Tropic Trooper, a China-linked APT, is changing its TTPs and expanding its targeting to individuals in Japan, Taiwan, and South Korea, using unconventional vectors such as DNS hijacking of home Wi-Fi routers and trojanized software updates. Researchers uncovered new open-source and custom tools in its arsenal, including a watermarked Cobalt Strike beacon, the loaders DaveShell and Donut, the Go-based RATs Merlin and Apollo, and the C6DOOR backdoor, alongside exposed Amazon S3 data and tailored phishing decoys. #TropicTrooper #CobaltStrike
Key points
- Tropic Trooper has broadened its geographic focus to target individuals in Japan, Taiwan, and South Korea.
- Attackers compromised a victim’s home router and hijacked DNS to deliver a trojanized software update.
- Researchers discovered an exposed Amazon S3 bucket containing phishing pages and decoy files mimicking apps like Signal.
- New observed tooling includes DaveShell, Donut loader, Merlin Agent, Apollo Agent, C6DOOR, and a watermarked Cobalt Strike beacon.
- Itochu and Zscaler analyses provide IoCs and show a rapid shift toward open-source tools and novel supply-chain techniques.