S0388: YAHOYAH
YAHOYAH is a Trojan used by Tropic Trooper as a second-stage backdoor.[1]
Analyst context for executives and security teams
YAHOYAH matters because ATT&CK describes it as a Windows Trojan used as a second-stage backdoor by Tropic Trooper. For leaders, the key point is not the malware name itself, but the role: a second-stage backdoor implies an earlier compromise may already have occurred and the intruder is preparing for persistence, command-and-control, discovery, and tool transfer. Organizations with exposure to the sectors and regions noted in the Tropic Trooper relationship should treat related detections as incident-triage signals, not isolated malware alerts.
Executive priority
Prioritize this as an incident response and visibility-readiness question: can the organization prove it would see a Windows host performing encoded/obfuscated file handling, web-based command-and-control, system and security-tool discovery, and inbound tool transfer? Budget and control discussions should focus on endpoint telemetry, proxy/network logging, malware containment procedures, and evidence retention. Because ATT&CK provides no official detection text for YAHOYAH, executives should ask for validation evidence rather than assurance based on signatures alone.
Technical view
For SOC, detection engineering, and IR teams, validate coverage around the ATT&CK relationships for this malware on Windows: T1027.013 Encrypted/Encoded File, T1071.001 Web Protocols, T1082 System Information Discovery, T1105 Ingress Tool Transfer, T1140 Deobfuscate/Decode Files or Information, and T1518.001 Security Software Discovery. Treat alerts involving web protocol C2-like traffic plus host discovery, security software discovery, decoding/deobfuscation activity, or new file transfer onto a Windows endpoint as higher-priority correlation candidates. Since official detection guidance is not supplied, local baselining and relationship-driven analytics are required.
Likely telemetry
- Windows endpoint process creation and command-line telemetry
- EDR file creation, modification, and execution events
- Network proxy, firewall, and web gateway logs for HTTP/S or other web protocol traffic
- DNS and destination reputation/context logs
- Host telemetry showing operating system, patch, hardware, or environment discovery
Detection direction
- Do not rely on the malware name alone; build correlations around the related behaviors ATT&CK supplies.
- Tune for unusual Windows endpoints initiating web protocol traffic followed by discovery activity or file ingress.
- Look for encoded/encrypted artifacts that are later decoded, unpacked, or otherwise transformed before execution.
- Correlate system information discovery with security software discovery, as this combination can indicate adversary decision-making before follow-on actions.
- Review false positives from legitimate software inventory, security tooling, software deployment, and administrative scripts before escalating broad discovery detections.
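The relationship-driven correlation described above, as an added example that is not part of the ATT&CK object or the Glexia analysis: it classifies normalized endpoint and proxy events into the six related techniques, then flags hosts where web-protocol traffic is followed within a time window by discovery and file ingress. The event schema, the ten-minute window, the command-line keywords used as stand-ins for T1082/T1518.001, and the inventory-agent allowlist are all assumptions to be tuned locally.

```python
"""Relationship-driven correlation for the YAHOYAH behavior chain (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)
INVENTORY_ALLOWLIST = {"inventory_agent.exe"}  # assumed name; tune to local inventory tooling

def classify(ev):
    """Map one normalized event to the ATT&CK technique it may indicate, or None."""
    cmd = ev.get("cmdline", "").lower()
    if ev["source"] == "proxy" and not ev.get("user_agent", "").startswith("Mozilla"):
        return "T1071.001"          # web-protocol traffic from a non-browser client
    if ev["source"] == "process" and any(k in cmd for k in ("systeminfo", "hostname")):
        return "T1082"              # OS version / hostname discovery
    if ev["source"] == "process" and "tasklist" in cmd:
        return "T1518.001"          # process listing used to spot security software
    if ev["source"] == "file" and ev.get("writer_has_network"):
        return "T1105"              # file written by a process with network activity

def correlate(events):
    """Return {host: (priority, techniques)}: web traffic followed in WINDOW by discovery (+ingress)."""
    by_host = defaultdict(list)
    for ev in events:
        tech = classify(ev)
        if tech and ev.get("process") not in INVENTORY_ALLOWLIST:
            by_host[ev["host"]].append((datetime.fromisoformat(ev["ts"]), tech))
    hits = {}
    for host, seq in by_host.items():
        for t0, tech in sorted(seq):
            if tech != "T1071.001":
                continue                # only web traffic starts a candidate chain
            seen = {t for ts, t in seq if t0 <= ts <= t0 + WINDOW}
            discovery = seen & {"T1082", "T1518.001"}
            if discovery and "T1105" in seen:
                hits[host] = ("high", seen)
            elif discovery and host not in hits:
                hits[host] = ("medium", seen)
    return hits

# Constructed sample telemetry, not real data.
SAMPLE = [
    {"ts": "2024-05-01T09:00:00", "host": "WS-17", "source": "proxy", "user_agent": "WinHTTP/1.0"},
    {"ts": "2024-05-01T09:00:20", "host": "WS-17", "source": "process", "cmdline": "cmd /c systeminfo"},
    {"ts": "2024-05-01T09:00:45", "host": "WS-17", "source": "process", "cmdline": "tasklist /v"},
    {"ts": "2024-05-01T09:01:10", "host": "WS-17", "source": "file", "writer_has_network": True},
    {"ts": "2024-05-01T11:00:00", "host": "WS-22", "source": "proxy", "user_agent": "WinHTTP/1.0"},
    {"ts": "2024-05-01T11:00:05", "host": "WS-22", "source": "process", "cmdline": "tasklist", "process": "inventory_agent.exe"},
    {"ts": "2024-05-01T12:00:00", "host": "WS-30", "source": "proxy", "user_agent": "curl/8.0"},
    {"ts": "2024-05-01T12:03:00", "host": "WS-30", "source": "process", "cmdline": "hostname"},
]
```

Running `correlate(SAMPLE)` ranks WS-17 high (full chain), WS-30 medium (web traffic plus discovery, no ingress) and drops WS-22 because its discovery came from the allowlisted inventory agent.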
Mitigation priorities
- Ensure Windows endpoints have current prevention, EDR, and logging coverage appropriate for malware containment and investigation.
- Restrict and monitor unapproved outbound web traffic where business processes allow, especially from systems that should not directly reach the internet.
- Harden controls around downloaded tools and externally transferred files, including execution control and inspection where feasible.
- Maintain least privilege and application control practices to limit what a second-stage backdoor can execute after initial compromise.
- Protect and monitor security tooling from discovery, tampering, or evasion attempts through configuration management and alerting.
Analyst notes and limits
The strongest decision value comes from the relationship context: YAHOYAH is identified as a second-stage Windows backdoor used by Tropic Trooper and associated with obfuscation, deobfuscation, web protocols, system discovery, security software discovery, and ingress tool transfer. This supports a behavior-based defensive posture rather than a signature-only approach.
ATT&CK does not provide official detection text, aliases, labels, or explicit tactics for the malware object itself. The malware platform is Windows, while several related techniques list broader ATT&CK platforms; coverage statements should therefore be validated in the local Windows environment. No claim is made here about current activity, confirmed exposure, or guaranteed detection.
YAHOYAH
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1082 | System Information Discovery | YAHOYAH checks for the system’s Windows OS version and hostname.[1] |
| Enterprise | T1105 | Ingress Tool Transfer | YAHOYAH uses HTTP GET requests to download other files that are executed in memory.[1] |
| Enterprise | T1518.001 | Security Software Discovery (sub-technique) | YAHOYAH checks for antimalware solution processes on the system.[1] |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | YAHOYAH decrypts downloaded files before execution.[1] |
| Enterprise | T1071.001 | Web Protocols (sub-technique) | YAHOYAH uses HTTP for C2.[1] |
| Enterprise | T1027.013 | Encrypted/Encoded File (sub-technique) | YAHOYAH encrypts its configuration file using a simple algorithm.[1] |
Groups, software, and campaigns
G0081: Tropic Trooper
Tropic Trooper is an unaffiliated threat group that has led targeted campaigns against targets in Taiwan, the Philippines, and Hong Kong. Tropic Trooper focuses on targeting government, healthcare, transportation, and high-tech industries and has been active since 2011.[1][2][3]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.2 | | Current bundle | 674e36760948… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] TrendMicro TropicTrooper 2015: Alintanahin, K. (2015). Operation Tropic Trooper: Relying on Tried-and-Tested Flaws to Infiltrate Secret Keepers. Retrieved June 14, 2019.
[2] mitre-attack S0388.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.