Tropic Trooper hides AdaptixC2 in trojanized SumatraPDF
Tropic Trooper used a backdoored SumatraPDF to deploy AdaptixC2, use GitHub for C2, and abuse VS Code tunnels to access users in Taiwan, South Korea and Japan.
Zscaler ThreatLabz researchers discovered the campaign last month and attributed it with high confidence to Tropic Trooper, a group tracked since at least 2011 and also known as APT23, Earth Centaur, KeyBoy and Pirate Panda. The intrusions targeted Chinese-speaking users in Taiwan as well as users in South Korea and Japan.
The attack starts with a ZIP archive containing military-themed document lures that launch a trojanized SumatraPDF executable. The backdoored reader opens a decoy PDF while contacting a staging server to download encrypted shellcode.
The shellcode loads a modified loader called TOSHIS, a variant of Xiangoop previously linked to Tropic Trooper. TOSHIS drops the AdaptixC2 Beacon and leaves the lure document visible to distract victims while the beacon runs in the background.
The AdaptixC2 Beacon uses GitHub repositories as its command-and-control channel. Zscaler wrote: “The threat actors created a custom AdaptixC2 Beacon listener, leveraging GitHub as their command-and-control (C2) platform.” Attackers assess infected systems and, when a device is deemed worth further access, install Microsoft Visual Studio Code and configure VS Code tunnels to enable remote connections.
On some compromised machines operators installed alternative trojanized applications instead of or alongside the backdoored SumatraPDF, likely to blend malicious activity with legitimate software on the host. Zscaler noted reuse of infrastructure and tooling seen in earlier Tropic Trooper operations.
The staging server identified in the intrusions, 158.247.193[.]100, has previously hosted Cobalt Strike Beacon and a custom backdoor called EntryShell tied to the group. Zscaler observed that while the actor used Cobalt Strike and components of the Mythic framework in the past, the current activity makes use of AdaptixC2 and custom loaders.
Zscaler recommended monitoring for unexpected launches of SumatraPDF from archived files, unusual GitHub requests from endpoints, new appearances of VS Code in environments where it is not normally used, and connections to the identified staging infrastructure.
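The four hunting points above, turned into a small detection routine over constructed endpoint telemetry. This is an added example, not code from Zscaler's report: the event record format, the allowlist of processes expected to reach GitHub, the archive-extraction path pattern and the assumption that tunnels are started with the `code tunnel` CLI are all assumptions of the example.

```python
import re

# Staging server named in the report, written without the defanging brackets
STAGING_SERVER = "158.247.193.100"

# Processes normally expected to talk to GitHub on a workstation (assumption)
GITHUB_ALLOWED_IMAGES = {"git.exe", "chrome.exe", "msedge.exe", "firefox.exe"}

# Paths where archive tools unpack files before the user double-clicks them (assumption)
ARCHIVE_TEMP_RE = re.compile(r"\\(?:temp|tmp)\\|rar\$|7z[a-z0-9]*\\", re.I)


def image_name(path):
    """Lower-cased file name of a Windows image path."""
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Apply the hunting rules to constructed telemetry dicts.

    Each event has: kind ("process" or "network"), image (full path),
    and either cmdline (process) or dest (network host name or IP)."""
    hits = []
    for ev in events:
        name = image_name(ev["image"])
        if ev["kind"] == "process":
            if name == "sumatrapdf.exe" and ARCHIVE_TEMP_RE.search(ev["image"]):
                hits.append(("sumatra_from_archive", ev["image"]))
            # Assumption: tunnels are set up via the `code tunnel` command line
            if name in ("code.exe", "code") and "tunnel" in ev.get("cmdline", "").lower():
                hits.append(("vscode_tunnel", ev["cmdline"]))
        elif ev["kind"] == "network":
            dest = ev["dest"].lower()
            if dest == STAGING_SERVER:
                hits.append(("staging_server_contact", name))
            if dest.endswith("github.com") and name not in GITHUB_ALLOWED_IMAGES:
                hits.append(("unusual_github_client", name))
    return hits


# Constructed sample telemetry, not real logs from the intrusions
TMP_SUMATRA = r"C:\Users\victim\AppData\Local\Temp\Rar$EXa1234\SumatraPDF.exe"
SAMPLE_EVENTS = [
    {"kind": "process", "image": TMP_SUMATRA, "cmdline": "SumatraPDF.exe exercise_plan.pdf"},
    {"kind": "network", "image": TMP_SUMATRA, "dest": STAGING_SERVER},
    {"kind": "network", "image": TMP_SUMATRA, "dest": "api.github.com"},
    {"kind": "process", "image": r"C:\Users\victim\AppData\Local\Programs\Microsoft VS Code\Code.exe",
     "cmdline": "code tunnel"},
    {"kind": "process", "image": r"C:\Program Files\SumatraPDF\SumatraPDF.exe",
     "cmdline": "SumatraPDF.exe report.pdf"},
    {"kind": "network", "image": r"C:\Program Files\Git\cmd\git.exe", "dest": "github.com"},
]

if __name__ == "__main__":
    for rule, detail in detect(SAMPLE_EVENTS):
        print(f"{rule}: {detail}")
```

The last two sample events (a normally installed SumatraPDF and git.exe reaching GitHub) produce no hits, which is the baseline these rules are meant to leave quiet.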