{
	"id": "5387ad8b-07c2-4933-80b6-ee538bdd91b5",
	"created_at": "2026-04-06T00:14:02.740579Z",
	"updated_at": "2026-04-10T03:33:20.091938Z",
	"deleted_at": null,
	"sha1_hash": "b4085bb3d44c2adbec0cf7cc1e88d47ba6efb25d",
	"title": "Familiar Feeling: A Malware Campaign Targeting the Tibetan Diaspora Resurfaces - The Citizen Lab",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1160891,
	"plain_text": "Familiar Feeling: A Malware Campaign Targeting the Tibetan Diaspora\r\nResurfaces - The Citizen Lab\r\nArchived: 2026-04-05 14:02:12 UTC\r\nKey Findings\r\nThis report analyzes a malware campaign active between January and March 2018 that targeted Tibetan activists,\r\njournalists, members of the Tibetan Parliament in exile, and the Central Tibetan Administration.\r\nWe detail a successful intrusion of a Tibetan NGO and provide a brief analysis of the operator’s actions post-infection.\r\nBoth this recent campaign and a campaign we reported in 2016 have connections to a wider operation called\r\n“Tropic Trooper”. The strength and meaning of these connections are assessed.\r\nWe examine the challenges associated with investigating closed espionage ecosystems and the importance of\r\naccurately describing the players and the harms they cause.\r\nIntroduction\r\nIn January 2018, a Tibetan activist received a mundane-looking email purporting to be program updates from a human rights\r\nNGO. Attached to the message were a PowerPoint presentation and a document. The activist, like many in the Tibetan\r\ndiaspora, had grown wary of unsolicited emails with attachments, and instead of opening the documents, shared the files\r\nwith Citizen Lab researchers.\r\nThe suspicion was warranted: the attachments were malicious. If clicked, the files would run recent exploits to infect\r\nWindows computers with custom malware. This email was the start of a malware campaign active between January and\r\nMarch 2018 that targeted Tibetan activists, journalists, members of the Tibetan Parliament in exile, and the Central Tibetan\r\nAdministration. We worked closely with the targeted groups to collect the malicious messages, and also engaged in incident\r\nresponse with a compromised organization. 
This collaboration enabled us to gain further insights into the tactics, techniques,\r\nand procedures used by the operators.\r\nThe campaign used social engineering to trick targets into opening exploit-laden PowerPoint (CVE-2017-0199) and\r\nMicrosoft Rich Text Format (RTF) documents (CVE-2017-11882) attached to e-mail messages. The malware includes a\r\nPowerShell payload we call DMShell++, a backdoor known as TSSL, and a post-compromise tool we call DSNGInstaller.\r\nWe call this recent campaign the “Resurfaced Campaign” because of connections to a 2016 campaign that targeted Tibetan\r\nParliamentarians (which we refer to as the “Parliamentary Campaign”). These connections suggest that the same group may\r\nbe involved or tools and infrastructure are being shared between multiple groups.\r\nTibetan Diaspora: A Highly Targeted Community\r\nThe threat of digital espionage has become a persistent reality for the Tibetan diaspora, which has been targeted by malware\r\ncampaigns for over a decade. Historically, these operations have relied heavily on malicious attachments that leverage\r\nknown exploits and basic Remote Access Trojans (RATs). This tactic may reflect a basic risk-reward calculation when\r\ntargeting under-resourced civil society groups: if they are using unpatched systems, why run the risk of exposing more\r\nsophisticated technical tools when simple ones will do? The operators instead appear to focus much of their innovation on\r\nclever social engineering paired with a “just enough” approach to tooling. 
The limited technical innovation that we observe\r\nmay be driven by the pragmatic need to continue to achieve access and permanence, rather than more sophisticated goals\r\nsuch as obscuring malware authorship or resisting decompilation.\r\nShifting Tactics?\r\nhttps://citizenlab.ca/2018/08/familiar-feeling-a-malware-campaign-targeting-the-tibetan-diaspora-resurfaces/\r\nPage 1 of 18\n\nSince 2016, the number of reported targeted malware campaigns against Tibetan groups has dropped significantly. In place\r\nof targeted malware, we have observed a shift to phishing designed to harvest credentials from online accounts. A notable\r\nexception to this change is the Parliamentary Campaign, which used known and patched exploits to deliver custom malware\r\ncalled KeyBoy. The Resurfaced Campaign is the first targeted malware activity against the Tibetan community we have\r\nobserved since the Parliamentary Campaign.\r\nFamiliar Connections\r\nThe Resurfaced Campaign used different exploits and payloads than the Parliamentary Campaign but shares other\r\nconnections. The two campaigns used similar spear phishing messages and both targeted Tibetan parliamentarians. One of\r\nthe e-mail addresses used to send spear phishing messages in the Resurfaced Campaign\r\n(tibetanparliarnent[@]yahoo.com) was also used repeatedly during the Parliamentary Campaign.\r\nBased on the use of common tools and code similarities, both campaigns are also connected to a wider operation called\r\n“Tropic Trooper” that has been active since at least 2012 and was first reported by Trend Micro in 2015. Tropic Trooper has\r\ntargeted governments and companies in Taiwan and the Philippines and is usually identified through the use of specific\r\nmalware including Yahoyah, Yahamam, and TSSL. The Resurfaced Campaign is linked to Tropic Trooper through its use of\r\nTSSL. The Parliamentary Campaign is linked through code similarities between KeyBoy and Yahoyah. 
Trend Micro noted\r\nYahoyah shared the same algorithm for encoding configuration files as versions of KeyBoy found in 2013.\r\nIf the same threat actor is behind the Resurfaced and Parliamentary Campaigns, the operators appear to have engaged in\r\nlimited and incremental changes to their tools. These improvements are minor, and are unlikely to represent\r\nsignificant costs. The exploit code and PowerShell code used in the campaign were publicly available. Proofs of concept of\r\nthe exploits exist on GitHub, and DMShell++ (the PowerShell payload) is based on example code posted online.\r\nClosed Espionage Ecosystems: An Analytical Challenge\r\nThese types of campaigns use custom-built malware that originates from a closed espionage ecosystem in which the parties\r\ninvolved (e.g., developers who write the malware, operators who conduct the campaigns, and intelligence customers who\r\nincentivize the activity) are difficult to identify and fully segment. Intelligence customers may be actively managing the\r\ndevelopment of tools and selection of targets or may be passive consumers who the operators know are interested in and will\r\npay for information from certain targets. The cost and effort put into closed espionage ecosystems are harder to quantify than\r\ncommoditized malware kits (such as cybercrime tools repurposed for espionage) or government-exclusive malware (such as\r\nproducts from NSO Group) which have defined prices and markets.\r\n“Actors” in closed espionage ecosystems are abstractions typically identified by the use of common tools and infrastructure.\r\nThis level of attribution can help cluster incidents together into recognizable patterns and indicators. However, many\r\nburglars can, at different times, use the same crowbar. 
For example, seemingly disparate campaigns and threat actors may be\r\nlinked through what FireEye describes as a “digital quartermaster”, which refers to a resource of malware development and\r\ninfrastructure that is shared amongst multiple campaigns and groups. Knowing what tools and tactics are leveraged in\r\nmalware campaigns can provide insight into technical capabilities and allow an analyst to track activities over time, but this\r\nknowledge alone does not explain how information collected by the operators is ultimately used by the intelligence customer\r\nnor the types of harm that can follow for civil society.\r\nThis report is organized into the following sections:\r\nPart 1: Resurfaced Campaign describes the Resurfaced Campaign that targeted Tibetan groups between January and\r\nMarch 2018.\r\nPart 2: Investigating a Compromise describes a compromise of a Tibetan NGO and analyzes operator actions post-infection.\r\nPart 3: Familiar Connections highlights connections between the Parliamentary and Resurfaced Campaigns to an\r\noperation called “Tropic Trooper”.\r\nPart 4: Closed Espionage Ecosystems and Identifying Harm discusses challenges in analyzing closed espionage\r\necosystems and situates our investigation within wider trends of digital espionage operations against the Tibetan diaspora.\r\nPart 1: Resurfaced Campaign\r\nThis section describes the Resurfaced Campaign that targeted Tibetan groups between January and March 2018.\r\nCampaign Overview\r\nWe observed the Resurfaced Campaign from January 16 to March 2, 2018 and collected seven spear phishing emails sent to\r\nTibetan activists, journalists, members of the Tibetan Parliament in exile, and the Central Tibetan Administration (CTA).\r\nThe messages were sent from email addresses that mimicked staff of Tibetan NGOs or the CTA, and shared content on\r\nadvocacy 
activities, cultural events, and administrative announcements. We verified that some of this information was\r\npublicly available on social media, whereas other information may have been collected from public correspondence or\r\nprivate messages that could have been previously stolen by the operators. A January 22 spear phishing email was sent from\r\ntibetanparliarnent[@]yahoo.com, which was also used to send multiple spear phishing emails in the Parliamentary\r\nCampaign (see Figure 1).\r\nWhile both the Parliamentary Campaign and the Resurfaced Campaign used similar social engineering tactics and a\r\ncommon email address to send spear phishing messages, the Resurfaced Campaign used a different, newer malware toolkit.\r\nIn six of the eight intrusion attempts, the operator sent a Microsoft PowerPoint file exploiting a vulnerability disclosed in\r\n2017 (CVE-2017-0199) designed to drop a payload written in Microsoft’s PowerShell scripting language from a remote\r\nserver. In two early intrusion attempts in January 2018, the operator also used an exploit for RTF documents\r\n(CVE-2017-11882).\r\nFigure 2 provides a timeline of the Resurfaced Campaign highlighting when spear phishing emails were sent and the\r\nexploits that were used.\r\nInfection Chain: CVE-2017-0199 and DMShell++\r\nThe most common infection chain in the campaign was the use of a PowerPoint Open XML Slide Show file (PPSX)\r\nexploiting CVE-2017-0199 to load a remote payload we call DMShell++, a basic TCP reverse shell written in Microsoft’s\r\nPowerShell scripting language. We observed a very similar, albeit simpler, implementation of DMShell++ on a public\r\nposting on Wooyun (a Chinese hacker forum) by an author with the username “DM_”. 
We refer to the version discovered in\r\nour investigation as “DMShell++” in reference to the Wooyun username combined with the fact that the Wooyun version has\r\nbeen incrementally updated with additional basic commands.\r\nWe observed versions of DMShell++ hosted on the domains enumerated in Table 1. However, we did not monitor these\r\ndomains continuously and therefore it is possible that the operator may have used additional configurations not listed in the\r\ntable.\r\nDate Observed | Source | C2 Configuration\r\nJanuary 18, 2018 | commail[.]co:5453/qqqzqa | 27.126.186.222:6001, 27.126.186.222:6002, 27.126.186.222:6003\r\nJanuary 22, 2018 | tibetnews[.]info:8026/qqqzqa | 103.55.24.196:80, 103.55.24.196:443, 45.127.97.222:443\r\nFebruary 2, 2018 | commail[.]co:5453/qqqzqa | 27.126.186.222:80, 27.126.186.222:443, 27.126.186.222:8080\r\nMarch 6, 2018 | comemails[.]email:1234/hgf | 203.189.232.207:80, 203.189.232.207:443, 103.55.24.196:443\r\nTable 1\r\nList of C2 configurations observed in different DMShell++ samples\r\nThe versions of DMShell++ we observed had the same capabilities but different configurations for command and control.\r\nTable 2 provides an overview of capabilities of DMShell++ and how it could be used by an operator (technical details are\r\nincluded in Appendix A). This basic script gives the remote actor vast control over the victim computer. 
Initially deploying\r\ngeneric payloads hides true capabilities and intentions from defenders should the attempted intrusion be detected at this\r\nstage.\r\nCapability | Purpose to the Operator\r\nCollect system information (internal IP address, operating system (OS) version, user name) | Collecting system information helps the operator assess if they have the correct target and learn about potential weaknesses in the computer’s OS.\r\nExecute remote commands | Executing remote commands provides additional reconnaissance information that can help the operator determine their next steps.\r\nSend additional files | The ability to send additional files means the operator can download additional tools with different capabilities.\r\nExtract data | Stealing files from the target machine is likely the operator’s ultimate goal.\r\nTable 2\r\nOverview of DMShell++ capabilities\r\nInfection Chain: CVE-2017-11882 and DMShell++\r\nIn two spear phishing emails sent early in the campaign, the operator used a second exploit document in addition to the\r\nPPSX files described previously to deploy DMShell++. It is unclear why the operator used this secondary method. However,\r\ngiven the amount of time between patches being released for both vulnerabilities, as well as the different methods being\r\nused to execute the PowerShell payload, it is possible the operator wanted to maximize success while testing both\r\nexploitation methods.\r\nThe second document was an RTF document designed to exploit CVE-2017-11882. In this case, instead of loading the\r\nPowerShell script from a remote location, this exploit document followed a more traditional infection chain by attempting to\r\nwrite an executable (EXE) program to the target computer. The EXE program was designed to create a small PowerShell\r\nscript on the target computer to decode and execute an encoded version of DMShell++. 
This version of DMShell++ was\r\nconfigured to use the same C2 infrastructure as the remote version downloaded by the PPSX file sent in the same spear\r\nphishing email (27.126.186[.]222 on ports 6001, 6002, and 6003; Appendix D provides a detailed overview of the\r\nserver infrastructure). Figure 3 shows an overview of the CVE-2017-11882 and DMShell++ infection chain.\r\nInfection Chain: CVE-2017-11882 and TSSL Suite\r\nIn the spear phishing email sent on January 23, 2018, the operator also included an RTF document designed to exploit CVE-2017-11882 and execute a payload embedded in the file. However, in this instance, the operator deployed an entirely\r\ndifferent set of tools.\r\nAs we analyzed the files written to disk as part of this infection chain, we observed multiple program database (PDB)\r\nstrings. When available, PDB strings can be indicative of the malware creator’s environment and naming of the developed\r\nmalware.\r\nD:\\Work\\Project\\VS\\house\\Apple\\Apple_20180115\\Release\\InstallClient.pdb\r\nD:\\Work\\Project\\VS\\house\\Apple\\Apple_20180115\\Release\\FakeRun.pdb\r\nThese PDB strings are consistent with a set of tools known as TSSL, which were previously described by Trend Micro and\r\nPwC and linked to KeyBoy and Tropic Trooper campaigns. The TSSL suite analyzed in these reports includes a loader called\r\nFakeRun and a backdoor named TClient. While the samples we analyzed have a few differences from previously reported\r\ninstances (e.g., version numbers, storage of configuration data, method for launching payloads) we conclude that they are\r\nlikely based on the same source code (see Appendix B for a detailed comparative analysis of the samples). 
Figure 4 shows\r\nan overview of the CVE-2017-11882 and TSSL suite infection chain.\r\nPart 2: Investigating a Compromise\r\nThis section describes a compromise of a Tibetan NGO and analyzes operator actions post-infection.\r\nThe fourth spear phishing email of the campaign was sent on January 23, 2018 to a range of targets working for Tibetan\r\nNGOs, media groups, and the CTA. The message appeared to be sent from the Director of the Tibet Museum, which is an\r\nofficial museum of the CTA. Attached to the email were RTF and PPSX files that claimed to present information about\r\nthe National Museum of Tibet (see Figure 5). These files contained the CVE-2017-11882 and TSSL Suite infection chain.\r\nOne NGO in particular was heavily targeted and had multiple staff members receive the email. A senior staff member of the\r\ngroup opened the attachment from a computer in their office and was compromised. Through incident response on the\r\norganization’s network, we observed post-infection actions taken by the operator and identified the use of a second\r\nbackdoor.\r\nNetwork logs show connections to the IP address 115.126.86[.]151 on ports 6001, 8080, and 8100 matching the\r\nconfiguration file of the TSSL implant. This backdoor was configured to communicate with the C2 server every 20 minutes,\r\nbut we quickly noticed during the analysis of network logs that most connections were actually rejected by the C2 server.\r\nBased on these patterns, it appears the C2 server was disabled most of the day and active only for short windows.\r\nThe TClient sample was used until January 29 when a new backdoor was deployed on the infected system communicating\r\nwith a new C2 server listed in Table 3. 
We call the new backdoor “DSNGInstaller”, a name stemming from the payload’s\r\ninternal name combined with the irony that DSNG is an accepted acronym for Digital Satellite News Gathering. Both\r\nbackdoors were active until February 8 when the TClient sample was removed.\r\nSample | MD5 | C2 Domain | C2 IP Address\r\nDSNGInstaller | 67e866c461c285853b225d2b2c850c4f | tibetfrum[.]info | 27.126.176.169\r\nTable 3\r\nC2 configuration for the DSNGInstaller backdoor\r\nTable 4 provides an overview of DSNGInstaller’s capabilities (technical details are included in Appendix C). These features\r\nare similar to those provided by TClient.\r\nCapability | Purpose to the Operator\r\nSystem reconnaissance (list all volumes and drives, list running processes, list files) | Additional reconnaissance information helps the operator determine their next action.\r\nFile system access (create a file or directory, delete a file or directory) | Interacting with the file system allows the operator to use new tools and hide evidence of their actions.\r\nSystem control (run a process with output, run a process without output, stop currently running processes) | Running processes allows the operator to run their tools, while stopping processes allows the operator to shut down programs that may detect their actions.\r\nData exfiltration (upload a file to the C2 server) | Stealing files from the target machine is the ultimate goal of the operator.\r\nTable 4\r\nCapabilities of the DSNGInstaller backdoor\r\nWhile it is unclear why the operator switched malware after multiple days of undetected success, we consider potential\r\nscenarios. 
It is possible the TSSL malware was detected by other targets where we do not have visibility, which caused the\r\noperator to shift to a lesser-known tool with a lower detection rate. Another possible scenario is that the operator’s interface\r\nto the DSNGInstaller tool is more robust and thus preferable for expected long-term access. Finally, it is possible that\r\nDSNGInstaller is the tool of choice of another operator. This last scenario would represent a potential handoff of a\r\nsurveillance victim between multiple remote operators.\r\nPart 3: Familiar Connections\r\nThis section highlights connections between the Parliamentary and Resurfaced Campaigns to an operation called “Tropic\r\nTrooper.”\r\nCampaign Connections\r\nThe tactics, techniques, and procedures used in the Resurfaced Campaign link it to the Parliamentary Campaign and to an\r\noperation called “Tropic Trooper”.\r\nTrend Micro released the first public report on Tropic Trooper in 2015, describing a malware campaign that targeted\r\ngovernment institutions, military agencies, and companies in Taiwan and the Philippines. The campaign exploited old\r\nvulnerabilities (CVE-2010-3333 and CVE-2012-0158) and used custom malware, which Trend Micro detects as\r\nTROJ_YAHOYAH and BKDR_YAHAMAM. Trend Micro noted that the Yahoyah malware used the same algorithm for\r\nencoding configuration files as the 2013 versions of KeyBoy analyzed by Rapid7, suggesting a link between these\r\ncampaigns or at least the developers of the malware.\r\nThe KeyBoy samples that were used in the 2016 Parliamentary Campaign had a significant change in the encoding of the\r\nconfiguration file compared to the samples described by Rapid7. In the 2013 version, the configuration file was encoded\r\nusing a simplified static-key-based algorithm. The newer encoding algorithm removed the use of a static encryption key in\r\nfavour of a dynamically constructed lookup table. 
The main connection between the Resurfaced Campaign and the\r\nParliamentary Campaign is the reuse of a Yahoo email address (tibetanparliarnent[@]yahoo.com) to send spear phishing\r\nemails to targets in the Tibetan community.\r\nMost recently, in 2018 Trend Micro published an update on Tropic Trooper noting a new infection chain that included\r\ndifferent exploits (CVE-2017-11882, CVE-2018-0802) and the TSSL tool suite. Amongst the C2 servers observed was a\r\ndomain (tibetnews[.]today), which shares registrant information with the domains used in the Resurfaced Campaign.\r\nFigure 6 provides an overview of the connections between these campaigns.\r\nEvaluating Connections\r\nThe relationships between campaigns are typically drawn through the use of common technical indicators (e.g., malware or\r\nserver infrastructure). In some cases, these links are used to connect multiple campaigns to a “threat actor” or “group”\r\nwhich is thought to be carrying out the campaigns. 
These links can have varying levels of strength, which can lead to\r\ndifferent levels of confidence in attributing campaigns to a specific actor (see Table 5).\r\nConnection Type | Description\r\nFirst-order connections | Shared tools and infrastructure that are directly observed being used against targets. These connections typically form the core indicators or “problem set” of a campaign.\r\nSecond-order connections | Related samples of tools believed to be unique, or C2 infrastructure overlaps, where neither the tools nor the infrastructure were directly observed in use.\r\nNth-order connections | Unique characteristics of tools and infrastructure such as code reuse, development techniques, or naming conventions.\r\nTable 5\r\nOverview of connection types and level of confidence.\r\nFirst-order connections typically require direct observation of malicious activity against a target and as a result may not be\r\nmade public (for example, if a security company obtains the data from a customer). By contrast, second- and Nth-order\r\nconnections can usually be normalized between researchers and used to make connections between campaigns. For example,\r\nKaspersky labelled a reportedly China-based threat group as Winnti after a tool they used. Over time, different campaigns\r\nand tools were grouped under the same name; for instance, Microsoft associated Winnti with multiple groups they name\r\n“BARIUM” and “LEAD”. While these differences in groupings stem from differing first-order connections, enough second-\r\nand Nth-order connections have been identified to reference the collection of indicators as an umbrella of “Winnti”\r\nactivities, which ProtectWise recently did in a report. 
In these cases, indicators are available, but the strength of the\r\nconnections may not be readily apparent and can lead to very wide groupings and abstractions.\r\nFor Tropic Trooper, multiple security companies have released information that they claim links campaigns to the threat\r\nactor. The strength of the evidence behind these claims is not always clear, but the majority appear to be second- and/or Nth-order connections. Table 6 and Figure 7 detail the connections made in these reports.\r\nReport | Description | Tropic Trooper Connection | Connection Type\r\nPalo Alto (2016) | Campaign using Yahoyah, PcShare, and Poison Ivy targeting Taiwanese government and fossil fuel provider | Use of Yahoyah malware; overlapping C2 infrastructure | Second-order, possibly first-order\r\nLookout (2017) | Description of Android malware called Titan | Overlapping C2 infrastructure | Second-order\r\nTrend Micro (2018) | Campaign using TSSL toolkit targeting government and industry in Taiwan, Philippines, and Hong Kong | TSSL toolkit | Unknown*\r\nTable 6\r\nOverview of reports connecting malware campaigns to Tropic Trooper\r\n*Note: This report is the first time the TSSL toolkit is linked to Tropic Trooper. Trend Micro does not explain how they made the connection.\r\nPart 4: Challenges of Analyzing Closed Ecosystems\r\nThis section discusses challenges in investigating closed espionage ecosystems and situates our investigation within wider\r\ntrends of digital espionage operations against the Tibetan diaspora.\r\nThe Resurfaced Campaign used a mix of new and previously observed tools, which share technical characteristics with\r\ncampaigns previously attributed to Tropic Trooper. However, these links alone do not allow us to conclusively state that the\r\ncampaigns are run by the same actor. 
This ambiguity illustrates some of the analytical challenges posed when analyzing\r\nconnections between campaigns and theorizing about the roles of different actors in closed espionage ecosystems.\r\nOut of necessity, researchers use naming schemes and actor groupings to characterize digital espionage operations.\r\nWhile names are critical, the process by which they are selected, as Florian Roth and others have pointed out, can lead to\r\nmultiple names for the same group and potential confusion over what a name refers to. Differentiating between campaigns\r\nand the “threat actor” behind Tropic Trooper shows some of these challenges. Reports on Tropic Trooper have characterized\r\nit in varied and sometimes ambiguous ways (see Table 7). This variation points to some of the challenges inherent in\r\nconsistently using naming: do names refer to campaigns of malware activity, the “threat actors” behind them, or a common\r\ntool set? It is not always clear.\r\nReport | Description\r\nTrend Micro (2015) | “‘…Operation Tropic Trooper,’ an ongoing campaign…”\r\nPalo Alto (2016) | “…a campaign called Tropic Trooper,…”\r\nLookout (2017) | “…linked to the same actors behind Operation Tropic Trooper. Tropic Trooper is a long running campaign…”\r\nTrend Micro (2018) | “Tropic Trooper (also known as KeyBoy) levels its campaigns against … targets”\r\nTable 7\r\nDescriptions of Tropic Trooper in previous reports.\r\nPart of the complexity of naming stems from the multiple operational roles likely to be present in a major campaign. These\r\nroles may include malware developers, campaign operators, and intelligence taskers and consumers. The relationships\r\nbetween these roles may be simple or multi-layered. For example, a developer may double as an operator for a small task for\r\na customer. Malware developers may share tools with multiple operators acting independently from each other. 
Customers\r\nmay be active (i.e., directly involved in tasking operators) or passive (i.e., consuming information brought to them by the\r\noperators or brokers representing the operators). Likewise, an operator may use the same tools to work on multiple tasks for\r\nmultiple consumers. These complexities can create challenges when tools and infrastructure are the primary means for\r\nidentifying and linking campaign activities. Unfortunately, in the case of the Resurfaced Campaign, we lack the\r\nvisibility into the organizational roles that would help us move from what we have observed to a more conclusive statement\r\nabout its relationship to Tropic Trooper.\r\nReviewing the timeline of malware and infrastructure development in the Resurfaced Campaign illustrates these challenges.\r\nFigure 8 shows that while the infrastructure was set up months before the first spear phishing messages were sent, the\r\nmalware builds were all done shortly before the campaign started. The time difference between infrastructure setup and\r\nmalware build, combined with the fact that our identified connections to Tropic Trooper are only code-based, suggests that the\r\nmalware may be a resource that is shared between groups.\r\nThe connections between the Resurfaced and Parliamentary Campaigns to Tropic Trooper highlight the difficulties of\r\ncharacterizing threat groups and how they interact with other players in a closed espionage ecosystem. While the campaigns\r\nare linked by shared tools and infrastructure (Nth-order connections), based on this information alone we cannot\r\nconclusively say that these activities are being conducted by a single group. 
Campaigns labelled as Tropic Trooper also have\r\ntargeted a range of government, industry, and civil society targets, which may indicate multiple intelligence consumers.\r\nA View Into Closed Espionage Ecosystems\r\nAlthough the relationship between developers, operators, and the final intelligence consumer is often unclear, recent\r\nindictments issued by the United States Department of Justice (DOJ) against espionage groups based in China provide a\r\nglimpse into how these groups interact.\r\nIn 2014, the DOJ charged five officers of the People’s Liberation Army with economic espionage offences. These officers\r\nare allegedly part of a threat group known as APT1, which Mandiant first identified as part of the 2nd Bureau of the People’s\r\nLiberation Army General Staff Department’s 3rd Department. APT1 targeted numerous government and Fortune 500\r\ncompanies, but was also found by Citizen Lab to have targeted Tibetan activists and a large international NGO. According to\r\nthe indictment, the intelligence consumers that APT1 serviced included the Chinese government and Chinese firms seeking\r\nintellectual property and information on competitors.\r\nIn another 2014 case, the DOJ charged a Chinese national named Su Bin with participating in a long-term conspiracy to\r\ncompromise major U.S. defense contractors and sell stolen information on technology projects to entities in China. Su Bin\r\nworked with two unnamed conspirators who carried out the intrusions. The indictment identified the conspirators as\r\nbeing located in China and related to “multiple organizations and entities in the PRC”. The conspirators received 2.2 million\r\nRMB (approximately $332,040 USD) to build up their operation, but the total cost of the activity was 6.8 million RMB\r\n(approximately $995,400 USD). The conspirators shared a report with each other that detailed targets, objectives, and\r\nsuccesses of an intrusion operation against one of their targets. 
The report included a description of “past achievements”\r\nincluding stealing files from the “democracy movement” (a reference to democracy activists in Hong Kong) and the\r\n“Tibetan independence movement”.\r\nThese cases offer rare glimpses into the interactions between developers, operators, and intelligence consumers, showing that\r\nthe same million-dollar programs funded to conduct economic espionage operations may also incentivize the targeting of\r\ncivil society organizations. While the first type of operation may result in loss of intellectual property and financial loss, the\r\nsecond might result in direct harm to targeted individuals or their families.\r\nAddressing the Analytical Challenges\r\nSecurity researchers typically do not have the level of evidence and visibility cited in the DOJ indictments and have to rely\r\non available technical indicators to track groups and hypothesize their motivations and role within closed espionage\r\necosystems. A possible area for future work is using formal methods (i.e., mathematical techniques developed in computer\r\nscience to describe properties of hardware and software systems) to connect technical indicators and link campaigns. Such\r\ntechniques may provide a more systematic way to link groups together and alleviate ambiguity. However, as we have\r\ndiscussed, identification of operators and malware developers is only one piece of the puzzle. Gaining an understanding of\r\nthe ultimate harm of digital espionage requires interacting with targeted communities.\r\nShowing Harm: Perspectives from Civil Society\r\nDigital espionage has become a commonplace threat for the Tibetan diaspora. Digital security awareness and best practices\r\nfor defense are now necessities for the community. Based on this experience, for Tibetans the harm of espionage operations\r\nis clear. 
Lobsang Gyatso Sither, a Tibetan digital security trainer, provides a perspective:\r\n“It’s important for the community to get away from the mindset of ‘I have nothing to hide’ and think about the connections\r\nbetween us and how these can lead to harm. Tibetans in Exile are connected to each other through various organizations and\r\ncontacts. If you are compromised, you become the weakest link, and allow the spies to get information that can be used to\r\ntarget other Tibetans. Tibetans in Exile are also constantly in touch with Tibetans inside Tibet, where the harms can be\r\nsevere – including arrest, detention, and imprisonment.”\r\nIn recent years, we have seen operators shift tactics to basic credential phishing, making the Resurfaced Campaign notable\r\nas the first malware campaign targeting the community that we have seen since 2016. The campaign used\r\nfamiliar tactics of clever social engineering combined with custom malware. In response to the persistent threat of digital\r\nespionage, Tibetan groups have launched grassroots efforts to increase digital security education, but changing behaviour\r\nand building capacity requires time and patience. At least one organization was compromised by the Resurfaced Campaign,\r\nwhich shows that familiar tactics are still being used because they still work. However, rather than being dissuaded by these\r\nthreats, Tibetans are continuing the hard and necessary work to empower their community and defend against digital\r\nespionage.\r\nAcknowledgements\r\nAuthors listed in alphabetical order. 
Ron Deibert provided supervision and guidance to the project.\r\nFeature image photo credit: Lhakpa Kyizom\r\nSpecial thanks to Tibet Action Institute, the participating Tibetan organizations, Lobsang Gyatso Sither, Lhakpa Kyizom,\r\nAdam Hulcoop, Jakub Dalek, and TNG.\r\nIndicators of Compromise\r\nIndicators of compromise are available on GitHub in multiple formats.\r\nAppendix A: DMShell++\r\nLoader\r\nWe identified two similar loaders for DMShell++:\r\n1. A PowerShell script created by a Microsoft JScript file in %TEMP%\\{541DB837-073A-45F0-8A5D-2650065D1252}.ps1\r\nduring the exploitation of CVE-2017-0199. This script decodes the base64-encoded DMShell++ script and executes\r\nit.\r\n2. A PowerShell script dropped by the binary 11e0f3e1c7d8855ed7f1dcfce4b7702a (MD5) during the exploitation of\r\nCVE-2017-11882. This PowerShell script decodes the base64-encoded payload stored in %TEMP%\\pfine and executes the\r\nDMShell++ payload.\r\nPayload\r\nDMShell++ is a reverse TCP backdoor written in PowerShell. It uses the .NET System.Net.Sockets classes to create three TCP\r\nstreams, one to each C2 address hardcoded in a PowerShell object:\r\nWhen a TCP stream is started, it first calls the function SendLoginInfo, which sends information about the system to the C2\r\nserver in the form TOKEN|*|IP ADDRESS|*|WINDOWS VERSION|*|USER NAME. For example, on a virtual machine we used\r\nfor testing, the following packet was sent to the C2 server:\r\nOnce this first packet is sent, the script enters an endless loop waiting for commands from the C2 servers. The same\r\ndelimiter |*| is used again, and the script accepts four different commands:\r\nCMD: executes the given shell command and returns its output\r\nFILERECEIVE: sends the file at the given path\r\nFILEHEAD: receives metadata for a file to be downloaded from the C2 server. 
The data is received in the format\r\nFILEHEAD|*|FILENAME|FILEEXTENSION|FILESIZE\r\nFILESEND: receives the data stream of the file\r\nAppendix B: TSSL Code Differences\r\nDuring the course of our investigation, we identified malware that is similar to malware in the TSSL suite described by\r\nTrend Micro in their 2018 Tropic Trooper report. This appendix describes the code differences between these two versions\r\nfor both the FakeRun loader and the TClient payload of the TSSL suite.\r\nComparing the InstallClient malware samples we found with those described by Trend Micro shows slight modifications.\r\nBoth samples followed the same behavior path to install their payloads and set up persistence, with the main difference being\r\nthe installation of their configuration information. The Trend Micro sample installed its configuration as an encrypted file,\r\nwhile our sample stored its configuration as an encrypted and base64-encoded string in a Windows registry key. In addition,\r\nthe Trend Micro sample used sidebar.exe as the loading program for its FakeRun sample, while our sample dropped the Windows\r\nwab32.exe binary for the same purpose. The FakeRun samples we compared performed\r\nthe same series of actions to spawn the final payload, with differences made only to adjust for the binary names, config\r\nlocations, etc.\r\nOur TClient sample appeared to be an older, less feature-rich version of the TClient reported by Trend Micro. Both samples\r\nappeared to report what seemed to be a version number as part of their initial C2 communication. Trend Micro’s sample\r\nreported a version number of 3.2.2.5 and our sample reported a version number of 0.1.4. Based on the similarities between\r\nthe samples, we assess that the two campaigns use malware from the same codebase, possibly forked at some point in the\r\npast. 
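Returning to the DMShell++ protocol from Appendix A: the following Python is an added example, not code from the Citizen Lab report or from the malware, that parses the beacon and command framing described there over constructed sample traffic, so the |*| delimiter and the fixed command keywords can be turned into a detection check. The SendLoginInfo layout and the FILEHEAD layout are as the report gives them; the assumption that CMD and FILERECEIVE carry a single argument after the delimiter, and every sample value below, are mine.

```python
# Added example (not Citizen Lab code): a parser and classifier for the
# DMShell++ C2 message formats described in Appendix A, run over constructed
# sample traffic. The beacon layout (SendLoginInfo) and the FILEHEAD layout
# are taken from the report; treating CMD and FILERECEIVE as carrying one
# argument after the delimiter is an assumption.
from dataclasses import dataclass, field
from typing import List, Optional

DELIM = '|*|'
COMMANDS = ('CMD', 'FILERECEIVE', 'FILEHEAD', 'FILESEND')


@dataclass
class DMShellMessage:
    kind: str                                  # 'beacon', 'command' or 'unknown'
    fields: dict = field(default_factory=dict)


def _valid_ipv4(text: str) -> bool:
    octets = text.split('.')
    return len(octets) == 4 and all(
        o.isascii() and o.isdigit() and int(o) < 256 for o in octets)


def parse_beacon(text: str) -> Optional[DMShellMessage]:
    # SendLoginInfo: TOKEN|*|IP ADDRESS|*|WINDOWS VERSION|*|USER NAME
    parts = text.split(DELIM)
    if len(parts) != 4 or not _valid_ipv4(parts[1]):
        return None
    token, ip, winver, user = parts
    return DMShellMessage('beacon', {'token': token, 'ip': ip,
                                     'windows_version': winver, 'user': user})


def parse_command(text: str) -> Optional[DMShellMessage]:
    head, _, rest = text.partition(DELIM)
    if head not in COMMANDS:
        return None
    if head == 'FILEHEAD':
        # FILEHEAD|*|FILENAME|FILEEXTENSION|FILESIZE (single | inside the body)
        sub = rest.split('|')
        if len(sub) != 3 or not sub[2].isdigit():
            return None
        return DMShellMessage('command', {'command': head, 'filename': sub[0],
                                          'extension': sub[1], 'size': int(sub[2])})
    return DMShellMessage('command', {'command': head, 'argument': rest})


def parse_message(raw: bytes) -> DMShellMessage:
    # latin-1 never fails to decode, so binary FILESEND bodies still classify.
    text = raw.decode('latin-1').strip()
    # Operator commands are matched first: they carry a fixed keyword,
    # whereas the beacon's leading token is free-form.
    return parse_command(text) or parse_beacon(text) or DMShellMessage('unknown')


# Constructed sample traffic (not captured data); the Windows path uses
# forward slashes only to keep this listing free of backslashes.
SAMPLE_STREAM = [
    b'a1b2c3d4|*|192.168.56.101|*|Microsoft Windows 7 Professional|*|WIN7-PC/victim',
    b'CMD|*|whoami',
    b'FILEHEAD|*|report|docx|20480',
    b'FILERECEIVE|*|C:/Users/victim/Documents/budget.xlsx',
    b'GET / HTTP/1.1',
]


def summarize(stream: List[bytes]) -> List[str]:
    # One line per recognised DMShell++ message; other traffic is dropped.
    out = []
    for raw in stream:
        msg = parse_message(raw)
        if msg.kind == 'beacon':
            out.append('beacon from ' + msg.fields['user'] + ' at ' + msg.fields['ip'])
        elif msg.kind == 'command':
            out.append('command ' + msg.fields['command'])
    return out


if __name__ == '__main__':
    for line in summarize(SAMPLE_STREAM):
        print(line)
```

Run directly, it prints one summary line per recognised message. In practice the same parser would sit behind a TCP stream reassembler filtered on the C2 addresses listed in Appendix D; the beacon check is deliberately strict (exactly four fields, a syntactically valid IPv4 address in the second) because its first field is an arbitrary token and would otherwise match ordinary pipe-delimited data.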
Based on the compile times of the samples we analysed, it appears that our samples were compiled approximately two\r\nhours after those detailed by Trend Micro.\r\nThe list of functionality common to both TClient samples includes:\r\nGet OS and user information\r\nOpen a backdoor shell\r\nRun commands on an open backdoor shell\r\nRestart the machine\r\nUninstall the malware\r\nList drives and devices\r\nManipulate files and directories\r\nUpload/download files to/from the C2 server\r\nReport the current configuration settings\r\nThe Trend Micro TClient sample added the following functionality:\r\nLook up the victim’s IP address via myip.com[.]tw\r\nList/kill running processes\r\nList installed programs\r\nModify file timestamps\r\nTake screenshots\r\nUpdate the configuration settings\r\nAppendix C: DSNG Installer\r\nLoader\r\nDSNGInstaller was discovered on a compromised system as osun.dll. It maintained persistence via a\r\nCurrentVersion\\Run registry key. The install location folder also contained a file which held logs from a keylogger. The\r\nloader stores configuration information as encrypted data in the binary itself and the final payload as the PPKK resource.\r\nThe payload is encrypted with the Blowfish cipher in ECB mode, while the configuration is dropped and then decrypted by\r\nthe payload. The loader also contains code to gain persistence via the creation of a Windows service named KCOM Server Security\r\nGuard, though this was not used in the sample we discovered.\r\nPayload\r\nThe payload is a simple RAT that provides a limited number of capabilities to an operator. It can be started in one of two\r\nways: either with or without provided configuration options. The sample we discovered was passed configuration options at\r\nstart as arguments to one of its exported functions. 
This configuration information is passed to the RAT in an encrypted form\r\nusing the following algorithm:\r\nn = 0\r\nwhile n \u003c data_len:\r\n    i = data[n++] ^ 0x5      # bytes at even offsets are XORed with 0x05\r\n    data[n - 1] = i\r\n    if n \u003e= data_len:\r\n        break\r\n    j = data[n++] ^ 0x27     # bytes at odd offsets are XORed with 0x27\r\n    data[n - 1] = j\r\nA portion of the decrypted configuration used in the sample we discovered can be seen in the figure below:\r\nNetwork Communication\r\nDSNGInstaller uses a simple network communication protocol when connecting to its C2 server, which consists of a short\r\nheader followed by a payload encrypted with the same algorithm used to encrypt and decrypt the RAT’s configuration. The\r\nheader carries the fields id, uuid, ipv4, length, command and command_successful.\r\nThe “id” is defined in the passed configuration, “uuid” is a UUID generated using the Windows API function\r\nUuidCreateSequential, and “ipv4” is the IPv4 address of the infected machine. “length” is the length in bytes of the\r\nfull message sent to the C2 server. “command” and “command_successful” are only used when sending or replying to a\r\ncommand from the C2 server. They correspond to the number used to identify a command and a Boolean value reporting the\r\nsuccess or failure of a given command. “id” is a character string that is “693” for our sample, which leads us to believe\r\nthis may be a campaign or victim identifier, but we do not know for certain what its exact use is. Following the header is the\r\nencrypted payload of the C2 communication.\r\nWe also discovered code to proxy all of DSNGInstaller network communication over HTTP, with and without user\r\ncredentials. However, this functionality did not appear to be used anywhere by the malware. 
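The alternating-key XOR shown above for the DSNGInstaller configuration and C2 payload is simple enough to reproduce exactly. The following Python is an added example (not the report's own code, nor the malware's) that implements the loop as written, shows that one routine both encrypts and decrypts, and derives the fixed ciphertext pattern a known plaintext fragment produces, which is what a file or network signature for this scheme would match on. The sample configuration string is constructed and only echoes the id value 693 mentioned above; the real configuration layout is not reproduced.

```python
# Added example (not from the Citizen Lab report): the alternating-key XOR
# that DSNGInstaller applies to its configuration and to C2 payloads, as
# described in Appendix C. It also shows two consequences of that design
# that the appendix leaves implicit: the routine is its own inverse, and a
# fixed position-dependent keystream lets known plaintext be turned into a
# fixed ciphertext pattern for signatures.
KEY_EVEN = 0x05  # XORed into bytes at even offsets (data[0], data[2], ...)
KEY_ODD = 0x27   # XORed into bytes at odd offsets (data[1], data[3], ...)


def dsng_xor(data: bytes) -> bytes:
    # Mirrors the loop in the appendix: step with 0x05, stop if the buffer
    # is exhausted, otherwise step with 0x27, and repeat.
    out = bytearray(data)
    n = 0
    while n < len(out):
        out[n] ^= KEY_EVEN
        n += 1
        if n >= len(out):
            break
        out[n] ^= KEY_ODD
        n += 1
    return bytes(out)


def encrypt_config(plaintext: bytes) -> bytes:
    return dsng_xor(plaintext)


def decrypt_config(ciphertext: bytes) -> bytes:
    # XOR with the same keystream undoes itself, which is why the malware
    # needs no separate decryption routine either.
    return dsng_xor(ciphertext)


def signature_for(known: bytes, offset: int) -> bytes:
    # Ciphertext bytes produced by a known plaintext fragment that starts at
    # the given absolute offset in the encrypted blob. Only the parity of the
    # offset matters, because the keystream has period two.
    shift = offset % 2
    return bytes(b ^ (KEY_ODD if (i + shift) % 2 else KEY_EVEN)
                 for i, b in enumerate(known))


# Constructed placeholder configuration; the real layout is not reproduced.
SAMPLE_CONFIG = b'id=693;host=203.0.113.10;port=443'


def round_trip(plaintext: bytes = SAMPLE_CONFIG) -> bool:
    return decrypt_config(encrypt_config(plaintext)) == plaintext


if __name__ == '__main__':
    blob = encrypt_config(SAMPLE_CONFIG)
    print(blob.hex())
    print(round_trip())
    # Pattern to search for if the fragment 693 sits at an even offset:
    print(signature_for(b'693', 0).hex())
```

Because the keystream repeats every two bytes, any field whose plaintext and offset parity are known (the id string, a hostname, a URL scheme in the proxy code path) yields a constant ciphertext pattern; two patterns, one per parity, cover every possible alignment.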
It appears to be an artifact of\r\nadditional development work that was either unused or incomplete when the malware was deployed.\r\nAppendix D: Server Infrastructure\r\nThe server infrastructure that we observed in the campaign is listed in the table below:\r\nSamples | Domains | IPs\r\nCVE-2017-0199 | commail[.]co, tibetnews[.]info, comemails[.]email | 27.126.186.222, 103.55.24.196, 203.189.232.207\r\nDMShell++ | - | 27.126.186.222, 103.55.24.196, 45.127.97.222, 203.189.232.207\r\nDMShell++ backdoor | - | 27.126.186.222\r\nTSSL Backdoor | tibetnews[.]today | 115.126.86.151\r\nThe majority of these domains (with the exception of comemails[.]email) share the same whois registration information:\r\nName: huang ning\r\nEmail: bqfkdrmnhh0623[@]gmail.com\r\nPhone number: 8677687877\r\nFurther searches on this whois information revealed an additional three domains with the same registration information:\r\nDomain | Registrar | Creation Date\r\ntibethouse[.]info | GoDaddy | 2018-01-03\r\ndaynew[.]today | GoDaddy | 2017-12-27\r\ndaynews[.]today | GoDaddy | 2017-12-27\r\nWe found 12 SSL certificates that were created for these domains. 
Through a search of historical data available on\r\nCensys.io, we found that three of the certificates were deployed between August and December 2017:\r\nIP | Hosting Provider | Subdomain | Certificate (SHA-1 fingerprint) | Dates\r\n115.126.86.29 | Forewin Telecom | google.comemails[.]email | 6A4690F454C91FDC559A223D43F0A77D40B59B2A | September 2017\r\n115.126.98.78 | Forewin Telecom | mail.google.commail[.]co | E55CEA25ECC118FD798F84EB5395BE0678BDBC51 | August and December 2017\r\n118.99.59.214 | Forewin Telecom | google.comemail[.]email | cdd2fd64a4996b7d901d4a899d660cc5ff118e73 | August and September 2017\r\nSource: https://citizenlab.ca/2018/08/familiar-feeling-a-malware-campaign-targeting-the-tibetan-diaspora-resurfaces/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://citizenlab.ca/2018/08/familiar-feeling-a-malware-campaign-targeting-the-tibetan-diaspora-resurfaces/"
	],
	"report_names": [
		"familiar-feeling-a-malware-campaign-targeting-the-tibetan-diaspora-resurfaces"
	],
	"threat_actors": [
		{
			"id": "49822165-5541-423d-8808-1c0a9448d588",
			"created_at": "2022-10-25T16:07:23.384093Z",
			"updated_at": "2026-04-10T02:00:04.575678Z",
			"deleted_at": null,
			"main_name": "Barium",
			"aliases": [
				"Brass Typhoon",
				"Pigfish",
				"Starchy Taurus"
			],
			"source_name": "ETDA:Barium",
			"tools": [
				"Agent.dhwf",
				"Agentemis",
				"Barlaiy",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"Destroy RAT",
				"DestroyRAT",
				"Kaba",
				"Korplug",
				"POISONPLUG",
				"PlugX",
				"RbDoor",
				"RedDelta",
				"RibDoor",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Winnti",
				"Xamtrav",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "dabb6779-f72e-40ca-90b7-1810ef08654d",
			"created_at": "2022-10-25T15:50:23.463113Z",
			"updated_at": "2026-04-10T02:00:05.369301Z",
			"deleted_at": null,
			"main_name": "APT1",
			"aliases": [
				"APT1",
				"Comment Crew",
				"Comment Group",
				"Comment Panda"
			],
			"source_name": "MITRE:APT1",
			"tools": [
				"Seasalt",
				"ipconfig",
				"Cachedump",
				"PsExec",
				"GLOOXMAIL",
				"Lslsass",
				"PoisonIvy",
				"WEBC2",
				"Mimikatz",
				"gsecdump",
				"Pass-The-Hash Toolkit",
				"Tasklist",
				"xCmd",
				"pwdump"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "cf7fc640-acfe-41c4-9f3d-5515d53a3ffb",
			"created_at": "2023-01-06T13:46:38.228042Z",
			"updated_at": "2026-04-10T02:00:02.883048Z",
			"deleted_at": null,
			"main_name": "APT1",
			"aliases": [
				"PLA Unit 61398",
				"Comment Crew",
				"Byzantine Candor",
				"Comment Group",
				"GIF89a",
				"Group 3",
				"TG-8223",
				"Brown Fox",
				"ShadyRAT",
				"G0006",
				"COMMENT PANDA"
			],
			"source_name": "MISPGALAXY:APT1",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "61ea51ed-a419-4b05-9241-5ab0dbba25fc",
			"created_at": "2023-01-06T13:46:38.354607Z",
			"updated_at": "2026-04-10T02:00:02.939761Z",
			"deleted_at": null,
			"main_name": "APT23",
			"aliases": [
				"BRONZE HOBART",
				"G0081",
				"Red Orthrus",
				"Earth Centaur",
				"PIRATE PANDA",
				"KeyBoy",
				"Tropic Trooper"
			],
			"source_name": "MISPGALAXY:APT23",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "bef7800a-a08f-4e21-b65c-4279c851e572",
			"created_at": "2022-10-25T15:50:23.409336Z",
			"updated_at": "2026-04-10T02:00:05.319608Z",
			"deleted_at": null,
			"main_name": "Tropic Trooper",
			"aliases": [
				"Tropic Trooper",
				"Pirate Panda",
				"KeyBoy"
			],
			"source_name": "MITRE:Tropic Trooper",
			"tools": [
				"USBferry",
				"ShadowPad",
				"PoisonIvy",
				"BITSAdmin",
				"YAHOYAH",
				"KeyBoy"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "4d5f939b-aea9-4a0e-8bff-003079a261ea",
			"created_at": "2023-01-06T13:46:39.04841Z",
			"updated_at": "2026-04-10T02:00:03.196806Z",
			"deleted_at": null,
			"main_name": "APT41",
			"aliases": [
				"WICKED PANDA",
				"BRONZE EXPORT",
				"Brass Typhoon",
				"TG-2633",
				"Leopard Typhoon",
				"G0096",
				"Grayfly",
				"BARIUM",
				"BRONZE ATLAS",
				"Red Kelpie",
				"G0044",
				"Earth Baku",
				"TA415",
				"WICKED SPIDER",
				"HOODOO",
				"Winnti",
				"Double Dragon"
			],
			"source_name": "MISPGALAXY:APT41",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e698860d-57e8-4780-b7c3-41e5a8314ec0",
			"created_at": "2022-10-25T15:50:23.287929Z",
			"updated_at": "2026-04-10T02:00:05.329769Z",
			"deleted_at": null,
			"main_name": "APT41",
			"aliases": [
				"APT41",
				"Wicked Panda",
				"Brass Typhoon",
				"BARIUM"
			],
			"source_name": "MITRE:APT41",
			"tools": [
				"ASPXSpy",
				"BITSAdmin",
				"PlugX",
				"Impacket",
				"gh0st RAT",
				"netstat",
				"PowerSploit",
				"ZxShell",
				"KEYPLUG",
				"LightSpy",
				"ipconfig",
				"sqlmap",
				"China Chopper",
				"ShadowPad",
				"MESSAGETAP",
				"Mimikatz",
				"certutil",
				"njRAT",
				"Cobalt Strike",
				"pwdump",
				"BLACKCOFFEE",
				"MOPSLED",
				"ROCKBOOT",
				"dsquery",
				"Winnti for Linux",
				"DUSTTRAP",
				"Derusbi",
				"ftp"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "2a24d664-6a72-4b4c-9f54-1553b64c453c",
			"created_at": "2025-08-07T02:03:24.553048Z",
			"updated_at": "2026-04-10T02:00:03.787296Z",
			"deleted_at": null,
			"main_name": "BRONZE ATLAS",
			"aliases": [
				"APT41 ",
				"BARIUM ",
				"Blackfly ",
				"Brass Typhoon",
				"CTG-2633",
				"Earth Baku ",
				"GREF",
				"Group 72 ",
				"Red Kelpie ",
				"TA415 ",
				"TG-2633 ",
				"Wicked Panda ",
				"Winnti"
			],
			"source_name": "Secureworks:BRONZE ATLAS",
			"tools": [
				"Acehash",
				"CCleaner v5.33 backdoor",
				"ChinaChopper",
				"Cobalt Strike",
				"DUSTPAN",
				"Dicey MSDN",
				"Dodgebox",
				"ForkPlayground",
				"HUC Proxy Malware (Htran)"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "578f8e62-2bb4-4ce4-a8b7-6c868fa29724",
			"created_at": "2022-10-25T16:07:24.344358Z",
			"updated_at": "2026-04-10T02:00:04.947834Z",
			"deleted_at": null,
			"main_name": "Tropic Trooper",
			"aliases": [
				"APT 23",
				"Bronze Hobart",
				"Earth Centaur",
				"G0081",
				"KeyBoy",
				"Operation Tropic Trooper",
				"Pirate Panda",
				"Tropic Trooper"
			],
			"source_name": "ETDA:Tropic Trooper",
			"tools": [
				"8.t Dropper",
				"8.t RTF exploit builder",
				"8t_dropper",
				"ByPassGodzilla",
				"CHINACHOPPER",
				"CREDRIVER",
				"China Chopper",
				"Chymine",
				"Darkmoon",
				"Gen:Trojan.Heur.PT",
				"KeyBoy",
				"Neo-reGeorg",
				"PCShare",
				"POISONPLUG.SHADOW",
				"Poison Ivy",
				"RoyalRoad",
				"SPIVY",
				"ShadowPad Winnti",
				"SinoChopper",
				"Swor",
				"TSSL",
				"USBferry",
				"W32/Seeav",
				"Winsloader",
				"XShellGhost",
				"Yahoyah",
				"fscan",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "86182dd7-646c-49c5-91a6-4b62fd2119a7",
			"created_at": "2025-08-07T02:03:24.617638Z",
			"updated_at": "2026-04-10T02:00:03.738499Z",
			"deleted_at": null,
			"main_name": "BRONZE HOBART",
			"aliases": [
				"APT23",
				"Earth Centaur ",
				"KeyBoy ",
				"Pirate Panda ",
				"Red Orthrus ",
				"TA413 ",
				"Tropic Trooper "
			],
			"source_name": "Secureworks:BRONZE HOBART",
			"tools": [
				"Crowdoor",
				"DSNGInstaller",
				"KeyBoy",
				"LOWZERO",
				"Mofu",
				"Pfine",
				"Sepulcher",
				"Xiangoop Loader",
				"Yahaoyah"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434442,
	"ts_updated_at": 1775792000,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b4085bb3d44c2adbec0cf7cc1e88d47ba6efb25d.pdf",
		"text": "https://archive.orkl.eu/b4085bb3d44c2adbec0cf7cc1e88d47ba6efb25d.txt",
		"img": "https://archive.orkl.eu/b4085bb3d44c2adbec0cf7cc1e88d47ba6efb25d.jpg"
	}
}