Tropic Trooper trojanized SumatraPDF remote-access campaign
Campaign
Summary
Tropic Trooper is running an active campaign that uses a trojanized SumatraPDF lure to plant AdaptixC2 Beacon and later abuse VS Code tunnels for remote access. The operation was discovered last month and is assessed to have been active since at least 2011, which signals long-running adversary continuity. Its target set includes Chinese-speaking individuals in Taiwan, South Korea, and Japan, making the reach broader than a single-victim intrusion.
Related Happenings
FamousSparrow multi-wave intrusion campaign against Azerbaijani oil and gas company
Campaign
First: 13.05.2026 16:00
Last: 13.05.2026 16:00
Sources 1
About this happening:
A **China-affiliated** actor tracked as **FamousSparrow (UAT-9244)** ran a **multi-wave intrusion** against an **unnamed Azerbaijani oil and gas company** from **late December 202...
Silk Typhoon / Hafnium coordinated intelligence-gathering campaign
Campaign
First: 27.04.2026 22:56
Last: 27.04.2026 22:56
Sources 1
About this happening:
The **Silk Typhoon / Hafnium** operation is tied to a **coordinated intelligence-gathering campaign** spanning **February 2020 to June 2021**, underscoring a sustained espionage e...
Latest development: 28.04.2026 15:30
US officials described Silk Typhoon/Hafnium activity from February 2020 to June 2021 as a coordinated intelligence-gathering campaign that targeted US universities and COVID-19 researchers, including a Texas university network, and later expanded into Microsoft Exchange Server vulnerability exploitation. The operation reportedly used stolen mailbox access to search for vaccines, treatments, and testing research, and the FBI said the campaign affected more than 12,700 US organizations.
Prt-scan GitHub Actions secret-theft campaign
Campaign
First: 22.04.2026 20:33
Last: 22.04.2026 20:33
Sources 1
About this happening:
The **prt-scan** campaign has been systematically abusing **pull_request_target** GitHub Actions workflows to steal developer secrets and, when possible, publish **malicious packa...
Marimo CVE-2026-39987 exploitation wave
Exploitation Wave
First: 12.04.2026 17:20
Last: 12.04.2026 17:20
Sources 1
About this happening:
**Marimo** exploitation activity surged **within 12 hours of disclosure**, with **125 IP addresses** beginning reconnaissance against **CVE-2026-39987** and the **/terminal/ws** e...
Storm-1175 high-tempo Medusa ransomware campaign
Campaign
First: 07.04.2026 13:02
Last: 07.04.2026 13:02
Sources 1
About this happening:
**Storm-1175** is running a **high-tempo Medusa ransomware campaign** that has repeatedly exploited **n-day and zero-day flaws** to gain initial access before patching closes the...
Timeline
- 24.04.2026 12:29 · 1 article · 1mo ago
Trojanized SumatraPDF drops AdaptixC2 Beacon
Exploitation Observed: A campaign against Chinese-speaking individuals uses a ZIP archive with military-themed document lures to launch a rogue SumatraPDF reader, show a decoy PDF document, and retrieve encrypted shellcode from a staging server to deploy AdaptixC2 Beacon on targeted hosts.
Sources:
- Tropic Trooper Uses Trojanized SumatraPDF and GitHub to Deploy AdaptixC2 — thehackernews.com — 24.04.2026 12:29
- 24.04.2026 12:29 · 1 article · 1mo ago
TOSHIS loader and GitHub C2 details
Technical Analysis Update: The backdoored SumatraPDF executable launches a slightly modified loader codenamed TOSHIS, a Xiangoop variant linked to Tropic Trooper, while a custom AdaptixC2 Beacon listener uses GitHub as command-and-control and the staging server 158.247.193[.]100 hosts Cobalt Strike Beacon and EntryShell.
Sources:
- Tropic Trooper Uses Trojanized SumatraPDF and GitHub to Deploy AdaptixC2 — thehackernews.com — 24.04.2026 12:29
- 24.04.2026 12:29 · 1 article · 1mo ago
Valued victims get VS Code tunnel access
Victim Impact Update: When a targeted host is deemed valuable, the operators deploy Microsoft Visual Studio Code (VS Code) and set up VS Code tunnels for remote access, and on select machines they install alternative trojanized applications to better camouflage their actions.
Sources:
- Tropic Trooper Uses Trojanized SumatraPDF and GitHub to Deploy AdaptixC2 — thehackernews.com — 24.04.2026 12:29
- 24.04.2026 12:29 · 2 articles · 1mo ago
Zscaler attributes the campaign to Tropic Trooper
Initial Disclosure: Zscaler ThreatLabz says the campaign targets Chinese-speaking individuals in Taiwan, South Korea, and Japan, attributes the activity with high confidence to Tropic Trooper, and assesses the group as active since at least 2011.
Sources:
- Tropic Trooper Uses Trojanized SumatraPDF and GitHub to Deploy AdaptixC2 — thehackernews.com — 24.04.2026 12:29
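As an added defender-side example (not code from the article or from Zscaler), a small Python triage over constructed process-creation events that looks for the chain the timeline describes: SumatraPDF running outside its install directory, SumatraPDF spawning another executable, and a `code tunnel` start whose parent chain leads back to that reader. The event fields, paths and pids are assumed sample data, not telemetry from the campaign.

```python
import shlex

# Constructed sample events modelled on Sysmon Event ID 1 fields; every pid, path and name is made up.
SAMPLE_EVENTS = [
    {"pid": 4120, "ppid": 880, "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Users\u\Downloads\brief\SumatraPDF.exe",
     "cmdline": r'"C:\Users\u\Downloads\brief\SumatraPDF.exe" brief.pdf'},
    {"pid": 4188, "ppid": 4120, "parent_image": r"C:\Users\u\Downloads\brief\SumatraPDF.exe",
     "image": r"C:\Users\u\AppData\Local\Temp\upd.exe", "cmdline": "upd.exe"},
    {"pid": 5201, "ppid": 4188, "parent_image": r"C:\Users\u\AppData\Local\Temp\upd.exe",
     "image": r"C:\Users\u\AppData\Local\Programs\Microsoft VS Code\bin\code.exe",
     "cmdline": "code.exe tunnel"},
    {"pid": 6001, "ppid": 880, "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\SumatraPDF\SumatraPDF.exe",
     "cmdline": r'"C:\Program Files\SumatraPDF\SumatraPDF.exe" notes.pdf'},
]
INSTALL_DIRS = ("c:\\program files\\", "c:\\program files (x86)\\")

def basename(path):
    return path.lower().replace("/", "\\").rsplit("\\", 1)[-1]

def sumatra_outside_install_dir(ev):
    # Weak on its own: portable SumatraPDF legitimately runs from Downloads, so chain it with the rules below.
    return basename(ev["image"]) == "sumatrapdf.exe" and not ev["image"].lower().startswith(INSTALL_DIRS)

def sumatra_spawned_child(ev):
    # A PDF viewer launching another executable matches the loader hand-off in the timeline.
    return basename(ev["parent_image"]) == "sumatrapdf.exe"

def vscode_tunnel_started(ev):
    # 'code tunnel' is the VS Code CLI verb that exposes the host through a remote tunnel.
    argv = shlex.split(ev["cmdline"], posix=False)
    return basename(ev["image"]) in ("code.exe", "code") and len(argv) > 1 and argv[1].lower() == "tunnel"

RULES = {"sumatrapdf_outside_install_dir": sumatra_outside_install_dir,
         "sumatrapdf_spawned_child": sumatra_spawned_child,
         "vscode_tunnel_started": vscode_tunnel_started}

def triage(events):
    """Return (rule, pid) pairs for every event that matches a rule, in event order."""
    return [(name, ev["pid"]) for ev in events for name, rule in RULES.items() if rule(ev)]

def tunnel_descends_from_rogue_sumatra(events):
    """True when a 'code tunnel' start has a rogue SumatraPDF process among its ancestors."""
    by_pid = {ev["pid"]: ev for ev in events}
    rogue = {ev["pid"] for ev in events if sumatra_outside_install_dir(ev)}
    for ev in filter(vscode_tunnel_started, events):
        seen, cur = set(), ev
        while cur is not None and cur["pid"] not in seen:  # guard against ppid cycles in bad data
            if cur["pid"] in rogue:
                return True
            seen.add(cur["pid"])
            cur = by_pid.get(cur["ppid"])
    return False
```

Each rule alone is noisy (portable SumatraPDF, legitimate developer tunnels); the parent-chain check is what turns three weak signals into one actionable alert.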