Tropic Trooper
Essential information
- Confidence
- 100/100
- Published
- 16/12/2025 19:39
- Modified
- 27/03/2026 01:13
- Updated at
- 27/03/2026 01:13
- Revoked
- No
- Author / Source
- The MITRE Corporation
- Resource level
- —
- Primary motivation
- —
- Related entities
- 2 reports, 52 attack patterns (mitre), 14 malware, 1 sectors, 1 countries, 20 indicators, 1 tool
Aliases
Pirate Panda KeyBoy
Description
Marking (TLP)
TLP:CLEAR Copyright 2015-2025, The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation.
External references
Related entities
Attack patterns, malware, vulnerabilities, indicators and other entities linked to this intrusion set.
Reports (2)
-
17 MITREs 4 Malwares 14 Observables 1 APT
-
19 MITREs 5 Malwares 7 Observables 1 APT
Attack patterns (MITRE) (52)
-
T1573 usesEncrypted Channel MITRE
-
T1021 usesRemote Services MITRE
-
T1574.001 usesDLL MITRE
-
T1218 usesSystem Binary Proxy Execution MITRE
-
T1059.003 usesWindows Command Shell MITRE
-
T1046 usesNetwork Service Discovery MITRE
-
T1070.004 usesFile Deletion MITRE
-
T1140 usesDeobfuscate/Decode Files or Information MITRE
-
T1020 usesAutomated Exfiltration MITRE
-
T1036 usesMasquerading MITRE
-
T1543.003 usesWindows Service MITRE
-
T1204.002 usesMalicious File MITRE
Malware (14)
-
EntryShell usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
TOSHIS usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
POISONPLUG.SHADOW usesThe MITRE Corporation Confidence 100
[ShadowPad](https://attack.mitre.org/software/S0596) is a modular backdoor that was first identified in a supply chain compromise of the NetSarang software in mid-July 2017. The malware was originally thought to be…
First seen 01/01/1970 · Last seen 16/11/5138 · -
China Chopper usesFamily The MITRE Corporation Confidence 100
[China Chopper](https://attack.mitre.org/software/S0020) is a [Web Shell](https://attack.mitre.org/techniques/T1505/003) hosted on Web servers to provide access back into an enterprise network that does not rely on an infected system calling back…
First seen 01/01/1970 · Last seen 16/11/5138 · -
Neo-reGeorg usesThe MITRE Corporation Confidence 100
[Neo-reGeorg](https://attack.mitre.org/software/S1189) is an open-source web shell designed as a restructuring of [reGeorg](https://attack.mitre.org/software/S1187) with improved usability, security, and fixes for exising [reGeorg](https://attack.mitre.org/software/S1187) bugs.(Citation: GitHub Neo-reGeorg 2019)
First seen 01/01/1970 · Last seen 16/11/5138 · -
YAHOYAH usesFamily The MITRE Corporation Confidence 100
[YAHOYAH](https://attack.mitre.org/software/S0388) is a Trojan used by [Tropic Trooper](https://attack.mitre.org/groups/G0081) as a second-stage backdoor.(Citation: TrendMicro TropicTrooper 2015)
First seen 01/01/1970 · Last seen 16/11/5138 · -
CobaltStrike Beacon usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
USBferry usesFamily The MITRE Corporation Confidence 100
[USBferry](https://attack.mitre.org/software/S0452) is an information stealing malware and has been used by [Tropic Trooper](https://attack.mitre.org/groups/G0081) in targeted attacks against Taiwanese and Philippine air-gapped military environments. [USBferry](https://attack.mitre.org/software/S0452) shares an overlapping codebase…
First seen 01/01/1970 · Last seen 16/11/5138 · -
AdaptixC2 Beacon usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
PoisonIvy usesFamily The MITRE Corporation Confidence 100
[PoisonIvy](https://attack.mitre.org/software/S0012) is a popular remote access tool (RAT) that has been used by many groups.(Citation: FireEye Poison Ivy)(Citation: Symantec Elderwood Sept 2012)(Citation: Symantec Darkmoon Aug 2005)
First seen 01/01/1970 · Last seen 16/11/5138 · -
CrowDoor usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
ByPassGodzilla usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
Sectors (1)
-
Government targets
Countries (1)
-
Malaysia targets
Indicators (20)
-
stix 100/100 Revoked· Valid until 09/12/2025 · Source: AlienVault
-
stix 100/100 Revoked· Valid until 09/12/2025 · Source: AlienVault
-
stix 100/100· Valid until 19/04/2027 · Source: AlienVault
-
stix 100/100 Revoked· Valid until 22/05/2026 · Source: AlienVault
-
stix 100/100· Valid until 19/04/2027 · Source: AlienVault
-
stix 100/100 Revoked· Valid until 22/05/2026 · Source: AlienVault
-
stix 100/100· Valid until 19/04/2027 · Source: AlienVault
-
stix 100/100· Valid until 19/04/2027 · Source: AlienVault
-
stix 100/100· Valid until 19/04/2027 · Source: AlienVault
Tool (1)
-
BITSAdmin usesThe MITRE Corporation Confidence 100
[BITSAdmin](https://attack.mitre.org/software/S0190) is a command line tool used to create and manage [BITS Jobs](https://attack.mitre.org/techniques/T1197). (Citation: Microsoft BITSAdmin)