Chinese Hackers Spotted Targeting Transportation Sector

Since the middle of 2020, a Chinese state-sponsored threat actor called ‘Tropic Trooper’ has been targeting transportation organizations and government entities related to the transportation sector, Trend Micro reports.

Also known as Earth Centaur and KeyBoy, the advanced persistent threat (APT) has been around since 2011, conducting espionage campaigns against organizations in government, healthcare, high-tech, and transportation sectors in Hong Kong, the Philippines, and Taiwan.

As part of the attacks conducted over the past year and a half, Trend Micro warned that the group attempted to access flight schedules, financial plans, and other internal documents at the target organizations, as well as any personal information available on the compromised hosts, including search histories.

Trend Micro’s monitoring of the group revealed red-team-level proficiency: the adversary can bypass security settings, keep its activities from becoming disruptive enough to draw attention, and use reverse proxies to get past network security systems.

The APT has also been observed using open-source frameworks, which lets it quickly produce new backdoor variants, and it likely employs the same tactics in attacks on other industries as well, the Trend Micro researchers explained.

Tropic Trooper uses a multi-stage infection process, in which Internet Information Services (IIS) and Microsoft Exchange vulnerabilities (including ProxyLogon) are exploited for intrusion. Next, the attackers install web shells and deploy the Nerapack .NET loader and the Quasar RAT as the first stage malware.

Different types of second-stage backdoors, including ChiserClient and SmileSvr, are deployed, based on the victim. The attackers then begin Active Directory (AD) discovery, leverage Server Message Block (SMB) to spread across the network, and attempt to harvest login credentials.
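The chain described above (web shell on an IIS/Exchange host, then Active Directory discovery, then SMB lateral movement) lends itself to a simple host-based correlation rule. The following is an added detection example, not code from Trend Micro or SecurityWeek: it runs over a constructed set of process-creation events, classifies each into a stage, and flags hosts where all three stages appear in order within a time window. The IIS worker process name w3wp.exe and the command patterns are assumptions for illustration, not indicators from the report.

```python
import re
from datetime import datetime, timedelta

# Constructed sample of process-creation events (Sysmon-style fields, simplified).
# These are made-up records for illustration, not indicators from the report.
SAMPLE_EVENTS = [
    {"ts": "2021-06-01T08:00:00", "host": "EXCH01", "parent": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "image": r"C:\Windows\System32\cmd.exe", "cmd": 'cmd.exe /c "whoami"'},
    {"ts": "2021-06-01T08:03:00", "host": "EXCH01", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\net.exe", "cmd": 'net group "domain admins" /domain'},
    {"ts": "2021-06-01T08:10:00", "host": "EXCH01", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\xcopy.exe", "cmd": r"xcopy loader.exe \\FS01\ADMIN$\temp"},
    {"ts": "2021-06-01T09:00:00", "host": "WS07", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\cmd.exe", "cmd": "cmd.exe /c dir"},
]

# Assumed patterns: w3wp.exe is the IIS worker process; a shell spawned by it is
# typical of web shell command execution after IIS/Exchange exploitation.
IIS_WORKER = re.compile(r"\\w3wp\.exe$", re.I)
SHELLS = re.compile(r"\\(cmd|powershell)\.exe$", re.I)
AD_DISCOVERY = re.compile(r'net\s+group\s+"domain admins"|nltest\s+/dclist|dsquery', re.I)
ADMIN_SHARE = re.compile(r"\\\\[\w.-]+\\(admin\$|c\$)", re.I)  # copy to a remote admin share over SMB

STAGES = ["webshell_exec", "ad_discovery", "smb_lateral"]


def classify(ev):
    """Map one process-creation event to an attack stage, or None if benign-looking."""
    if IIS_WORKER.search(ev["parent"]) and SHELLS.search(ev["image"]):
        return "webshell_exec"
    if AD_DISCOVERY.search(ev["cmd"]):
        return "ad_discovery"
    if ADMIN_SHARE.search(ev["cmd"]):
        return "smb_lateral"
    return None


def correlate(events, window_minutes=60):
    """Return {host: [stages]} for hosts showing all three stages, in order, within the window."""
    per_host = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        stage = classify(ev)
        if stage:
            per_host.setdefault(ev["host"], []).append((datetime.fromisoformat(ev["ts"]), stage))
    hits = {}
    for host, seq in per_host.items():
        names = [s for _, s in seq]
        if all(s in names for s in STAGES) and [names.index(s) for s in STAGES] == sorted(names.index(s) for s in STAGES):
            if seq[-1][0] - seq[0][0] <= timedelta(minutes=window_minutes):
                hits[host] = names
    return hits
```

A single stage on its own (an admin logging in through a shell, a help-desk script querying groups) is noisy; the value is in requiring the ordered sequence on one host.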

“We found that the threat group developed multiple backdoors capable of communication via common network protocols. We think this indicates that it has the capability to bypass network security systems by using these common protocols to transfer data. We also found that the group tries to launch various backdoors per victim,” Trend Micro said.

Based on commands received from the command and control (C&C) server, the employed backdoors can download files, write and read files, open command shells for command execution, upload files, list directories and files, and more. Which protocol a backdoor uses depends on the victim.

“These threat actors are notably sophisticated and well-equipped. Looking deeper into the new methods the group uses, we found that it has an arsenal of tools capable of assessing and then compromising its targets while remaining under the radar,” Trend Micro added.

Related: Chinese Hackers Target Air-Gapped Military Networks

Related: Chinese, Iranian State Hackers Exploiting Log4j Flaw: Mandiant

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
