{
	"id": "dc3b6e26-f1fe-4a52-aa16-2826f33c3487",
	"created_at": "2026-04-06T00:08:19.037204Z",
	"updated_at": "2026-04-10T03:33:20.14908Z",
	"deleted_at": null,
	"sha1_hash": "df30aebd709abcf1541ec658a365200859c49507",
	"title": "Sequel: Gifts from Tropical Pirates - Who is the Sender? Look for the Attacker Group",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2512698,
	"plain_text": "Sequel: Gifts from Tropical Pirates - Who is the Sender? Look for the\r\nAttacker Group\r\nPublished: 2023-10-06 · Archived: 2026-04-05 21:04:38 UTC\r\nBackground\r\nWhat is Tropic Trooper?\r\nThe Need for Attribution\r\nOverall picture of the campaign\r\nSimilarities to previous samples\r\nSimilarities between EntryShell and KeyBoy\r\nRelationship between the new malware CrowDoor and FamousSparrow\r\nWhat is FamousSparrow?\r\nA new malware CrowDoor\r\nSummary\r\nSpecial thanks\r\nIoCs\r\nBackground\r\nIn our previous post, we investigated an attack campaign by an APT actor called Tropic Trooper (aka Pirate Panda,\r\nKeyBoy), and disclosed that they used spear phishing emails to infect victims with malware.\r\nIn addition, the infection flow and the malware’s behavior were disclosed. We have continued to observe their activities since\r\nthen.\r\nThis post describes how we attributed this attack campaign to Tropic Trooper based on our malware analysis.\r\nWhat is Tropic Trooper?\r\nTropic Trooper is a cyber espionage group known for conducting cyber attacks in the Asia-Pacific region. They target\r\ngovernment, healthcare, transportation, and high-tech industries, and have been active since 2011.\r\nReferences are listed as follows.\r\nTropic Trooper, Pirate Panda, KeyBoy, Group G0081 | MITRE ATT\u0026CK®\r\nOperation Tropic Trooper: Relying on Tried-and-Tested Flaws to Infiltrate Secret Keepers\r\nCyber Espionage (Targeted Attacks) Aimed at Japan in FY2022\r\nWe believe this attack campaign, linked to Tropic Trooper, has been targeting companies in East Asia from May 2023\r\nuntil now. We estimate that semiconductor and rare metal related industries are particularly targeted.\r\nOur analysis has confirmed that the malware EntryShell shares many similarities with the malware KeyBoy.\r\nThe Need for Attribution\r\nAttribution is the process of identifying the threat group responsible for a targeted attack. 
This is often done by analyzing the\r\nmalware used in the attack, as specific groups often have exclusive access to certain malware.\r\nBy identifying the group responsible for a targeted attack, organizations can learn from reports about past attacks by that\r\ngroup and take steps to mitigate future attacks.\r\nFor example, understanding the threat group profile can help organizations take more effective countermeasures, such as\r\npreventing damage escalation during an attack and taking preventive and detection measures in advance.\r\nAdditionally, obtaining the latest information on the attacker's activities can make it possible to take even more proactive\r\nmeasures.\r\nOverall picture of the campaign\r\nIn our previous analysis, we discussed malware with two functions: Installer (infection) and Loader (loading). Its\r\nloader loads the Cobalt Strike Beacon.\r\nIn addition to the malware, we also collected and analyzed over 200 samples and related files associated with this malware\r\nusing paid intelligence services and public information.\r\nWe found that the Loader loads other malware or uses new malware. In this section, we will confirm the infection flow.\r\nhttps://blog-en.itochuci.co.jp/entry/2023/10/06/173200\r\nPage 1 of 6\n\nFigure 1. Overall picture of the campaign\r\nFirst, the attacker attempted to break into a target device in the 1st stage (Intrusion) by sending malware via email or SMS.\r\nThe malware has two functions: Installer (infect) and Loader (load). This malware is responsible for the initial infection, and\r\nit deploys fileless malware such as Cobalt Strike Beacon and EntryShell in memory as a payload.\r\nWe named this malware Xiangoop Loader. 
It has two forms: Xiangoop Loader with Installer (used in the 1st stage and initial\r\ninfection) and Xiangoop simple Loader (used in the 2nd stage).\r\nAfter the initial infection (1st stage), in the 2nd stage, the attacker used remote access to investigate the target device further,\r\nmove laterally to other devices or servers, and load Cobalt Strike Beacon or EntryShell using Xiangoop Loader.\r\nWe also found that a different type of malware called CrowDoor was loaded from an existing SparrowDoor Loader in the\r\n2nd stage.\r\nMalware for 1st Stage (malware attached to an email and used in initial infection):\r\n- Xiangoop Loader with Installer: Has Installer and Loader function; Copies itself to the Windows 'public' folder and kicks; Cobalt Strike Beacon or EntryShell is used as secondary sample\r\nMalware for 2nd Stage (malware used in intrusion):\r\n- Xiangoop simple Loader: Has only Loader function; Installed in any location by attacker; Cobalt Strike Beacon or EntryShell is used as secondary sample\r\n- SparrowDoor Loader + CrowDoor: Has a remote control function\r\nSimilarities to previous samples\r\nThe detailed analysis of each malware is available in the VB2023 presentation materials.\r\nVirus Bulletin :: Unveiling activities of Tropic Trooper 2023: deep analysis of Xiangoop Loader and EntryShell payload\r\nIn this section, we will discuss the similarities to previous specimens that were revealed by the analysis of these malware samples.\r\nWe will focus on two areas:\r\nSimilarities between EntryShell and KeyBoy\r\nRelationship between the new malware CrowDoor and FamousSparrow\r\nSimilarities between EntryShell and KeyBoy\r\nWe focused on the EntryShell malware used in this attack campaign; EntryShell is the malware loaded by the Xiangoop\r\nLoader Family.\r\nThe EntryShell we discovered is decrypted and deployed in memory by the Xiangoop Loader using DLL side loading, just\r\nlike the Cobalt Strike Beacon introduced in the previous 
post.\r\nFigure 2. Sample infection flow by EntryShell\r\nFirst, let's analyze the strings embedded in EntryShell.\r\nWe noticed some characteristic strings that seemed to be error messages. The Yara rule for detecting KeyBoy that was\r\ncreated in 2016 detects those strings.\r\nrules/malware/APT_KeyBoy.yar at master · Yara-Rules/rules · GitHub\r\nFigure 3. Compare with characteristic error codes and the Yara rule for KeyBoy\r\nWhat is Yara\r\nYara is a tool that helps malware researchers identify and classify malware samples.\r\nIt can quickly scan large numbers of files for matches against the patterns described in the rules. Yara rules can be flexibly\r\nwritten to describe patterns of text or binary data and how they are combined.\r\nGitHub - VirusTotal/yara: The pattern matching swiss knife\r\nAnalysis of strings embedded in EntryShell revealed that it contains hexadecimal strings represented as ASCII characters. We\r\nwill investigate where these strings are used in the malware program.\r\nThe strings are first converted to binary data and then decrypted using AES ECB mode. The AES key, \"afkngaikfaf\"\r\n(padding is actually required), is hard-coded in another location in the sample.\r\nFigure 4. Decrypting an encrypted string embedded in EntryShell\r\nChecking the decrypted string, it matches the string defined in the Yara rule that detects previous versions of KeyBoy.\r\nWe also found that the encrypted strings are mainly used in the EntryShell backdoor function and its command ID.\r\nFigure 5. 
Compare with decrypted strings from EntryShell and the Yara rule for KeyBoy\r\nThe attackers were aware of this Yara rule and encrypted the characteristic strings in EntryShell that the rule would\r\nmatch, so that security products would not detect them.\r\nThe analysis confirmed that EntryShell is very similar to the KeyBoy malware. Not only that, but we have also confirmed that\r\ncompared to KeyBoy, EntryShell has updated and added functionality to its communication parts, malware configuration\r\nstructure, and backdoors.\r\nBased on this, we concluded that EntryShell is an upgraded version of KeyBoy.\r\nKeyBoy has been reported as used by Tropic Trooper, but there are no reports of KeyBoy being used by other threat\r\nactors. Therefore, KeyBoy can be said to be Tropic Trooper-specific malware.\r\nRelationship between the new malware CrowDoor and FamousSparrow\r\nAnalysis of this attack campaign revealed a new RAT malware named CrowDoor.\r\nThe loader that loads the fileless malware CrowDoor is SparrowDoor Loader, which is used by the FamousSparrow attack\r\ngroup.\r\nWhat is FamousSparrow?\r\nFamousSparrow is a targeted attacker group reported by ESET in 2021. They are known to use a distinctive malware set\r\ncalled SparrowDoor.\r\nFamousSparrow: A suspicious hotel guest\r\nA new malware CrowDoor\r\nSample infection flow by CrowDoor is shown below.\r\nFigure 6. Sample infection flow by CrowDoor\r\nAnalysis of the second loader shellcode from the right in Figure 6 confirms that it matches the patterns of the previously\r\ncreated Yara rules that detect the SparrowDoor Loader.\r\nFurthermore, comparison with previous samples shows that this shellcode uses the same code as the SparrowDoor Loader.\r\nFigure 7. 
Comparison of Loader shellcode strings in the CrowDoor infection flow with Yara rules for detecting\r\nSparrowDoor Loader shellcode\r\nThe PE file of CrowDoor that is deployed in memory by the above Loader shellcode begins with a sequence of zero bytes\r\nand lacks the “PE” magic number. This is very similar to SparrowDoor, as described in the ESET blog.\r\nFigure 8. Similarities between memory-deployed SparrowDoor PE and CrowDoor PE\r\nWe have also found command similarities between CrowDoor and SparrowDoor samples.\r\nFigure 9. Similarities between SparrowDoor and CrowDoor samples\r\nWe confirmed that CrowDoor was installed by the attacker after using the Xiangoop Loader Family.\r\nBased on this, we believe that there is some connection between Tropic Trooper, which uses the Xiangoop Loader Family,\r\nand FamousSparrow, which uses SparrowDoor.\r\nSummary\r\n- The Xiangoop Loader Family is likely associated with Tropic Trooper based on the characteristics of the samples it calls.\r\n- A sample of the SparrowDoor Loader was used in an attack that also used the Xiangoop Loader Family. This sample\r\nis reported to be used by FamousSparrow.\r\n- This suggests that Tropic Trooper and FamousSparrow are either the same group or are closely related.\r\nSpecial thanks\r\nThe analysis of this case was conducted in cooperation with the Security Research Center of Macnica, Inc. 
We thank the\r\ncompany for its cooperation.\r\nIoCs\r\nfile name | malware type | MD5 | SHA1 | SHA256\r\nMcVsoCfg.dll | Xiangoop Loader | bb01bc33b0475fb2624d906760ebe290 | 808f3cb47960e1b08c8b22dad780528d7fec966d | ACF4422360CA41B\r\nNTUSER.EXE | legitimate exe | c214cc5b78616b44918ce62c8a2aa773 | aa0018ef4bc398cf3e7c6b2dd9109c173d12b368 | 563d732c54221fcdd\r\nsetting.dat | BLOB EntryShell | cccc4cf8267815cf7ae1f924ef2d9b83 | 0031ddf8a700a43641ad988fb867d2c399dd6bba | da2963b338ab5324c\r\ndatast.dll | Loader of SparrowDoor Loader | a213873eb55dc092ddf3adbeb242bd44 | 3650899c669986e5f4363fdbd6cf5b78a6fcd484 | 23dea3a74e3ff6a367\r\ndatastate.dll | SparrowDoor Loader | 8a900f742d0e3cd3898f37dbc3d6e054 | 6ddadecd10ef562fa4845794f5cba250606a366c | 658e9b9947b01eaa3\r\nsqlite3.dll | legitimate dll | 2a589d796e2c4b8a47a8388471880cbb | 721080c5e76aee6f0376ad122343181c1e0da61a | 7d02140c3ff14cd5a0\r\nWinStore | BLOB CrowDoor | 90afb6d2dfd161ce7752226b8a52e609 | e6da2bc32444d84bb1adb80ce01aa3340e5f203c | 4f0cf8835d28188662\r\nWinStore.exe | legitimate exe | 5e352887630542e60eeb844a1c7ac034 | b736fdda75a489e3cb8f0c1ae73adee07309ddb9 | a47bf32ee0fd6b3c09\r\nSource: https://blog-en.itochuci.co.jp/entry/2023/10/06/173200",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://blog-en.itochuci.co.jp/entry/2023/10/06/173200"
	],
	"report_names": [
		"173200"
	],
	"threat_actors": [
		{
			"id": "f67fb5b3-b0d4-484c-943e-ebf12251eff6",
			"created_at": "2022-10-25T16:07:23.605611Z",
			"updated_at": "2026-04-10T02:00:04.685162Z",
			"deleted_at": null,
			"main_name": "FamousSparrow",
			"aliases": [
				"Earth Estries"
			],
			"source_name": "ETDA:FamousSparrow",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f0eca237-f191-448f-87d1-5d6b3651cbff",
			"created_at": "2024-02-06T02:00:04.140087Z",
			"updated_at": "2026-04-10T02:00:03.577326Z",
			"deleted_at": null,
			"main_name": "GhostEmperor",
			"aliases": [
				"OPERATOR PANDA",
				"FamousSparrow",
				"UNC2286",
				"Salt Typhoon",
				"RedMike"
			],
			"source_name": "MISPGALAXY:GhostEmperor",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "61ea51ed-a419-4b05-9241-5ab0dbba25fc",
			"created_at": "2023-01-06T13:46:38.354607Z",
			"updated_at": "2026-04-10T02:00:02.939761Z",
			"deleted_at": null,
			"main_name": "APT23",
			"aliases": [
				"BRONZE HOBART",
				"G0081",
				"Red Orthrus",
				"Earth Centaur",
				"PIRATE PANDA",
				"KeyBoy",
				"Tropic Trooper"
			],
			"source_name": "MISPGALAXY:APT23",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "bef7800a-a08f-4e21-b65c-4279c851e572",
			"created_at": "2022-10-25T15:50:23.409336Z",
			"updated_at": "2026-04-10T02:00:05.319608Z",
			"deleted_at": null,
			"main_name": "Tropic Trooper",
			"aliases": [
				"Tropic Trooper",
				"Pirate Panda",
				"KeyBoy"
			],
			"source_name": "MITRE:Tropic Trooper",
			"tools": [
				"USBferry",
				"ShadowPad",
				"PoisonIvy",
				"BITSAdmin",
				"YAHOYAH",
				"KeyBoy"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d390d62a-6e11-46e5-a16f-a88898a8e6ff",
			"created_at": "2024-12-28T02:01:54.899899Z",
			"updated_at": "2026-04-10T02:00:04.880446Z",
			"deleted_at": null,
			"main_name": "Salt Typhoon",
			"aliases": [
				"Earth Estries",
				"FamousSparrow",
				"GhostEmperor",
				"Operator Panda",
				"RedMike",
				"Salt Typhoon",
				"UNC2286"
			],
			"source_name": "ETDA:Salt Typhoon",
			"tools": [
				"Agentemis",
				"Backdr-NQ",
				"Cobalt Strike",
				"CobaltStrike",
				"Crowdoor",
				"Cryptmerlin",
				"Deed RAT",
				"Demodex",
				"FamousSparrow",
				"FuxosDoor",
				"GHOSTSPIDER",
				"HemiGate",
				"MASOL RAT",
				"Mimikatz",
				"NBTscan",
				"NinjaCopy",
				"ProcDump",
				"PsExec",
				"PsList",
				"SnappyBee",
				"SparrowDoor",
				"TrillClient",
				"WinRAR",
				"Zingdoor",
				"certutil",
				"certutil.exe",
				"cobeacon",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "578f8e62-2bb4-4ce4-a8b7-6c868fa29724",
			"created_at": "2022-10-25T16:07:24.344358Z",
			"updated_at": "2026-04-10T02:00:04.947834Z",
			"deleted_at": null,
			"main_name": "Tropic Trooper",
			"aliases": [
				"APT 23",
				"Bronze Hobart",
				"Earth Centaur",
				"G0081",
				"KeyBoy",
				"Operation Tropic Trooper",
				"Pirate Panda",
				"Tropic Trooper"
			],
			"source_name": "ETDA:Tropic Trooper",
			"tools": [
				"8.t Dropper",
				"8.t RTF exploit builder",
				"8t_dropper",
				"ByPassGodzilla",
				"CHINACHOPPER",
				"CREDRIVER",
				"China Chopper",
				"Chymine",
				"Darkmoon",
				"Gen:Trojan.Heur.PT",
				"KeyBoy",
				"Neo-reGeorg",
				"PCShare",
				"POISONPLUG.SHADOW",
				"Poison Ivy",
				"RoyalRoad",
				"SPIVY",
				"ShadowPad Winnti",
				"SinoChopper",
				"Swor",
				"TSSL",
				"USBferry",
				"W32/Seeav",
				"Winsloader",
				"XShellGhost",
				"Yahoyah",
				"fscan",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "86182dd7-646c-49c5-91a6-4b62fd2119a7",
			"created_at": "2025-08-07T02:03:24.617638Z",
			"updated_at": "2026-04-10T02:00:03.738499Z",
			"deleted_at": null,
			"main_name": "BRONZE HOBART",
			"aliases": [
				"APT23",
				"Earth Centaur ",
				"KeyBoy ",
				"Pirate Panda ",
				"Red Orthrus ",
				"TA413 ",
				"Tropic Trooper "
			],
			"source_name": "Secureworks:BRONZE HOBART",
			"tools": [
				"Crowdoor",
				"DSNGInstaller",
				"KeyBoy",
				"LOWZERO",
				"Mofu",
				"Pfine",
				"Sepulcher",
				"Xiangoop Loader",
				"Yahaoyah"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434099,
	"ts_updated_at": 1775792000,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/df30aebd709abcf1541ec658a365200859c49507.pdf",
		"text": "https://archive.orkl.eu/df30aebd709abcf1541ec658a365200859c49507.txt",
		"img": "https://archive.orkl.eu/df30aebd709abcf1541ec658a365200859c49507.jpg"
	}
}