Kaspersky has discovered that an advanced persistent threat (APT) group, Tropic Trooper, also known as KeyBoy and Pirate Panda, has been linked to a series of targeted attacks on a government entity in the Middle East.
This is a strategic expansion for the group, which has historically focused on sectors like government, healthcare, transportation, and high-tech industries in Taiwan, the Philippines, and Hong Kong. It is now targeting a governmental entity related to human rights studies.
New Targets, New Tactics
The intrusion campaign began in June last year and was detected in June 2024 when cybersecurity researchers observed a new variant of the China Chopper web shell on a public web server hosting the Umbraco content management system (CMS). The infection triggered multiple alerts from security systems, leading to a deeper investigation.
Researchers uncovered several post-exploitation tools and malware sets that pointed to Tropic Trooper. A fundamental discovery was the use of DLL search-order hijacking implants designed to load the Crowdoor loader, a method that echoes tactics previously seen in Tropic Trooper operations. When the attackers’ initial attempts were thwarted, they adapted quickly, deploying a new, unreported variant of the loader.
Strategic Focus on Human Rights Content
What makes this attack particularly interesting is its focus on governmental entities involved in human rights studies, specifically related to the ongoing Israel-Hamas conflict. The attack appeared to be highly targeted, with the entire system publishing human rights content becoming the sole focus of the intrusion.
This shift in targeting could indicate a broader strategy for Tropic Trooper, active since 2011. By aiming at entities connected to sensitive geopolitical issues, the group may be seeking to gather intelligence that aligns with broader regional interests.
Attribution and Analysis
The research team attributes this campaign to Tropic Trooper with high confidence, citing overlaps in techniques and code similarities with previous attacks attributed to the group. In addition, the investigation highlighted potential connections between Tropic Trooper and another threat group known as FamousSparrow, reported by ESET in 2021 further complicating the threat landscape.
The use of both advanced and relatively simple tools in the attack highlights the group’s adaptability. While some elements of the operation demonstrated high levels of sophistication, others, like the use of publicly available tools for network exploitation, were noisier and more easily detected.
Conclusion
The Tropic Trooper attack on a Middle Eastern government entity highlights the evolving nature of cyber threats in the region. As APT groups like Tropic Trooper continue to expand their focus, understanding their tactics, techniques, and procedures (TTPs) becomes increasingly critical for the global threat intelligence community. A more detailed analysis of this campaign is available through a private Threat Intelligence Portal, with an additional report forthcoming. For more information, interested parties can contact intelreports@kaspersky.com.
About the Author
The opinions expressed in this post belongs to the individual contributors and do not necessarily reflect the views of Information Security Buzz.
