Tropic Trooper Uses Trojanized SumatraPDF and GitHub to Deploy AdaptixC2
A new campaign attributed to the Chinese-speaking threat group Tropic Trooper uses a trojanized SumatraPDF reader to deliver the AdaptixC2 Beacon, leveraging GitHub for command-and-control and VS Code tunnels for remote access.

Chinese-speaking individuals in Taiwan, South Korea, and Japan are the targets of a sophisticated new campaign that weaponizes a trojanized version of the popular SumatraPDF reader to deploy the AdaptixC2 Beacon post-exploitation agent. Discovered by Zscaler ThreatLabz, the operation has been attributed with high confidence to Tropic Trooper (also known as APT23, Earth Centaur, KeyBoy, and Pirate Panda), a hacking group active since at least 2011 that has historically targeted entities in Taiwan, Hong Kong, and the Philippines.
The attack chain begins with a ZIP archive containing military-themed document lures. When opened, the archive launches a rogue version of SumatraPDF, which displays a decoy PDF document to the victim. In the background, the trojanized executable retrieves encrypted shellcode from a staging server at 158.247.193[.]100, ultimately launching the AdaptixC2 Beacon. To accomplish this, the backdoored SumatraPDF runs a slightly modified version of a loader codenamed TOSHIS, a variant of the Xiangoop malware previously linked to Tropic Trooper.
TOSHIS has been used in past campaigns to fetch next-stage payloads such as Cobalt Strike Beacon or the Merlin agent for the Mythic framework. In this campaign, the loader drives a multi-stage attack, dropping the lure document as a distraction while loading the AdaptixC2 Beacon agent in the background. The agent then uses GitHub as its command-and-control (C2) platform, polling GitHub to fetch tasks to execute on the compromised host and hiding its traffic among ordinary developer activity.
"The threat actors created a custom AdaptixC2 Beacon listener, leveraging GitHub as their command-and-control (C2) platform," Zscaler ThreatLabz security researcher Yin Hong Chang said in an analysis. The attack only progresses to the next stage when the victim is deemed valuable, at which point the threat actor deploys Visual Studio Code and sets up VS Code tunnels for persistent remote access. On select machines, the threat actor has also been found to install alternative, trojanized applications to better camouflage their actions.
The staging server involved in the intrusion has been observed hosting a Cobalt Strike Beacon and a custom backdoor called EntryShell, both previously used by Tropic Trooper, which supports the attribution. The move to AdaptixC2 represents an evolution in the group's toolset. "Similar to the TAOTH campaign, publicly available backdoors are used as payloads," Zscaler noted. "While Cobalt Strike Beacon and Mythic Merlin were previously used, the threat actor has now shifted to AdaptixC2."
The campaign underscores the continued evolution of Tropic Trooper's tactics, particularly the adoption of legitimate platforms such as GitHub and VS Code tunnels for C2 and remote access. Because both services are widely used by developers and served over TLS to reputable domains, their traffic rarely trips network-layer controls, so detection has to key on which process is talking and how often. Organizations in the targeted regions should monitor for anomalous GitHub beaconing activity and unauthorized VS Code tunnel creation, and ensure that SumatraPDF and other commonly used tools are obtained only from official sources.
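The two detections the paragraph above calls for, written out as an added example (this is not Zscaler's detection content and not anything from the campaign itself). It runs over a handful of constructed, Sysmon-like events (process creation and DNS query records with simplified field names); the GitHub domain list, the allow-list of processes expected to reach GitHub, and the set of hosts where tunnels are sanctioned are all assumptions to be tuned per environment. The VS Code tunnel check keys on the documented `code tunnel` CLI invocation, and the GitHub check flags any non-allow-listed process that repeatedly resolves GitHub hostnames, which is the pattern a polling beacon produces.

```python
"""Toy detection pass for (1) VS Code tunnel creation on hosts where it is not
sanctioned and (2) processes that repeatedly resolve GitHub hostnames without
being a browser, git client, or editor. Added illustration; the events below
are constructed and the field names are simplified Sysmon-style records."""
import json
from collections import defaultdict

# Constructed sample telemetry. id 1 = process creation, id 22 = DNS query.
SAMPLE_EVENTS = [
    {"id": 1, "host": "ws01", "pid": 4101,
     "image": r"C:\Users\u\Downloads\SumatraPDF.exe",
     "cmdline": r'"C:\Users\u\Downloads\SumatraPDF.exe" brief.pdf'},
    {"id": 22, "host": "ws01", "pid": 4101,
     "image": r"C:\Users\u\Downloads\SumatraPDF.exe", "query": "api.github.com"},
    {"id": 22, "host": "ws01", "pid": 4101,
     "image": r"C:\Users\u\Downloads\SumatraPDF.exe", "query": "api.github.com"},
    {"id": 22, "host": "ws01", "pid": 4101,
     "image": r"C:\Users\u\Downloads\SumatraPDF.exe", "query": "raw.githubusercontent.com"},
    {"id": 1, "host": "ws01", "pid": 4188,
     "image": r"C:\Users\u\AppData\Local\Programs\Microsoft VS Code\code.exe",
     "cmdline": '"code.exe" tunnel --accept-server-license-terms --name ws01'},
    {"id": 1, "host": "dev03", "pid": 900,
     "image": r"C:\Program Files\Git\cmd\git.exe", "cmdline": "git fetch origin"},
    {"id": 22, "host": "dev03", "pid": 900,
     "image": r"C:\Program Files\Git\cmd\git.exe", "query": "github.com"},
    {"id": 22, "host": "dev03", "pid": 1200,
     "image": r"C:\Program Files\Mozilla Firefox\firefox.exe", "query": "api.github.com"},
]

# Assumptions: hostnames a GitHub-backed C2 channel would need, the processes
# expected to contact them on a workstation, and hosts allowed to open tunnels.
GITHUB_DOMAINS = {"github.com", "api.github.com",
                  "raw.githubusercontent.com", "objects.githubusercontent.com"}
GITHUB_ALLOWED_IMAGES = {"git.exe", "gh.exe", "code.exe",
                         "firefox.exe", "chrome.exe", "msedge.exe"}
TUNNEL_ALLOWED_HOSTS = {"dev03"}
# VS Code CLI binaries that can start a tunnel with the `tunnel` subcommand.
VSCODE_IMAGES = {"code.exe", "code-tunnel.exe", "code"}


def basename(path):
    """Lower-cased file name regardless of path separator."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def detect_vscode_tunnels(events):
    """Flag `code tunnel ...` launches on hosts not allowed to run tunnels."""
    hits = []
    for e in events:
        if e["id"] != 1 or basename(e["image"]) not in VSCODE_IMAGES:
            continue
        # Look at arguments only, so a file named tunnel.txt opened in the
        # editor is not mistaken for the tunnel subcommand.
        args = [t.lower() for t in e["cmdline"].split()[1:]]
        if "tunnel" in args and e["host"] not in TUNNEL_ALLOWED_HOSTS:
            hits.append({"rule": "vscode_tunnel", "host": e["host"],
                         "pid": e["pid"], "cmdline": e["cmdline"]})
    return hits


def detect_github_beacons(events, min_queries=2):
    """Flag non-allow-listed processes resolving GitHub hosts repeatedly."""
    counts = defaultdict(int)
    for e in events:
        if e["id"] != 22 or e["query"].lower() not in GITHUB_DOMAINS:
            continue
        img = basename(e["image"])
        if img in GITHUB_ALLOWED_IMAGES:
            continue
        counts[(e["host"], e["pid"], img)] += 1
    return [{"rule": "github_beacon", "host": h, "pid": p, "image": img, "queries": n}
            for (h, p, img), n in counts.items() if n >= min_queries]


def run(events):
    """Return all findings for an event batch."""
    return detect_vscode_tunnels(events) + detect_github_beacons(events)


if __name__ == "__main__":
    print(json.dumps(run(SAMPLE_EVENTS), indent=2))
```

In the sample batch the rogue SumatraPDF process on ws01 is reported for three GitHub lookups while git.exe and firefox.exe on dev03 are not, and the `code.exe tunnel` launch on ws01 is reported because only dev03 is allow-listed. Raising `min_queries` and adding a time window is the obvious next step for real telemetry, since a single DNS lookup is not a beacon.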