Yahoyah is a Trojan used by Tropic Trooper as a second-stage backdoor.[1]

ID: S0388
Platforms: Windows
Contributors: Bart Parys
Version: 1.0
Created: 17 June 2019
Last Modified: 30 June 2019

Techniques Used

| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | Yahoyah decrypts downloaded files before execution.[1] |
| Enterprise | T1027 | Obfuscated Files or Information | Yahoyah encrypts its configuration file using a simple algorithm.[1] |
| Enterprise | T1105 | Remote File Copy | Yahoyah uses HTTP GET requests to download other files that are executed in memory.[1] |
| Enterprise | T1063 | Security Software Discovery | Yahoyah checks for antimalware solution processes on the system.[1] |
| Enterprise | T1071 | Standard Application Layer Protocol | Yahoyah uses HTTP for C2.[1] |
| Enterprise | T1082 | System Information Discovery | Yahoyah checks for the system's Windows OS version and hostname.[1] |

Groups That Use This Software

| ID | Name | References |
|---|---|---|
| G0081 | Tropic Trooper | [1] |