Full Report
Chinese-speaking individuals are the target of a new campaign that uses a trojanized version of SumatraPDF reader to deploy the AdaptixC2 Beacon post-exploitation agent and ultimately facilitate the abuse of Microsoft Visual Studio Code (VS Code) tunnels for remote access. Zscaler ThreatLabz, which discovered the campaign last month, has attributed it with high confidence to Tropic Trooper (aka
Analysis Summary
# Threat Actor: Tropic Trooper
## Attribution & Identity
Tropic Trooper is a resilient threat actor, assessed with high confidence to be active since at least 2011.
* **Known Aliases:** APT23, Earth Centaur, KeyBoy, and Pirate Panda.
* **Regional Association:** Linked to Chinese-speaking cyber operations.
## Activity Summary
Recent activity involves a sophisticated campaign targeting Chinese-speaking individuals. The chain begins with a ZIP archive containing military-themed document lures. The group utilizes a trojanized version of the **SumatraPDF** reader to deploy the **AdaptixC2** post-exploitation framework. Notably, the group has pivoted to abusing **GitHub** as a C2 platform and leveraging **Microsoft Visual Studio Code (VS Code) tunnels** for persistent remote access on high-value targets.
## Tactics, Techniques & Procedures
* **Spear Phishing:** Delivery of ZIP archives with military-themed document lures.
* **Trojanized Legitimate Application:** Use of a backdoored SumatraPDF executable to launch malicious code. This is not living-off-the-land in the strict sense, since the binary is attacker-supplied rather than already present on the host, so allow-listing by file name or path alone does not stop it.
* **Multi-stage Loading:** Utilization of the **TOSHIS** loader (a variant of **Xiangoop**) to fetch encrypted shellcode, decrypt it in memory, and execute the next-stage payload.
* **C2 via GitHub:** Leveraging GitHub as a command-and-control platform for Beacon listeners to bypass traditional network filtering.
* **Remote Access via Tunnels:** Weaponization of VS Code tunnels for direct remote access into compromised environments.
* **Evasion:** Deploying trojanized versions of legitimate applications to camouflage secondary actions.
## Targeting
* **Sectors:** Not stated explicitly; the military-themed lures imply interest in defense-related targets, and the tooling (tunnels, beacons) is geared toward sustained remote access and data theft.
* **Geography:** Primarily Taiwan, Hong Kong, and the Philippines. Current campaign specifically includes South Korea and Japan.
* **Victims:** Chinese-speaking individuals and organizations in the aforementioned regions.
## Tools & Infrastructure
* **Malware Families:**
* **AdaptixC2 Beacon:** Post-exploitation agent (primary focus).
* **TOSHIS / Xiangoop:** Initial stage loaders.
* **EntryShell:** Custom backdoor.
* **Cobalt Strike Beacon:** Historical and recent payload.
* **Merlin:** Cross-platform post-exploitation agent, also available as an agent for the Mythic framework.
* **Infrastructure:**
* **GitHub:** Used as a custom C2 platform.
* **Staging Server:** `158.247.193[.]100` (Hosting payloads like Cobalt Strike and EntryShell).
* **VS Code Tunnels:** Used for persistent remote access.
## Implications
Tropic Trooper continues to evolve by adopting modern, legitimate software features (VS Code tunnels, GitHub C2) to blend malicious traffic into developer-service connections that many networks allow by default. The shift from common tools like Cobalt Strike and Merlin to AdaptixC2 indicates an effort to evade current detection signatures. Their use of region-specific lures and legitimate software branding (SumatraPDF) is aimed at making the lure credible to the targeted demographic.
## Mitigations
* **Application Whitelisting/Control:** Restrict the execution of unauthorized PDF readers and portable applications.
* **Network Monitoring:** Monitor connections to GitHub APIs and to developer-centric tunnel services such as `tunnels.vscode.dev`, `*.devtunnels.ms` and `*.rel.tunnels.api.visualstudio.com`, and alert when the client process is not a browser, `git`, or a sanctioned VS Code install. Block and alert on the staging server `158.247.193[.]100`.
* **Endpoint Detection:** Implement EDR rules for PDF readers such as SumatraPDF that flag child processes (a reader has no reason to spawn `cmd.exe`, `powershell.exe` or the VS Code CLI), unexpected or unsigned module loads, and memory allocation patterns consistent with shellcode execution; compare the hash and signature of any SumatraPDF binary on disk against the vendor's release. Also alert on the VS Code CLI being started with the `tunnel` subcommand (`code tunnel`, or `code tunnel service install` for persistence) on hosts where developers do not use it.
* **User Training:** Educate users on the risks of opening archived files (ZIP/7z) containing military or political themes, especially from unsolicited sources.
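As an added example (not code from the report or from Zscaler), the following Python sketch turns the detection guidance above into four rules and runs them over constructed Sysmon-style events. The sample records, the watch-listed hostname suffixes, the expected-client list and the known-good hash set are assumptions to be replaced with your own environment's values; the staging IP is the one named above.

```python
import ntpath

# Constructed Sysmon-style events (process creations and network connections).
# These records are made up for this example and are not telemetry from the report.
SAMPLE_EVENTS = [
    {"type": "process", "pid": 4100, "ppid": 900,
     "image": r"C:\Users\dev\Downloads\SumatraPDF.exe",
     "cmdline": r"SumatraPDF.exe briefing.pdf", "sha256": "a" * 64},
    {"type": "process", "pid": 4200, "ppid": 4100,                 # reader spawns a shell
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": r"cmd.exe /c whoami"},
    {"type": "process", "pid": 4300, "ppid": 4200,                 # VS Code CLI in tunnel mode
     "image": r"C:\Users\dev\AppData\Local\code\code.exe",
     "cmdline": r"code.exe tunnel --accept-server-license-terms --name WIN-PC"},
    {"type": "process", "pid": 4400, "ppid": 900,                  # benign editor launch
     "image": r"C:\Program Files\Microsoft VS Code\Code.exe",
     "cmdline": r"Code.exe C:\src\project"},
    {"type": "network", "pid": 4100, "image": r"C:\Users\dev\Downloads\SumatraPDF.exe",
     "dest_host": "api.github.com", "dest_ip": "198.51.100.20", "dest_port": 443},
    {"type": "network", "pid": 4500, "image": r"C:\Program Files\Git\cmd\git.exe",
     "dest_host": "api.github.com", "dest_ip": "198.51.100.20", "dest_port": 443},
    {"type": "network", "pid": 4200, "image": r"C:\Windows\System32\cmd.exe",
     "dest_host": "", "dest_ip": "158.247.193.100", "dest_port": 443},
]

PDF_READERS = {"sumatrapdf.exe", "acrord32.exe", "foxitreader.exe"}
VSCODE_CLI = {"code.exe", "code-tunnel.exe", "code"}
# Hostname suffixes for GitHub and VS Code tunnel infrastructure (assumed watchlist).
DEV_SERVICE_SUFFIXES = (".github.com", ".devtunnels.ms", ".tunnels.api.visualstudio.com")
# Processes that legitimately talk to those services; a sanctioned code.exe is covered
# by the process rule instead, so it is allowed here (assumption).
EXPECTED_DEV_CLIENTS = {"git.exe", "code.exe", "chrome.exe", "msedge.exe", "firefox.exe"}
STAGING_SERVERS = {"158.247.193.100"}  # staging server listed under Infrastructure
# SHA-256 values of vendor-released SumatraPDF builds would go here (placeholder).
KNOWN_GOOD_READER_HASHES = {"b" * 64}


def basename(path):
    return ntpath.basename(path).lower()


def detect_vscode_tunnel(events):
    """VS Code CLI started with the `tunnel` subcommand."""
    hits = []
    for e in events:
        if e["type"] == "process" and basename(e["image"]) in VSCODE_CLI:
            args = e["cmdline"].split()
            if len(args) > 1 and args[1].lower() == "tunnel":
                hits.append({"rule": "vscode_tunnel", "pid": e["pid"], "cmdline": e["cmdline"]})
    return hits


def detect_pdf_reader_children(events):
    """Any child process of a PDF reader; readers should not spawn processes."""
    reader_pids = {e["pid"] for e in events
                   if e["type"] == "process" and basename(e["image"]) in PDF_READERS}
    return [{"rule": "pdf_reader_child", "pid": e["pid"], "parent": e["ppid"], "image": e["image"]}
            for e in events if e["type"] == "process" and e["ppid"] in reader_pids]


def detect_unknown_reader_builds(events, known_good=KNOWN_GOOD_READER_HASHES):
    """PDF reader binaries whose hash is not a known vendor release."""
    return [{"rule": "unknown_reader_build", "pid": e["pid"], "sha256": e.get("sha256")}
            for e in events if e["type"] == "process"
            and basename(e["image"]) in PDF_READERS and e.get("sha256") not in known_good]


def detect_dev_service_misuse(events):
    """Developer-service connections from unexpected clients, plus the staging IP."""
    hits = []
    for e in events:
        if e["type"] != "network":
            continue
        host = e.get("dest_host", "").lower()
        if host.endswith(DEV_SERVICE_SUFFIXES) and basename(e["image"]) not in EXPECTED_DEV_CLIENTS:
            hits.append({"rule": "dev_service_from_unexpected_client", "pid": e["pid"], "host": host})
        if e.get("dest_ip") in STAGING_SERVERS:
            hits.append({"rule": "known_staging_server", "pid": e["pid"], "ip": e["dest_ip"]})
    return hits


def run_all(events=SAMPLE_EVENTS):
    """Run every rule and return alerts keyed by rule name."""
    alerts = (detect_vscode_tunnel(events) + detect_pdf_reader_children(events)
              + detect_unknown_reader_builds(events) + detect_dev_service_misuse(events))
    by_rule = {}
    for a in alerts:
        by_rule.setdefault(a["rule"], []).append(a)
    return by_rule


if __name__ == "__main__":
    for rule, hits in run_all().items():
        for h in hits:
            print(rule, h)
```

The rules deliberately key on behaviour rather than on the specific payload: a benign `Code.exe` opening a project folder and `git.exe` reaching `api.github.com` produce no alerts, while the reader-spawns-shell, tunnel-start and staging-server events each fire independently, so a change of loader or C2 framework does not silently blind all four.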