Kaspersky’s Global Research and Analysis Team (GReAT) has discovered a new Advanced Persistent Threat (APT) campaign carried out by the Tropic Trooper group. The operation has been targeting a governmental entity in the Middle East for over a year with the aim of cyberespionage. To gain unauthorized access and maintain persistence within the targeted network, the attackers are using the China Chopper web shell, which GReAT experts found on a publicly accessible open-source web server used for content management.
Tropic Trooper (also known as KeyBoy and Pirate Panda) is an APT group that has been active since at least 2011. Historically, the group has focused on sectors such as government, healthcare, transportation, and high-tech industries in regions like Taiwan, the Philippines, and Hong Kong. However, Kaspersky’s recent investigation has uncovered that Tropic Trooper has been running persistent cyber campaigns against a governmental entity in the Middle East, observed in 2024 and dating back to at least June 2023.
In June 2024, Kaspersky’s telemetry detected a new variant of the infamous China Chopper web shell. Further investigation by Kaspersky’s Global Research & Analysis Team (GReAT) revealed that this shell was embedded as a module within Umbraco CMS, a widely used open-source content management system running on a publicly accessible web server. The attackers used this foothold to gain a wide range of malicious capabilities, including data theft, full remote control, malware deployment, and advanced detection evasion, with the ultimate aim of cyberespionage.
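A web shell embedded as a CMS module is a file that was not part of the deployed application, so one practical defender check is an integrity baseline of the web root and its compiled-module directory. The script below is an added example (not Kaspersky’s tooling or code from the Umbraco project): it hashes a directory tree, compares a later snapshot against the baseline, and reports added, modified and removed files. The file tree, file names and contents are constructed for the demo; the `bin/` layout is a simplified stand-in for a .NET CMS deployment.

```python
import hashlib
import tempfile
from pathlib import Path

# Constructed file tree used as the demo input: a simplified layout of a
# .NET CMS deployment where bin/ holds compiled modules. Names are hypothetical.
BASELINE_FILES = {
    "bin/Umbraco.Core.dll": b"legit core assembly bytes",
    "bin/Umbraco.Web.dll": b"legit web assembly bytes",
    "web.config": b"<configuration/>",
}


def hash_tree(root: Path) -> dict:
    """Map every regular file under root (relative POSIX path) to its SHA-256."""
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            manifest[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return manifest


def diff_manifests(baseline: dict, current: dict) -> dict:
    """Classify files as added, modified or removed relative to the baseline."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline.keys() & current.keys()
                      if baseline[p] != current[p])
    return {"added": added, "modified": modified, "removed": removed}


def write_tree(root: Path, files: dict) -> None:
    """Materialise a {relative path: bytes} mapping under root."""
    for rel, data in files.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(data)


def demo() -> dict:
    """Build the baseline tree, simulate a dropped module, and return the diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        write_tree(root, BASELINE_FILES)
        baseline = hash_tree(root)  # taken at deployment time in practice
        # Simulated post-compromise state (constructed): one new module appears
        # in bin/ and web.config is altered to register it.
        write_tree(root, {
            "bin/Umbraco.Forms.Helper.dll": b"unexpected module bytes",
            "web.config": b"<configuration><!-- module registered --></configuration>",
        })
        current = hash_tree(root)
        return diff_manifests(baseline, current)


if __name__ == "__main__":
    for kind, paths in demo().items():
        for p in paths:
            print(f"{kind:9s} {p}")
```

In a real deployment the baseline manifest is produced from the release artefact and stored off the host, so that an attacker who can write to the web root cannot also rewrite the reference hashes; any change in `bin/` or `web.config` outside a planned deployment is then a review item.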
Sherif Magdy, Senior Security Researcher at Kaspersky’s GReAT, commented: “Notable is the variation in skill sets employed during different stages of the attack, as well as their tactics following failure. When the attackers realized their backdoors had been detected, they attempted to upload newer versions to evade detection, inadvertently increasing the likelihood of these new samples being detected in the near future.”
Furthermore, Kaspersky identified new DLL search-order hijacking implants, which were loaded by a legitimate but vulnerable executable: because the executable requests its DLL by name without a full path, Windows resolves the name through the DLL search order, and a malicious DLL placed earlier in that order is loaded instead of the intended one. This attack chain attempted to deploy the Crowdoor loader, named after the SparrowDoor backdoor detailed by ESET. When Kaspersky’s security measures blocked the initial Crowdoor loader, the attackers quickly pivoted to a previously unreported variant with a similar impact.
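The loading pattern described above leaves a visible trace in image-load telemetry: a DLL carrying the name of a well-known system library is loaded from somewhere other than the system directories, or an unsigned DLL is loaded from the same directory as the executable that imports it. The script below is an added example (not Kaspersky’s detection logic) that triages such events. The sample events are constructed and only shaped like the `Image`, `ImageLoaded` and `Signed` fields of Sysmon Event ID 7; the allowlist of system DLL names is a small constructed subset.

```python
import ntpath
from typing import List, Optional, Tuple

# Directories from which the well-known system DLLs are normally served.
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")

# Constructed subset of DLL names that should only load from SYSTEM_DIRS.
# A production allowlist would be generated from a clean reference host.
KNOWN_SYSTEM_DLLS = {"version.dll", "userenv.dll", "wtsapi32.dll", "dwmapi.dll"}

# Constructed image-load events, shaped like Sysmon Event ID 7 fields.
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files\Vendor\tool.exe",
     "ImageLoaded": r"C:\Windows\System32\version.dll", "Signed": "true"},
    {"Image": r"C:\Users\Public\stage\tool.exe",
     "ImageLoaded": r"C:\Users\Public\stage\version.dll", "Signed": "false"},
    {"Image": r"C:\Users\Public\stage\tool.exe",
     "ImageLoaded": r"C:\Users\Public\stage\plugin.dll", "Signed": "false"},
    {"Image": r"C:\Windows\System32\svchost.exe",
     "ImageLoaded": r"C:\Windows\System32\dwmapi.dll", "Signed": "true"},
]


def _split(path: str) -> Tuple[str, str]:
    """Return (directory, filename), lowercased, using Windows path rules
    so the logic behaves the same when run on a non-Windows analysis box."""
    p = path.lower()
    return ntpath.dirname(p), ntpath.basename(p)


def classify_load(event: dict) -> Optional[str]:
    """Return a finding label for a suspicious image load, or None if benign."""
    exe_dir, _ = _split(event["Image"])
    dll_dir, dll_name = _split(event["ImageLoaded"])

    # Rule 1: a system DLL name resolved outside the system directories is the
    # signature of a search-order hijack (the real library lives in System32).
    if dll_name in KNOWN_SYSTEM_DLLS and dll_dir not in SYSTEM_DIRS:
        return "system-dll-name-outside-system-dir"

    # Rule 2: an unsigned DLL loaded from the executable's own directory, for
    # an executable that itself lives outside the system directories.
    unsigned = event.get("Signed", "").lower() != "true"
    if dll_dir == exe_dir and unsigned and exe_dir not in SYSTEM_DIRS:
        return "unsigned-dll-beside-executable"
    return None


def triage(events: List[dict]) -> List[Tuple[str, str, str]]:
    """Run classify_load over events and collect (exe, dll, label) findings."""
    findings = []
    for ev in events:
        label = classify_load(ev)
        if label:
            findings.append((ev["Image"], ev["ImageLoaded"], label))
    return findings


if __name__ == "__main__":
    for exe, dll, label in triage(SAMPLE_EVENTS):
        print(f"{label:38s} {exe} -> {dll}")
```

Rule 1 is the higher-confidence signal and is the one that matches the page’s scenario directly; rule 2 is noisier (legitimate plugins are often unsigned) and is better treated as an enrichment to review alongside the executable’s signature status and where it was written from.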
Kaspersky’s experts attribute this activity with high confidence to the Chinese-speaking threat actor known as Tropic Trooper. Their findings reveal significant overlaps with the techniques reported in recent Tropic Trooper campaigns, and the samples analyzed by GReAT show a strong correlation with those previously linked to the group.
Kaspersky observed this targeted intrusion in a government entity in the Middle East. Simultaneously, a subset of these samples was detected targeting a government entity in Malaysia. These incidents align with the typical targets and geographical focus described in recent reports on Tropic Trooper.
“Tropic Trooper APT typically targets government, healthcare, transportation, and high-tech industries. The presence of this group’s tactics, techniques, and procedures (TTPs) within critical governmental entities in the Middle East, particularly those involved in human rights studies, indicates a strategic shift in their operations. This insight can aid the threat intelligence community in better understanding the motives of this actor,” adds Sherif Magdy.