EntryShell
EntryShell is a custom backdoor associated with the China-linked threat actor Tropic Trooper (also tracked as APT23, Earth Centaur, KeyBoy, Pirate Panda, and Bronze Hobart). Reporting states it is an older, known Tropic Trooper tool and was observed hosted on staging server 158.247.193[.]100 alongside other Tropic Trooper-associated tooling, including Cobalt Strike Beacon carrying the group’s signature watermark "520." Its presence on the same infrastructure was cited as supporting attribution of related campaigns to Tropic Trooper. In the referenced activity, Tropic Trooper targeted Chinese-speaking individuals, primarily in Taiwan, as well as victims in Japan and South Korea, using military-themed lure documents and a trojanized SumatraPDF infection chain that deployed other payloads such as AdaptixC2 Beacon and abused VS Code tunnels for remote access. EntryShell itself is only described in the provided content as a custom backdoor previously used by Tropic Trooper; no additional high-confidence details on its infection vector, internal functionality, persistence, or command-and-control behavior are provided. One report notes the staging server hosted the EntryShell backdoor using the AES-128 ECB key "afkngaikfaf."
Groups observed using it
1 distinct threat actor attributed by public researchers.
The staging server has also hosted Cobalt Strike Beacon and a custom backdoor, EntryShell, previously used by Tropic Trooper.
Techniques & procedures
3 distinct techniques documented for this family, organized by ATT&CK tactic.
Stealth
1 technique
TOSHIS loader then retrieves a second-stage shellcode from the same IP address, decrypts it using AES-128 CBC with WinCrypt cryptographic functions... The agent decodes its Base64-encoded contents... Each task in the queue is decrypted using the RC4 session key
Command and Control
2 techniques
TOSHIS loader downloads the PDF decoy from 58.247.193[.]100... TOSHIS loader then retrieves a second-stage shellcode from the same IP address...
We decrypted these and found new malware... Merlin Agent and Apollo Agent, which are Go-based remote access Trojans (RATs) that are part of the Mythics Agents open source C2 framework; and C6DOOR, a simple [custom] backdoor compiled with Go.
IOCs tracked for this family
1 indicator attributed across vendor reports, sandbox runs, and researcher write-ups.
IPs, domains, and DNS infrastructure linked to this family.
Recent activity
6 sources tracked across advisories, community write-ups, and news.
A custom backdoor hosted on the staging server and previously used by Tropic Trooper.
A custom backdoor observed on the staging server and previously used by Tropic Trooper.
An older known backdoor still used by Tropic Trooper.
A backdoor associated in the article with Tropic Trooper tooling and found on the staging server used in this campaign.