Threat Intelligence Tarot
Vol. II · 115
China-aligned
G0081
risk 3/5
The Strait Watcher
Tropic Trooper
KeyBoy · Pirate Panda · Earth Centaur
Targets: Taiwan government · Philippines military · Hong Kong · Transportation sector · Healthcare
Active since ~2011 · Cross-strait intelligence, Regional surveillance
The Strait Watcher counts ships. It counts cargo manifests, port schedules, and the names on military rosters. When the strait warms, it already knows where every ferry was at noon.
Tactics & Techniques
  • T1566.001 Spearphishing Attachment (Initial Access)
  • T1203 Exploitation for Client Execution (Execution)
  • T1547.001 Registry Run Keys (Persistence)
  • T1027 Obfuscated Files or Information (Defense Evasion)
  • T1071.001 Web Protocols (Command and Control)
  • T1025 Data from Removable Media (Collection)
Notable Operations
  • KeyBoy malware family against Taiwan government
  • USB-based traversal of air-gapped Taiwanese defense networks
  • Philippines military targeting via document lures
  • Transportation and healthcare campaigns (Trend Micro disclosure 2021)
Defenses
  • USB device control on cross-strait defense networks (CIS Control 10)
  • Document attachment sandboxing with VBA macro analysis (CIS Control 9)
  • Strait-region SOC threat sharing partnerships (NIST CSF: ID.RA)
  • Endpoint detection tuned to KeyBoy and Tropic Trooper IOCs (MITRE D3FEND)
Reversed: Their Weakness
Cross-strait defensive coordination between Taiwan's NICST and allied SOCs blunts the watcher's edge. Shared indicators travel faster than the next campaign.
Data sourced from MITRE ATT&CK. For educational purposes.