^[4]

^[2][1]

Tropic Trooper has used HTTP in communication with the C2.^[5][3]

Tropic Trooper's backdoor has communicated to the C2 over the DNS protocol.^[3]

Tropic Trooper has collected information automatically using the adversary'sUSBferry attack.^[3]

Tropic Trooper has used a copy function to automatically exfiltrate sensitive data from air-gapped systems using USB storage.^[3]

Tropic Trooper has created shortcuts in the Startup folder to establish persistence.^[5][3]

Tropic Trooper has created the Registry keyHKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell and sets the value to establish persistence.^[2][3]

Tropic Trooper has used Windows command scripts.^[3]

Tropic Trooper has installed a service pointing to a malicious DLL dropped to disk.^[6]

Tropic Trooper has used base64 encoding to hide command strings delivered from the C2.^[3]

Tropic Trooper used shellcode with an XOR algorithm to decrypt a payload.Tropic Trooper also decrypted image files which contained a payload.^[2][3]

Tropic Trooper has encrypted traffic with the C2 to prevent network detection.^[3]

Tropic Trooper has used SSL to connect to C2 servers.^[1][3]

Tropic Trooper has exfiltrated data using USB storage devices.^[3]

Tropic Trooper has executed commands through Microsoft security vulnerabilities, including CVE-2017-11882, CVE-2018-0802, and CVE-2012-0158.^[1][2]

Tropic Trooper has monitored files' modified time.^[3]

Tropic Trooper has created a hidden directory underC:\ProgramData\Apple\Updates\ andC:\Users\Public\Documents\Flash\.^[1][3]

Tropic Trooper has been known to side-load DLLs using a valid version of a Windows Address Book and Windows Defender executable with one of their tools.^[7][5]

Tropic Trooper has deleted dropper files on an infected system using command scripts.^[3]

Tropic Trooper has used a delivered trojan to download additional files.^[3]

Tropic Trooper has detected a target system’s system volume information.^[8][3]

Tropic Trooper has hidden payloads in Flash directories and fake installer files.^[3]

Tropic Trooper has used multiple Windows APIs including HttpInitialize, HttpCreateHttpHandle, and HttpAddUrl.^[3]

Tropic Trooper usedpr and an openly available tool to scan for open ports on target systems.^[8][3]

Tropic Trooper usednetview to scan target systems for shared resources.^[8]

Tropic Trooper has used JPG files with encrypted payloads to mask their backdoor routines and evade detection.^[3]

Tropic Trooper has encrypted configuration files.^[1][3]

Tropic Trooper sent spearphishing emails that contained malicious Microsoft Office and fake installer file attachments.^{[2][8][9][5][3]}

Tropic Trooper is capable of enumerating the running processes on the system usingpslist.^[2][3]

Tropic Trooper has injected a DLL backdoor into dllhost.exe and svchost.exe.^[1][3]

Tropic Trooper has attempted to transferUSBferry from an infected USB device by copying an Autorun function to the target machine.^[3]

Tropic Trooper has started a web service in the target host and wait for the adversary to connect, acting as a web shell.^[3]

Tropic Trooper's backdoor could list the infected system's installed software.^[3]

Tropic Trooper can search for anti-virus software running on the system.^[2]

Tropic Trooper has detected a target system’s OS version.^[8][3]

Tropic Trooper has used scripts to collect the host's network topology.^[3]

Tropic Trooper has tested if the localhost network is available and other connection capability on an infected system using command scripts.^[3]

Tropic Trooper usedletmein to scan for saved usernames on the target system.^[8]

Tropic Trooper delivered malicious documents with the XLSX extension, typically used by OpenXML documents, but the file itself was actually an OLE (XLS) document.^[2]

Tropic Trooper has lured victims into executing malware via malicious e-mail attachments.^[5]

Tropic Trooper has used known administrator account credentials to execute the backdoor directly.^[3]