Tropic Trooper Utilizes Custom Beacon and VS Code Tunnels for Discreet Remote Access

Tropic Trooper Campaign Unveils New Tactics to Gain Unauthorized Access

In an alarming new development, a cyber operation referred to as Tropic Trooper has been discovered employing sophisticated methods that merge a trojanized PDF reader, a custom AdaptixC2 Beacon listener, and Visual Studio Code tunnels to achieve and sustain remote access to targeted systems. This campaign appears to specifically target Chinese-speaking populations in Taiwan, alongside victims located in South Korea and Japan. It has been attributed to the Tropic Trooper group—also known as Earth Centaur or Pirate Panda—based on strong overlaps in the tools and techniques utilized.

Upon launching their campaign, the attackers utilize a trojanized version of the SumatraPDF reader, which initially presents a decoy PDF that aligns with the lure’s theme. This innocuous-looking document masks a more sinister operation; in the background, it secretly downloads and executes shellcode that deploys an AdaptixC2 Beacon agent directly into memory, thereby establishing a foothold in the target system.

The malicious files circulated in this campaign often appeared benign at first glance. For instance, one particularly noteworthy document titled “Comparative Analysis of US-UK and US-Australia Nuclear Submarine Cooperation (2025).exe” poses as a legitimate file but is, in fact, a trojanized version of the SumatraPDF reader. Opening this deceptive file starts a multi-stage infection chain that leads to deeper system compromise.

On March 12, 2026, ThreatLabz uncovered a malicious ZIP archive laced with multiple military and defense documents in Chinese. These files referenced topics as diverse as metaverse industrial bases, acoustic intelligence facilities, unmanned systems, and nuclear submarine cooperation, highlighting the campaign’s strategic focus.

The loader code observed in these incidents closely resembles the TOSHIS loader seen in Trend Micro’s TAOTH campaign, exhibiting similar features in control-flow hijacking and configuration management but with updated stack strings and the omission of a language ID check—a technique designed to evade detection.

Investigative Insights on Loader and Beacon

The modified SumatraPDF binary hooks the _security_init_cookie function to divert normal execution into the malicious TOSHIS loader code, effectively hijacking the application’s startup process. The loader carefully constructs critical configuration values, such as command-and-control (C2) IP addresses and file paths, and resolves Windows APIs by Adler-32 hash rather than by name. It then downloads a decoy PDF and a second-stage shellcode from a staging server, decrypts the shellcode with AES-128-CBC, and executes it in memory as an AdaptixC2 Beacon.
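Because the loader resolves Windows APIs by Adler-32 hash rather than by name, analysts typically rebuild a hash-to-name table before they can read its import logic. The Python below is an added example (not code from the article or from ThreatLabz) that implements Adler-32 explicitly and resolves hashes against a constructed candidate list; it assumes the loader hashes the plain ASCII export name with no seed, case change or truncation.

```python
"""Adler-32 API-hash resolver (added example, not from the article or ThreatLabz).

Assumes the loader hashes the plain ASCII export name with standard Adler-32;
real samples may seed, case-fold or truncate differently, so adjust hash_name()
to match what the disassembly shows."""
from typing import Dict, Optional

MOD_ADLER = 65521  # largest prime below 2**16; this constant in a loop is the tell


def adler32(data: bytes) -> int:
    """Reference Adler-32, written out so the structure is recognisable in code."""
    a, b = 1, 0
    for byte in data:
        a = (a + byte) % MOD_ADLER
        b = (b + a) % MOD_ADLER
    return (b << 16) | a


def hash_name(name: str) -> int:
    """Hash one export name the way the loader is assumed to (plain ASCII)."""
    return adler32(name.encode("ascii"))


# Constructed candidate list: exports an in-memory shellcode loader typically needs.
CANDIDATE_APIS = [
    "LoadLibraryA", "GetProcAddress", "VirtualAlloc", "VirtualProtect",
    "CreateThread", "WriteProcessMemory", "InternetOpenA", "InternetReadFile",
]


def build_table(names=CANDIDATE_APIS) -> Dict[int, str]:
    """Precompute hash -> name so hashes pulled from the binary can be looked up."""
    table: Dict[int, str] = {}
    for name in names:
        h = hash_name(name)
        if h in table and table[h] != name:
            raise ValueError(f"collision: {table[h]} / {name}")
        table[h] = name
    return table


def resolve(h: int, table: Optional[Dict[int, str]] = None) -> Optional[str]:
    """Return the API name for a hash found in the loader, or None if unknown."""
    return (table if table is not None else build_table()).get(h)


if __name__ == "__main__":
    for h, name in sorted(build_table().items()):
        print(f"0x{h:08x}  {name}")
```

Extend CANDIDATE_APIS with the full export list of the DLLs the sample touches (kernel32, wininet and so on) to resolve every hash the loader carries.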

Unlike previous TOSHIS variants, which typically deployed Cobalt Strike Beacons or Merlin agents, this latest campaign’s pivot to the open-source AdaptixC2 framework shows Tropic Trooper adapting and diversifying its post-exploitation tooling. The hosting environment linked to this operation also harbors Cobalt Strike Beacon instances and the custom EntryShell backdoor, both previously associated with Tropic Trooper, reinforcing confidence in the attribution.

ThreatLabz revealed that the AdaptixC2 Beacon employs a custom listener utilizing GitHub as its command-and-control platform, ingeniously abusing GitHub’s issues and repository APIs to send beacons, receive commands, and exfiltrate results. The trojanized executable closely mimics the open-source SumatraPDF reader, furnished with identical certificates and PDB paths, making it a formidable threat.

Within the extracted configuration, vital details included a simulated repository owner’s name, an API host directed at api.github.com, and an RC4 key used for decrypting encrypted sections of the configuration and beacon communication. The Beacon effectively generates a session-specific RC4 key, retrieves the victim’s external IP address using ipinfo.io, and embeds that information in each beacon, subsequently posting to designated GitHub issues to facilitate session establishment.

Exploitation Through VS Code Tunnels

The operational tactics further reveal that Tropic Trooper operators are adept at maintaining a low profile; they routinely delete beacon artifacts from GitHub within seconds of posting to obscure session keys and minimize forensic scrutiny into real-time C2 traffic. Notably, the RC4 key mentioned plays a pivotal role in decrypting critical components of the configuration as well as beacon heartbeats.

Following the reconnaissance phase, the AdaptixC2 Beacon moves high-value targets over to VS Code tunnels, which provide interactive remote access from that point on. During this phase, operators trigger installation of the VS Code command-line client and authenticate it with “code tunnel user login --provider github.” Persistence is established through scheduled tasks with unobtrusive names such as “\MicrosoftUDN” and “\MSDNSvc,” complemented by additional trojanized binaries for camouflage.
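A defender can turn the indicators in this section into telemetry checks. The Python below is an added example (not from the article) that scans constructed Windows process-creation (4688) and scheduled-task-creation (4698) events for the “code tunnel user login --provider github” command and for the \MicrosoftUDN and \MSDNSvc task names; the “ | ”-separated key=value log format is an assumption.

```python
"""Detection over constructed Windows event lines for the VS Code tunnel stage
(added example, not from the article). Assumes 'key=value' fields separated by
' | '; adapt parse_event() to your SIEM's own format."""
import re

# Task names the article reports for persistence, plus the tunnel login command.
SUSPICIOUS_TASKS = {r"\MicrosoftUDN", r"\MSDNSvc"}
TUNNEL_LOGIN = re.compile(r"\btunnel\s+user\s+login\b.*--provider\s+github", re.I)
TUNNEL_ANY = re.compile(r"\bcode(\.exe)?\s+tunnel\b", re.I)


def parse_event(line):
    """Split one log line into a field dict."""
    return dict(kv.split("=", 1) for kv in line.split(" | "))


def analyze(event):
    """Return (severity, reason) findings for one parsed event."""
    findings = []
    eid = event.get("EventID")
    if eid == "4688":  # process creation
        cmd = event.get("CommandLine", "")
        if TUNNEL_LOGIN.search(cmd):
            findings.append(("high", "VS Code tunnel login with GitHub provider"))
        elif TUNNEL_ANY.search(cmd):
            findings.append(("medium", "VS Code CLI tunnel invocation"))
    elif eid == "4698":  # scheduled task created
        task = event.get("TaskName", "")
        if task in SUSPICIOUS_TASKS:
            findings.append(("high", f"known Tropic Trooper task name {task}"))
        # Flatten the task XML to text so the action's command line can be matched.
        action = re.sub(r"<[^>]+>", " ", event.get("TaskContent", ""))
        if TUNNEL_ANY.search(action):
            findings.append(("high", f"task {task} launches a VS Code tunnel"))
    return findings


def scan(lines):
    """Run analyze() over every line; returns [(line_no, severity, reason)]."""
    return [(i, sev, why) for i, line in enumerate(lines, 1)
            for sev, why in analyze(parse_event(line))]


# Constructed sample telemetry: the first and last events are benign.
SAMPLE_LOG = [
    r"EventID=4688 | CommandLine=notepad.exe report.txt",
    r"EventID=4688 | CommandLine=code.exe tunnel user login --provider github",
    r"EventID=4698 | TaskName=\MicrosoftUDN | TaskContent=<Exec><Command>C:\Users\demo\AppData\Local\code.exe</Command><Arguments>tunnel</Arguments></Exec>",
    r"EventID=4698 | TaskName=\Backup | TaskContent=<Exec><Command>C:\Tools\backup.exe</Command></Exec>",
]
```

Calling scan(SAMPLE_LOG) flags the login on line 2 and the task on line 3 twice (known name and tunnel action), while the two benign events produce nothing.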

In summary, this evolving landscape of cyber threats shows how groups like Tropic Trooper are steadily shifting their operational tactics. The combination of known tools like the TOSHIS loader with more contemporary methods, including the use of GitHub for command and control, underscores the group’s adaptability. This blend of technologies and techniques, together with the high-confidence attribution to Tropic Trooper, emphasizes the urgent need for vigilance and enhanced security measures across vulnerable sectors.
