win.tropidoor

Tropidoor

Actor(s): WageMole


Tropidoor is an advanced HTTP/S Remote Access Trojan (RAT) written as a C project, which exhibits significant code overlap with the PostNapTea RAT. In November 2024, it was deployed in campaigns targeting developers via fake recruiters as part of a social engineering campaign distributing trojanized open-source projects on platforms like Bitbucket. It is a final-stage payload in a multi-stage execution chain, which also deployed an obfuscated BeaverTail malware.

The RAT uses RSA and AES for encryption and decryption of network traffic. Communication with the C2 uses specific HTTP POST parameters, including tropi2p, gumi, s_width, and letter, with the first parameter loosely inspiring its code name. It stores its configuration in a binary format and resolves required Windows APIs during runtime via the Fowler–Noll–Vo (FNV) hash function. Many of its characteristic strings are XOR encrypted.
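The page states only that required APIs are resolved at runtime through an FNV hash; it does not say which variant (FNV-1 or FNV-1a, 32- or 64-bit) is used. The helper below is an added analyst example, not Tropidoor's own code: it precomputes all four variants over a constructed list of export names so that a hash recovered from a sample can be matched back to an API name.

```python
"""Constructed analyst helper for resolving FNV-hashed API names.

Not code from Tropidoor or from the page. The FNV variant used by the
sample is not given on the page, so all four common variants are emitted.
SAMPLE_EXPORTS is a constructed stand-in for names read from a DLL's
export table.
"""

# (offset basis, prime, mask) for the 32- and 64-bit FNV families.
FNV_PARAMS = {
    32: (0x811C9DC5, 0x01000193, 0xFFFFFFFF),
    64: (0xCBF29CE484222325, 0x00000100000001B3, 0xFFFFFFFFFFFFFFFF),
}


def fnv1(data: bytes, bits: int = 32) -> int:
    """FNV-1: multiply by the prime, then XOR in each byte."""
    h, prime, mask = FNV_PARAMS[bits]
    for b in data:
        h = (h * prime) & mask
        h ^= b
    return h


def fnv1a(data: bytes, bits: int = 32) -> int:
    """FNV-1a: XOR in each byte, then multiply by the prime."""
    h, prime, mask = FNV_PARAMS[bits]
    for b in data:
        h ^= b
        h = (h * prime) & mask
    return h


# Constructed sample of export names; a real run would read them from DLLs.
SAMPLE_EXPORTS = ["CreateFileW", "InternetOpenW", "HttpSendRequestW", "VirtualAlloc"]


def build_hash_table(names):
    """Map (variant, bits, hash) -> API name for every FNV variant."""
    table = {}
    for name in names:
        raw = name.encode("ascii")
        for bits in (32, 64):
            table[("fnv1", bits, fnv1(raw, bits))] = name
            table[("fnv1a", bits, fnv1a(raw, bits))] = name
    return table


def resolve(hash_value: int, table):
    """Return every (variant, bits, name) whose hash equals hash_value."""
    return [(v, b, n) for (v, b, h), n in table.items() if h == hash_value]
```

Matching a recovered hash against all four variants also tells the analyst which FNV flavour the sample uses, which then narrows further lookups.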

A key technical feature is its custom implementation of various Windows administrative and reconnaissance commands. By implementing this functionality internally, the RAT avoids executing the legitimate Windows binaries, so its command execution produces no child-process telemetry for behavioral monitoring tools to flag. Custom-implemented commands include functionality equivalent to standard utilities such as:

arp
dir
ipconfig
kill
net
netsh
netstat
nslookup
ping
reg
rm
sc
schtasks
systeminfo
tracert
wmic logicaldisk
wmic process

References
2025-09-25 | Virus Bulletin | Matěj Havránek, Peter Kálnai
DeceptiveDevelopment: From primitive crypto theft to sophisticated AI-based deception
Families covered: BeaverTail, OtterCookie, InvisibleFerret, PylangGhost, AkdoorTea, GolangGhost, Tropidoor, TsunamiKit

2025-09-25 | ESET Research | Matěj Havránek, Peter Kálnai
DeceptiveDevelopment: From primitive crypto theft to sophisticated AI-based deception
Families covered: BeaverTail, OtterCookie, InvisibleFerret, PylangGhost, AkdoorTea, GolangGhost, Tropidoor, TsunamiKit

2025-04-02 | ASEC | ASEC
BeaverTail and Tropidoor Malware Distributed via Recruitment Emails
Families covered: BeaverTail, Tropidoor
Yara Rules
[TLP:WHITE] win_tropidoor_auto (20260504 | Detects win.tropidoor.)
rule win_tropidoor_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.tropidoor."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.tropidoor"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 75f6 488d95e0010000 488bce e8???????? 488d0d90330900 ff15???????? 4c8bf0 }
            // n = 7, score = 100
            //   75f6                 | je                  0xec9
            //   488d95e0010000       | mov                 edx, 0x58
            //   488bce               | dec                 eax
            //   e8????????           |                     
            //   488d0d90330900       | lea                 eax, [0x87fd8]
            //   ff15????????         |                     
            //   4c8bf0               | dec                 eax

        $sequence_1 = { 48c7c3ffffffff 488945a0 e9???????? 498b06 48c7c3ffffffff 488945a8 e9???????? }
            // n = 7, score = 100
            //   48c7c3ffffffff       | lea                 edx, [ebp - 0x38]
            //   488945a0             | je                  0xf01
            //   e9????????           |                     
            //   498b06               | sub                 eax, 1
            //   48c7c3ffffffff       | je                  0xf43
            //   488945a8             | cmp                 eax, 1
            //   e9????????           |                     

        $sequence_2 = { 66314c458a 48ffc0 4883f817 7306 0fb74d88 ebec 488b05???????? }
            // n = 7, score = 100
            //   66314c458a           | mov                 ebp, edx
            //   48ffc0               | dec                 eax
            //   4883f817             | mov                 esi, ecx
            //   7306                 | inc                 ebp
            //   0fb74d88             | mov                 esi, edi
            //   ebec                 | dec                 ecx
            //   488b05????????       |                     

        $sequence_3 = { ffd0 85c0 743f 4c8d054beb0800 488d85100f0000 6683bd100f000000 4c0f45c0 }
            // n = 7, score = 100
            //   ffd0                 | dec                 eax
            //   85c0                 | mov                 ecx, dword ptr [ebp + 0x2f]
            //   743f                 | dec                 eax
            //   4c8d054beb0800       | xor                 ecx, esp
            //   488d85100f0000       | dec                 esp
            //   6683bd100f000000     | lea                 ebx, [esp + 0xe0]
            //   4c0f45c0             | dec                 ecx

        $sequence_4 = { c74424605d005700 c744246475006700 c744246874005000 c744246c63006f00 c744247067005f00 6689742474 0fb705???????? }
            // n = 7, score = 100
            //   c74424605d005700     | je                  0x388
            //   c744246475006700     | dec                 eax
            //   c744246874005000     | lea                 ecx, [ebp + 0x28]
            //   c744246c63006f00     | dec                 eax
            //   c744247067005f00     | cmp                 dword ptr [ebp + 0x40], 0x10
            //   6689742474           | dec                 ecx
            //   0fb705????????       |                     

        $sequence_5 = { 488b4c2440 488d4590 4889442428 4c8d4d94 488d85f0030000 4533c0 488d159f440900 }
            // n = 7, score = 100
            //   488b4c2440           | mov                 dword ptr [ebp + 0x40], esi
            //   488d4590             | mov                 word ptr [ebp + 0x30], si
            //   4889442428           | dec                 eax
            //   4c8d4d94             | lea                 ebx, [ecx + 4]
            //   488d85f0030000       | dec                 eax
            //   4533c0               | lea                 edx, [ebp + 0x110]
            //   488d159f440900       | dec                 esp

        $sequence_6 = { 48895c2448 4d8bf1 498bf0 448bfb 4c8d6bff f30f7f442450 4c8b642450 }
            // n = 7, score = 100
            //   48895c2448           | inc                 ecx
            //   4d8bf1               | mov                 eax, 0x38
            //   498bf0               | inc                 ecx
            //   448bfb               | mov                 eax, 4
            //   4c8d6bff             | dec                 eax
            //   f30f7f442450         | lea                 edx, [0xa316d]
            //   4c8b642450           | dec                 ecx

        $sequence_7 = { ffd0 85c0 7418 0f104558 0f1186a8000000 f20f104d68 f20f118eb8000000 }
            // n = 7, score = 100
            //   ffd0                 | xor                 ecx, esp
            //   85c0                 | dec                 esp
            //   7418                 | lea                 ebx, [esp + 0xe0]
            //   0f104558             | dec                 ecx
            //   0f1186a8000000       | mov                 ebx, dword ptr [ebx + 0x30]
            //   f20f104d68           | dec                 ecx
            //   f20f118eb8000000     | mov                 esi, dword ptr [ebx + 0x38]

        $sequence_8 = { e8???????? 42c6043300 eb13 4c89742420 4d8bcf 498bd6 488bce }
            // n = 7, score = 100
            //   e8????????           |                     
            //   42c6043300           | js                  0x747
            //   eb13                 | dec                 eax
            //   4c89742420           | mov                 ecx, dword ptr [ebp - 0x78]
            //   4d8bcf               | dec                 eax
            //   498bd6               | mov                 eax, dword ptr [ecx]
            //   488bce               | dec                 eax

        $sequence_9 = { 0f8446010000 4889742440 488d85b0030000 4489642438 4c8d85a0010000 488d4d90 4889442420 }
            // n = 7, score = 100
            //   0f8446010000         | mov                 eax, dword ptr [ecx]
            //   4889742440           | call                dword ptr [eax + 0x38]
            //   488d85b0030000       | test                eax, eax
            //   4489642438           | jns                 0x1441
            //   4c8d85a0010000       | dec                 eax
            //   488d4d90             | mov                 ecx, dword ptr [esp + 0x30]
            //   4889442420           | dec                 ecx

    condition:
        7 of them and filesize < 1826816
}