Tropic Trooper Expands Tactics with Multi-Stage Attacks on Japanese and Taiwanese Targets

Severity: High (Score: 75.5)

Sources: www.zscaler.com, www.virusbulletin.com, Darkreading, attack.mitre.org

Summary

On March 12, 2026, Zscaler ThreatLabz reported a campaign by the Tropic Trooper APT targeting Chinese-speaking individuals in Taiwan, Japan, and South Korea. The attack involved a malicious ZIP archive containing military-themed document lures, which included a trojanized version of the SumatraPDF reader. This trojan deploys an AdaptixC2 Beacon agent, facilitating remote access through Visual Studio Code tunnels. Concurrently, Darkreading reported Tropic Trooper's new tactics, including compromising home routers and utilizing spear-phishing techniques. The group has historically targeted government and military sectors but is now expanding its victimology. The recent campaigns indicate a shift in operational methods and tools, raising concerns about the group's evolving threat landscape. The full scope of the impact remains under investigation, with researchers noting the use of unconventional intrusion vectors.

Key Points:

  • Tropic Trooper is targeting Chinese-speaking individuals in Taiwan, Japan, and South Korea.
  • The attack involves a trojanized SumatraPDF reader that deploys an AdaptixC2 Beacon agent.
  • The group is expanding its tactics to include router compromises and spear-phishing efforts.

Key Entities

  • APT23 (apt_group)
  • Bronze Hobart (apt_group)
  • Earth Centaur (apt_group)
  • KeyBoy (apt_group)
  • Pirate Panda (apt_group)
  • Malware (attack_type)
  • Phishing (attack_type)
  • Supply Chain Attack (attack_type)
  • Tropic Trooper Campaign (campaign)
  • China (country)
  • Japan (country)
  • Philippines (country)
  • Singapore (country)
  • South Korea (country)
  • CVE-2012-0158 (cve)
  • CVE-2017-11882 (cve)
  • CVE-2018-0802 (cve)
  • CWE-798 - Use of Hard-coded Credentials (cwe)
  • ipinfo.io (domain)
  • Government (industry)
  • Healthcare (industry)
  • High-tech (industry)
  • Manufacturing (industry)
  • Technology (industry)
  • AdaptixC2 Beacon (malware)
  • Apollo Agent (malware)
  • C6door (malware)
  • CrowDoor (malware)
  • DaveShell (malware)
  • Cobalt Strike Beacon (tool)
  • VS Code (tool)
  • McAfee Executable (tool)
  • McVsoCfg.dll (tool)
  • Mythics Agents (tool)
  • 2d7cc3646c287d6355def362916c6d26 (md5)
  • 3238d2f6b9ea9825eb61ae5e80e7365c (md5)
  • 67fcf5c21474d314aa0b27b0ce8befb2 (md5)
  • 71fa755b6ba012e1713c9101c7329f8d (md5)
  • 7adf76418856966effc9ccf8a21d1b12 (md5)
  • T1021 - Remote Services (mitre_attack)
  • T1027 - Obfuscated Files Or Information (mitre_attack)
  • T1046 - Network Service Discovery (mitre_attack)
  • T1055 - Process Injection (mitre_attack)
  • T1057 - Process Discovery (mitre_attack)
  • Amazon S3 (platform)
  • Windows (platform)
  • GitHub (platform)
  • Visual Studio Code (platform)
  • 19e3c4df728e3e657cb9496cd4aaf69648470b63 (sha1)
  • 2c65433696037f4ce0f8c9a1d78bdd6835c1b94d (sha1)
  • 343be0f2077901ea5b5b9fb97d97892ac1a907e6 (sha1)
  • 401cc16d79d94c32da3f66df21d66ffd71603c14 (sha1)
  • 6c68dc2e33780e07596c3c06aa819ea460b3d125 (sha1)
  • 3936f522f187f8f67dda3dc88abfd170f6ba873af81fc31bbf1fdbcad1b2a7fb (sha256)
  • 3c29c72a59133dd9eb23953211129fd8275a11b91a3b8dddb3c6e502b6b63edb (sha256)
  • 47c7ce0e3816647b23bb180725c7233e505f61c35e7776d47fd448009e887857 (sha256)
  • 6eaea92394e115cd6d5bab9ae1c6d088806229aae320e6c519c2d2210dbc94fe (sha256)
  • a4f2131eb497afe5f78d8d6e534df2b8d75c5b9b565c3ec17a323afe5355da26 (sha256)