Researchers at Zscaler ThreatLabz have uncovered a campaign attributed with high confidence to Tropic Trooper (also tracked as APT23, Earth Centaur, KeyBoy, and Pirate Panda) that delivers the AdaptixC2 post-exploitation framework via trojanized versions of the SumatraPDF open-source PDF reader. The campaign abuses GitHub as command-and-control infrastructure and leverages Microsoft VS Code tunnels for persistent, stealthy remote access to high-value targets.
Threat Actor Background
Tropic Trooper is a Chinese-speaking APT group with documented operations dating back to at least 2011, with a primary focus on targets in Taiwan, Hong Kong, and the Philippines. The group has historically favored trojanized legitimate software and living-off-the-land techniques to maintain persistence while evading detection.
This latest campaign marks an evolution in their tooling, shifting from older frameworks like Cobalt Strike and EntryShell toward the newer AdaptixC2 open-source post-exploitation platform.
Attack Vector: Trojanized SumatraPDF
The campaign begins with victims receiving ZIP archives containing military-themed document lures bundled with a backdoored version of the SumatraPDF PDF reader. The trojanized executable appears functionally identical to the legitimate application — it opens PDF files normally — while simultaneously executing a modified version of a loader codenamed TOSHIS (specifically, a variant called Xiangoop).
The use of SumatraPDF is deliberate: it is a popular, widely trusted open-source application, making the trojanized version less likely to raise immediate suspicion when distributed in targeted spear-phishing campaigns.
Four-Stage Attack Chain
The full compromise unfolds across four distinct stages:
Stage 1 — Initial Access
Victims open the trojanized SumatraPDF executable. A decoy PDF document is displayed to the user while the loader executes in the background.
Stage 2 — Payload Retrieval
The Xiangoop/TOSHIS loader contacts attacker-controlled staging servers to fetch encrypted shellcode. The staging server at 158.247.193[.]100 was observed hosting both Cobalt Strike Beacon and the EntryShell backdoor — tools previously attributed to this group — alongside the newer AdaptixC2 payload.
Stage 3 — AdaptixC2 Beacon Deployment
The decrypted shellcode deploys an AdaptixC2 Beacon, the post-exploitation component of the open-source AdaptixC2 framework. This beacon provides the attacker with a persistent command-and-control channel, supporting command execution, lateral movement, and data collection.
Stage 4 — VS Code Tunnel Persistence
On particularly valuable targets, Tropic Trooper establishes Microsoft Visual Studio Code tunnels for remote access. VS Code tunnels allow encrypted remote connections that route through Microsoft's infrastructure, making them difficult to block without disrupting legitimate developer workflows. This technique provides a resilient, hard-to-detect secondary access channel even if the primary C2 beacon is discovered and removed.
GitHub as C2 Infrastructure
A notable feature of this campaign is the abuse of GitHub for command-and-control operations. Custom AdaptixC2 beacon listeners hosted on GitHub repositories allow attackers to issue commands through traffic that blends in with normal developer activity. Network detection tools that don't inspect GitHub-destined traffic are likely to miss this channel entirely.
Targets
The campaign primarily targets Chinese-speaking individuals, with victims observed in:
- Taiwan
- South Korea
- Japan
The targeting profile is consistent with Tropic Trooper's historical focus on entities involved in government, defense, aerospace, and technology sectors within the broader East Asia region.
Detection Indicators
Organizations should monitor for:
- Unexpected SumatraPDF.exe processes spawning child processes
- TOSHIS/Xiangoop loader artifacts in temp directories
- Outbound connections to 158.247.193[.]100 (known staging server)
- AdaptixC2 Beacon network signatures
- Unexplained VS Code tunnel establishments on non-developer endpoints
- GitHub API calls from systems that should not be accessing GitHub
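As an added example (not code from the Zscaler report), the indicator list above expressed as a small detection pass over constructed endpoint and network events in NDJSON form. The staging server IP is the one named in the report; the VS Code tunnel process names, GitHub hostnames, event schema and developer allow-list are assumptions for this example.

```python
import json

# Indicators from the campaign writeup. The staging server IP is the one the
# report lists (defanged there as 158.247.193[.]100). The VS Code tunnel
# process names, the GitHub hostnames and the allow-list are assumptions.
STAGING_SERVER = "158.247.193.100"
GITHUB_HOSTS = {"github.com", "api.github.com", "raw.githubusercontent.com"}
VSCODE_IMAGES = ("code.exe", "code-tunnel.exe")
DEV_HOSTS = {"dev-ws-01"}  # endpoints permitted to use GitHub and VS Code tunnels

def check_event(ev):
    """Return the names of the campaign indicators a single event trips."""
    hits = []
    host = ev.get("host")
    if ev.get("type") == "process":
        parent = ev.get("parent_image", "").lower()
        image = ev.get("image", "").lower()
        cmdline = ev.get("command_line", "").lower()
        # The trojanized reader opens the decoy PDF and runs the loader alongside it.
        if parent.endswith("sumatrapdf.exe"):
            hits.append("sumatrapdf_child_process")
        # A tunnel being started on a host with no developer role is suspicious.
        if image.endswith(VSCODE_IMAGES) and " tunnel" in cmdline and host not in DEV_HOSTS:
            hits.append("vscode_tunnel_on_non_dev_host")
    elif ev.get("type") == "network":
        if ev.get("dst_ip") == STAGING_SERVER:
            hits.append("known_staging_server")
        if ev.get("dst_host", "").lower() in GITHUB_HOSTS and host not in DEV_HOSTS:
            hits.append("github_from_non_dev_host")
    return hits

def scan(lines):
    """Run check_event over newline-delimited JSON events; return (host, indicator) pairs."""
    findings = []
    for line in lines:
        if line.strip():
            ev = json.loads(line)
            findings.extend((ev.get("host"), hit) for hit in check_event(ev))
    return findings

# Constructed sample telemetry (not from the report): one user laptop showing the
# chain end to end, and one developer workstation doing legitimate work.
SAMPLE_EVENTS = r"""
{"type": "process", "host": "hr-laptop-07", "parent_image": "C:\\Users\\u\\Downloads\\SumatraPDF.exe", "image": "C:\\Windows\\System32\\cmd.exe", "command_line": "cmd.exe"}
{"type": "network", "host": "hr-laptop-07", "dst_ip": "158.247.193.100", "dst_port": 443}
{"type": "process", "host": "hr-laptop-07", "parent_image": "C:\\Windows\\System32\\cmd.exe", "image": "C:\\Users\\u\\AppData\\Local\\Programs\\Microsoft VS Code\\code.exe", "command_line": "code.exe tunnel"}
{"type": "network", "host": "hr-laptop-07", "dst_host": "api.github.com", "dst_port": 443}
{"type": "process", "host": "dev-ws-01", "parent_image": "C:\\Windows\\explorer.exe", "image": "C:\\Program Files\\SumatraPDF\\SumatraPDF.exe", "command_line": "SumatraPDF.exe report.pdf"}
{"type": "network", "host": "dev-ws-01", "dst_host": "api.github.com", "dst_port": 443}
"""

if __name__ == "__main__":
    for host, hit in scan(SAMPLE_EVENTS.splitlines()):
        print(host, hit)
```

The developer workstation trips nothing because GitHub and tunnel use are expected there; tune DEV_HOSTS and the hostnames to your own environment before relying on this.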
Mitigation Recommendations
- Verify digital signatures on all downloaded software installers, including open-source tools
- Restrict VS Code tunnel functionality on endpoints where it is not required for legitimate work
- Implement network monitoring for connections to known AdaptixC2 infrastructure
- Deploy behavioral detection rules for TOSHIS loader execution patterns
- Educate users handling sensitive roles about trojanized software risks in targeted spear-phishing
The shift to AdaptixC2 and GitHub-based C2 reflects a broader trend among APT actors of migrating toward open-source frameworks and legitimate cloud infrastructure — moves that complicate attribution and detection in equal measure.