{
	"id": "688652a3-fb50-4c37-b460-a0f1df332aa3",
	"created_at": "2026-04-06T00:09:40.949634Z",
	"updated_at": "2026-04-10T03:33:20.012486Z",
	"deleted_at": null,
	"sha1_hash": "c312eb909488fffe707b0b92b951e3bc858e07a4",
	"title": "Tropic Trooper’s USBferry Targets Air-Gapped Networks",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 96829,
	"plain_text": "Tropic Trooper’s USBferry Targets Air-Gapped Networks\r\nBy Joey Chen, May 12, 2020. Read time: 6 min (1574 words)\r\nPublished: 2020-05-12 · Archived: 2026-04-05 14:04:35 UTC\r\nTropic Trooper, a threat actor group that targets government, military, healthcare, transportation, and high-tech industries in Taiwan, the Philippines, and Hong Kong, has been active since 2011. The group was reportedly using spear-phishing emails with weaponized attachments to exploit known vulnerabilities. Primarily motivated by information theft and espionage, the group has also been seen adopting different strategies such as fine-tuning tools with new behaviors and going mobile with surveillanceware.\r\nWe found that Tropic Trooper’s latest activities center on targeting the Taiwanese and Philippine militaries’ physically isolated networks through a USBferry attack (the name is derived from a sample found in related research). We also observed targets among military/navy agencies, government institutions, military hospitals, and even a national bank. The group employs USBferry, a USB malware that performs different commands on specific targets, maintains stealth in environments, and steals critical data through USB storage. We started tracking this particular campaign in 2018, and our analysis shows that it uses a fake executable decoy and a USB trojan strategy to steal information.\r\nBased on data from the Trend Micro™ Smart Protection Network™ security infrastructure, USBferry attacks have been active since 2014. We found the group was focused on stealing defense-, ocean-, and ship-related documents from target networks, which led us to believe that Tropic Trooper’s main purpose is to exfiltrate confidential information or intelligence.\r\nFigure 1. A sample scenario of the USBferry attack\r\nTropic Trooper is well aware that military or government organizations may have more robust security in their physically isolated environments (i.e., the use of biometrics or USB use in a quarantined machine before an air-gapped environment). The group then targets potentially unsecured related organizations that could serve as jumping-off points for attacks. For instance, we observed Tropic Trooper move from a military hospital to the military’s physically isolated network.\r\nThis blog post provides an overview of the USB malware called USBferry and its capabilities, as well as the other tools used to infiltrate physically isolated environments. Further details, including indicators of compromise (IoCs), can be read in the technical brief.\r\nA USB malware called USBferry\r\nWe first encountered the malware from a PricewaterhouseCoopers report that mentioned a sample related to Tropic Trooper but did not include a detailed analysis. We looked into it further and discovered many versions of it, including several program database (PDB) strings. For one thing, the USBferry malware already has at least three versions, with different variants and components, at the time of writing.\r\nhttps://blog.trendmicro.com/trendlabs-security-intelligence/tropic-troopers-back-usbferry-attack-targets-air-gapped-environments/\r\nPage 1 of 5\r\nHere are the noteworthy points we gathered during analysis:\r\nThe first version has a small component of TROJ_YAHOYAH. The malware tries to check if the target machine has a USB plug-in and copies the USBferry installer into the USB storage. The activities vary in target environments; some execute commands, source target files or folder lists, and copy files from physically isolated hosts to compromised hosts, among other things.\r\nFigure 2. USBferry malware’s first version, where the EXE file is the USBferry malware and the DLL file is the trojan TROJ_YAHOYAH\r\nThe second version has the same capabilities as the first and combines components into one executable. This version also changes the malware location and its name to UF, an abbreviation for USBferry.\r\nFigure 3. USBferry malware’s second version combined into one file\r\nThe third version retains the previous versions’ capabilities and improves its stealth in the target environment by residing in the rundll32.exe memory.\r\nFigure 4. USBferry malware’s third version becomes resident in memory\r\nHow USBferry targets air-gapped systems\r\nIn our technical brief, we broke down how Tropic Trooper has changed the way it uses the abovementioned USBferry versions in attacks. The group achieves infection by employing the USB worm infection strategy and ferrying a malware installer via USB into an air-gapped host machine.\r\nFigure 5. USBferry malware using USB worm infection strategy\r\nHere we will discuss the notable changes in the group’s latest attack chain that uses version UF1.0 20160226 (detected by Trend Micro as TROJ_USBLODR.ZAHB-A):\r\nFigure 6. USBferry attack scenario, version UF1.0 20160226\r\n1. The decoy file first drops a flash_en.inf DLL file, which is a USBferry loader, and tries to load the encrypted USBferry malware.\r\n2. The encrypted USBferry malware is embedded in the loader resource section, and the loader drops it into the C:\\Users\\Public\\Documents\\Flash folder and names it flash.dat.\r\n3. After the encrypted payload is loaded, the loader injects a malicious DLL into rundll32.exe. The USBferry malware also loads a C\u0026C configuration file and flash_en.dat, which is also located in the C:\\Users\\Public\\Documents\\Flash folder.\r\n4. The USBferry malware then tries to connect to the download site and uses a Windows command to collect/copy target host data.\r\nThis version checks for network connectivity; if it finds that the network is unavailable, it tries to collect information from the target machine and copy the collected data into USB storage. This way, the USB exfiltrates the information and sends it back to the C\u0026C server.\r\nBackdoors and other tools used by Tropic Trooper\r\nSome backdoors used by Tropic Trooper use injection to execute their routines, while others execute directly and run themselves consistently. The group also uses steganography to mask its backdoor routines and evade anti-malware and network perimeter detection. To find the full list of the backdoors we analyzed, check out our technical brief. Here we will tackle some of the noteworthy backdoors Tropic Trooper used.\r\nWelCome To Svchost 3.2 20110818’s backdoor (detected as BKDR_SVCSHELL.ZAHC-A) - This backdoor bears similarities with a payload we discussed in our previous research. Based on the malware version number, this backdoor’s first version was developed in or before 2011. This means that Tropic Trooper’s activities have been ongoing for at least ten years now.\r\nFigure 7. The backdoor version name, registered service name, and malware components’ filenames\r\nWelcome To IDShell 1.0 20150310’s backdoor (detected as BKDR_IDSHELL.ZTFC-A) - The purpose of this backdoor, which has two types, including a steganography JPG version, is to perform reconnaissance on the target machine. Like other versions, it uses the DNS protocol to communicate with the backdoor controller. The traffic is encrypted to evade detection.\r\nFigure 8. The backdoor’s communication traffic\r\nHey! Welcome Server 2.0’s backdoor (detected as BKDR_TEBSHELL.ZTGK) – This is the latest version of the backdoor, available in 32-bit and 64-bit versions, which uses an invisible web shell for remote control and network security evasion. It runs the process as a service, hides backdoor communication in normal traffic, and uses a customized TCP protocol. It also improves the way it handles wrong input commands and unauthorized access.\r\nFigure 9. The executable version installs itself as a Windows service, changes the registry to disable error display, and launches the service\r\nTropic Trooper also used other tools in their attacks, such as:\r\nCommand-line remote control listener/port relay tool, which has different versions that can communicate with the backdoor.\r\nBackdoor payload/steganography payload execution loaders, which have two versions that can be used to successfully load the encrypted payload and subsequently delete themselves and the payload.\r\nPort scanning tools, which are available on the internet.\r\nThe overview provided above highlights how putting critical information in physically isolated networks is not a bulletproof solution for defending against cyberespionage. Steganography isn’t just used to deliver encrypted payloads; it can also be used to transfer information to a C\u0026C server. Multiple hacking tools and components can also help facilitate successful attacks on different networks and environments. Threat actors like Tropic Trooper can also use an invisible web shell to hide their C\u0026C server location and make incident response tricky.\r\nMITRE ATT\u0026CK Matrix\r\nBest practices and Trend Micro solutions\r\nThe latest developments with Tropic Trooper indicate that they are well-prepared to target government institutions and military agencies to steal intelligence. The group also takes a long time to perform reconnaissance and consequently infiltrate physically isolated networks. This research also underscores how threat actors could see potentially vulnerable targets as launch points for extending their attack attempts to other, more critical targets.\r\nUnderstanding attack tactics and techniques can provide the needed context for assessing potential impact and adopting defensive strategies. Here are some measures that organizations can practice to thwart advanced persistent threats with security that employs actionable threat intelligence, network-wide visibility, and timely threat protection:\r\nEnforce the principle of least privilege. Employ network segmentation and data categorization to deter lateral movement and mitigate exposure.\r\nKeep the system and its applications up-to-date. Weaknesses in the network can serve as entry points for attacks. Enforce a strong patch management policy and consider virtual patching for legacy systems.\r\nRegularly monitor your perimeter. Adopt cross-layer detection and response across gateways, endpoints, networks, and servers to protect against a wide range of cybersecurity threats. Firewalls and intrusion detection and prevention systems can help defend against network-based attacks.\r\nOrganizations can take advantage of the Trend Micro Apex One™ solution, which provides actionable insights, expanded investigative capabilities, and centralized visibility across the network through a variety of threat detection capabilities such as behavioral analysis that protects against malicious scripts, injection, ransomware, memory, and browser attacks.\r\nA multilayered security solution such as Trend Micro™ Deep Discovery™ can also be considered; it provides in-depth analysis and proactive response to attacks using exploits and other similar threats through specialized engines, custom sandboxing, and seamless correlation across the entire attack lifecycle, allowing it to detect these attacks even without any engine or pattern updates.\r\nRead our technical brief, which discusses in full our analyses of Tropic Trooper’s recent activities, the USBferry malware, and IoCs.\r\nSource: https://blog.trendmicro.com/trendlabs-security-intelligence/tropic-troopers-back-usbferry-attack-targets-air-gapped-environments/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://blog.trendmicro.com/trendlabs-security-intelligence/tropic-troopers-back-usbferry-attack-targets-air-gapped-environments/"
	],
	"report_names": [
		"tropic-troopers-back-usbferry-attack-targets-air-gapped-environments"
	],
	"threat_actors": [
		{
			"id": "61ea51ed-a419-4b05-9241-5ab0dbba25fc",
			"created_at": "2023-01-06T13:46:38.354607Z",
			"updated_at": "2026-04-10T02:00:02.939761Z",
			"deleted_at": null,
			"main_name": "APT23",
			"aliases": [
				"BRONZE HOBART",
				"G0081",
				"Red Orthrus",
				"Earth Centaur",
				"PIRATE PANDA",
				"KeyBoy",
				"Tropic Trooper"
			],
			"source_name": "MISPGALAXY:APT23",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "bef7800a-a08f-4e21-b65c-4279c851e572",
			"created_at": "2022-10-25T15:50:23.409336Z",
			"updated_at": "2026-04-10T02:00:05.319608Z",
			"deleted_at": null,
			"main_name": "Tropic Trooper",
			"aliases": [
				"Tropic Trooper",
				"Pirate Panda",
				"KeyBoy"
			],
			"source_name": "MITRE:Tropic Trooper",
			"tools": [
				"USBferry",
				"ShadowPad",
				"PoisonIvy",
				"BITSAdmin",
				"YAHOYAH",
				"KeyBoy"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "578f8e62-2bb4-4ce4-a8b7-6c868fa29724",
			"created_at": "2022-10-25T16:07:24.344358Z",
			"updated_at": "2026-04-10T02:00:04.947834Z",
			"deleted_at": null,
			"main_name": "Tropic Trooper",
			"aliases": [
				"APT 23",
				"Bronze Hobart",
				"Earth Centaur",
				"G0081",
				"KeyBoy",
				"Operation Tropic Trooper",
				"Pirate Panda",
				"Tropic Trooper"
			],
			"source_name": "ETDA:Tropic Trooper",
			"tools": [
				"8.t Dropper",
				"8.t RTF exploit builder",
				"8t_dropper",
				"ByPassGodzilla",
				"CHINACHOPPER",
				"CREDRIVER",
				"China Chopper",
				"Chymine",
				"Darkmoon",
				"Gen:Trojan.Heur.PT",
				"KeyBoy",
				"Neo-reGeorg",
				"PCShare",
				"POISONPLUG.SHADOW",
				"Poison Ivy",
				"RoyalRoad",
				"SPIVY",
				"ShadowPad Winnti",
				"SinoChopper",
				"Swor",
				"TSSL",
				"USBferry",
				"W32/Seeav",
				"Winsloader",
				"XShellGhost",
				"Yahoyah",
				"fscan",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "86182dd7-646c-49c5-91a6-4b62fd2119a7",
			"created_at": "2025-08-07T02:03:24.617638Z",
			"updated_at": "2026-04-10T02:00:03.738499Z",
			"deleted_at": null,
			"main_name": "BRONZE HOBART",
			"aliases": [
				"APT23",
				"Earth Centaur ",
				"KeyBoy ",
				"Pirate Panda ",
				"Red Orthrus ",
				"TA413 ",
				"Tropic Trooper "
			],
			"source_name": "Secureworks:BRONZE HOBART",
			"tools": [
				"Crowdoor",
				"DSNGInstaller",
				"KeyBoy",
				"LOWZERO",
				"Mofu",
				"Pfine",
				"Sepulcher",
				"Xiangoop Loader",
				"Yahaoyah"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434180,
	"ts_updated_at": 1775792000,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c312eb909488fffe707b0b92b951e3bc858e07a4.pdf",
		"text": "https://archive.orkl.eu/c312eb909488fffe707b0b92b951e3bc858e07a4.txt",
		"img": "https://archive.orkl.eu/c312eb909488fffe707b0b92b951e3bc858e07a4.jpg"
	}
}