LmCast :: Stay tuned in

Tropic Trooper APT Takes Aim at Home Routers, Japanese Targets

Recorded: May 11, 2026, 1:16 p.m.

Original

Tropic Trooper APT Takes Aim at Home Routers, Japanese Targets

The Chinese state-sponsored cyber threat is known for moving fast and trying odd attack vectors; now it's branching out in tools, victimology, and TTPs.

Tara Seals, Managing Editor, News, Dark Reading
April 24, 2026
5 Min Read
Source: Marc Anderson via Alamy Stock Photo

BLACK HAT ASIA – Singapore – The China-linked advanced persistent threat (APT) known as Tropic Trooper appears to be changing up its tactics, techniques, and procedures (TTPs), with an odd spear-phishing effort that involved compromising a target's home Wi-Fi network.

Tropic Trooper (aka Pirate Panda, KeyBoy, APT23, Bronze Hobart, and Earth Centaur) has been active since at least 2011. The group historically spies on government, military, healthcare, transportation, and high-tech organizations in Taiwan, the Philippines, and Hong Kong, with researchers recently also finding a single campaign in the Mideast. But its latest efforts are aimed at specific individuals in new geographies such as Japan, Taiwan, and South Korea, according to recent analysis, indicating an expansion not just of its operational modus operandi, but also of its victim profile.

According to threat researchers at Japan-based security firm Itochu Cyber & Intelligence, one of the hallmarks of the group is a penchant for unconventional intrusion vectors, such as physically deploying fake Wi-Fi access points in targeted offices; it is also known for the rapid adoption of novel and open source malware, making it difficult for researchers to keep up with its evolution. That held true in its most recent campaigns too, where Itochu and Zscaler investigations uncovered a variety of creative approaches and new malware elements within its attack chain.

Cyber Compromise via Home Wi-Fi Router

In a session this week at Black Hat Asia in Singapore entitled "Tropic Trooper Reloaded: Unraveling the Invisible Supply Chain Mystery," Itochu researchers Suguru Ishimaru and Satoshi Kamekawa detailed a supply chain compromise in which malware was delivered through what seemed like ghostly activity; i.e., there was no indication of where it originated.

"We found a complex infection chain delivering a Cobalt Strike beacon that uses a watermark (520), which Tropic Trooper has used since 2024; so, it can be used as an identifier for the group's activity," explained Ishimaru, from the stage. "But it was a supply chain mystery — the victim appeared to have downloaded a legitimate executable (youdaodict.exe) to update a well-known dictionary app, and there were two very small files in the downloaded update, including a very suspicious .xml file [that was the source of the infection]. We were unsure though of how the update had been compromised in the first place."

A follow-up investigation indicated that unauthorized changes had been made to the target's home router, resulting in the malware infection.

"One year later, the same host was compromised again, with the same infection routine, so we resumed the investigation, and found there to be tampering with the DNS for the software update," Ishimaru explained. "There was the legitimate domain and executable, but the actual IP was changed. Where was the DNS hijacking happening? We traced it back to the victim's home router, which was compromised, and the DNS settings were overwritten to point to an attacker's server in an 'evil twin' attack."

It shows that Tropic Trooper is interested in targeting personal devices outside of the office environment, he added, which layers a new risk profile onto the APT.
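The incident above hinges on one observable: the update host's name stayed the same while the address it resolved to, via the home router, changed. The following added example (written for this page; it is not code from Dark Reading, Itochu or Zscaler) shows the two checks a defender can run to surface that condition: from the endpoint, resolve the update host through the resolver the LAN hands out (normally the router) and through independent trusted resolvers and compare the answers; on the router, compare the configured upstream DNS servers with the ones the owner actually set. Every hostname, address and resolver here is constructed sample data from reserved documentation ranges, not an indicator from the article.

```python
"""Router-level DNS hijack check for a software-update host (added example).

Not code from the article or the researchers it cites. Resolver functions are
injected so the logic runs offline against constructed answers; in production
the `local_resolve` callable would query the LAN-advertised resolver and each
trusted resolver would query a DoH/DoT server over a path the router cannot
rewrite.
"""
import ipaddress
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, Iterable, List

Resolver = Callable[[str], Iterable[str]]

# Address space that a public update server should never resolve into.
# (Python's ip.is_private also covers the RFC 5737 documentation ranges used
# in the samples below, so the local ranges are listed explicitly instead.)
_LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10")]


@dataclass(frozen=True)
class HijackVerdict:
    hostname: str
    local_answers: FrozenSet[str]
    trusted_answers: FrozenSet[str]
    unexpected_answers: FrozenSet[str]  # LAN answers no trusted resolver gave
    private_answers: FrozenSet[str]     # LAN answers inside local address space

    @property
    def suspicious(self) -> bool:
        return bool(self.unexpected_answers or self.private_answers)


def _normalise(answers: Iterable[str]) -> FrozenSet[str]:
    """Canonicalise IP strings; drop anything that is not an IP address."""
    out = set()
    for a in answers:
        try:
            out.add(str(ipaddress.ip_address(a.strip())))
        except ValueError:
            continue
    return frozenset(out)


def _is_local(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in _LOCAL_NETS)


def check_update_host(hostname: str, local_resolve: Resolver,
                      trusted_resolvers: Iterable[Resolver]) -> HijackVerdict:
    """Compare the LAN resolver's answers with the union of trusted answers.

    Several trusted resolvers are consulted and their answers unioned, because
    CDN-fronted hosts legitimately return different addresses per resolver;
    a mismatch is a signal to investigate, not proof on its own.
    """
    local = _normalise(local_resolve(hostname))
    trusted = frozenset().union(*(_normalise(r(hostname)) for r in trusted_resolvers))
    private = frozenset(a for a in local if _is_local(a))
    return HijackVerdict(hostname, local, trusted, local - trusted, private)


def router_upstreams_tampered(configured: Iterable[str],
                              expected: Iterable[str]) -> FrozenSet[str]:
    """Upstream DNS servers present on the router that the owner never set."""
    return _normalise(configured) - _normalise(expected)


# Constructed sample answers standing in for live lookups (RFC 5737 ranges).
UPDATE_HOST = "update.dictapp.example"
_TRUSTED_A = {UPDATE_HOST: ["203.0.113.10"]}
_TRUSTED_B = {UPDATE_HOST: ["203.0.113.10", "203.0.113.11"]}  # geo-DNS variation
_ROUTER_HIJACKED = {UPDATE_HOST: ["198.51.100.77"]}            # rewritten answer
_ROUTER_CLEAN = {UPDATE_HOST: ["203.0.113.11"]}


def run_sample_checks() -> Dict[str, HijackVerdict]:
    trusted: List[Resolver] = [lambda h: _TRUSTED_A.get(h, []),
                               lambda h: _TRUSTED_B.get(h, [])]
    return {
        "hijacked": check_update_host(UPDATE_HOST, lambda h: _ROUTER_HIJACKED.get(h, []), trusted),
        "clean": check_update_host(UPDATE_HOST, lambda h: _ROUTER_CLEAN.get(h, []), trusted),
    }


if __name__ == "__main__":
    for label, verdict in run_sample_checks().items():
        print(f"{label}: suspicious={verdict.suspicious} unexpected={sorted(verdict.unexpected_answers)}")
    print("router upstreams not set by owner:",
          sorted(router_upstreams_tampered(["203.0.113.53", "198.51.100.53"], ["203.0.113.53"])))
```

The endpoint check is deliberately conservative about what it reports: the union of several trusted resolvers absorbs ordinary geo-DNS differences, so only an address that none of them return is flagged. Pairing it with the router-side comparison of configured upstreams catches the case the article describes, where the domain and binary name were legitimate and only the resolution path had been rewritten.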
However, that was just the tip of the proverbial iceberg when it comes to the APT mixing up its strategy.

Tropic Trooper: An Evolving Malware Toolset for Cyberespionage

The investigation yielded additional fruit, according to Itochu's Kamekawa. "We hunted for artifacts and discovered an exposed Amazon S3 bucket containing 48 files with new malware sets and phishing pages that mimicked authentication pages for Signal and other apps," he explained during the session. "It's clear that Tropic Trooper is targeting high-profile individuals with tailored decoy files in Japan, Taiwan, and South Korea; these are new targets showing they're expanding their operations scope."

Since the APT sometimes reuses IP addresses and file names, the research team brute-forced the command-and-control (C2) file names, and it eventually uncovered fresh malware families lurking inside the group's cyberattack arsenal.

"In all, we obtained five different .dat files, which were encrypted payloads," Kamekawa explained. "We decrypted these and found new malware, including DaveShell and Donut loader, which are two open source loaders being observed for the first time in Tropic Trooper activity; Merlin Agent and Apollo Agent, which are Go-based remote access Trojans (RATs) that are part of the Mythics Agents open source C2 framework; and C6DOOR, a simple [custom] backdoor compiled with Go."

In addition, Tropic Trooper is still using its older, known tools, including the EntryShell backdoor, heavily obfuscated Xiangoop loader variants [PDF] (a distinctive, custom malware family), and the aforementioned watermarked Cobalt Strike beacon.

Meanwhile, Zscaler ThreatLabz has also been tracking the group's latest activity, and this week detailed its discovery of a malicious ZIP archive containing military-themed document lures. These, dovetailing with Itochu's finding, targeted Chinese-speaking individuals in Japan and South Korea. The campaign that ThreatLabz researchers observed used a trojanized SumatraPDF binary to deploy an AdaptixC2 Beacon and ultimately VS Code on targeted machines.

In all, it's clear that Tropic Trooper continues to iterate its toolset at a rapid pace, and is casting a wider net geographically, meaning that organizations in the region need to be on their toes. The Zscaler blog includes a long list of indicators of compromise (IoCs) to monitor for the activity.

"Based on our 2025 investigation, several new malware families, toolsets, and notable artifacts, including decoys, were identified, providing fresh insight into the group's expanding geographic footprint and targeted industries," Itochu researchers explained in their supporting materials for the Black Hat Asia session. "Recent activity has revealed a marked shift toward open source-based tools within the infection chain. These findings highlight a rapid change in the actor's tooling strategy, demonstrating its ability to pivot quickly and overhaul their methods within a short period of time."

About the Author

Tara Seals, Managing Editor, News, Dark Reading

Tara Seals is an award-winning journalist with 25+ years of experience as a reporter, analyst, and editor in the cybersecurity, communications, and technology spaces. As managing editor, she runs the newsroom at Dark Reading, leading a team of staff writers and freelance contributors. She also heads up strategy for a variety of in-depth, multichannel news coverage initiatives. Prior to joining Dark Reading in 2022, Tara was editor-in-chief at cybersecurity stalwart Threatpost, and prior to that, the North American news lead for Infosecurity Magazine. She also spent 13 years working for other titles at Virgo Publishing (now part of Informa TechTarget), as executive editor and editor-in-chief at publications focused on communications service providers, channel partners, and enterprise mobile and video technology. In 2026, she was awarded a regional Azbee award for her in-depth coverage of the ongoing North Korean fake worker cyber campaign. A Texas native, she holds a B.A. from Columbia University, lives in Western Massachusetts with her family, and is on a never-ending quest for good Mexican food in the Northeast.

Summarized

The Chinese state-sponsored cyber threat group Tropic Trooper (also known as Pirate Panda, KeyBoy, APT23, Bronze Hobart, and Earth Centaur) is exhibiting a significant shift in its tactics, techniques, and procedures (TTPs), as detailed by researchers at Itochu Cyber & Intelligence. The shift includes the compromise of a target's home router and a move toward targeting specific individuals in Japan, Taiwan, and South Korea, expanding beyond the group's traditional focus on government, military, healthcare, and high-tech organizations. Its modus operandi is characterized by unconventional intrusion vectors such as physically deploying fake Wi-Fi access points, rapid adoption of open-source malware, and a growing emphasis on personal devices outside typical office environments, which broadens the risk profile it presents.

Itochu and Zscaler investigations revealed a complex infection chain delivering a Cobalt Strike beacon with a distinctive watermark (520) that the group has used since 2024, alongside the discovery of an exposed Amazon S3 bucket containing 48 files with new malware sets and phishing pages mimicking authentication pages for applications such as Signal. The tailored decoy files are aimed at high-profile individuals, marking an expansion of the group's operational scope. By brute-forcing command-and-control (C2) file names, the research team recovered five encrypted .dat payloads and found new malware families: the open-source DaveShell and Donut loaders, the Go-based Merlin Agent and Apollo Agent RATs from the Mythics Agents C2 framework, and the custom Go backdoor C6DOOR. These sit alongside established tools such as the EntryShell backdoor, obfuscated Xiangoop loader variants, and the watermarked Cobalt Strike beacon. The group's adoption of open-source tools and its ability to rapidly iterate its toolset underscore its dynamic nature and capacity to shift strategy quickly.

Notably, the attack chain in this instance began with a seemingly legitimate software update to a dictionary app, downloaded via DNS settings that had been altered on the victim's compromised home router. This highlights the danger of supply chain attacks and the potential for adversaries to interpose themselves in front of trusted software sources. The "evil twin" attack, in which the router's DNS settings were overwritten to point at an attacker-controlled server while the legitimate domain and executable name remained unchanged, shows the group leveraging readily available consumer infrastructure to escalate a compromise.

Researchers at Zscaler ThreatLabz corroborated these findings, identifying a malicious ZIP archive containing military-themed document lures that targeted Chinese-speaking individuals in the affected regions. That campaign used a trojanized SumatraPDF binary to deploy an AdaptixC2 Beacon and ultimately VS Code, illustrating a layered attack approach; the Zscaler blog publishes indicators of compromise (IoCs) for the activity. The continuous evolution of Tropic Trooper's toolset and its expanding geographic scope call for heightened awareness and a robust security posture within organizations operating in the regions of interest. The research team noted a marked shift toward open-source tools in its infection chain, underscoring the need for ongoing monitoring and detection capabilities to identify these emerging threats.