
Tropidoor Backdoor

Tropidoor is malware classified as a backdoor: a program that gives an attacker covert, unauthorized remote access to a compromised system. Backdoors are commonly used to download and install additional malicious components as well, which is what turns a single foothold into a more severe intrusion.

Tropidoor’s Connection to BeaverTail and North Korean Threat Actors

Tropidoor has been observed in cyberattack campaigns alongside a downloader and another piece of malware called BeaverTail. BeaverTail is attributed to North Korean threat actors and has been used to target software developers, particularly in South Korea.

How Tropidoor is Delivered: Recruitment-Themed Phishing Campaigns

The attackers have distributed Tropidoor using recruitment-themed phishing emails. These fraudulent messages impersonated job offers from the DEV Community (dev.to) and contained links to a BitBucket repository hosting malicious code. The repository included BeaverTail and the downloader that ultimately executes Tropidoor.

Beyond DEV Community: LinkedIn and Other Attack Vectors

BeaverTail has been widely spread through phishing campaigns on LinkedIn, using fake job offers as bait. While these campaigns have targeted users worldwide, the majority of victims appear to be in South Korea.

Malware Distribution Tactics: Phishing, Malvertising and More

Beyond the targeted campaigns described above, malware of this kind is commonly distributed through:

  • Phishing emails with unsafe attachments or links
  • Drive-by downloads from compromised websites
  • Malvertising (unsafe advertisements that trigger downloads)
  • Untrustworthy software sources, such as freeware sites and P2P networks
  • Pirated software and illegal activation tools (cracks)
  • Fake software updates
  • Self-spreading mechanisms using local networks or USB drives

BitBucket Deception: The Phishing Tactic

Another phishing attempt involved emails impersonating a company called AutoSquare. Victims were directed to clone a BitBucket project, which contained an npm package housing both BeaverTail and a DLL downloader disguised as car.dll. The downloader was launched by BeaverTail, which is itself a JavaScript-based stealer and loader, so simply building or installing the cloned project was enough to start the infection chain.

Tropidoor’s Capabilities: A Powerful Cyberweapon

Once launched by the downloader, Tropidoor runs in memory and takes tasking from its command-and-control (C2) server. That tasking lets it:

  • Gather system information (device name, OS details, hardware info)
  • Manage files (search, delete, download, collect)
  • Execute and terminate processes
  • Capture screenshots
  • Inject malicious code into running processes
  • Load and execute payloads in memory

An Evolving Threat: The Future of Tropidoor

Malware developers frequently enhance their tools, and future versions of Tropidoor could add new functionality or change the behaviors described here. Defenders should therefore treat the capability list above as a snapshot rather than a fixed signature and keep watching for updated variants.

The Lazarus Group Connection: A Familiar Tactic

Tropidoor shares similarities with LightlessCan, a backdoor used by the Lazarus Group, a North Korean state-aligned hacking organization, and the successor to that group's earlier BLINDINGCAN (aka AIRDRY or ZetaNile) malware. Like LightlessCan, Tropidoor implements the functionality of Windows commands such as schtasks, ping and reg inside its own code instead of spawning the corresponding console utilities. Tasks such as scheduling persistence or editing the registry therefore produce no separate child process, which removes the process-creation events that endpoint tools commonly alert on and lets the activity blend in with the host process.

Protect Yourself: Staying Safe from Tropidoor Attacks

To lessen the risk of infection, users and, in particular, developers should:

  • Be cautious with email attachments and links, especially unsolicited job offers
  • Treat code repositories sent as part of a recruitment process as untrusted: review package.json install hooks and any bundled binaries before running npm install or a build
  • Avoid downloading software from unverified sources
  • Keep operating systems and software patched and up to date
  • Use strong, unique passwords
  • Employ reputable anti-malware and endpoint protection tools
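The repository-audit step suggested above and the AutoSquare npm lure described earlier can be turned into a concrete pre-install check. The following script is an added example, not code from the original page or from the research it summarizes: it walks a cloned checkout, lists npm lifecycle hooks that would run on npm install, bundled native binaries (such as a stray car.dll), and JavaScript that spawns processes, and flags the combination for manual review. The heuristics, the function names audit_repo and is_suspicious, and the sample repository it builds in a temporary directory are all assumptions for illustration, not indicators published for Tropidoor.

```python
import json
import os
import re
import tempfile
from pathlib import Path

# Heuristics chosen for this example (assumptions, not published Tropidoor indicators).
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare", "prepublish")
NATIVE_EXTENSIONS = {".dll", ".exe", ".node", ".so", ".dylib"}
SCRIPT_EXTENSIONS = {".js", ".cjs", ".mjs", ".ts"}
SPAWN_PATTERNS = re.compile(
    r"child_process|\bexec(?:Sync|File)?\s*\(|\bspawn(?:Sync)?\s*\(|rundll32|regsvr32",
    re.IGNORECASE,
)
SKIP_DIRS = {"node_modules", ".git"}


def audit_repo(root):
    """Walk a checked-out repository and collect three kinds of findings:
    install-time hooks in any package.json, bundled native binaries, and
    script lines that spawn processes. Returns a dict of lists."""
    root = Path(root)
    findings = {"lifecycle_scripts": [], "native_binaries": [], "process_spawns": []}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in SKIP_DIRS]
        for name in filenames:
            path = Path(dirpath) / name
            rel = path.relative_to(root).as_posix()
            if name == "package.json":
                try:
                    scripts = json.loads(path.read_text(encoding="utf-8")).get("scripts", {})
                except (json.JSONDecodeError, UnicodeDecodeError, OSError):
                    continue
                for hook in LIFECYCLE_HOOKS:
                    if hook in scripts:
                        findings["lifecycle_scripts"].append((rel, hook, scripts[hook]))
            suffix = path.suffix.lower()
            if suffix in NATIVE_EXTENSIONS:
                findings["native_binaries"].append(rel)
            if suffix in SCRIPT_EXTENSIONS:
                try:
                    text = path.read_text(encoding="utf-8", errors="replace")
                except OSError:
                    continue
                for lineno, line in enumerate(text.splitlines(), 1):
                    if SPAWN_PATTERNS.search(line):
                        findings["process_spawns"].append((rel, lineno, line.strip()))
    return findings


def is_suspicious(findings):
    """A checkout that runs code at install time AND ships a native binary or
    spawns processes from script deserves manual review before `npm install`."""
    return bool(findings["lifecycle_scripts"]) and bool(
        findings["native_binaries"] or findings["process_spawns"]
    )


def build_sample_repo():
    """Constructed sample checkout, not the real malicious repository: a
    postinstall hook, a loader script that calls rundll32, a placeholder DLL
    named like the car.dll lure, and one benign file."""
    root = Path(tempfile.mkdtemp(prefix="repo-audit-"))
    (root / "package.json").write_text(json.dumps({
        "name": "demo-app",
        "version": "1.0.0",
        "scripts": {"postinstall": "node setup.js", "start": "node index.js"},
    }), encoding="utf-8")
    (root / "setup.js").write_text(
        "const { execSync } = require('child_process');\n"
        "execSync('rundll32.exe car.dll,Run');  // hypothetical export name\n",
        encoding="utf-8",
    )
    (root / "car.dll").write_bytes(b"MZ" + b"\x00" * 62)  # placeholder, not a real PE
    (root / "index.js").write_text("console.log('hello');\n", encoding="utf-8")
    return root


if __name__ == "__main__":
    repo = build_sample_repo()
    result = audit_repo(repo)
    for kind, items in result.items():
        for item in items:
            print(f"[{kind}] {item}")
    print("verdict:", "REVIEW BEFORE INSTALL" if is_suspicious(result) else "no red flags")
```

Run it against a real checkout with audit_repo("/path/to/clone"). A hit on the hook-plus-binary or hook-plus-spawn combination is not proof of malware, but it is exactly the pattern of the BitBucket lure above and is worth reading by hand before anything executes.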

By staying alert and following cybersecurity best practices, individuals and organizations can better defend against sophisticated threats like Tropidoor.
