Home/ Threat Actors/ Tropic Trooper

🇨🇳Tropic Trooper

🇨🇳 Tropic Trooper is a tracked threat actor in the Clankerusecase corpus. CN-aligned. Primary motivation: State. We map 14 detection use cases to this actor across 40 MITRE ATT&CK techniques, with 0 threat-intel articles citing them.

View full actor card → All threat actors MITRE ATT&CK group spec (G0081) ↗

14Use cases

0Articles

40Techniques

0IOCs

About this actor (MITRE)

[Tropic Trooper](https://attack.mitre.org/groups/G0081) is an unaffiliated threat group that has led targeted campaigns against targets in Taiwan, the Philippines, and Hong Kong. [Tropic Trooper](https://attack.mitre.org/groups/G0081) focuses on targeting government, healthcare, transportation, and high-tech industries and has been active since 2011.(Citation: TrendMicro Tropic Trooper Mar 2018)(Citation: Unit 42 Tropic Trooper Nov 2016)(Citation: TrendMicro Tropic Trooper May 2020)

Known aliases

Tropic TrooperPirate PandaKeyBoy

Top techniques

T1016 · System Network Configuration Discovery T1020 · Automated Exfiltration T1027.003 · Steganography

All other tracked techniques

T1027.013 · Encrypted/Encoded File T1033 · System Owner/User Discovery T1036.005 · Match Legitimate Resource Name or Location T1046 · Network Service Discovery T1049 · System Network Connections Discovery T1052.001 · Exfiltration over USB T1055.001 · Dynamic-link Library Injection T1057 · Process Discovery T1059.003 · Windows Command Shell T1070.004 · File Deletion T1071.001 · Web Protocols T1071.004 · DNS T1078.003 · Local Accounts T1082 · System Information Discovery T1083 · File and Directory Discovery T1091 · Replication Through Removable Media T1105 · Ingress Tool Transfer T1106 · Native API T1119 · Automated Collection T1132.001 · Standard Encoding T1135 · Network Share Discovery T1140 · Deobfuscate/Decode Files or Information T1203 · Exploitation for Client Execution T1204.002 · Malicious File T1221 · Template Injection T1505.003 · Web Shell T1518 · Software Discovery T1518.001 · Security Software Discovery T1543.003 · Windows Service T1547.001 · Registry Run Keys / Startup Folder T1547.004 · Winlogon Helper DLL T1564.001 · Hidden Files and Directories T1566.001 · Spearphishing Attachment T1573 · Encrypted Channel T1573.002 · Asymmetric Cryptography T1574.001 · DLL T1680 · Local Storage Discovery

Detection use cases (14)

Tropic Trooper (Pirate Panda) DLL side-loading via signed binary executed from user-writable path AI · profile SΣ Tropic Trooper IIS webshell post-exploit (w3wp.exe spawning recon/cmd) — China Chopper variant AI · profile SΣ Brand-Impersonation Domain Fetch Followed by User-Context Loader Within 10 Minutes MITRE match Cross-Platform ClickFix Paste-to-Pipe Loader (UI-Parent Shell with Decode-and-Execute Payload) MITRE match Developer package install spawning script-host with non-registry C2 within 5 minutes MITRE match Developer/Data-tooling Daemon Spawns Shell Child Seconds After POST to Runner/Exec Endpoint MITRE match Internet-Facing Service Process Spawning Unix Shell or Ingress-Tool LOLBin (Edge Zero-Day Post-Exploit) MITRE match Internet-facing service process spawns shell/LOLBin within minutes of public inbound connection — post-RCE command execution MITRE match Low-Code / AI Workflow Runtime Sandbox-Escape — Server Process Spawns Shell + Public Egress MITRE match Non-Browser Process Reads Browser Credential / Cookie SQLite Then Egresses to Public Destination Within 10 Minutes MITRE match Package Manager / Dev-Tool Auto-Execution Triggers Non-Registry Egress or Credential-Store Access MITRE match Package Manager Install Spawning Outbound Egress to Non-Registry Infrastructure Within 5 Minutes MITRE match Package manager lifecycle hook spawns network-fetching shell or runtime MITRE match Post-Auth Privilege Boundary Crossing on Edge/Management Appliances (low-priv -> admin within 10m) MITRE match