Tropic Trooper APT Takes Aim at Home Routers, Japanese Targets - Dark Reading

Dark Reading (archived May 31, 2026)

The Chinese state-sponsored cyber threat is known for moving fast and trying odd attack vectors; now it's branching out in tools, victimology, and TTPs.

Tara Seals, Managing Editor, News, Dark Reading
April 24, 2026
5 Min Read

BLACK HAT ASIA – Singapore – The China-linked advanced persistent threat (APT) known as Tropic Trooper appears to be changing up its tactics, techniques, and procedures (TTPs), with an odd spear-phishing effort that involved compromising a target's home Wi-Fi network.

Tropic Trooper (aka Pirate Panda, KeyBoy, APT23, Bronze Hobart, and Earth Centaur) has been active since at least 2011. The group historically spies on government, military, healthcare, transportation, and high-tech organizations in Taiwan, the Philippines, and Hong Kong, with researchers recently also finding a single campaign in the Mideast. But its latest efforts are aimed at specific individuals in new geographies like Japan, Taiwan, and South Korea, according to recent analysis, indicating an expansion not just of operational modus operandi, but also of victim profiles.

According to threat researchers at Japan-based security firm Itochu Cyber & Intelligence, one of the hallmarks of the group is a penchant for unconventional intrusion vectors, such as physically deploying fake Wi-Fi access points in targeted offices; it's also known for the rapid adoption of novel and open source malware, making it difficult for researchers to keep up with its evolution.

That's held true in its most recent campaigns too, where Itochu and Zscaler investigations have uncovered a variety of creative approaches and new malware elements within its attack chain.

Cyber Compromise via Home Wi-Fi Router

In a session this week at Black Hat Asia in Singapore entitled "Tropic Trooper Reloaded: Unraveling the Invisible Supply Chain Mystery," Itochu researchers Suguru Ishimaru and Satoshi Kamekawa detailed a supply chain compromise in which malware was delivered through what seemed like ghostly activity; i.e., there was no indication of where it originated.

"We found a complex infection chain delivering a Cobalt Strike beacon that uses a watermark (520), which Tropic Trooper has used since 2024; so, it can be used as an identifier for the group's activity," explained Ishimaru from the stage. "But it was a supply chain mystery — the victim appeared to have downloaded a legitimate executable (youdaodict.exe) to update a well-known dictionary app, and there were two very small files in the downloaded update, including a very suspicious .xml file [that was the source of the infection]. We were unsure though of how the update had been compromised in the first place."

A follow-up investigation indicated that unauthorized changes had been made to the target's home router, resulting in the malware infection.

"One year later, the same host was compromised again, with the same infection routine, so we resumed the investigation, and found there to be tampering with the DNS for the software update," Ishimaru explained. "There was the legitimate domain and executable, but the actual IP was changed. Where was the DNS hijacking happening? We traced it back to the victim's home router, which was compromised, and the DNS settings were overwritten to point to an attacker's server in an 'evil twin' attack."

It shows that Tropic Trooper is interested in targeting personal devices outside of the office environment, he added, which layers a new risk profile onto the APT. However, that was just the tip of the proverbial iceberg when it comes to the APT mixing up its strategy.

Tropic Trooper: An Evolving Malware Toolset for Cyberespionage

The investigation yielded additional fruit, according to Itochu's Kamekawa. "We hunted for artifacts and discovered an exposed Amazon S3 bucket containing 48 files with new malware sets and phishing pages that mimicked authentication pages for Signal and other apps," he explained during the session. "It's clear that Tropic Trooper is targeting high-profile individuals with tailored decoy files in Japan, Taiwan, and South Korea; these are new targets showing they're expanding their operations scope."

Since the APT sometimes reuses IP addresses and file names, the research team brute-forced the command-and-control (C2) file names, and it eventually uncovered fresh malware families lurking inside the group's cyberattack arsenal. "In all, we obtained five different .dat files, which were encrypted payloads," Kamekawa explained.
"We decrypted these and found new malware, including DaveShell and Donut loader, which are two open source loaders being observed for the first time in Tropic Trooper activity; Merlin Agent and Apollo Agent, which are Go-based remote access Trojans (RATs) that are part of the Mythic open source C2 framework; and C6DOOR, a simple [custom] backdoor compiled with Go."

In addition, Tropic Trooper is still using its older, known tools, including the EntryShell backdoor, heavily obfuscated Xiangoop loader variants (a distinctive, custom malware family), and the aforementioned watermarked Cobalt Strike beacon.

Meanwhile, Zscaler ThreatLabz has also been tracking the group's latest activity, and this week detailed its discovery of a malicious ZIP archive containing military-themed document lures. These, dovetailing with Itochu's findings, targeted Chinese-speaking individuals in Japan and South Korea. The campaign that ThreatLabz researchers observed used a trojanized SumatraPDF binary to deploy an AdaptixC2 Beacon and ultimately VS Code on targeted machines.

In all, it's clear that Tropic Trooper continues to iterate its toolset at a rapid pace, and is casting a wider net geographically, meaning that organizations in the region need to be on their toes. The Zscaler blog includes a long list of indicators of compromise (IoCs) to monitor for the activity.

"Based on our 2025 investigation, several new malware families, toolsets, and notable artifacts, including decoys, were identified, providing fresh insight into the group's expanding geographic footprint and targeted industries," Itochu researchers explained in their supporting materials for the Black Hat Asia session. "Recent activity has revealed a marked shift toward open source-based tools within the infection chain. These findings highlight a rapid change in the actor's tooling strategy, demonstrating its ability to pivot quickly and overhaul its methods within a short period of time."
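The router-level DNS hijack described above (legitimate update domain and executable, but the resolved IP swapped to an attacker server) is detectable from the endpoint side by resolving the update host through the router-supplied resolver and through a resolver you trust, and flagging any disagreement. The following is an added example written for this article, not tooling from Itochu, Zscaler or Dark Reading; the update domain and trusted-resolver address are placeholders, the sample DNS response is constructed for offline testing, and the wire format follows RFC 1035 with only A records handled.

```python
"""Compare a software-update domain's A records from the local (router-supplied)
resolver against a trusted resolver, to surface router DNS tampering.

Added example, not the researchers' code. UPDATE_DOMAIN and TRUSTED_RESOLVER are
placeholders; build_sample_response() fabricates a response for offline tests.
"""
import socket
import struct
from typing import List, Set

TRUSTED_RESOLVER = "9.9.9.9"               # placeholder: any resolver you trust
UPDATE_DOMAIN = "updates.example.invalid"   # placeholder update host


def encode_name(name: str) -> bytes:
    """Encode a hostname as DNS labels, e.g. 3www7example3com0."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name: str, txid: int) -> bytes:
    """Standard recursion-desired A query (QTYPE 1, QCLASS IN)."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack(">HH", 1, 1)


def skip_name(msg: bytes, pos: int) -> int:
    """Return the offset just past a (possibly compressed) name at pos."""
    while True:
        length = msg[pos]
        if length & 0xC0 == 0xC0:      # compression pointer: 2 bytes, ends the name
            return pos + 2
        if length == 0:
            return pos + 1
        pos += 1 + length


def parse_a_records(msg: bytes, expected_txid: int) -> Set[str]:
    """Extract IPv4 strings from the answer section; other record types are ignored."""
    txid, flags, qd, an, _ns, _ar = struct.unpack_from(">HHHHHH", msg, 0)
    if txid != expected_txid or not flags & 0x8000:
        raise ValueError("not a response to our query")
    pos = 12
    for _ in range(qd):                 # skip the question section
        pos = skip_name(msg, pos) + 4
    ips = set()
    for _ in range(an):
        pos = skip_name(msg, pos)
        rtype, _rclass, _ttl, rdlen = struct.unpack_from(">HHIH", msg, pos)
        pos += 10
        if rtype == 1 and rdlen == 4:
            ips.add(socket.inet_ntoa(msg[pos:pos + 4]))
        pos += rdlen
    return ips


def build_sample_response(txid: int, name: str, ips: List[str]) -> bytes:
    """Constructed response for offline testing (not captured traffic)."""
    header = struct.pack(">HHHHHH", txid, 0x8180, 1, len(ips), 0, 0)
    question = encode_name(name) + struct.pack(">HH", 1, 1)
    answers = b""
    for ip in ips:
        # 0xC00C is a pointer back to the question name at offset 12.
        answers += b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, 300, 4) + socket.inet_aton(ip)
    return header + question + answers


def classify(local_ips: Set[str], trusted_ips: Set[str]) -> str:
    """'ok' when every local answer is also seen by the trusted resolver.
    CDN-fronted domains legitimately differ by vantage point, so 'suspicious'
    is a lead to verify against the vendor's published ranges, not proof."""
    if not local_ips:
        return "no-answer"
    return "ok" if local_ips <= trusted_ips else "suspicious"


def query_resolver(resolver_ip: str, name: str, txid: int = 0x1234, timeout: float = 3.0) -> Set[str]:
    """Send the query over UDP/53 to one specific resolver and parse its A records."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, txid), (resolver_ip, 53))
        data, _ = s.recvfrom(4096)
    return parse_a_records(data, txid)


def live_check(name: str = UPDATE_DOMAIN, trusted: str = TRUSTED_RESOLVER) -> str:
    """System resolver (whatever DHCP/the router handed out) vs. the trusted one."""
    local = {info[4][0] for info in socket.getaddrinfo(name, None, socket.AF_INET)}
    return classify(local, query_resolver(trusted, name))


if __name__ == "__main__":
    print(live_check())
```

Running live_check() periodically from a host and alerting on "suspicious" gives early warning of the scenario Ishimaru described, where the update traffic looked legitimate at every layer except the address the name resolved to.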
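Ishimaru notes that the Cobalt Strike beacon's watermark (520) can serve as an identifier for the group's activity. The following added example, not code from the researchers or the publication, shows how a triage script pulls that watermark out of a decoded Beacon configuration. The TLV layout and setting numbers are taken from publicly documented Beacon config parsers and should be treated as assumptions; the config blob built here is constructed for the test, not from a real sample.

```python
"""Extract the watermark from a Cobalt Strike Beacon configuration blob.

Added example. Layout assumptions (from public Beacon config parsers): the config
is a sequence of settings, each
    index (uint16 BE) | type (uint16 BE) | length (uint16 BE) | value
with type 1 = short, 2 = int, 3 = bytes, the whole block XOR-encoded with one
byte (0x69 in 4.x samples, 0x2e in 3.x). Setting 1 is the beacon type, 8 the
C2 host, and 37 the watermark (4-byte int).
"""
import struct
from typing import Dict, Optional, Union

XOR_KEYS = (0x69, 0x2E)
SETTING_BEACON_TYPE, SETTING_C2_HOST, SETTING_WATERMARK = 1, 8, 37
TYPE_SHORT, TYPE_INT, TYPE_BYTES = 1, 2, 3
# Watermark the article says Tropic Trooper has used since 2024.
TROPIC_TROOPER_WATERMARK = 520

Setting = Union[int, bytes]


def parse_settings(blob: bytes) -> Dict[int, Setting]:
    """Walk the decoded TLV stream into {index: value}; a zero index terminates."""
    settings: Dict[int, Setting] = {}
    pos = 0
    while pos + 6 <= len(blob):
        idx, typ, length = struct.unpack_from(">HHH", blob, pos)
        pos += 6
        if idx == 0:
            break
        raw = blob[pos:pos + length]
        pos += length
        if typ == TYPE_SHORT and length == 2:
            settings[idx] = struct.unpack(">H", raw)[0]
        elif typ == TYPE_INT and length == 4:
            settings[idx] = struct.unpack(">I", raw)[0]
        else:
            settings[idx] = raw.rstrip(b"\x00")   # byte fields are NUL-padded
    return settings


def decode_config(encoded: bytes) -> Optional[Dict[int, Setting]]:
    """Try each known XOR key; accept the first decode that starts like a config."""
    for key in XOR_KEYS:
        decoded = bytes(b ^ key for b in encoded)
        # A genuine config opens with setting 1 (beacon type) stored as a short.
        if decoded[:4] == b"\x00\x01\x00\x01":
            return parse_settings(decoded)
    return None


def find_watermark(encoded: bytes) -> Optional[int]:
    """Return the watermark integer, or None if the blob is not a decodable config."""
    settings = decode_config(encoded)
    if settings is None:
        return None
    wm = settings.get(SETTING_WATERMARK)
    return wm if isinstance(wm, int) else None


def build_sample_config(watermark: int, c2_host: bytes, key: int = 0x69) -> bytes:
    """Constructed, minimal encoded config for testing; not a real beacon's data."""
    def tlv(idx: int, typ: int, value: bytes) -> bytes:
        return struct.pack(">HHH", idx, typ, len(value)) + value

    plain = (
        tlv(SETTING_BEACON_TYPE, TYPE_SHORT, struct.pack(">H", 8))      # 8 = HTTPS
        + tlv(2, TYPE_SHORT, struct.pack(">H", 443))                    # port
        + tlv(SETTING_C2_HOST, TYPE_BYTES, c2_host.ljust(256, b"\x00")) # C2 server
        + tlv(SETTING_WATERMARK, TYPE_INT, struct.pack(">I", watermark))
        + b"\x00" * 6                                                   # terminator
    )
    return bytes(b ^ key for b in plain)


if __name__ == "__main__":
    sample = build_sample_config(TROPIC_TROOPER_WATERMARK, b"c2.example.invalid")
    print("watermark:", find_watermark(sample))
```

In practice the encoded config is carved from memory or from the unpacked Beacon; once extracted, a watermark match is one attribution signal to weigh alongside the other artifacts the researchers list, not a verdict on its own.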