Tropic Trooper
G00811 reportsaliases · Tropic Trooper · Pirate Panda · KeyBoy
1
Reports
6
Techniques
4
Tactics
5
Countries
67%
Hunt coverage
3
Aliases
Analyst assessment — key judgments
- Signature techniques: T1583.002 (DNS Server), T1588.006 (Vulnerabilities), T1021.007 (Cloud Services).
- Primary targeting: JP, CN, TW, KR.
- Currently dormant: 0 report(s) in last 30d vs 0 prior (+0%).
- Hunt coverage 67% of 6 observed techniques (2 gap(s)).
- Assessment confidence: medium (60).
Activity & trend
DormantLast 30d: 0 vs 0 prior (+0%)· first reported 2026-02-20 · last 2026-02-20
0
7d
0
30d
0
90d
1
All
0.0
Rpts/wk
Reporting timeline · 12 months
Movement — last 30 days
Dropped (90d+)
T1583.002T1588.006T1021.007T1059.001T1584.002T1027.015Vulnerabilities in this actor's reporting · 1
- CVE-2025-55182KEV1 rpt
Overview
Analyst triage
Intelligence summary
Tropic Trooper is an unaffiliated threat group that has led targeted campaigns against targets in Taiwan, the Philippines, and Hong Kong. Tropic Trooper focuses on targeting government, healthcare, transportation, and high-tech industries and has been active since 2011.(Citation: TrendMicro Tropic Trooper Mar 2018)(Citation: Unit 42 Tropic Trooper Nov 2016)(Citation: TrendMicro Tropic Trooper May 2020)
Top co-occurring indicators
Aliases & naming
Targeting · countries
Targeting · named victims
ATT&CK technique matrix
Coverage vs hunt library:
—
Hunt-coverage gaps — prioritized
Top techniques by observation
- T1583.002 · DNS Serverconf 601evidence: JSAC2026 -Day 1-
- T1588.006 · Vulnerabilitiesconf 601evidence: JSAC2026 -Day 1-
- T1021.007 · Cloud Servicesconf 601evidence: JSAC2026 -Day 1-
- T1059.001 · PowerShellconf 601evidence: JSAC2026 -Day 1-
- T1584.002 · DNS Serverconf 601evidence: JSAC2026 -Day 1-
- T1027.015 · Compressionconf 601evidence: JSAC2026 -Day 1-
Threat catalogue · engineering roadmap
Flagged detection-engineering queue
Uncovered techniques you flagged for hunt / detection build-out, aggregated across every actor you visit. Stored locally in your browser.
Infrastructure
IOC type mix
Tooling / malware families
Relationships
Activity
30-day mention timeline
Recent reporting
| Title | Source | Severity | Collected |
|---|