Menu
Browse

Cyber Threat Actor: Tropic Trooper

Aliases: 3 aliases
Actor Type Location Known Incidents
 Icon
Nation State
China
3 incidents
Profile

TropicTrooper, also tracked under the aliases KeyBoy and PiPi, is a threat actor linked to China and described in public reporting as a state‑sponsored hacking group. The actor’s known objectives center on espionage, specifically the collection of defense and marine‑related intelligence from targeted governments and military organizations. Their targeting pattern includes military hospitals, government agencies, and financial institutions, which are used as initial footholds to reach more heavily protected networks.

The group’s typical tactics involve the deployment of the USBferry malware family, which is designed to spread automatically through removable USB storage devices. Once introduced, the malware self‑replicates across drives, allowing it to jump air‑gapped environments and gather sensitive files from isolated systems. When the infected USB devices are later reconnected to internet‑connected hosts, the stolen data is exfiltrated, enabling the attackers to bridge physical isolation safeguards such as biometric authentication and USB quarantine measures. This reliance on trusted intermediary systems and supply chain vectors characterizes their tooling style.

A representative operation occurred in 2020, when Tropic Trooper used USBferry to penetrate the air‑gapped networks of the Taiwanese and Philippine militaries. By first compromising peripheral entities like military hospitals and government offices, the group established a pathway into the defended systems of the armed forces. The campaign focused on extracting classified defense documents and marine intelligence, demonstrating a sustained effort to exploit removable media as a means to bypass stringent physical security controls.

Incidents
Attributed incidents available to members
3 incidents
Sources
Sources available to members
0 sources