
Threat Actor Characterization

Tropic Trooper

ID: 2133ffcf00c7bf36a8264d4b2285eadd58343
Cybercrime, State-Sponsored
Threat types: Intrusion, Espionage, Malware
Taiwan
Updated: 2026-03-05
Created: 2025-10-21
Progress: 41% Completeness: 28% Freshness: 70%
Operation zone:
Aliases: No aliases registered.
MITRE ATT&CK®

Tropic Trooper is an unaffiliated threat group that has led targeted campaigns against organizations in Taiwan, the Philippines, and Hong Kong. Tropic Trooper focuses on the government, healthcare, transportation, and high-tech sectors and has been active since 2011. Ref: https://attack.mitre.org/groups/G0081/


Technique / Technique name / Tactics / Evidence
T1027.003 Steganography TA0005
  • Obfuscated Files or Information: Steganography - Tropic Trooper has used JPG files with encrypted payloads to mask their backdoor routines and evade detection.
T1027.013 Encrypted/Encoded File TA0005
  • Obfuscated Files or Information: Encrypted/Encoded File - Tropic Trooper has encrypted configuration files.
T1036.005 Match Legitimate Resource Name or Location TA0005
  • Masquerading: Match Legitimate Resource Name or Location - Tropic Trooper has hidden payloads in Flash directories and fake installer files.
T1052.001 Exfiltration over USB TA0010
  • Exfiltration Over Physical Medium: Exfiltration over USB - Tropic Trooper has exfiltrated data using USB storage devices.
T1055.001 Dynamic-link Library Injection TA0004 TA0005
  • Process Injection: Dynamic-link Library Injection - Tropic Trooper has injected a DLL backdoor into dllhost.exe and svchost.exe.
T1059.003 Windows Command Shell TA0002
  • Command and Scripting Interpreter: Windows Command Shell - Tropic Trooper has used Windows command scripts.
T1070.004 File Deletion TA0005
  • Indicator Removal: File Deletion - Tropic Trooper has deleted dropper files on an infected system using command scripts.
T1071.001 Web Protocols TA0011
  • Application Layer Protocol: Web Protocols - Tropic Trooper has used HTTP in communication with the C2.
T1071.004 DNS TA0011
  • Application Layer Protocol: DNS - Tropic Trooper's backdoor has communicated with the C2 over the DNS protocol.
T1078.003 Local Accounts TA0001 TA0003 TA0004 TA0005
  • Valid Accounts: Local Accounts - Tropic Trooper has used known administrator account credentials to execute the backdoor directly.
T1132.001 Standard Encoding TA0011
  • Data Encoding: Standard Encoding - Tropic Trooper has used base64 encoding to hide command strings delivered from the C2.
T1204.002 Malicious File TA0002
  • User Execution: Malicious File - Tropic Trooper has lured victims into executing malware via malicious e-mail attachments.
T1505.003 Web Shell TA0003
  • Server Software Component: Web Shell - Tropic Trooper has started a web service on the target host that waits for the adversary to connect, acting as a web shell.
T1518.001 Security Software Discovery TA0007
  • Software Discovery: Security Software Discovery - Tropic Trooper can search for anti-virus software running on the system.
T1543.003 Windows Service TA0003 TA0004
  • Create or Modify System Process: Windows Service - Tropic Trooper has installed a service pointing to a malicious DLL dropped to disk.
T1547.001 Registry Run Keys / Startup Folder TA0003 TA0004
  • Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder - Tropic Trooper has created shortcuts in the Startup folder to establish persistence.
T1547.004 Winlogon Helper DLL TA0003 TA0004
  • Boot or Logon Autostart Execution: Winlogon Helper DLL - Tropic Trooper has created the Registry key HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell and set its value to establish persistence.
T1564.001 Hidden Files and Directories TA0005
  • Hide Artifacts: Hidden Files and Directories - Tropic Trooper has created hidden directories under C:\ProgramData\Apple\Updates\ and C:\Users\Public\Documents\Flash\.
T1566.001 Spearphishing Attachment TA0001
  • Phishing: Spearphishing Attachment - Tropic Trooper has sent spearphishing emails that contained malicious Microsoft Office and fake installer file attachments.
T1573.002 Asymmetric Cryptography TA0011
  • Encrypted Channel: Asymmetric Cryptography - Tropic Trooper has used SSL to connect to C2 servers.
T1574.001 DLL TA0003 TA0004 TA0005
  • Hijack Execution Flow: DLL - Tropic Trooper has been known to side-load DLLs using a valid version of a Windows Address Book or Windows Defender executable together with one of their tools.
Social Media & Communication
No social links registered for this profile.
Reference Images/Associated Evidence

No images found for this threat.