G0081: Tropic Trooper
Tropic Trooper is an unaffiliated threat group that has led targeted campaigns against targets in Taiwan, the Philippines, and Hong Kong. Tropic Trooper focuses on targeting government, healthcare, transportation, and high-tech industries and has been active since 2011.[1][2][3]
Analyst context for executives and security teams
Tropic Trooper is a long-running threat group in ATT&CK associated with targeted campaigns against government, healthcare, transportation, and high-tech organizations in Taiwan, the Philippines, and Hong Kong. For leaders, the practical issue is not the name of the group but the defensive pattern: ATT&CK links this group to remote access tools, backdoors, discovery activity, command-and-control over web and DNS protocols, automated exfiltration, and USB-based exfiltration relevant to air-gapped environments.
Executive priority
Prioritize this as a resilience and assurance use case where the organization operates in, supports, or resembles the sectors and regions described by ATT&CK, or where sensitive environments depend on segmentation or air gaps. Executives should ask whether security teams can prove visibility across Windows endpoints, command-line activity, removable media, DNS/web egress, local account use, and data movement. This object also supports audit and risk discussions around air-gapped operations, third-party/supply-chain exposure, and whether incident responders can investigate both connected and disconnected systems.
Technical view
ATT&CK does not provide a detection section for Tropic Trooper itself, so coverage should be validated through the linked software and techniques. Relationship context points to Windows-focused malware/tools including PoisonIvy, BITSAdmin, KeyBoy, YAHOYAH, USBferry, and ShadowPad, plus behaviors such as discovery, Windows command shell execution, DLL injection, masquerading, file deletion, local account abuse, web/DNS command-and-control, automated exfiltration, and exfiltration over USB. SOC and IR teams should map detections to these behaviors rather than relying on group-name alerts.
Likely telemetry
- Endpoint process creation and command-line telemetry, especially cmd.exe and administrative utilities
- Windows DLL load, process injection, and suspicious process access events where available
- File creation, modification, deletion, and unusual executable placement or naming patterns
- DNS query logs and web proxy/firewall egress logs for command-and-control analysis
- BITS job creation and usage telemetry on Windows systems
Detection direction
- Build behavior-based detections around the related ATT&CK techniques rather than expecting a single Tropic Trooper signature.
- Validate visibility for discovery commands and enumeration of users, processes, files, network configuration, network connections, and services.
- Tune web and DNS command-and-control analytics to reduce false positives from normal business traffic while retaining visibility into rare domains, unusual query patterns, and abnormal egress from sensitive hosts.
- Review removable media monitoring for environments that rely on air gaps; USB-based exfiltration is specifically represented through the USBferry and Exfiltration over USB relationships.
- Correlate local account use with unusual execution, discovery, or data movement because local accounts are listed as an abused access mechanism in the related techniques.
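One way to turn the discovery and local-account points above into an analytic, as an added example that is not part of the mirrored ATT&CK page or Glexia's tooling: it scores constructed process-creation events per (host, user) and alerts when one principal runs several distinct discovery categories within a short window. The command-to-category mapping, the log format and the sample events are this example's assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
# Discovery categories named in the detection direction above, mapped to built-in
# Windows utilities (the mapping is this example's assumption, not ATT&CK text).
DISCOVERY = {
    "users": ("whoami", "net user", "net localgroup"),
    "processes": ("tasklist",),
    "net_config": ("ipconfig",),
    "net_conns": ("netstat",),
    "shares": ("net view", "net share"),
    "services": ("sc query", "net start"),
}

def categorize(cmdline):
    """Return the discovery category of a command line, or None if benign."""
    c = cmdline.lower()
    for cat, needles in DISCOVERY.items():
        if any(n in c for n in needles):
            return cat
    return None

def find_discovery_bursts(lines, window=timedelta(minutes=5), min_categories=3):
    """Return {(host, user): [categories]} for principals that ran at least
    min_categories distinct discovery categories inside one window."""
    per_principal = defaultdict(list)
    for line in lines:  # constructed format: timestamp|host|user|cmdline
        ts, host, user, cmd = line.split("|", 3)
        cat = categorize(cmd)
        if cat:
            per_principal[(host, user)].append((datetime.fromisoformat(ts), cat))
    alerts = {}
    for key, events in per_principal.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            cats = {c for t, c in events[i:] if t - t0 <= window}
            if len(cats) >= min_categories:
                alerts[key] = sorted(cats)
                break
    return alerts

# Constructed telemetry: a burst from a shared local admin on WS-17 versus
# two isolated, hours-apart commands from a normal user on WS-22.
SAMPLE = [
    "2024-01-10T09:00:05|WS-17|localadmin|cmd.exe /c whoami",
    "2024-01-10T09:00:07|WS-17|localadmin|cmd.exe /c tasklist /v",
    "2024-01-10T09:00:09|WS-17|localadmin|cmd.exe /c ipconfig /all",
    "2024-01-10T09:00:12|WS-17|localadmin|cmd.exe /c netstat -ano",
    "2024-01-10T09:30:00|WS-22|jdoe|cmd.exe /c ipconfig",
    "2024-01-10T11:30:00|WS-22|jdoe|cmd.exe /c tasklist",
]
```

A lone ipconfig from a help-desk account stays quiet; the same account sweeping users, processes, network configuration and connections within seconds is the pattern worth a ticket, and the (host, user) key is what lets local-account abuse be correlated with it.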
Mitigation priorities
- Start with asset and data prioritization for government, healthcare, transportation, high-tech, military, or air-gapped environments when relevant to the organization.
- Harden and monitor local accounts, especially administrative and shared local credentials; reduce reuse and ensure investigation-ready authentication logs.
- Restrict and monitor removable media use in sensitive and segmented environments, with documented exceptions and evidence collection procedures.
- Ensure endpoint controls capture command execution, suspicious DLL activity, file deletion, and unexpected tool use such as BITSAdmin.
- Control egress through DNS and web gateways, and retain logs long enough to support incident response and threat hunting.
Analyst notes and limits
The group object has no official ATT&CK detection text, no tactics listed on the group object itself, and no group-level platforms specified. The technical guidance is therefore derived from the supplied relationships to software and techniques. The related software is Windows-focused, but several related techniques list additional platforms; local validation should determine which apply in the environment.
This take does not assert current activity, attribution beyond the ATT&CK group description, customer exposure, or guaranteed detection coverage. External references are cited by ATT&CK, but their detailed contents were not used beyond the supplied fields. Organizations need their own telemetry, asset criticality, geography, sector exposure, and incident history to determine priority.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1543.003 | Windows Service Sub-technique | Tropic Trooper has installed a service pointing to a malicious DLL dropped to disk. (Citation: PWC KeyBoys Feb 2017) |
| Enterprise | T1070.004 | File Deletion Sub-technique | Tropic Trooper has deleted dropper files on an infected system using command scripts. (Citation: TrendMicro Tropic Trooper May 2020) |
| Enterprise | T1566.001 | Spearphishing Attachment Sub-technique | Tropic Trooper sent spearphishing emails that contained malicious Microsoft Office and fake installer file attachments. (Citation: Unit 42 Tropic Trooper Nov 2016) (Citation: TrendMicro TropicTrooper 2015) (Citation: CitizenLab Tropic Trooper Aug 2018) (Citation: Anomali Pirate Panda April 2020) (Citation: TrendMicro Tropic Trooper May 2020) |
| Enterprise | T1105 | Ingress Tool Transfer | Tropic Trooper has used a delivered trojan to download additional files. (Citation: TrendMicro Tropic Trooper May 2020) |
| Enterprise | T1057 | Process Discovery | Tropic Trooper is capable of enumerating the running processes on the system using |
| Enterprise | T1204.002 | Malicious File Sub-technique | Tropic Trooper has lured victims into executing malware via malicious e-mail attachments. (Citation: Anomali Pirate Panda April 2020) |
| Enterprise | T1573 | Encrypted Channel | Tropic Trooper has encrypted traffic with the C2 to prevent network detection. (Citation: TrendMicro Tropic Trooper May 2020) |
| Enterprise | T1071.001 | Web Protocols Sub-technique | Tropic Trooper has used HTTP in communication with the C2. (Citation: Anomali Pirate Panda April 2020) (Citation: TrendMicro Tropic Trooper May 2020) |
| Enterprise | T1564.001 | Hidden Files and Directories Sub-technique | Tropic Trooper has created a hidden directory under |
| Enterprise | T1221 | Template Injection | Tropic Trooper delivered malicious documents with the XLSX extension, typically used by OpenXML documents, but the file itself was actually an OLE (XLS) document. (Citation: Unit 42 Tropic Trooper Nov 2016) |
| Enterprise | T1033 | System Owner/User Discovery | Tropic Trooper used |
| Enterprise | T1046 | Network Service Discovery | Tropic Trooper used |
| Enterprise | T1016 | System Network Configuration Discovery | Tropic Trooper has used scripts to collect the host's network topology. (Citation: TrendMicro Tropic Trooper May 2020) |
| Enterprise | T1052.001 | Exfiltration over USB Sub-technique | Tropic Trooper has exfiltrated data using USB storage devices. (Citation: TrendMicro Tropic Trooper May 2020) |
| Enterprise | T1547.001 | Registry Run Keys / Startup Folder Sub-technique | Tropic Trooper has created shortcuts in the Startup folder to establish persistence. (Citation: Anomali Pirate Panda April 2020) (Citation: TrendMicro Tropic Trooper May 2020) |
| Enterprise | T1505.003 | Web Shell Sub-technique | Tropic Trooper has started a web service on the target host and waited for the adversary to connect, acting as a web shell. (Citation: TrendMicro Tropic Trooper May 2020) |
| Enterprise | T1573.002 | Asymmetric Cryptography Sub-technique | Tropic Trooper has used SSL to connect to C2 servers. (Citation: TrendMicro Tropic Trooper Mar 2018) (Citation: TrendMicro Tropic Trooper May 2020) |
| Enterprise | T1059.003 | Windows Command Shell Sub-technique | Tropic Trooper has used Windows command scripts. (Citation: TrendMicro Tropic Trooper May 2020) |
| Enterprise | T1106 | Native API | Tropic Trooper has used multiple Windows APIs including HttpInitialize, HttpCreateHttpHandle, and HttpAddUrl. (Citation: TrendMicro Tropic Trooper May 2020) |
| Enterprise | T1574.001 | DLL Sub-technique | Tropic Trooper has been known to side-load DLLs using a valid version of a Windows Address Book and Windows Defender executable with one of their tools. (Citation: CitizenLab KeyBoy Nov 2016) (Citation: Anomali Pirate Panda April 2020) |
| Enterprise | T1083 | File and Directory Discovery | Tropic Trooper has monitored files' modified time. (Citation: TrendMicro Tropic Trooper May 2020) |
| Enterprise | T1027.013 | Encrypted/Encoded File Sub-technique | Tropic Trooper has encrypted configuration files. (Citation: TrendMicro Tropic Trooper Mar 2018) (Citation: TrendMicro Tropic Trooper May 2020) |
| Enterprise | T1036.005 | Match Legitimate Resource Name or Location Sub-technique | Tropic Trooper has hidden payloads in Flash directories and fake installer files. (Citation: TrendMicro Tropic Trooper May 2020) |
| Enterprise | T1132.001 | Standard Encoding Sub-technique | Tropic Trooper has used base64 encoding to hide command strings delivered from the C2. (Citation: TrendMicro Tropic Trooper May 2020) |
| Enterprise | T1078.003 | Local Accounts Sub-technique | Tropic Trooper has used known administrator account credentials to execute the backdoor directly. (Citation: TrendMicro Tropic Trooper May 2020) |
| Enterprise | T1680 | Local Storage Discovery | Tropic Trooper has detected a target system's system volume information. (Citation: TrendMicro TropicTrooper 2015) (Citation: TrendMicro Tropic Trooper May 2020) |
| Enterprise | T1547.004 | Winlogon Helper DLL Sub-technique | Tropic Trooper has created the Registry key |
| Enterprise | T1203 | Exploitation for Client Execution | Tropic Trooper has executed commands through Microsoft security vulnerabilities, including CVE-2017-11882, CVE-2018-0802, and CVE-2012-0158. (Citation: TrendMicro Tropic Trooper Mar 2018) (Citation: Unit 42 Tropic Trooper Nov 2016) |
| Enterprise | T1071.004 | DNS Sub-technique | Tropic Trooper's backdoor has communicated to the C2 over the DNS protocol. (Citation: TrendMicro Tropic Trooper May 2020) |
| Enterprise | T1119 | Automated Collection | Tropic Trooper has collected information automatically using the adversary's USBferry attack. (Citation: TrendMicro Tropic Trooper May 2020) |
| Enterprise | T1055.001 | Dynamic-link Library Injection Sub-technique | Tropic Trooper has injected a DLL backdoor into dllhost.exe and svchost.exe. (Citation: TrendMicro Tropic Trooper Mar 2018) (Citation: TrendMicro Tropic Trooper May 2020) |
| Enterprise | T1020 | Automated Exfiltration | Tropic Trooper has used a copy function to automatically exfiltrate sensitive data from air-gapped systems using USB storage. (Citation: TrendMicro Tropic Trooper May 2020) |
| Enterprise | T1135 | Network Share Discovery | Tropic Trooper used |
| Enterprise | T1082 | System Information Discovery | Tropic Trooper has detected a target system's OS version. (Citation: TrendMicro TropicTrooper 2015) (Citation: TrendMicro Tropic Trooper May 2020) |
| Enterprise | T1518.001 | Security Software Discovery Sub-technique | Tropic Trooper can search for anti-virus software running on the system. (Citation: Unit 42 Tropic Trooper Nov 2016) |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | Tropic Trooper used shellcode with an XOR algorithm to decrypt a payload. Tropic Trooper also decrypted image files which contained a payload. (Citation: Unit 42 Tropic Trooper Nov 2016) (Citation: TrendMicro Tropic Trooper May 2020) |
| Enterprise | T1049 | System Network Connections Discovery | Tropic Trooper has tested whether the localhost network is available, and other connection capability, on an infected system using command scripts. (Citation: TrendMicro Tropic Trooper May 2020) |
| Enterprise | T1027.003 | Steganography Sub-technique | Tropic Trooper has used JPG files with encrypted payloads to mask their backdoor routines and evade detection. (Citation: TrendMicro Tropic Trooper May 2020) |
| Enterprise | T1518 | Software Discovery | Tropic Trooper's backdoor could list the infected system's installed software. (Citation: TrendMicro Tropic Trooper May 2020) |
| Enterprise | T1091 | Replication Through Removable Media | Tropic Trooper has attempted to transfer USBferry from an infected USB device by copying an Autorun function to the target machine. (Citation: TrendMicro Tropic Trooper May 2020) |
Groups, software, and campaigns
S0452: USBferry
USBferry is an information stealing malware and has been used by Tropic Trooper in targeted attacks against Taiwanese and Philippine air-gapped military environments. USBferry shares an overlapping codebase with YAHOYAH, though it has several features which makes it a distinct piece of malware.[1]
S0596: ShadowPad
S0012: PoisonIvy
S0190: BITSAdmin
S0388: YAHOYAH
YAHOYAH is a Trojan used by Tropic Trooper as a second-stage backdoor.[1]
S0387: KeyBoy
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources (Updates).
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.6 | | Current bundle | 4dc7c4354ca7… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] TrendMicro Tropic Trooper Mar 2018: Horejsi, J., et al. (2018, March 14). Tropic Trooper's New Strategy. Retrieved November 9, 2018.
- [2] Unit 42 Tropic Trooper Nov 2016: Ray, V. (2016, November 22). Tropic Trooper Targets Taiwanese Government and Fossil Fuel Provider With Poison Ivy. Retrieved November 9, 2018.
- [3] TrendMicro Tropic Trooper May 2020: Chen, J. (2020, May 12). Tropic Trooper's Back: USBferry Attack Targets Air gapped Environments. Retrieved May 20, 2020.
- [4] Crowdstrike Pirate Panda April 2020: Busselen, M. (2020, April 7). On-demand Webcast: CrowdStrike Experts on COVID-19 Cybersecurity Challenges and Recommendations. Retrieved May 20, 2020.
- [5] KeyBoy: (Citation: Unit 42 Tropic Trooper Nov 2016) (Citation: TrendMicro Tropic Trooper Mar 2018)
- [6] Pirate Panda: (Citation: Crowdstrike Pirate Panda April 2020)
- [7] Tropic Trooper: (Citation: TrendMicro Tropic Trooper Mar 2018) (Citation: Unit 42 Tropic Trooper Nov 2016)
- [8] mitre-attack G0081
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.