{ "id": "f60b81bd-1cf8-4134-b80d-fbeb53f45713", "created_at": "2026-04-06T00:11:51.52613Z", "updated_at": "2026-04-10T13:11:20.35032Z", "deleted_at": null, "sha1_hash": "6086288717103d6b1c55ed76db5a6078d07d3a30", "title": "Threat Group Cards: A Threat Actor Encyclopedia", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 54457, "plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-05 22:03:14 UTC\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool USBferry\n Tool: USBferry\nNames USBferry\nCategory Malware\nType Reconnaissance, Backdoor, Info stealer, Exfiltration\nDescription\n(Trend Micro) USBferry has variants that perform different commands depending on\nspecific targets; it can also combine capabilities, improve its stealth in infected\nenvironments, and steal critical information through USB storage.\nSpecific functions will be embedded in the trojan downloader to adopt the target\nenvironment. Our in-depth analysis found that when Tropic Trooper first penetrates the\nvictim's environment, they will use basic sourcing scripts to collect the host network’s\ntopology, connection capability, and volume information. The second function uses USB\nstorage to copy highly classified documents from the physically isolated environment.\nMoreover, this function copies certain files into the USB %RECYCLER% folder,\nmonitors files’ modified time, and updates the newest one to the USB device. The last\nfunction will infiltrate the target’s internal machine with a customized Windows\ncommand and reverse backdoor malware.\nInformation\nMITRE ATT\u0026CK Malpedia Last change to this tool card: 30 December 2022\nDownload this tool card in JSON format\nAll groups using tool USBferry\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=0089ab73-bdcf-4834-ba12-4eb76d2dbd25\nPage 1 of 2\n\nChanged Name Country Observed\r\nAPT groups\r\n  Tropic Trooper, Pirate Panda, APT 23, KeyBoy 2011-Jun 2023  \r\n1 group listed (1 APT, 0 other, 0 unknown)\r\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=0089ab73-bdcf-4834-ba12-4eb76d2dbd25\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=0089ab73-bdcf-4834-ba12-4eb76d2dbd25\r\nPage 2 of 2", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "origins": [ "web" ], "references": [ "https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=0089ab73-bdcf-4834-ba12-4eb76d2dbd25" ], "report_names": [ "listgroups.cgi?u=0089ab73-bdcf-4834-ba12-4eb76d2dbd25" ], "threat_actors": [ { "id": "61ea51ed-a419-4b05-9241-5ab0dbba25fc", "created_at": "2023-01-06T13:46:38.354607Z", "updated_at": "2026-04-10T02:00:02.939761Z", "deleted_at": null, "main_name": "APT23", "aliases": [ "BRONZE HOBART", "G0081", "Red Orthrus", "Earth Centaur", "PIRATE PANDA", "KeyBoy", "Tropic Trooper" ], "source_name": "MISPGALAXY:APT23", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "bef7800a-a08f-4e21-b65c-4279c851e572", "created_at": "2022-10-25T15:50:23.409336Z", "updated_at": "2026-04-10T02:00:05.319608Z", "deleted_at": null, "main_name": "Tropic Trooper", "aliases": [ "Tropic Trooper", "Pirate Panda", "KeyBoy" ], "source_name": "MITRE:Tropic Trooper", "tools": [ "USBferry", "ShadowPad", "PoisonIvy", "BITSAdmin", "YAHOYAH", "KeyBoy" ], "source_id": "MITRE", "reports": null }, { "id": "578f8e62-2bb4-4ce4-a8b7-6c868fa29724", "created_at": "2022-10-25T16:07:24.344358Z", "updated_at": "2026-04-10T02:00:04.947834Z", "deleted_at": null, "main_name": "Tropic Trooper", "aliases": [ "APT 23", "Bronze Hobart", "Earth Centaur", "G0081", "KeyBoy", "Operation Tropic Trooper", "Pirate Panda", "Tropic Trooper" ], "source_name": "ETDA:Tropic Trooper", "tools": [ "8.t Dropper", "8.t RTF exploit builder", "8t_dropper", "ByPassGodzilla", "CHINACHOPPER", "CREDRIVER", "China Chopper", "Chymine", "Darkmoon", "Gen:Trojan.Heur.PT", "KeyBoy", "Neo-reGeorg", "PCShare", "POISONPLUG.SHADOW", "Poison Ivy", "RoyalRoad", "SPIVY", "ShadowPad Winnti", "SinoChopper", "Swor", "TSSL", "USBferry", "W32/Seeav", "Winsloader", "XShellGhost", "Yahoyah", "fscan", "pivy", "poisonivy" ], "source_id": "ETDA", "reports": null }, { "id": "86182dd7-646c-49c5-91a6-4b62fd2119a7", "created_at": "2025-08-07T02:03:24.617638Z", "updated_at": "2026-04-10T02:00:03.738499Z", "deleted_at": null, "main_name": "BRONZE HOBART", "aliases": [ "APT23", "Earth Centaur ", "KeyBoy ", "Pirate Panda ", "Red Orthrus ", "TA413 ", "Tropic Trooper " ], "source_name": "Secureworks:BRONZE HOBART", "tools": [ "Crowdoor", "DSNGInstaller", "KeyBoy", "LOWZERO", "Mofu", "Pfine", "Sepulcher", "Xiangoop Loader", "Yahaoyah" ], "source_id": "Secureworks", "reports": null } ], "ts_created_at": 1775434311, "ts_updated_at": 1775826680, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/6086288717103d6b1c55ed76db5a6078d07d3a30.pdf", "text": "https://archive.orkl.eu/6086288717103d6b1c55ed76db5a6078d07d3a30.txt", "img": "https://archive.orkl.eu/6086288717103d6b1c55ed76db5a6078d07d3a30.jpg" } }