VYPR · breach
Published Apr 24, 2026 · Updated May 18, 2026 · 1 source

Tropic Trooper APT Expands to Japan, South Korea via Home Router Supply-Chain Attacks

The China-linked APT23 group has broadened its espionage operations to Japan, South Korea, and Taiwan, using compromised home Wi-Fi routers to hijack DNS and deliver Cobalt Strike beacons through a novel supply-chain attack.

The China-linked advanced persistent threat group known as Tropic Trooper (APT23, Pirate Panda, KeyBoy) has expanded its targeting to Japan, South Korea, and Taiwan, employing a novel supply-chain attack that compromises victims' home Wi-Fi routers to deliver malware. Researchers from Itochu Cyber & Intelligence and Zscaler detailed the campaign at Black Hat Asia in Singapore, revealing a sophisticated infection chain that begins with DNS hijacking at the router level.

According to Itochu researchers Suguru Ishimaru and Satoshi Kamekawa, the attack chain involved compromising a victim's home router and overwriting its DNS settings so that name resolution was handled by an attacker-controlled server, an 'evil twin' style attack. This allowed the group to redirect software updates for a legitimate dictionary app (youdaodict.exe) to a malicious server, delivering a Cobalt Strike beacon carrying watermark 520, a value the group has used since 2024. The researchers noted that the same host was compromised twice, a year apart, using the identical infection routine, confirming the method was intentional and repeatable.

The investigation uncovered an exposed Amazon S3 bucket containing 48 files with new malware sets and phishing pages mimicking authentication pages for Signal and other apps. The researchers decrypted five encrypted payloads and discovered several new malware families in Tropic Trooper's arsenal, including DaveShell and Donut loader (open-source loaders observed for the first time in the group's activity), Merlin Agent and Apollo Agent (Go-based remote access Trojans from the Mythic Agents C2 framework), and C6DOOR, a custom backdoor compiled with Go. The group continues to use older tools such as the EntryShell backdoor, heavily obfuscated Xiangoop loader variants, and the watermarked Cobalt Strike beacon.

Zscaler ThreatLabz, which has also been tracking the group, detailed a parallel campaign using malicious ZIP archives containing military-themed document lures targeting Chinese-speaking individuals in Japan, South Korea, and Taiwan. That campaign employed a trojanized SumatraPDF binary to deploy an AdaptixC2 Beacon and ultimately VS Code on targeted machines. The convergence of findings from both research teams paints a picture of a rapidly evolving threat actor that is expanding both its geographic reach and its technical sophistication.

The shift to targeting personal devices outside the office environment represents a significant evolution in Tropic Trooper's modus operandi. Historically focused on government, military, healthcare, and high-tech organizations in Taiwan, the Philippines, and Hong Kong, the group is now casting a wider net across Northeast Asia. Using home routers as the initial compromise vector lets the group bypass traditional corporate defenses and reach individuals who work remotely or handle sensitive information from home.

Organizations in the affected regions are advised to monitor for the indicators of compromise (IoCs) published in the Zscaler blog and to ensure that home routers used for remote work are properly secured with strong passwords, updated firmware, and DNS settings that cannot be easily overwritten. The campaign underscores the growing trend of APT groups targeting personal devices and home networks as a softer entry point into high-value targets.
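As an added, defender-side illustration of the router-level DNS hijack described above and of the advice to keep router DNS settings from being silently overwritten (example code written for this page, not from the Vypr write-up or either research team): it checks a host's configured resolvers against an allowlist and compares local A-record answers with those from a trusted out-of-band resolver, flagging any update hostname that resolves somewhere the trusted path never returns. All resolver addresses, hostnames and answers are constructed; update.dictionary.example is a placeholder, since the page does not name the dictionary app's update host.

```python
import ipaddress
from typing import Dict, Iterable, List

# Constructed allowlist: resolvers the ISP or corporate policy expects a
# remote worker's router to hand out (documentation ranges, not real).
ALLOWED_RESOLVERS = {"192.0.2.53", "203.0.113.53"}

# Constructed snapshot of one host: what its router pushes as DNS, and
# what each name resolves to locally vs. via a trusted out-of-band path.
CONFIGURED_RESOLVERS = ["192.0.2.53", "198.51.100.7"]
LOCAL_ANSWERS = {"update.dictionary.example": ["198.51.100.20"],  # placeholder
                 "www.example.com": ["93.184.216.34"]}
TRUSTED_ANSWERS = {"update.dictionary.example": ["192.0.2.80"],
                   "www.example.com": ["93.184.216.34"]}

def unexpected_resolvers(configured: Iterable[str],
                         allowed: Iterable[str] = ALLOWED_RESOLVERS) -> List[str]:
    """Configured DNS servers not on the allowlist. Unparseable entries are
    flagged too: a tampered router may push a hostname instead of an IP."""
    allowed_set = {str(ipaddress.ip_address(a)) for a in allowed}
    flagged = []
    for entry in configured:
        try:
            normalized = str(ipaddress.ip_address(entry))
        except ValueError:
            flagged.append(entry)
            continue
        if normalized not in allowed_set:
            flagged.append(entry)
    return flagged

def divergent_answers(local: Dict[str, List[str]],
                      trusted: Dict[str, List[str]]) -> Dict[str, dict]:
    """Names whose local A records share no address with the trusted
    resolver's answers. A redirected update download looks like this:
    the update host resolves somewhere the trusted path never returns."""
    findings = {}
    for name, local_ips in local.items():
        trusted_ips = set(trusted.get(name, []))
        if not set(local_ips) & trusted_ips:
            findings[name] = {"local": sorted(local_ips),
                              "trusted": sorted(trusted_ips)}
    return findings

def assess(configured=CONFIGURED_RESOLVERS, local=LOCAL_ANSWERS,
           trusted=TRUSTED_ANSWERS) -> dict:
    """Run both checks; any non-empty field means the router's DNS is suspect."""
    return {"unexpected_resolvers": unexpected_resolvers(configured),
            "divergent_answers": divergent_answers(local, trusted)}
```

CDN-hosted update domains can legitimately answer differently per resolver, so in practice compare against the vendor's published address ranges or a baseline collected over several days rather than a single trusted lookup.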

Synthesized by Vypr AI