{
	"id": "3783c63a-f45c-4e54-861a-864dd12583e4",
	"created_at": "2026-04-06T00:18:43.497143Z",
	"updated_at": "2026-04-10T03:33:20.076384Z",
	"deleted_at": null,
	"sha1_hash": "6d53d93b12d72bb8d31ed12ead0661a1d017ffeb",
	"title": "Tropic Trooper Goes Mobile With Titan Surveillanceware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 80929,
	"plain_text": "Tropic Trooper Goes Mobile With Titan Surveillanceware\r\nBy Lookout\r\nPublished: 2017-11-16 · Archived: 2026-04-02 10:40:32 UTC\r\nLookout researchers have recently observed cybercriminals evolving the way they operate to reflect the multitude of platforms people now use to access information: you may read and triage email on a smartphone, switch to a laptop to crank out some work, then flip over to a tablet to catch up on social media or watch a video. To the attackers, it's a numbers game. The more devices they can reach, the more likely they are to compromise a target. Given the rise of mobile productivity, this means that we are seeing a growing number of attackers add mobile capabilities to their toolkits.\r\nThe latest threat to follow this trend is Titan, a family of sophisticated Android surveillanceware apps surfaced by Lookout's automated analysis that, based on command and control infrastructure, is linked to the same actors behind Operation Tropic Trooper. Tropic Trooper is a long-running campaign, first reported in 2016, that executed targeted desktop attacks against enterprises and military units in Taiwan and the Philippines. All Lookout customers are protected from Titan.\r\nCapabilities\r\nTitan usually comes with busybox and various native libraries that provide a range of functionality, from automated gathering of a user's data to executing attacker-specified instructions as superuser. Over time, Titan has evolved considerably, with a distinct trend of malicious code shifting first from Java to native libraries, then into second-stage components. Analysis of Titan variants found that they contained the following capabilities:\r\nRetrieve call history\r\nRetrieve text messages\r\nRetrieve contact information\r\nRetrieve a list of installed packages\r\nTrack device location\r\nTake a photo with the device camera when a user is first present or when instructed by an attacker\r\nRecord all calls or only calls to attacker-specified numbers\r\nBlock text messages to attacker-specified numbers\r\nTake a screenshot\r\nSend a text message\r\nExecute attacker-specified commands as root\r\nUpload specific files\r\nDownload attacker-specified files\r\nhttps://blog.lookout.com/titan-mobile-threat\r\nPage 1 of 4\r\nTitan hasn't been seen to trojanize legitimate applications and doesn't contain any legitimate functionality. The authors of Titan have instead opted to simply use the icon of a legitimate app. Application icons used included:\r\nZalo - a Vietnamese messaging application,\r\n91 - an unofficial Chinese app store that was bought by Baidu in 2013 for 1.9 billion,\r\nYY - a popular Chinese social network,\r\nRenren - formerly Xiaonei Network, a social network primarily used by Chinese college students,\r\n58 - an online Chinese marketplace,\r\nWeChat - a popular Chinese messaging app, and\r\nFloatingMenu - an application for handling shortcuts and gestures.\r\nInfrastructure\r\nSeveral domains and IP addresses associated with this family are no longer live; however, further research is being conducted into 108.61.xxx.xxx which, at the time of writing, is live, running PHP, and exposing information that may provide additional leads. Some Titan variants have been seen to iterate through a list of possible command and control servers when beaconing out. Domains and IPs that Titan has used, or is currently using, are listed below (domain / IP, followed by port):\r\nmysupport.dnset.com, port 3350 or 3351\r\nmysupport.zyns.com, port 3350 or 3351\r\n122.10.94.64, port 3350 or 3351\r\n202.153.193.73, port 9006\r\nandroidshome.com, port 9006\r\nwww.mark40.25u.com, port 9006\r\n113.10.221.89, port 9006\r\n108.61.xxx.xxx, port 80\r\nAs a family that is actively being improved, and given its links to targeted attacks against enterprises and defense institutions, Lookout is continuing to track Titan variants, associated server infrastructure, and the geographical regions where they're being deployed.\r\nSHA-1s\r\nWant to learn more about threats like Titan and our Threat Advisory services? Contact Lookout today.\r\nMichael Flossman\r\nHead of Threat Intelligence\r\nMichael is Head of Threat Intelligence at Lookout, where he works on reverse engineering sophisticated mobile threats while tracking their evolution, the campaigns they are used in, and the actors behind them. He has hands-on experience in vulnerability research, incident response, security assessments, pen-testing, reverse engineering and the prototyping of automated analysis solutions. When not analysing malware, there's a good chance he's off snowboarding, diving, or looking for flaws in popular mobile apps.\r\nSource: https://blog.lookout.com/titan-mobile-threat",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://blog.lookout.com/titan-mobile-threat"
	],
	"report_names": [
		"titan-mobile-threat"
	],
	"threat_actors": [
		{
			"id": "61ea51ed-a419-4b05-9241-5ab0dbba25fc",
			"created_at": "2023-01-06T13:46:38.354607Z",
			"updated_at": "2026-04-10T02:00:02.939761Z",
			"deleted_at": null,
			"main_name": "APT23",
			"aliases": [
				"BRONZE HOBART",
				"G0081",
				"Red Orthrus",
				"Earth Centaur",
				"PIRATE PANDA",
				"KeyBoy",
				"Tropic Trooper"
			],
			"source_name": "MISPGALAXY:APT23",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "bef7800a-a08f-4e21-b65c-4279c851e572",
			"created_at": "2022-10-25T15:50:23.409336Z",
			"updated_at": "2026-04-10T02:00:05.319608Z",
			"deleted_at": null,
			"main_name": "Tropic Trooper",
			"aliases": [
				"Tropic Trooper",
				"Pirate Panda",
				"KeyBoy"
			],
			"source_name": "MITRE:Tropic Trooper",
			"tools": [
				"USBferry",
				"ShadowPad",
				"PoisonIvy",
				"BITSAdmin",
				"YAHOYAH",
				"KeyBoy"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "578f8e62-2bb4-4ce4-a8b7-6c868fa29724",
			"created_at": "2022-10-25T16:07:24.344358Z",
			"updated_at": "2026-04-10T02:00:04.947834Z",
			"deleted_at": null,
			"main_name": "Tropic Trooper",
			"aliases": [
				"APT 23",
				"Bronze Hobart",
				"Earth Centaur",
				"G0081",
				"KeyBoy",
				"Operation Tropic Trooper",
				"Pirate Panda",
				"Tropic Trooper"
			],
			"source_name": "ETDA:Tropic Trooper",
			"tools": [
				"8.t Dropper",
				"8.t RTF exploit builder",
				"8t_dropper",
				"ByPassGodzilla",
				"CHINACHOPPER",
				"CREDRIVER",
				"China Chopper",
				"Chymine",
				"Darkmoon",
				"Gen:Trojan.Heur.PT",
				"KeyBoy",
				"Neo-reGeorg",
				"PCShare",
				"POISONPLUG.SHADOW",
				"Poison Ivy",
				"RoyalRoad",
				"SPIVY",
				"ShadowPad Winnti",
				"SinoChopper",
				"Swor",
				"TSSL",
				"USBferry",
				"W32/Seeav",
				"Winsloader",
				"XShellGhost",
				"Yahoyah",
				"fscan",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "86182dd7-646c-49c5-91a6-4b62fd2119a7",
			"created_at": "2025-08-07T02:03:24.617638Z",
			"updated_at": "2026-04-10T02:00:03.738499Z",
			"deleted_at": null,
			"main_name": "BRONZE HOBART",
			"aliases": [
				"APT23",
				"Earth Centaur ",
				"KeyBoy ",
				"Pirate Panda ",
				"Red Orthrus ",
				"TA413 ",
				"Tropic Trooper "
			],
			"source_name": "Secureworks:BRONZE HOBART",
			"tools": [
				"Crowdoor",
				"DSNGInstaller",
				"KeyBoy",
				"LOWZERO",
				"Mofu",
				"Pfine",
				"Sepulcher",
				"Xiangoop Loader",
				"Yahaoyah"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434723,
	"ts_updated_at": 1775792000,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/6d53d93b12d72bb8d31ed12ead0661a1d017ffeb.pdf",
		"text": "https://archive.orkl.eu/6d53d93b12d72bb8d31ed12ead0661a1d017ffeb.txt",
		"img": "https://archive.orkl.eu/6d53d93b12d72bb8d31ed12ead0661a1d017ffeb.jpg"
	}
}