Tropic Trooper APT Takes Aim at Home Routers, Japanese Targets
The Chinese state-sponsored cyber threat is known for moving fast and trying odd attack vectors; now it's branching out in tools, victimology, and TTPs.
Tara Seals,Managing Editor, News,Dark Reading
April 23, 2026
5 Min Read
BLACK HAT ASIA – Singapore – The China-linked advanced persistent threat (APT) known as Tropic Trooper appears to be changing up its tactics, techniques, and procedures (TTPs), with an odd spear-phishing effort that involved compromising a target's home Wi-Fi network.
Tropic Trooper (aka Pirate Panda, KeyBoy, APT23, Bronze Hobart, and Earth Centaur) has been active since at least 2011. The group historically spies on government, military, healthcare, transportation, and high-tech organizations in Taiwan, the Philippines, and Hong Kong, and researchers recently also identified a single campaign in the Middle East. But its latest efforts are aimed at specific individuals in new geographies such as Japan, Taiwan, and South Korea, according to recent analysis, indicating an expansion not just of its operational modus operandi but also of its victim profile.
According to threat researchers at Japan-based security firm Itochu Cyber & Intelligence, one of the hallmarks of the group is a penchant for using unconventional intrusion vectors, such as physically deploying fake Wi-Fi access points in targeted offices; it's also known for the rapid adoption of novel and open source malware, making it difficult for researchers to keep up with its evolution. That's held true in its most recent campaigns too, where Itochu and Zscaler investigations have uncovered a variety of creative approaches and new malware elements within its attack chain.
Cyber Compromise via Home Wi-Fi Router
In a session this week at Black Hat Asia in Singapore entitled "Tropic Trooper Reloaded: Unraveling the Invisible Supply Chain Mystery," Itochu researchers Suguru Ishimaru and Satoshi Kamekawa detailed a supply chain compromise in which malware was delivered through what seemed like ghostly activity; i.e., there was no indication of where it originated.
"We found a complex infection chain delivering a Cobalt Strike beacon that uses a watermark (520), which Tropic Trooper has used since 2024; so, it can be used as an identifier for the group's activity," explained Ishimaru, from the stage. "But it was a supply chain mystery — the victim appeared to have downloaded a legitimate executable (youdaodict.exe) to update a well-known dictionary app, and there were two very small files in the downloaded update, including a very suspicious .xml file [that was the source of the infection]. We were unsure though of how the update had been compromised in the first place."
A follow-up investigation indicated that unauthorized changes had been made to the target's home router, resulting in the malware infection.
"One year later, the same host was compromised again, with the same infection routine, so we resumed the investigation, and found there to be tampering with the DNS for the software update," Ishimaru explained. "There was the legitimate domain and executable, but the actual IP was changed. Where was the DNS hijacking happening? We traced it back to the victim's home router, which was compromised, and the DNS settings were overwritten to point to an attacker's server in an 'evil twin' attack."
It shows that Tropic Trooper is interested in targeting personal devices outside of the office environment, he added, which layers on a new risk profile for the APT. However, that was just the tip of the proverbial iceberg when it comes to the APT mixing up its strategy.
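One defender-side check for the router DNS tampering described above, written as an added example that is not from the article or the Itochu researchers: it queries the update host through the router's resolver and through a known-good reference resolver, parses the raw DNS answers itself (so a tampered stub resolver on the host cannot mask the comparison), and flags answer sets that share no address. The host name update.example.com and the resolver addresses are placeholders; it assumes Python 3.9+ and plain UDP/53 reachability.

```python
import secrets
import socket
import struct

def build_a_query(name: str) -> tuple[int, bytes]:
    """Minimal DNS A/IN query with RD set; returns (transaction id, packet)."""
    txid = secrets.randbits(16)
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return txid, header + qname + struct.pack("!HH", 1, 1)

def _skip_name(buf: bytes, off: int) -> int:
    while True:  # walk labels until the terminating zero or a compression pointer
        n = buf[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:  # 2-byte compression pointer ends the name
            return off + 2
        off += n + 1

def parse_a_records(resp: bytes, txid: int) -> set[str]:
    """IPv4 strings from the answer section; rejects a mismatched txid."""
    rid, _flags, qd, an, _ns, _ar = struct.unpack_from("!HHHHHH", resp, 0)
    if rid != txid:
        raise ValueError("transaction id mismatch")
    off = 12
    for _ in range(qd):
        off = _skip_name(resp, off) + 4  # skip QTYPE/QCLASS
    addrs: set[str] = set()
    for _ in range(an):
        off = _skip_name(resp, off)
        rtype, rclass, _ttl, rdlen = struct.unpack_from("!HHIH", resp, off)
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addrs.add(socket.inet_ntoa(resp[off:off + 4]))
        off += rdlen
    return addrs

def query_resolver(name: str, resolver_ip: str, timeout: float = 3.0) -> set[str]:
    """Ask one specific resolver over UDP/53 for the A records of name."""
    txid, pkt = build_a_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(pkt, (resolver_ip, 53))
        data, _ = s.recvfrom(4096)
    return parse_a_records(data, txid)

def hijack_suspected(router_answers: set[str], reference_answers: set[str]) -> bool:
    """True when the router's answers share no address with the reference resolver."""
    return bool(router_answers) and router_answers.isdisjoint(reference_answers)
```

Typical use is `hijack_suspected(query_resolver("update.example.com", "192.168.1.1"), query_resolver("update.example.com", "<reference resolver>"))`; CDN-fronted hosts can legitimately answer differently per resolver, so treat a hit as a signal to inspect the router's DNS settings, not as proof of compromise.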
Tropic Trooper: An Evolving Malware Toolset for Cyberespionage
The investigation yielded additional fruit, according to Itochu's Kamekawa.
"We hunted for artifacts and discovered an exposed Amazon S3 bucket containing 48 files with new malware sets and phishing pages that mimicked authentication pages for Signal and other apps," he explained during the session. "It's clear that Tropic Trooper is targeting high-profile individuals with tailored decoy files in Japan, Taiwan, and South Korea; these are new targets showing they're expanding their operations scope."
Since the APT sometimes reuses IP addresses and file names, the research team brute-forced the command-and-control (C2) file names, and it eventually uncovered fresh malware families lurking inside the group's cyberattack arsenal.
"In all, we obtained five different .dat files, which were encrypted payloads," Kamekawa explained. "We decrypted these and found new malware, including DaveShell and Donut loader, which are two open source loaders being observed for the first time in Tropic Trooper activity; Merlin Agent and Apollo Agent, which are Go-based remote access Trojans (RATs) that are part of the Mythics Agents open source C2 framework; and C6DOOR, a simple [custom] backdoor compiled with Go."
In addition, Tropic Trooper is still using its older, known tools, including the EntryShell backdoor, heavily obfuscated Xiangoop loader variants (a distinctive, custom malware family), and the aforementioned watermarked Cobalt Strike beacon.
Meanwhile, Zscaler ThreatLabz has also been tracking the group's latest activity, and this week detailed its discovery of a malicious ZIP archive containing military-themed document lures. These, dovetailing with Itochu's finding, targeted Chinese-speaking individuals in Japan and South Korea. The campaign that ThreatLabz researchers observed used a trojanized SumatraPDF binary to deploy an AdaptixC2 Beacon and ultimately VS Code on targeted machines.
In all, it's clear that Tropic Trooper continues to iterate its toolset at a rapid pace, and is casting a wider net geographically, meaning that organizations in the region need to be on their toes. The Zscaler blog includes a long list of indicators of compromise (IoCs) to monitor for the activity.
"Based on our 2025 investigation, several new malware families, toolsets, and notable artifacts, including decoys, were identified, providing fresh insight into the group's expanding geographic footprint and targeted industries," Itochu researchers explained in their supporting materials for the Black Hat Asia session. "Recent activity has revealed a marked shift toward open source-based tools within the infection chain. These findings highlight a rapid change in the actor's tooling strategy, demonstrating its ability to pivot quickly and overhaul their methods within a short period of time."
About the Author
Tara Seals
Managing Editor, News, Dark Reading
Tara Seals has 20+ years of experience as a journalist, analyst and editor in the cybersecurity, communications and technology space. Prior to Dark Reading, Tara was Editor in Chief at Threatpost, and prior to that, the North American news lead for Infosecurity Magazine. She also spent 13 years working for Informa (formerly Virgo Publishing), as executive editor and editor-in-chief at publications focused on both the service provider and the enterprise arenas. A Texas native, she holds a B.A. from Columbia University, lives in Western Massachusetts with her family and is on a never-ending quest for good Mexican food in the Northeast.