{
	"id": "78d5afc3-4f54-4788-ba5c-2c2dcd208714",
	"created_at": "2026-04-06T00:08:49.045258Z",
	"updated_at": "2026-04-10T03:33:20.121937Z",
	"deleted_at": null,
	"sha1_hash": "5a49b14444cb1b60b683972560b2899d1de5639f",
	"title": "Tropic Trooper spies on government entities in the Middle East",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 263902,
	"plain_text": "Tropic Trooper spies on government entities in the Middle East\r\nBy Sherif Magdy\r\nPublished: 2024-09-05 · Archived: 2026-04-05 13:21:28 UTC\r\nExecutive summary\r\nTropic Trooper (also known as KeyBoy and Pirate Panda) is an APT group active since 2011. This group has\r\ntraditionally targeted sectors such as government, healthcare, transportation and high-tech industries in Taiwan, the\r\nPhilippines and Hong Kong. Our recent investigation has revealed that in 2024 they conducted persistent campaigns\r\ntargeting a government entity in the Middle East, starting in June 2023.\r\nSighting this group’s TTPs in critical governmental entities in the Middle East, particularly those related to human\r\nrights studies, marks a new strategic move for them. This can help the threat intelligence community better understand\r\nthe motives of this threat actor.\r\nThe infection came to our attention in June 2024, when our telemetry gave recurring alerts for a new China Chopper\r\nweb shell variant (used by many Chinese-speaking actors), which was found on a public web server. The server was\r\nhosting an open-source content management system (CMS) called Umbraco, written in C#. The observed web shell\r\ncomponent was compiled as a .NET module of Umbraco CMS.\r\nIn our subsequent investigation, we looked for more suspicious detections on this public server and identified multiple\r\nmalware sets. These include post-exploitation tools, which, we assess with medium confidence, are related to and\r\nleveraged in this intrusion.\r\nFurthermore, we identified new DLL search-order hijacking implants that are loaded from a legitimate vulnerable\r\nexecutable as it lacks the full path specification to the DLL it needs. This attack chain was attempting to load the\r\nCrowdoor loader, which is half-named after the SparrowDoor backdoor, detailed by ESET. 
During the attack, the\r\nsecurity agent blocked the first Crowdoor loader, prompting the attackers to switch to a new, previously unreported\r\nvariant, with almost the same impact.\r\nWe attribute this activity to the Chinese-speaking threat actor known as Tropic Trooper with high confidence. Our\r\nfindings reveal an overlap in the techniques reported in recent Tropic Trooper campaigns. The samples we found also\r\nshow a high overlap with samples previously attributed to Tropic Trooper.\r\nBackground\r\nIn June 2024, we detected a new version of the well-known China Chopper web shell. Further investigation followed\r\nas it represents a module within Umbraco CMS, receiving commands via the Umbraco controller.\r\nOn the same public server hosting Umbraco, we found other suspicious implants and malware clusters, which appeared\r\nto be part of the same attack. The installed security agent kept detecting these malware implants, and the attackers tried\r\nto drop additional post-exploitation tools to achieve their main objectives: in this intrusion we assess with high\r\nconfidence that the motive is cyber espionage.\r\nhttps://securelist.com/new-tropic-trooper-web-shell-infection/113737/\r\nPage 1 of 11\n\nThe table below shows the discovered malware families related to this intrusion. 
The subsequent sections of this report\r\nprovide a technical analysis of these malware clusters.\r\nMalware Set | Description | Oldest Variant | Earliest Variant | Sample Count\r\n1 – Web shells | .NET web shells found dropped into path c:\\microsoft.net\\framework64\\v4.0.30319\\temporary asp.net files\\root with filename similar to this pattern: App_Web_{8}[a-z0-9].dll | 2023.08.25 | 2024.04.18 | 37\r\n2 – Post-exploitation tools | Multiple post-exploitation tools dropped into path c:\\sql\\tools\\attunitycdcoracle\\x64\\1033. Main usage: network scanning, lateral movement, defense evasion. Main tools: Fscan, Swor and batch scripts | 2024.05.07 | 2024.05.08 | 5\r\n3 – DLL search-order hijacking implants – Crowdoor loaders | Multiple malicious DLLs, side-loaded into other legitimate executables, dropped into paths c:\\Windows\\branding\\data and c:\\Users\\Public\\Music\\data. The malicious samples are called Crowdoor, which, when run, drop CobaltStrike and maintain persistence. | 2024.04.18 | 2024.05.15 | 5\r\nTechnical details\r\nWebshells — Umbraco modules\r\nMD5 3f15c4431ad4573344ad56e8384ebd62\r\nSha-1 311d1d50673fbfc40b84d94239cd4fa784269465\r\nSha256 8df9fa495892fc3d183917162746ef8fd9e438ff0d639264236db553b09629dc\r\nLink-Time 2024-05-06 10:19:28\r\nFile Type dynamic-link-library, 32-bit, console / Microsoft Visual C# / Basic .NET | Microsoft.NET\r\nFile Name App_Web_dentsd54.dll\r\nThe module exhibits characteristics commonly associated with malicious activity, including obfuscation and dynamic\r\nexecution of commands. 
The commands are received and dispatched by the umbraco_bind_aspx module, as can be\r\nseen below.\r\nMalicious module found inside Umbraco CMS on the compromised server\r\numbraco_bind_aspx is a class generated by the ASP.NET framework for an ASPX page within Umbraco CMS.\r\nThe framework automatically calls the __BuildControlTree() function. This function, implemented by the attackers, is\r\nresponsible for calling malicious code as the argument to the RenderMethod() function. Also, event validation, which\r\nis a security feature in ASP.NET that prevents unauthorized events from being logged on the server, is disabled by\r\nsetting EnableEventValidation to false as can be seen in the screenshot below.\r\nMalicious function implementing China Chopper registered as a callback function\r\n__Render__control1() is the main malicious function. As can be seen in the screenshot below, a Base64 string is\r\ndecoded and then executed via dynamic evaluation using JavaScript.\r\nObfuscated dynamic JS code execution\r\nThe script employs multiple Base64 decodings before the final JavaScript payload is generated and executed. The\r\nresulting code resembles the known functionality associated with the China Chopper web shell, a popular web shell\r\nused by attackers for remote access and control over compromised web servers.\r\nChina Chopper web shell functionality\r\nThe attackers then started dropping various samples on this server, notably a dropper that was pushing more compiled\r\nvariants carrying the same functionality, but using different module names. These module names all match the pattern\r\nApp_Web_{8}[a-z0-9].dll. 
In our telemetry, we noticed exploitation attempts of several CVEs (CVE-2021-34473,\r\nCVE-2021-34523 and CVE-2021-31207 in Microsoft Exchange, CVE-2023-26360 in Adobe ColdFusion). Therefore,\r\nwe believe with moderate confidence that these web shells were dropped by exploiting an existing unpatched\r\nvulnerability.\r\nAccording to the timeline of the detection logs, the attackers were able to leverage some of these web shells to execute\r\ncommands on the affected server and drop more post-exploitation tools utilized for lateral movement. The majority of\r\nobserved software are open-source tools maintained by Chinese-speaking developers. These implants are dropped into\r\nthe Umbraco CMS root directory.\r\nWe found the following tools:\r\nFscan: A tool for vulnerability scanning including host status detection, port scanning, service enumeration,\r\nexploitation, etc. The tool documentation is in simplified Chinese and maintained by Chinese-speaking\r\naccounts. The attackers created a script, named i.bat, to identify available machines on the network using simple\r\nICMP ping requests. The output is directed to a text file, which is used later for lateral movement.\r\nSwor: A simple penetration testing tool whose author tried to make it immune to removal by security solutions.\r\nBased on its documentation, it can deploy mimikatz, FRP and ElevationStation. The tool is open-source and\r\nmaintained by Chinese-speaking developers. This tool was previously sighted being leveraged in attacks on\r\ngovernment entities in Malaysia, which is a similar industry vertical to the Middle East intrusion victimology.\r\nWe found the same compiled sample in the wild at [domain]/wampthemes/simple/123/In-Swor-v2/1.exe.\r\nNeo-reGeorg: An open-source SOCKS5 proxy, the attackers used it to pivot to other machines and evade\r\nnetwork-level security controls. 
Some detections suggest that this tool may be used to proxy traffic, but we have\r\nnot been able to verify the actual purpose of proxying traffic through this server.\r\nByPassGodzilla: A Chinese web shell encryptor used to obfuscate other deployed web shells to bypass\r\ndetections. We were able to source different implementations of encrypted web shells in .NET and ASPX scripts\r\nfrom the same server. According to our telemetry, the newly discovered web shell was also associated with a\r\ncampaign leveraging CVE-2023-26360 early this year targeting vulnerable servers in the Middle East.\r\nBackdoor implants using DLL search-order hijacking\r\nThe attackers tried to load a malicious DLL, datast.dll, from c:\\Users\\Public\\Music\\data three times. After these\r\nattempts failed, the attackers relied on another malicious loader, VERSION.dll, which was dropped into\r\nC:\\Windows\\branding\\data. We discuss this below in the “New samples” section. We believe, based on our telemetry,\r\nthat the Umbraco web shells were used to drop these files on the infected server.\r\nSince the timeframes for loading the two malicious DLLs, VERSION.dll and datast.dll, were very close, we were able to\r\nlink the two files. 
Additionally, the same approach was used for both: leveraging a legitimate executable file vulnerable\r\nto DLL search-order hijacking, which would load a malicious DLL dropped into the same path as the legitimate\r\nexecutable.\r\nThe datast.dll library\r\nMD5 a213873eb55dc092ddf3adbeb242bd44\r\nSha-1 3650899c669986e5f4363fdbd6cf5b78a6fcd484\r\nSha256 23dea3a74e3ff6a367754d02466db4c86ffda47efe09529d3aad52b0d5694b30\r\nLink-Time Thu Jul 27 16:21:38 2023 (UTC)\r\nFile Type dynamic-link-library | 32-bit\r\nFile Name datast.dll\r\nIn this incident, our telemetry points to the malware export being called using the rundll32 command from the a.bat\r\nfile (MD5: fca94b8b718357143c53620c6b360470), which we were unable to obtain. A second assumption is that it\r\nwas loaded through a legitimate executable using DLL search-order hijacking, as datast.dll has been observed before,\r\nassociated with Tropic Trooper and loaded by the same method. We believe with low to medium confidence that the\r\nbatch script was merely used for testing purposes as the whole malware-loading chain was designed to be loaded from\r\na legitimate executable.\r\nOnce loaded, datast.dll exports a single function named InitCore. This function usually gets imported by another DLL\r\ncalled datastate.dll. The function implements the main functionality for this loader, decrypting the shellcode for the\r\nnext stage from a memory buffer inside the datastate.dll file using a variant of the RC4 stream cipher. 
The first code\r\nblock is the Key Scheduling Algorithm (KSA), while the second block (the “for” loop in the image below) is the core\r\nof the KSA, where it scrambles the initial permutation using the hardcoded RC4 key fYTUdr643$3u.\r\nCode stub responsible for decrypting the next stage\r\nCode stub responsible for decrypting the next stage\r\nAfter decryption, the shellcode is executed, then the next stage is loaded into the address space of the process that\r\nloaded datast.dll.\r\nHunting for new loaders\r\nAs mentioned, the infection chain was not fully executed, forcing the attackers to shift to new undetected variants. By\r\npivoting on the hardcoded RC4 key, we found a new set of files sharing similar code, which turned out to be new\r\nupdated variants of this family with minor differences in functionality. Below is the chronological view of the\r\nevolution of this specific loader as observed from our telemetry and scanning third-party malware repositories.\r\nRecent variants\r\nUpdated loader variant in February 2024\r\nIn February 2024, a user uploaded three Crowdoor-related files to a multiscanner platform:\r\nThese files are also involved in a DLL search-order hijacking sequence:\r\n1. A legitimate executable loads a vulnerable DLL (datastate.dll);\r\n2. This DLL then loads a malicious Crowdoor DLL (datast.dll);\r\n3. The loader DLL uses this malicious DLL to decrypt and load the Crowdoor payload.\r\nThis method is hard to detect since the malicious functions are split across two DLLs, which mostly perform\r\nseemingly benign tasks, such as reading files or decrypting RC4 data. 
Both DLLs have build timestamps future-dating\r\nthem to 26 May 2027.\r\nThe datastate.dll loader imports two functions from datast.dll — one called rcd (likely “run code”) to execute the\r\nshellcode and another called ldf (likely “load file”) to read content from a file that is named after a legitimate\r\nexecutable but without the file extension. In this case, the payload file uploaded is named WinStore, meaning the\r\nlegitimate executable is WinStore.exe. The loader uses the RC4 key fYTUdr643$3u, the same key as found in the\r\ninitial sample discussed in the previous section, to decrypt the payload file containing the same Crowdoor shellcode.\r\nThe Crowdoor payload from this chain stays active by creating a Windows service named WinStore, which is used as\r\nthe service name, display name and description. If creation of the service fails, the payload uses the registry auto-start\r\nextensibility point (ASEP) at HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run with the value WinStore to\r\npersist.\r\nWhen executed, it injects itself into the colorcpl.exe process with the command-line argument “2” and tries to contact a\r\nC2 server that is hardcoded in the payload using its configuration (blog.techmersion[.]com on port 443).\r\nWe compared the collected samples with the reference sample (MD5: a213873eb55dc092ddf3adbeb242bd44) and\r\nrevealed a degree of code similarity in them. For example, the core functions responsible for loading the next stage are\r\nalmost identical. Based on this, we believe with medium confidence that the newly found samples are related to Tropic\r\nTrooper, the same actor behind the Middle East intrusion.\r\nThe actor has likely been using this search-order hijacking technique since at least June 2022, which marks the first\r\nknown instance of a malicious DLL being loaded through a vulnerable executable using this method, according to our\r\ntelemetry. 
Tropic Trooper employs this technique to split the malicious code across several stages. In the first stage,\r\nonly the extraction of the next stage, which was encrypted with the same RC4 key, occurs. Subsequently, the actual\r\nloader for the final implant is deployed.\r\nNew samples\r\nWe investigated the second attempt made by the threat actor after failing to load the previously covered loader. The\r\nactor uploaded new samples detailed in the table below:\r\nMD5 Hash | File name | File path | File creation date | Compilation timestamps\r\ne845563ba35e8d227152165b0c3e769f (variant 1) | VERSION.dll | c:\\Windows\\branding\\data | 2024.04.28 | Tue Jun 10 10:39:52 2025 (UTC)\r\n0b9ae998423a207f021f8e61b93bc849 (variant 2) | VERSION.dll | c:\\Windows\\branding\\data | 2024.05.15 | Thu Oct 24 10:23:24 2024 (UTC)\r\n475aa86ae60c640eec4fdea93b5ed04d (legitimate executable) | inst.exe | c:\\Windows\\branding\\data | 2024.04.28 | NA\r\nAs usual, the same DLL search-order hijacking was used. Note that inst.exe, which is a legitimate executable, imports\r\nthree functions from VERSION.dll:\r\nVerQueryValueW;\r\nGetFileVersionInfoW;\r\nGetFileVersionInfoSizeW.\r\nEach variant of the dropped VERSION.dll implements the three exported functions, with minimal differences between\r\nboth samples. Upon analyzing the three malicious exports from the samples, it is very likely that the attackers built\r\nthem incrementally. The first sample (MD5: e845563ba35e8d227152165b0c3e769f) was dropped on April 28,\r\nimmediately after the failed attempt to execute the old loader. This variant had fewer capabilities than the one dropped\r\non May 15, which had a complete implementation for all the malicious capabilities needed to load the same shellcode\r\nthat would load Crowdoor into memory.\r\nBoth variants have compilation timestamps set in the future. 
Looking at the GetFileVersionInfoSizeW implementation\r\nbetween the two samples, we see that the most recently dropped sample has the full implementation, while the earlier\r\nsample has an empty implementation, implying gradual testing and development of this loader.\r\nThe main loading functionality was designed to execute a legitimate msiexec.exe process, then inject the next stage by\r\nwriting into its remote address space and creating a remote thread to execute it.\r\nThe victim\r\nWe sighted this targeted intrusion in a government entity in the Middle East. At the same time, we saw a subset of\r\nthese samples being used to target a government entity in Malaysia. This matches the type of targets and their location\r\nas described in recent Tropic Trooper reports.\r\nAttribution\r\nBased on the samples found, we are reassessing the relationship between Tropic Trooper and the FamousSparrow\r\ngroup, reported by ESET in 2021. Some industry reports link the two groups together.\r\nThe following reasons led us to attribute the campaign described in this report and all the observed implants to Tropic\r\nTrooper and its associated group, FamousSparrow:\r\nHardcoded RC4 key: the attackers tried to launch a loader previously attributed to Tropic Trooper (MD5:\r\na213873eb55dc092ddf3adbeb242bd44), after they failed to load it from the a.bat file. They relied on a new\r\nmethod maintaining the same approach by using DLL search-order hijacking and used a new loader. 
Both\r\nsamples share the same RC4 key.\r\nPost-exploitation tools: some of the post-exploitation tools the attackers used were seen before in other attacks\r\nwithin the same timeframe of this campaign, in which the victims aligned with the targeted regions and industry\r\nverticals targeted by this threat group.\r\nThe code similarity between the Middle East intrusion sample and the sample found in the third-party malware\r\nrepository from February 2024 (MD5: c10643b3fb304972c650e593b69faaa1): both were loading Crowdoor\r\ninto memory. Also, the command-line argument “2” found in a variant related to Tropic Trooper samples is very\r\nsimilar to SparrowDoor “-k” switch functionality.\r\nConclusion\r\nThe event that made us investigate Tropic Trooper was the recurring detection of the China Chopper web shell.\r\nFollowing our investigation into this incident, we found more samples written by Tropic Trooper as well as third-party\r\ntools used in the post-exploitation phase. This improved insights into this threat actor’s TTPs. Notable is the\r\ndiscrepancy in skill set used in various stages of the attack, as well as the choices made after failure. When the actor\r\nbecame aware that their backdoors were detected, they tried to upload newer samples to evade detection, thereby\r\nincreasing the risk of their new set of samples being detected in the near future. In the same light, the loader sequence\r\ngoes to great lengths to avoid detection. 
However, the usage of publicly available tools such as Fscan for further\r\nexploitation of the victim’s network again highlights the discrepancy between some relatively advanced parts of their\r\noperation and the “noisier” parts.\r\nInvestigating the motives of this threat actor led us to conclude that the significance of this intrusion lies in the sighting\r\nof a Chinese-speaking actor targeting a content management platform that published studies on human rights in the\r\nMiddle East, specifically focusing on the situation around Israel-Hamas conflict. Our analysis of this intrusion revealed\r\nthat this entire system was the sole target during the attack, indicating a deliberate focus on this specific content.\r\nA more detailed analysis of this campaign is available to users of our private Threat Intelligence Portal, with another\r\nupcoming report on this activity. To learn more about this report, please contact intelreports@kaspersky.com.\r\nIndicators of Compromise\r\nFile Paths:\r\nc:\\sql\\tools\\attunitycdcoracle\\x64\\1033\r\nc:\\microsoft.net\\framework64\\v4.0.30319\\temporary asp.net files\\root\\fc88e889\\b64f0276\r\nc:\\microsoft.net\\framework64\\v4.0.30319\\temporary asp.net files\\root\\5b841946\\ca5a9bf5\r\nDomains and IPs\r\n51.195.37[.]155\r\n162.19.135[.]182\r\ntechmersion[.]com\r\nYara Rules\r\nrule tropictrooper_umbraco_compiled_webshells {\r\n    meta:\r\n        description = \"Rule to detect Tropic Trooper Umbraco webshells .NET sample\"\r\n        author = \"Kaspersky\"\r\n        copyright = \"Kaspersky\"\r\n        distribution = \"DISTRIBUTION IS FORBIDDEN. DO NOT UPLOAD TO ANY MULTISCANNER OR SHARE ON ANY THREAT INTEL PLATFORM\"\r\n        sample = \"3f15c4431ad4573344ad56e8384ebd62\"\r\n    strings:\r\n        $s1 = { 72 ?? ?? ?? ?? 28 ?? ?? ?? ?? 6F ?? ?? ?? ?? A2 25 1F 0A 72 ?? ?? ?? ?? A2 25 1F 0B 72 ?? ?? ?? ?? A2\r\n                25 1F 0C 72 ?? ?? ?? ?? A2 25 1F 0D 72 ?? ?? ?? ?? A2 25 1F 0E 72 ?? ?? ?? ?? A2 25 1F 0F 72 ?? ?? ?? ?? A2\r\n                25 1F 10 72 ?? ?? ?? ?? A2 25 1F 11 72 ?? ?? ?? ?? A2 25 1F 12 72 ?? ?? ?? ?? A2 25 1F 13 72 ?? ?? ?? ?? A2\r\n                25 1F 14 72 ?? ?? ?? ?? A2 25 1F 15 72 ?? ?? ?? ?? A2 25 1F 16 72 ?? ?? ?? ?? A2 25 1F 17 72 ?? ?? ?? ?? A2\r\n                25 1F 18 72 ?? ?? ?? ?? A2 }\r\n    condition:\r\n        $s1 and\r\n        filesize \u003c 1MB\r\n}\r\nSource: https://securelist.com/new-tropic-trooper-web-shell-infection/113737/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://securelist.com/new-tropic-trooper-web-shell-infection/113737/"
	],
	"report_names": [
		"113737"
	],
	"threat_actors": [
		{
			"id": "f67fb5b3-b0d4-484c-943e-ebf12251eff6",
			"created_at": "2022-10-25T16:07:23.605611Z",
			"updated_at": "2026-04-10T02:00:04.685162Z",
			"deleted_at": null,
			"main_name": "FamousSparrow",
			"aliases": [
				"Earth Estries"
			],
			"source_name": "ETDA:FamousSparrow",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f0eca237-f191-448f-87d1-5d6b3651cbff",
			"created_at": "2024-02-06T02:00:04.140087Z",
			"updated_at": "2026-04-10T02:00:03.577326Z",
			"deleted_at": null,
			"main_name": "GhostEmperor",
			"aliases": [
				"OPERATOR PANDA",
				"FamousSparrow",
				"UNC2286",
				"Salt Typhoon",
				"RedMike"
			],
			"source_name": "MISPGALAXY:GhostEmperor",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "61ea51ed-a419-4b05-9241-5ab0dbba25fc",
			"created_at": "2023-01-06T13:46:38.354607Z",
			"updated_at": "2026-04-10T02:00:02.939761Z",
			"deleted_at": null,
			"main_name": "APT23",
			"aliases": [
				"BRONZE HOBART",
				"G0081",
				"Red Orthrus",
				"Earth Centaur",
				"PIRATE PANDA",
				"KeyBoy",
				"Tropic Trooper"
			],
			"source_name": "MISPGALAXY:APT23",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "bef7800a-a08f-4e21-b65c-4279c851e572",
			"created_at": "2022-10-25T15:50:23.409336Z",
			"updated_at": "2026-04-10T02:00:05.319608Z",
			"deleted_at": null,
			"main_name": "Tropic Trooper",
			"aliases": [
				"Tropic Trooper",
				"Pirate Panda",
				"KeyBoy"
			],
			"source_name": "MITRE:Tropic Trooper",
			"tools": [
				"USBferry",
				"ShadowPad",
				"PoisonIvy",
				"BITSAdmin",
				"YAHOYAH",
				"KeyBoy"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d390d62a-6e11-46e5-a16f-a88898a8e6ff",
			"created_at": "2024-12-28T02:01:54.899899Z",
			"updated_at": "2026-04-10T02:00:04.880446Z",
			"deleted_at": null,
			"main_name": "Salt Typhoon",
			"aliases": [
				"Earth Estries",
				"FamousSparrow",
				"GhostEmperor",
				"Operator Panda",
				"RedMike",
				"Salt Typhoon",
				"UNC2286"
			],
			"source_name": "ETDA:Salt Typhoon",
			"tools": [
				"Agentemis",
				"Backdr-NQ",
				"Cobalt Strike",
				"CobaltStrike",
				"Crowdoor",
				"Cryptmerlin",
				"Deed RAT",
				"Demodex",
				"FamousSparrow",
				"FuxosDoor",
				"GHOSTSPIDER",
				"HemiGate",
				"MASOL RAT",
				"Mimikatz",
				"NBTscan",
				"NinjaCopy",
				"ProcDump",
				"PsExec",
				"PsList",
				"SnappyBee",
				"SparrowDoor",
				"TrillClient",
				"WinRAR",
				"Zingdoor",
				"certutil",
				"certutil.exe",
				"cobeacon",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "578f8e62-2bb4-4ce4-a8b7-6c868fa29724",
			"created_at": "2022-10-25T16:07:24.344358Z",
			"updated_at": "2026-04-10T02:00:04.947834Z",
			"deleted_at": null,
			"main_name": "Tropic Trooper",
			"aliases": [
				"APT 23",
				"Bronze Hobart",
				"Earth Centaur",
				"G0081",
				"KeyBoy",
				"Operation Tropic Trooper",
				"Pirate Panda",
				"Tropic Trooper"
			],
			"source_name": "ETDA:Tropic Trooper",
			"tools": [
				"8.t Dropper",
				"8.t RTF exploit builder",
				"8t_dropper",
				"ByPassGodzilla",
				"CHINACHOPPER",
				"CREDRIVER",
				"China Chopper",
				"Chymine",
				"Darkmoon",
				"Gen:Trojan.Heur.PT",
				"KeyBoy",
				"Neo-reGeorg",
				"PCShare",
				"POISONPLUG.SHADOW",
				"Poison Ivy",
				"RoyalRoad",
				"SPIVY",
				"ShadowPad Winnti",
				"SinoChopper",
				"Swor",
				"TSSL",
				"USBferry",
				"W32/Seeav",
				"Winsloader",
				"XShellGhost",
				"Yahoyah",
				"fscan",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "86182dd7-646c-49c5-91a6-4b62fd2119a7",
			"created_at": "2025-08-07T02:03:24.617638Z",
			"updated_at": "2026-04-10T02:00:03.738499Z",
			"deleted_at": null,
			"main_name": "BRONZE HOBART",
			"aliases": [
				"APT23",
				"Earth Centaur ",
				"KeyBoy ",
				"Pirate Panda ",
				"Red Orthrus ",
				"TA413 ",
				"Tropic Trooper "
			],
			"source_name": "Secureworks:BRONZE HOBART",
			"tools": [
				"Crowdoor",
				"DSNGInstaller",
				"KeyBoy",
				"LOWZERO",
				"Mofu",
				"Pfine",
				"Sepulcher",
				"Xiangoop Loader",
				"Yahaoyah"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434129,
	"ts_updated_at": 1775792000,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/5a49b14444cb1b60b683972560b2899d1de5639f.pdf",
		"text": "https://archive.orkl.eu/5a49b14444cb1b60b683972560b2899d1de5639f.txt",
		"img": "https://archive.orkl.eu/5a49b14444cb1b60b683972560b2899d1de5639f.jpg"
	}
}