Tropic Trooper employs a multi-stage attack flow:
- Initial Access: Exploiting vulnerabilities in public-facing applications (like Microsoft Exchange Server) or sending spearphishing emails with malicious attachments.
- Persistence: Establishing persistent access using web shells (like “ByPassGodzilla”) and malware (like “Yahoyah” and “ChinaChopper”).
- Privilege Escalation: Utilizing DLL side-loading and exploiting system services to gain higher privileges.
- Lateral Movement: Moving laterally within the network using SMB shares and remote services.
- Data Exfiltration: Exfiltrating data to cloud storage or using other automated methods.