Kaspersky’s Global Research and Analysis Team (GReAT) has discovered a new Advanced Persistent Threat (APT) campaign carried out by the Tropic Trooper group. This operation has been targeting a governmental entity in the Middle East for over a year, aiming to conduct cyberespionage. To gain unauthorized access and maintain persistence within the targeted network, the attackers are exploiting the China Chopper web shell, GReAT experts found on a publicly accessible open-source web server used for content management.

Tropic Trooper (also known as KeyBoy and Pirate Panda) is an Advanced Persistent Threat (APT) group that has been active since at least 2011. Historically, the group has focused on sectors such as government, healthcare, transportation, and high-tech industries in regions like Taiwan, the Philippines, and Hong Kong. However, Kaspersky's recent investigation has uncovered that in 2024, Tropic Trooper launched persistent cyber campaigns targeting a governmental entity in the Middle East, beginning at least in June 2023.

In June 2024, Kaspersky’s telemetry detected a new variant of the infamous China Chopper web shell. Further investigation by Kaspersky’s Global Research & Analysis Team (GReAT) revealed that this shell was embedded as a module within the Umbraco CMS—a widely-used public web server hosting a content management system. The attackers exploited this platform to gain a wide range of malicious capabilities, including data theft, full remote control, malware deployment, and advanced detection evasion, with the ultimate aim of cyberespionage.

Sherif Magdy, Senior Security Researcher at Kaspersky’s GReAT, commented: “Notable is the variation in skill sets employed during different stages of the attack, as well as their tactics following failure. When the attackers realized their backdoors had been detected, they attempted to upload newer versions to evade detection, inadvertently increasing the likelihood of these new samples being detected in the near future.”

Furthermore, Kaspersky identified new dynamic-link library (DLL) search-order hijacking implants, which were loaded from a legitimate but vulnerable executable due to the lack of a full path specification to the required DLL. This attack chain attempted to deploy the Crowdoor loader, named after the SparrowDoor backdoor detailed by ESET. When Kaspersky's security measures blocked the initial Crowdoor loader, the attackers quickly pivoted to a previously unreported variant with a similar impact.

Kaspersky's experts attribute this activity to the Chinese-speaking threat actor known as Tropic Trooper with high confidence. Their findings reveal significant overlaps in the techniques reported in recent Tropic Trooper campaigns. The samples analyzed by GReAT also show a strong correlation with those previously linked to Tropic Trooper.

Kaspersky observed this targeted intrusion in a government entity in the Middle East. Simultaneously, a subset of these samples was detected targeting a government entity in Malaysia. These incidents align with the typical targets and geographical focus described in recent reports on Tropic Trooper.

“Tropic Trooper APT typically targets government, healthcare, transportation, and high-tech industries. The presence of this group’s tactics, techniques, and procedures (TTPs) within critical governmental entities in the Middle East, particularly those involved in human rights studies, indicates a strategic shift in their operations. This insight can aid the threat intelligence community in better understanding the motives of this actor,” adds Sherif Magdy.

Read the full report about the Tropic Trooper campaign on Securelist.

In order to avoid falling victim to a targeted attack by a known or unknown threat actor, Kaspersky researchers recommend implementing the following measures:

  • Provide your SOC team with access to the latest threat intelligence (TI). Kaspersky Threat Intelligence is a single point of access for the company’s TI, providing it with cyberattack data and insights gathered by Kaspersky spanning over 20 years.
  • Upskill your cybersecurity team to tackle the latest targeted threats with Kaspersky online training developed by GReAT experts.
  • For endpoint level detection, investigation, and timely remediation of incidents, implement EDR solutions such as Kaspersky Next.
  • In addition to adopting essential endpoint protection, implement a corporate-grade security solution that detects advanced threats on the network level at an early stage, such as Kaspersky Anti Targeted Attack Platform.
  • As many targeted attacks start with phishing or other social engineering techniques, introduce security awareness training and teach practical skills to your team – for example, through the Kaspersky Automated Security Awareness Platform.

About Kaspersky

Kaspersky is a global cybersecurity and digital privacy company founded in 1997. With over a billion devices protected to date from emerging cyberthreats and targeted attacks, Kaspersky’s deep threat intelligence and security expertise is constantly transforming into innovative solutions and services to protect businesses, critical infrastructure, governments and consumers around the globe. The company’s comprehensive security portfolio includes leading endpoint protection, specialized security products and services, as well as Cyber Immune solutions to fight sophisticated and evolving digital threats. We help over 200,000 corporate clients protect what matters most to them. Learn more at www.kaspersky.com.