor/images/SmartNav0120[.]64[.]gif\r\nhxxp://www[.]bannered[.]4dq[.]com/moitor/images/SmartNav0120[.]32[.]gif\r\nhxxp://www[.]metacu[.]ygto[.]com/monitor/images/SmartNav0120[.]32[.]gif\r\nhxxp://www[.]amberisic611[.]4dq[.]com/monitor/images/SmartNav0120[.]32[.]gif\r\nhxxp://www[.]dpponline[.]trickip[.]org/images/D2015_id[.]jpg\r\nhxxp://223[.]27[.]35[.]244/images/D2015_id[.]jpg\r\nhxxp://www[.]myinfo[.]ocry[.]com/images/D2015_id[.]jpg\r\nhxxp://49[.]254[.]211[.]75//tedws/1[.]64[.]jpg\r\nhxxp://107[.]183[.]183[.]235/public/1[.]64[.]jpg\r\nhxxp://49[.]254[.]211[.]75//tedws/1[.]32[.]jpg\r\nhxxp://107[.]183[.]183[.]235/public/1[.]32[.]jpg\r\nhxxp://flanando[.]fartit[.]com/2015/p1[.]64[.]jpg\r\nhxxp://flanando[.]fartit[.]com/2015/p1[.]32[.]jpg\r\nSource: 
https://researchcenter.paloaltonetworks.com/2016/11/unit42-tropic-trooper-targets-taiwanese-government-and-fossil-fuel-provider-with-poison-ivy/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE",
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://researchcenter.paloaltonetworks.com/2016/11/unit42-tropic-trooper-targets-taiwanese-government-and-fossil-fuel-provider-with-poison-ivy/"
	],
	"report_names": [
		"unit42-tropic-trooper-targets-taiwanese-government-and-fossil-fuel-provider-with-poison-ivy"
	],
	"threat_actors": [
		{
			"id": "61ea51ed-a419-4b05-9241-5ab0dbba25fc",
			"created_at": "2023-01-06T13:46:38.354607Z",
			"updated_at": "2026-04-10T02:00:02.939761Z",
			"deleted_at": null,
			"main_name": "APT23",
			"aliases": [
				"BRONZE HOBART",
				"G0081",
				"Red Orthrus",
				"Earth Centaur",
				"PIRATE PANDA",
				"KeyBoy",
				"Tropic Trooper"
			],
			"source_name": "MISPGALAXY:APT23",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "bef7800a-a08f-4e21-b65c-4279c851e572",
			"created_at": "2022-10-25T15:50:23.409336Z",
			"updated_at": "2026-04-10T02:00:05.319608Z",
			"deleted_at": null,
			"main_name": "Tropic Trooper",
			"aliases": [
				"Tropic Trooper",
				"Pirate Panda",
				"KeyBoy"
			],
			"source_name": "MITRE:Tropic Trooper",
			"tools": [
				"USBferry",
				"ShadowPad",
				"PoisonIvy",
				"BITSAdmin",
				"YAHOYAH",
				"KeyBoy"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "578f8e62-2bb4-4ce4-a8b7-6c868fa29724",
			"created_at": "2022-10-25T16:07:24.344358Z",
			"updated_at": "2026-04-10T02:00:04.947834Z",
			"deleted_at": null,
			"main_name": "Tropic Trooper",
			"aliases": [
				"APT 23",
				"Bronze Hobart",
				"Earth Centaur",
				"G0081",
				"KeyBoy",
				"Operation Tropic Trooper",
				"Pirate Panda",
				"Tropic Trooper"
			],
			"source_name": "ETDA:Tropic Trooper",
			"tools": [
				"8.t Dropper",
				"8.t RTF exploit builder",
				"8t_dropper",
				"ByPassGodzilla",
				"CHINACHOPPER",
				"CREDRIVER",
				"China Chopper",
				"Chymine",
				"Darkmoon",
				"Gen:Trojan.Heur.PT",
				"KeyBoy",
				"Neo-reGeorg",
				"PCShare",
				"POISONPLUG.SHADOW",
				"Poison Ivy",
				"RoyalRoad",
				"SPIVY",
				"ShadowPad Winnti",
				"SinoChopper",
				"Swor",
				"TSSL",
				"USBferry",
				"W32/Seeav",
				"Winsloader",
				"XShellGhost",
				"Yahoyah",
				"fscan",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "86182dd7-646c-49c5-91a6-4b62fd2119a7",
			"created_at": "2025-08-07T02:03:24.617638Z",
			"updated_at": "2026-04-10T02:00:03.738499Z",
			"deleted_at": null,
			"main_name": "BRONZE HOBART",
			"aliases": [
				"APT23",
				"Earth Centaur ",
				"KeyBoy ",
				"Pirate Panda ",
				"Red Orthrus ",
				"TA413 ",
				"Tropic Trooper "
			],
			"source_name": "Secureworks:BRONZE HOBART",
			"tools": [
				"Crowdoor",
				"DSNGInstaller",
				"KeyBoy",
				"LOWZERO",
				"Mofu",
				"Pfine",
				"Sepulcher",
				"Xiangoop Loader",
				"Yahaoyah"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434737,
	"ts_updated_at": 1775791999,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/45fa8fc6430e5231bccfd20416ceb9329046709c.pdf",
		"text": "https://archive.orkl.eu/45fa8fc6430e5231bccfd20416ceb9329046709c.txt",
		"img": "https://archive.orkl.eu/45fa8fc6430e5231bccfd20416ceb9329046709c.jpg"
	}
}