A China-linked advanced persistent threat group known as Tropic Trooper is modifying how it operates, introducing unusual attack methods and expanding both its target base and technical toolkit. Recent observations show the group experimenting with new intrusion paths, including an incident where a victim’s personal home Wi-Fi network became the entry point.
The activity was discussed during a session at Black Hat Asia, where researchers explained that the group is no longer limiting itself to conventional enterprise-focused attacks.
Tropic Trooper, also tracked under names such as Pirate Panda, APT23, Bronze Hobart, and Earth Centaur, has been active since at least 2011. Earlier campaigns primarily focused on sectors including government, military, healthcare, transportation, and high-technology organizations located in Taiwan, the Philippines, and Hong Kong. More recently, analysts identified a separate campaign in the Middle East. Current findings now show that the group is directing efforts toward specific individuals in countries such as Japan, South Korea, and Taiwan, indicating that both its geographic reach and victim selection strategy are expanding.
Researchers from Itochu Cyber & Intelligence noted that one defining characteristic of the group is its willingness to rely on unconventional access techniques. In earlier cases, this included placing fake Wi-Fi access points inside targeted office environments. The group is also known for quickly adopting newly available or open-source malware, which allows it to change its attack chains frequently and complicates tracking efforts. Recent investigations conducted alongside Zscaler confirm that these patterns continue, with multiple new tools and creative delivery mechanisms observed.
Compromise Originating from a Home Router
During the conference session titled “Tropic Trooper Reloaded: Unraveling the Invisible Supply Chain Mystery,” researchers Suguru Ishimaru and Satoshi Kamekawa described a case that initially appeared difficult to trace. The infection chain delivered a Cobalt Strike beacon carrying a watermark value “520,” a marker previously associated with Tropic Trooper activity since 2024.
The affected user had downloaded what appeared to be a legitimate update file named youdaodict.exe for a widely used dictionary application. However, the update package contained two small additional files, one of which was an XML file that triggered the infection. At first, investigators could not determine how the software update itself had been altered.
Further analysis revealed that unauthorized changes had been made to the victim’s home router. Nearly a year later, the same system was compromised again using an identical infection process. This prompted a deeper investigation, which uncovered manipulation of DNS settings tied to the software update process.
Although the domain name and application appeared legitimate, the underlying IP address had been redirected. Researchers traced this manipulation back to the home router, where DNS configurations had been modified to point toward an attacker-controlled server. This technique aligns with what is commonly known as an “evil twin” scenario, where legitimate traffic is silently redirected without the user’s awareness.
This case demonstrates that the group is not limiting itself to corporate environments and is willing to exploit personal infrastructure to reach its targets.
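One defender-side check for the router DNS manipulation described above, as an added example that is not part of the article or the researchers' tooling: resolve the update host once through the home router and once through an independent resolver, then compare the answer sets. The update hostname and the reference resolver address are supplied by the caller; nothing here is specific to the incident's infrastructure.

```python
"""Resolver-divergence check for a software-update host: compare a chosen resolver
(e.g. the home router) against an independent one. Added example, not the article's."""
import random, socket, struct

def build_query(name, txid):
    """Minimal RFC 1035 A query: header (RD set), QNAME labels, QTYPE=A, QCLASS=IN."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.strip(".").split(".")
    qname = b"".join(bytes([len(lb)]) + lb.encode() for lb in labels)
    return header + qname + b"\x00" + struct.pack(">HH", 1, 1)

def _skip_name(buf, off):
    while True:  # walk labels until the terminating 0 or a 2-byte compression pointer
        n = buf[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:
            return off + 2
        off += n + 1

def parse_a_records(resp, txid):
    """Return the set of IPv4 addresses in the answer section of a response."""
    rid, flags, qd, an = struct.unpack(">HHHH", resp[:8])
    if rid != txid or not flags & 0x8000:
        raise ValueError("not a matching DNS response")
    off = 12
    for _ in range(qd):
        off = _skip_name(resp, off) + 4  # skip QTYPE/QCLASS
    ips = set()
    for _ in range(an):
        off = _skip_name(resp, off)
        rtype, _cls, _ttl, rdlen = struct.unpack(">HHIH", resp[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            ips.add(socket.inet_ntoa(resp[off:off + 4]))
        off += rdlen
    return ips

def resolve_via(server, name, timeout=3.0):
    txid = random.randrange(0x10000)  # live UDP/53 query; needs network access
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, txid), (server, 53))
        data, _ = s.recvfrom(4096)
    return parse_a_records(data, txid)

def assess(local, reference):
    if not local:  # "divergent" when the local resolver returns an address the reference never does
        return "no-answer"
    return "consistent" if local <= reference else "divergent"
```

A divergent result is a signal rather than proof, since CDN-backed hosts legitimately return different addresses per resolver; confirm by inspecting the router's configured upstream DNS servers and verifying the update package's code signature.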
Expansion of Malware and Targeting Strategy
The investigation revealed additional infrastructure linked to the group. Researchers identified a publicly accessible Amazon S3 bucket containing 48 files, including new malware samples and phishing pages designed to imitate authentication interfaces for applications such as Signal.
The evidence suggests that Tropic Trooper is focusing on carefully selected individuals, using tailored decoy content in regions including Japan, Taiwan, and South Korea. This represents a change from earlier campaigns that were more organization-centric.
Because the group occasionally reuses IP addresses and file naming patterns, researchers attempted to reconstruct parts of its command-and-control environment through brute-force techniques. This effort led to the discovery of several encrypted payloads stored as .dat files.
After decrypting these files, analysts identified multiple malware components. These included DaveShell and Donut loader, both open-source tools not previously linked to Tropic Trooper. They also identified Merlin Agent and Apollo Agent, which are remote access trojans written in Go and associated with the Mythic command-and-control framework. In addition, a custom backdoor named C6DOOR was found, also developed using the Go programming language.
At the same time, the group continues to deploy previously known tools. These include the EntryShell backdoor, heavily obfuscated variants of the Xiangoop loader, and the previously mentioned Cobalt Strike beacon with the identifiable watermark.
Parallel Campaigns and Delivery Methods
Researchers from Zscaler’s ThreatLabz team reported a related campaign involving a malicious ZIP archive containing documents designed to resemble military-related material. These files were used to lure Chinese-speaking individuals located in Japan and South Korea.
In this campaign, attackers used a modified version of the SumatraPDF application to install an AdaptixC2 beacon. The infection chain eventually resulted in the deployment of Visual Studio Code on compromised systems, likely to support further malicious activity.
Operational Pattern and Security Implications
Taken together, these findings show that Tropic Trooper is rapidly updating its tools and experimenting with different attack paths while extending its reach across multiple regions. Researchers involved in the Black Hat Asia session stated that recent investigations conducted in 2025 revealed several previously unseen malware families, tools, and decoy materials, offering deeper visibility into the group’s activities.
They also observed increased reliance on open-source components within the attack chain. This approach allows the group to modify its methods quickly without relying entirely on custom-built malware.
The pace at which these changes are being introduced demonstrates that the group can adjust its operations within short timeframes, making detection and defense more difficult for targeted organizations and individuals.
