Skip to content


YAHOYAH is a Trojan used by Tropic Trooper as a second-stage backdoor.1

Item Value
ID S0388
Associated Names
Version 1.1
Created 17 June 2019
Last Modified 23 March 2023
Navigation Layer View In ATT&CK® Navigator

Techniques Used

Domain ID Name Use
enterprise T1071 Application Layer Protocol -
enterprise T1071.001 Web Protocols YAHOYAH uses HTTP for C2.1
enterprise T1140 Deobfuscate/Decode Files or Information YAHOYAH decrypts downloaded files before execution.1
enterprise T1105 Ingress Tool Transfer YAHOYAH uses HTTP GET requests to download other files that are executed in memory.1
enterprise T1027 Obfuscated Files or Information YAHOYAH encrypts its configuration file using a simple algorithm.1
enterprise T1518 Software Discovery -
enterprise T1518.001 Security Software Discovery YAHOYAH checks for antimalware solution processes on the system.1
enterprise T1082 System Information Discovery YAHOYAH checks for the system’s Windows OS version and hostname.1

Groups That Use This Software

ID Name References
G0081 Tropic Trooper 1