Tropic Trooper Expands Operations with Home Router Attacks and New Targets in Asia

A China-linked advanced persistent threat group known as Tropic Trooper is changing how it operates, introducing unusual access methods and expanding both its target base and its toolkit. Recent observations show the group experimenting with new intrusion paths, including an incident in which a victim's personal home Wi-Fi router, not the organization's network, became the entry point.

The activity was discussed during a session at Black Hat Asia, where researchers explained that the group is no longer limiting itself to conventional enterprise-focused attacks.

Tropic Trooper, also tracked under names such as Pirate Panda, APT23, Bronze Hobart, and Earth Centaur, has been active since at least 2011. Earlier campaigns primarily focused on sectors including government, military, healthcare, transportation, and high-technology organizations located in Taiwan, the Philippines, and Hong Kong. More recently, analysts identified a separate campaign in the Middle East. Current findings now show that the group is directing efforts toward specific individuals in countries such as Japan, South Korea, and Taiwan, indicating that both its geographic reach and victim selection strategy are expanding.

Researchers from Itochu Cyber & Intelligence noted that one defining characteristic of the group is its willingness to rely on unconventional access techniques. In earlier cases, this included placing fake Wi-Fi access points inside targeted office environments. The group is also known for quickly adopting newly available or open-source malware, which allows it to change its attack chains frequently and complicates tracking efforts. Recent investigations conducted alongside Zscaler confirm that these patterns continue, with multiple new tools and creative delivery mechanisms observed.

Compromise Originating from a Home Router

During the conference session titled “Tropic Trooper Reloaded: Unraveling the Invisible Supply Chain Mystery,” researchers Suguru Ishimaru and Satoshi Kamekawa described a case that initially appeared difficult to trace. The infection chain delivered a Cobalt Strike beacon carrying the watermark value “520,” a marker the researchers have associated with Tropic Trooper activity since 2024.

The affected user had downloaded what appeared to be a legitimate update file named youdaodict.exe for a widely used dictionary application. However, the update package contained two small additional files, one of which was an XML file that triggered the infection. At first, investigators could not determine how the software update itself had been altered.

The answer turned out to lie outside the corporate perimeter: the victim's home router had been tampered with. Nearly a year later, the same system was compromised again through an identical infection process, which prompted a deeper investigation and uncovered manipulation of the DNS settings used when the application checked for updates.

Although the domain name and the application were legitimate, the name was resolving to an attacker-controlled IP address. Researchers traced the redirection to the home router, whose DNS configuration had been modified so that lookups for the update domain returned the attacker's server instead of the vendor's. This is DNS hijacking at the router, sometimes called pharming: legitimate traffic is silently steered to the attacker without the user's awareness, and no rogue access point is involved, which distinguishes it from the fake “evil twin” access points the group used in earlier office intrusions.

This case demonstrates that the group is not limiting itself to corporate environments and is willing to exploit personal infrastructure to reach its targets.

Expansion of Malware and Targeting Strategy

The investigation revealed additional infrastructure linked to the group. Researchers identified a publicly accessible Amazon S3 bucket containing 48 fil

[…]

This article has been indexed from CySecurity News – Latest Information Security and Hacking Incidents
