December 9, 2023

A sophisticated and well equipped cyber espionage group in what appears to be yet another uptick in malicious activities tried to access some internal documents and personal information on the compromised hosts. Dubbed Earth Centaur, also known by the monikers Pirate Panda and Tropic Trooper, is a long-running threat group focused on information theft and espionage that has led targeted campaigns.

The hostile agents, believed to be a Chinese speaking actor, are known for their use of spear-phishing emails with weaponized attachments to exploit known vulnerabilities, while simultaneously advancing their malicious tools with obfuscation, stealthiness, and striking power.


This threat group is proficient at red teamwork, knows how to bypass security settings and keep its operation unobstructive. The usage of the open-source frameworks also allows the group to develop new backdoor variants efficiently.

The operators were observed fine-tuning their attack strategies with new behaviors by deploying a USB trojan dubbed USBFerry to strike physically isolated networks belonging to government institutions and military entities in Taiwan and the Philippines in a bid to siphon sensitive data through removable flash drives.

The latest multi stage intrusion sequence involves the group turning to exploit vulnerable IIS servers and Exchange server flaws as entry points to install a web shell that’s then leveraged to deliver a .NET-based Nerapack loader and a first-stage backdoor known as Quasar on the compromised system.

The attackers follow it up by dropping an arsenal of second stage implants like ChiserClient, SmileSvr, ChiserClient, HTShell, and bespoke versions of Lilith RAT and Gh0st RAT depending on the victim to retrieve further instructions from a remote server, download additional payloads, perform file operations, execute arbitrary commands, and exfiltrate results back to the server.

Tropic Trooper also attempts to breach the intranet, dump credentials, and wipe out event logs from the infected machines using a specific set of tools. Also put to use is a command-line program called Rclone that enables the actor to copy harvested data to different cloud storage providers.


The findings are noteworthy because of the steps the APT takes to avoid detection and the critical nature of the targeted entities, not to mention the new capabilities developed for their malicious software to linger on infected hosts and avoid detection.

Indicators of Compromise

Loaders – Trojan.MSIL.NERAPACK

  • 12425edb2c50eac79f06bf228cb2dd77bb1e847c4c4a2049c91e0c5b345df5f2
  • 321febf2bc5603b58628e3a82fb063027bf175252a3b30869eccb90a78e59582
  • 3ad24a438b9a67e4eff7ca7d34b06d5efc24b824e3e346488d534532faa619da
  • dd1afc083b7d82444fcec99e01e8293d51f744201cb968346ec334fb5dd32495
  • e488f0015f14a0eff4b756d10f252aa419bc960050a53cc04699d5cc8df86c8a
  • 6b1b231a7d190651f8c89072e2514aade288dfe6bd87ea62171b6ecffe13d63e
  • e4a15537f767332a7ed08009f4e0c5a7b65e8cbd468eb81e3e20dc8dfc36aeed
  • a64e0c21494811ededf5d8af41b00937c1d5787d63dfcc399a7f32c19a553c99
  • c6cac51035ef7df22c8ff3b5ba204721cdae97bc4728b0de68db1358c0c04035

Backdoors – Backdoor.Win64.CHISERCLIENT

  • ea2264f56ba315c4db49d06cce12365875502686f8f748570cb5a99cb213f008
  • 182f07a00b93a00fae17b33fbfc25931afeddd80f075f241060b4338a49cd5cc
  • 2167855743b9e488ce514c80f246fd5d0973a4296cb565f95517fa1dcfee8f74
  • c6f17d39905d2006020c326c13bb514a66bccc5a42d533aade00e09456ca5dec
  • 97e9bf8032e11bb618a77fbe92489e972b0c92e2e30b26f594f6129ee1cec987
  • 507b0280105da31739159703e418e3d1b1e6e6817362bf69e2da3c0b305af605
  • 819afbdc46b3b8f3e4b71e64c48df14ce886a273ce3c93d7a402f4760405b1a4
  • b3c31192048576591a52bc025e82286d7d32429c2f0991e68d801555b2d74c65996aa9c937b610efd1ab5c0ab173fc9fa78a70b423a193c3e2b505519bde7807
  • 7e72ee1052b018250810e41ac01065ebd833293ecfc363415b7d19dd31734d49


  • 7ca64c811008e34b5dbb7538fa4bed84c1678ed9813e665071dc0ad0def5b74b
  • b914087ac90f8aa782ef4c22cee9c458f7bdfc3d37278327aa7e1442011f0e4a

C&C Servers

  • lastest[.]ctotw[.]tw:443
  • infos[.]friendship[.]tw:80
  • citilink[.]dsmtp[.]com:443
  • flight[.]goldentop[.]tw:80
  • cart[.]ns02[.]us
  • webadmin[.]mirrorstorage[.]org:443
  • api01[.]lflinkup[.]net:80
  • portal[.]blueraymax[.]com:80
  • ca[.]threatiy[.]com:443
  • cb[.]threatiy[.]com:8443
  • cc[.]threatiy[.]com:8080
  • 193[.]42[.]40[.]126
  • 157[.]119[.]234[.]100
  • 158[.]247[.]199[.]191
  • 45[.]77[.]214[.]244
  • 195[.]123[.]221[.]7:8080

1 thought on “Tropic Trooper Espionage

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.