Tropic Trooper Expands Espionage to Middle East, Targets Human Rights Organizations

Tropic Trooper - China Chopper web shell

The cyber espionage group Tropic Trooper, also known as KeyBoy and Pirate Panda, has been observed shifting its focus to the Middle East, according to a recent report by Kaspersky Labs. The group, known for its attacks on government, healthcare, and high-tech industries in Taiwan, the Philippines, and Hong Kong, has now been linked to a persistent campaign targeting a government entity in the Middle East since June 2023.

In 2024, Tropic Trooper launched persistent campaigns against Middle Eastern government bodies, with a particular focus on entities involved in human rights studies. This shift marks a strategic expansion of the group’s typical targets. The group’s activity first came to light in June 2024, when a variant of the notorious China Chopper web shell, commonly associated with Chinese-speaking threat actors, was detected on a public web server hosting an open-source content management system (CMS) called Umbraco. This infection sparked further investigation, uncovering a variety of malware implants and post-exploitation tools aimed at cyber espionage.

The initial infection involved a variant of the China Chopper web shell, used to gain remote control over compromised servers. However, Tropic Trooper’s tactics did not stop there. Further analysis revealed the use of DLL search-order hijacking, where malicious DLLs were loaded from legitimate vulnerable executables. This tactic allowed the attackers to deploy the Crowdoor loader, linked to the previously discovered SparrowDoor backdoor, further enhancing their ability to maintain persistence and escalate their operations.

Once inside the compromised systems, Tropic Trooper employed various post-exploitation tools to achieve lateral movement and evade detection. Tools such as Fscan, which is used for network vulnerability scanning and exploitation, and Swor, a penetration testing tool, were observed. These tools enabled the attackers to gather information, move deeper into the network, and execute their objectives without triggering alarms from security systems.

Kaspersky Labs attributed this activity with high confidence to Tropic Trooper, highlighting the overlap in tactics and malware samples from previous campaigns. The discovery of such sophisticated techniques targeting Middle Eastern government entities demonstrates the evolving threat landscape posed by APT groups like Tropic Trooper. As the group continues to adapt and refine its approach, organizations must remain vigilant and proactive in their cybersecurity defenses, particularly when dealing with critical infrastructure and sensitive governmental operations.

Related Posts: