THREATNOIR
Subscribe
Back to Feed
Threat IntelligenceApr 24, 2026

Tropic Trooper Uses Trojanized SumatraPDF and GitHub to Deploy AdaptixC2

Tropic Trooper deploys AdaptixC2 via trojanized SumatraPDF targeting Chinese-speakers.

Read at source

Summary

Tropic Trooper (APT23) is conducting a targeted campaign against Chinese-speaking individuals in Taiwan, Hong Kong, South Korea, and Japan using a trojanized SumatraPDF reader to deliver the AdaptixC2 post-exploitation agent. The attack chain leverages GitHub as a C2 platform and VS Code tunnels for remote access, with the staging server also hosting Cobalt Strike Beacon and custom backdoors previously attributed to the group.

Full text

Tropic Trooper Uses Trojanized SumatraPDF and GitHub to Deploy AdaptixC2 Ravie LakshmananApr 24, 2026Malware / Threat Intelligence Chinese-speaking individuals are the target of a new campaign that uses a trojanized version of SumatraPDF reader to deploy the AdaptixC2 Beacon post-exploitation agent and ultimately facilitate the abuse of Microsoft Visual Studio Code (VS Code) tunnels for remote access. Zscaler ThreatLabz, which discovered the campaign last month, has attributed it with high confidence to Tropic Trooper (aka APT23, Earth Centaur, KeyBoy, and Pirate Panda), a hacking group known for its targeting of various entities in Taiwan, Hong Kong, and the Philippines. It's assessed to be active since at least 2011. "The threat actors created a custom AdaptixC2 Beacon listener, leveraging GitHub as their command-and-control (C2) platform," security researcher Yin Hong Chang said in an analysis. It's believed that Chinese-speaking individuals in Taiwan, and individuals in South Korea and Japan, are the targets of the campaign. The starting point of the attack is a ZIP archive containing military-themed document lures to launch the rogue version of SumatraPDF, which is then used to display a decoy PDF document, while simultaneously retrieving encrypted shellcode from a staging server to launch AdaptixC2 Beacon. To accomplish this, the backdoored SumatraPDF executable launches a slightly modified version of a loader codenamed TOSHIS, which is a variant of Xiangoop, a malware linked to Tropic Trooper, and has been used in the past to fetch next-stage payloads like Cobalt Strike Beacon or Merlin agent for the Mythic framework. The loader is responsible for activating the multi-stage attack, dropping both the lure document as a distraction mechanism and the AdaptixC2 Beacon agent in the background.The agent employs GitHub for C2, beaconing out to the attacker-controlled infrastructure to fetch tasks to be executed on the compromised host. The attack moves to the next stage only when the victim is deemed valuable, at which point the threat actor deploys VS Code and sets up VS Code tunnels for remote access. On select machines, the threat actor has been found to install alternative, trojanized applications, likely in an attemptto better camouflage their actions. What's more, the staging server involved in the intrusion ("158.247.193[.]100") has been observed hosting a Cobalt Strike Beacon and a custom backdoor called EntryShell, both of which have been put to use by Tropic Trooper in the past. "Similar to the TAOTH campaign, publicly available backdoors are used as payloads," Zscaler said. "While Cobalt Strike Beacon and Mythic Merlin were previously used, the threat actor has now shifted to AdaptixC2." Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post. SHARE     Tweet Share Share Share SHARE  Advanced Persistent Threat, cybersecurity, GitHub, Malware, Microsoft Visual Studio Code, Threat Intelligence Trending News 108 Malicious Chrome Extensions Steal Google and Telegram Data, Affecting 20,000 Users Mirax Android RAT Turns Devices into SOCKS5 Proxies, Reaching 220,000 via Meta Ads New PHP Composer Flaws Enable Arbitrary Command Execution — Patches Released OpenAI Launches GPT-5.4-Cyber with Expanded Access for Security Teams Microsoft Issues Patches for SharePoint Zero-Day and 168 Other New Vulnerabilities Actively Exploited nginx-ui Flaw (CVE-2026-33032) Enables Full Nginx Server Takeover n8n Webhooks Abused Since October 2025 to Deliver Malware via Phishing Emails Cisco Patches Four Critical Identity Services, Webex Flaws Enabling Code Execution Apache ActiveMQ CVE-2026-34197 Added to CISA KEV Amid Active Exploitation Three Microsoft Defender Zero-Days Actively Exploited; Two Still Unpatched Anthropic MCP Design Vulnerability Enables RCE, Threatening AI Supply Chain Vercel Breach Tied to Context AI Hack Exposes Limited Customer Credentials Why Security Leaders Are Layering Email Defense on Top of Secure Email Gateways Why Threat Intelligence Is the Missing Link in CTEM Prioritization and Validation The Hidden Security Risks of Shadow AI in Enterprises Your MTTD Looks Great. Your Post-Alert Gap Doesn't Popular Resources Discover Key AI Security Gaps CISOs Face in 2026 Fix Rising Application Security Risks Driven by AI Development Automate Alert Triage and Investigations Across Every Threat How to Identify Risky Browser Extensions in Your Organization

Indicators of Compromise

  • ip — 158.247.193.100
  • malware — AdaptixC2
  • malware — TOSHIS
  • malware — EntryShell
  • malware — Xiangoop

Entities

Tropic Trooper (threat_actor)APT23 (threat_actor)SumatraPDF (product)Visual Studio Code (VS Code) (product)Microsoft (vendor)GitHub (technology)