Tropic Trooper leverages trojanized SumatraPDF to deliver AdaptixC2 Beacon via GitHub C2
Summary
A campaign attributed to Tropic Trooper (APT23, Earth Centaur) uses a trojanized SumatraPDF reader to deploy the AdaptixC2 Beacon post-exploitation agent. Chinese-speaking individuals in Taiwan and users in South Korea and Japan are targeted via military-themed ZIP archives containing malicious SumatraPDF executables. The executable displays a decoy PDF while fetching encrypted shellcode from a staging server to launch AdaptixC2, which communicates with C2 infrastructure via GitHub. Subsequent activity includes deployment of Microsoft VS Code tunnels for remote access on high-value hosts, alongside the use of trojanized applications for camouflage. The staging server at 158.247.193[.]100 has hosted Cobalt Strike Beacon and the custom EntryShell backdoor previously associated with Tropic Trooper.
Timeline
- 24.04.2026 12:29 · 1 article
Tropic Trooper campaign employs trojanized SumatraPDF to deploy AdaptixC2 Beacon via GitHub C2
A new Tropic Trooper campaign uses a trojanized SumatraPDF reader to deliver the AdaptixC2 Beacon post-exploitation agent via encrypted shellcode retrieved from a staging server. The attacker employs a modified TOSHIS loader to execute AdaptixC2, which communicates with C2 infrastructure hosted on GitHub. Military-themed ZIP archives serve as initial lures targeting Chinese-speaking individuals in Taiwan and users in South Korea and Japan. On high-value hosts, VS Code tunnels are deployed for remote access, with additional trojanized applications installed to mask activity. The staging server at 158.247.193[.]100 previously hosted Cobalt Strike Beacon and EntryShell.
- Tropic Trooper Uses Trojanized SumatraPDF and GitHub to Deploy AdaptixC2 — thehackernews.com — 24.04.2026 12:29
Information Snippets
- Tropic Trooper uses a trojanized SumatraPDF executable to launch a modified loader named TOSHIS, a variant of Xiangoop malware previously linked to the group.
  First reported: 24.04.2026 12:29 (1 source, 1 article)
  - Tropic Trooper Uses Trojanized SumatraPDF and GitHub to Deploy AdaptixC2 — thehackernews.com — 24.04.2026 12:29
- The SumatraPDF executable displays a decoy PDF document while retrieving encrypted shellcode from a staging server to deploy the AdaptixC2 Beacon agent.
  First reported: 24.04.2026 12:29 (1 source, 1 article)
  - Tropic Trooper Uses Trojanized SumatraPDF and GitHub to Deploy AdaptixC2 — thehackernews.com — 24.04.2026 12:29
- AdaptixC2 Beacon communicates with attacker-controlled infrastructure via GitHub for C2 operations, fetching tasks for execution on compromised hosts.
  First reported: 24.04.2026 12:29 (1 source, 1 article)
  - Tropic Trooper Uses Trojanized SumatraPDF and GitHub to Deploy AdaptixC2 — thehackernews.com — 24.04.2026 12:29
- Microsoft Visual Studio Code tunnels are deployed on select high-value machines to establish remote access after victim profiling.
  First reported: 24.04.2026 12:29 (1 source, 1 article)
  - Tropic Trooper Uses Trojanized SumatraPDF and GitHub to Deploy AdaptixC2 — thehackernews.com — 24.04.2026 12:29
- Additional trojanized applications are installed on compromised hosts to better camouflage attacker activity.
  First reported: 24.04.2026 12:29 (1 source, 1 article)
  - Tropic Trooper Uses Trojanized SumatraPDF and GitHub to Deploy AdaptixC2 — thehackernews.com — 24.04.2026 12:29
- The staging server at IP address 158.247.193[.]100 has been observed hosting Cobalt Strike Beacon and EntryShell, a custom backdoor associated with Tropic Trooper.
  First reported: 24.04.2026 12:29 (1 source, 1 article)
  - Tropic Trooper Uses Trojanized SumatraPDF and GitHub to Deploy AdaptixC2 — thehackernews.com — 24.04.2026 12:29
- The campaign targets Chinese-speaking individuals in Taiwan and users in South Korea and Japan, using military-themed ZIP archives as initial lures.
  First reported: 24.04.2026 12:29 (1 source, 1 article)
  - Tropic Trooper Uses Trojanized SumatraPDF and GitHub to Deploy AdaptixC2 — thehackernews.com — 24.04.2026 12:29
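A detection-side view of the chain described in the summary and the snippets above, as an added example that is not part of the article or of any vendor's tooling: three hunting rules run over constructed Sysmon-style events (EventID 1 = process creation, EventID 3 = network connection) for the staging-server contact, GitHub traffic from a process that has no business there, and a VS Code tunnel started on the host. The log format, the sample events, and the allowlist of processes expected to reach GitHub are assumptions to be tuned locally; the only indicator taken from the report is the staging IP, which the report prints defanged.

```python
"""Hunting rules for the Tropic Trooper / AdaptixC2 chain described above.

Added example, not code from the article or from any vendor.  The events
below are constructed, Sysmon-style key=value lines, and the allowlist is
an assumption: tune both to the environment before relying on them.
"""
import re

# The one indicator the report gives, written defanged there.
STAGING_IP_DEFANGED = "158.247.193[.]100"

# Assumption: processes for which outbound GitHub traffic is normal.
GITHUB_ALLOWED_IMAGES = {"firefox.exe", "chrome.exe", "msedge.exe", "git.exe", "code.exe"}

# Constructed sample log.  The non-staging IP is a TEST-NET address, not a real one.
SAMPLE_LOG = r"""
EventID=1 Image="C:\Users\victim\Downloads\SumatraPDF.exe" ParentImage="C:\Windows\explorer.exe" CommandLine="SumatraPDF.exe brief.pdf"
EventID=3 Image="C:\Users\victim\Downloads\SumatraPDF.exe" DestinationIp=158.247.193.100 DestinationHostname=- DestinationPort=443
EventID=3 Image="C:\Users\victim\Downloads\SumatraPDF.exe" DestinationIp=203.0.113.10 DestinationHostname=api.github.com DestinationPort=443
EventID=1 Image="C:\Program Files\Microsoft VS Code\code.exe" ParentImage="C:\Users\victim\Downloads\SumatraPDF.exe" CommandLine="code.exe tunnel --accept-server-license-terms --name ws01"
EventID=3 Image="C:\Program Files\Mozilla Firefox\firefox.exe" DestinationIp=203.0.113.10 DestinationHostname=github.com DestinationPort=443
EventID=1 Image="C:\Program Files\Microsoft VS Code\code.exe" ParentImage="C:\Windows\explorer.exe" CommandLine="code.exe C:\src\project"
"""

# key=value pairs; a quoted value may contain spaces.
KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def refang(indicator: str) -> str:
    """Turn the report's defanged form (158.247.193[.]100) back into a usable IP."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


STAGING_IP = refang(STAGING_IP_DEFANGED)


def parse_event(line: str) -> dict:
    """Parse one key=value line into a dict, stripping the quotes around values."""
    return {k: v.strip('"') for k, v in KV.findall(line)}


def basename(path: str) -> str:
    """Last component of a Windows path, lower-cased for comparison."""
    return path.rsplit("\\", 1)[-1].lower()


def rule_staging_server(event: dict):
    """Any connection to the staging server is a strong indicator on its own."""
    if event.get("EventID") == "3" and event.get("DestinationIp") == STAGING_IP:
        return "staging_server_contact"


def rule_github_from_unexpected_process(event: dict):
    """AdaptixC2 fetches tasks over GitHub; a PDF reader talking to GitHub is the tell."""
    host = event.get("DestinationHostname", "").lower()
    if (event.get("EventID") == "3"
            and (host == "github.com" or host.endswith(".github.com"))
            and basename(event.get("Image", "")) not in GITHUB_ALLOWED_IMAGES):
        return "github_from_unexpected_process"


def rule_vscode_tunnel(event: dict):
    """`code tunnel` is how a VS Code Remote Tunnel is started from the CLI.
    Developers use it legitimately, so treat a hit as a lead, not a verdict."""
    tokens = event.get("CommandLine", "").lower().split()
    if (event.get("EventID") == "1"
            and basename(event.get("Image", "")) in {"code.exe", "code"}
            and "tunnel" in tokens[1:]):
        return "vscode_tunnel"


RULES = (rule_staging_server, rule_github_from_unexpected_process, rule_vscode_tunnel)


def hunt(log_text: str) -> list:
    """Run every rule over every event; return (rule, image, parent image) triples.
    The parent is kept because a PDF reader spawning code.exe is itself worth seeing."""
    hits = []
    for line in log_text.strip().splitlines():
        event = parse_event(line)
        for rule in RULES:
            verdict = rule(event)
            if verdict:
                hits.append((verdict, basename(event.get("Image", "")),
                             basename(event.get("ParentImage", ""))))
    return hits


if __name__ == "__main__":
    for hit in hunt(SAMPLE_LOG):
        print(*hit)
```

On the constructed log this yields three hits: the SumatraPDF process contacting the staging server, the same process reaching api.github.com, and code.exe launched with `tunnel` by SumatraPDF.exe as its parent; Firefox reaching GitHub and an ordinary `code.exe <folder>` launch are left alone. The staging-IP rule is the only one that stands on its own; the other two are enrichment that should be joined with the parent-process relationship before anyone acts on them.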