Investigation of a malware campaign targeting the Tibetan community and discussion of the challenges in analyzing closed espionage ecosystems.

In this report we track a malware operation targeting members of the Tibetan Parliament that used known and patched exploits to deliver a custom backdoor known as KeyBoy. We analyze multiple versions of KeyBoy revealing a development cycle focused on avoiding basic antivirus detection.