Tropic Trooper Attacks Government Organizations to Steal Sensitive Data

Tropic Trooper (aka KeyBoy, Pirate Panda, and APT23) is a sophisticated cyberespionage APT group, and it has been active since 2011.

This APT group primarily targets government institutions, military agencies, healthcare, transportation, and high-tech industries in Taiwan, the Philippines, and Hong Kong.

Cybersecurity analysts at Kaspersky Lab recently discovered that Tropic Trooper has been actively attacking government organizations to steal sensitive data.

Technical analysis

In a December 2024 report, the Chinese-speaking threat actor Tropic Trooper was accused of carrying out a complex cyberespionage attack against a government agency in the Middle East.

The operation lasted from June 2023 and incorporated a variant of the China Chopper web shell which was newly developed along with the Crowdoor loader.

The attackers compromised the Umbraco CMS, which is based on .NET, to send out malicious malware to targets.

They carried out DLL search-order hijacking, which is a form of DLL loader that would load malicious DLL files such as “datast.dll” and “VERSION.dll” through the use of legitimate executables.

The attack chain was also extended to incorporate additional features such as Base64 encoding, RC4 obfuscation (key: ‘fYTUdr643$3u’), and JavaScript dynamic evaluation.

These threat actors had exploited CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207 issues in Microsoft Exchange as well as CVE-2023-26360 in Adobe ColdFusion.

Are You From SOC/DFIR Teams? - Try Advanced Malware and Phishing Analysis With ANY.RUN - 14 day free trial

Crowdoor has employed post-exploitation tools to facilitate lateral movement and the Crowdoor payload persisted through a Windows service called WinStore or the HKCU\Software\Microsoft\Windows\CurrentVersion\Run registry key.

The payload loaded into the colorcpl.exe process and established the C2 server, being an address “blog.techmersion[.]com” on port 443.

Here below we have mentioned all the tools used:-

• Fscan
• Swor
• Neo-reGeorg
• ByPassGodzilla

The attack showcased evolving tactics, including the use of future-dated timestamps like “May 26, 2027,” and the total development of malware variants, which illustrate final moves to use cyberwards against governmental agencies engaged in human rights-related works.

Tropic Trooper is possibly associated with FamousSparrow, targeted Middle Eastern government institutions and Malaysian government institutions using DLL search-order hijacking and features like RC4 key sharing loaders, China Chopper web shell with tools like Crowdoor and SparrowDoor, Kaspersky said.

Targets included the Centre for Middle Eastern Studies which publishes Israeli and Hamas conflict studies and operationalized post-exploitation tools such as Fscan in addition to other strategies that highlight the difference in operational skill sets across attack stages.

IoCs

What Does MITRE ATT&CK Expose About Your Enterprise Security? - Watch Free Webinar!