www.darkreading.com 4/24/2026, 1:31:51 AM · via preferred

Tropic Trooper uses dictionary app to hijack home routers in Japan


Black Hat Asia presentations show Tropic Trooper, the China-linked APT also tracked as Pirate Panda, KeyBoy, APT23, Bronze Hobart and Earth Centaur, pivoting to new targets and attack methods, including home Wi‑Fi networks, to reach individuals in Japan, Taiwan and South Korea.

According to Itochu researchers Suguru Ishimaru and Satoshi Kamekawa, the group used an unusual infection chain that began with an update of a legitimate dictionary app (youdaodict[.]exe). The update carried two small files, one of them an XML file that served as the starting point of the infection and that bore a watermark identifier (520) Tropic Trooper has used since 2024. Follow‑up analysis found unauthorized changes to the victim’s home router, including DNS hijacking: the router’s DNS settings were overwritten to point at an attacker‑controlled server, an evil‑twin style setup in which the attacker answers the victim’s name lookups.

The researchers also disclosed a broader expansion of the toolset, including five encrypted .dat payloads that decrypted to new malware such as DaveShell and Donut Loader, along with Merlin Agent, Apollo Agent and C6DOOR, while older tools such as Xiangoop loader variants and a watermarked Cobalt Strike beacon remain in use. Taken together, the Zscaler ThreatLabz and Itochu findings indicate a rapid shift toward open‑source tooling and a wider geographic footprint, and they argue for closer attention to home networks, in particular router DNS settings.


Article by CyberSIXT