Tropic Trooper Uses Trojanized SumatraPDF and GitHub to Deploy AdaptixC2

Tropic Trooper Uses Trojanized SumatraPDF and GitHub to Deploy AdaptixC2 Ravie LakshmananApr 24, 2026Malware / Threat Intelligence Chinese-speaking individuals are the target of a new campaign that uses a trojanized version of SumatraPDF reader to deploy the AdaptixC2 Beacon post-exploitation agent and ultimately facilitate the abuse of Microsoft Visual Studio Code (VS Code) tunnels for remote access. Zscaler ThreatLabz, which discovered the campaign last month, has attributed it with high confidence to Tropic Trooper (aka APT23, Earth Centaur, KeyBoy, and Pirate Panda), a hacking group known for its targeting of various entities in Taiwan, Hong Kong, and the Philippines. It's assessed to be active since at least 2011. "The threat actors created a custom AdaptixC2 Beacon listener, leveraging GitHub as their command-and-control (C2) platform," security researcher Yin Hong Chang said in an analysis. It's believed that Chinese-speaking individuals in Taiwan, and individuals in South Korea and Japan, are the targets of the campaign. The starting point of the attack is a ZIP archive containing military-themed document lures to launch the rogue version of SumatraPDF, which is then used to display a decoy PDF document, while simultaneously retrieving encrypted shellcode from a staging server to launch AdaptixC2 Beacon. To accomplish this, the backdoored SumatraPDF executable launches a slightly modified version of a loader codenamed TOSHIS, which is a variant of Xiangoop, a malware linked to Tropic Trooper, and has been used in the past to fetch next-stage payloads like Cobalt Strike Beacon or Merlin agent for the Mythic framework. The loader is responsible for activating the multi-stage attack, dropping both the lure document as a distraction mechanism and the AdaptixC2 Beacon agent in the background.The agent employs GitHub for C2, beaconing out to the attacker-controlled infrastructure to fetch tasks to be executed on the compromised host. The attack moves to the next stage only when the victim is deemed valuable, at which point the threat actor deploys VS Code and sets up VS Code tunnels for remote access. On select machines, the threat actor has been found to install alternative, trojanized applications, likely in an attemptto better camouflage their actions. What's more, the staging server involved in the intrusion ("158.247.193[.]100") has been observed hosting a Cobalt Strike Beacon and a custom backdoor called EntryShell, both of which have been put to use by Tropic Trooper in the past. "Similar to the TAOTH campaign, publicly available backdoors are used as payloads," Zscaler said. "While Cobalt Strike Beacon and Mythic Merlin were previously used, the threat actor has now shifted to AdaptixC2." Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post. SHARE     Tweet Share Share SHARE  Advanced Persistent Threat, cybersecurity, GitHub, Malware, Microsoft Visual Studio Code, Threat Intelligence Trending News Apache ActiveMQ CVE-2026-34197 Added to CISA KEV Amid Active Exploitation n8n Webhooks Abused Since October 2025 to Deliver Malware via Phishing Emails Vercel Breach Tied to Context AI Hack Exposes Limited Customer Credentials The Hidden Security Risks of Shadow AI in Enterprises New PHP Composer Flaws Enable Arbitrary Command Execution — Patches Released Your MTTD Looks Great. Your Post-Alert Gap Doesn't OpenAI Launches GPT-5.4-Cyber with Expanded Access for Security Teams Cisco Patches Four Critical Identity Services, Webex Flaws Enabling Code Execution Mirax Android RAT Turns Devices into SOCKS5 Proxies, Reaching 220,000 via Meta Ads Why Security Leaders Are Layering Email Defense on Top of Secure Email Gateways Anthropic MCP Design Vulnerability Enables RCE, Threatening AI Supply Chain Microsoft Issues Patches for SharePoint Zero-Day and 168 Other New Vulnerabilities 108 Malicious Chrome Extensions Steal Google and Telegram Data, Affecting 20,000 Users Why Threat Intelligence Is the Missing Link in CTEM Prioritization and Validation Actively Exploited nginx-ui Flaw (CVE-2026-33032) Enables Full Nginx Server Takeover Three Microsoft Defender Zero-Days Actively Exploited; Two Still Unpatched Load More ▼ Popular Resources Automate Alert Triage and Investigations Across Every Threat Discover Key AI Security Gaps CISOs Face in 2026 Fix Rising Application Security Risks Driven by AI Development How to Identify Risky Browser Extensions in Your Organization