Tropic Trooper Exploits Trojanized SumatraPDF, GitHub for Sophisticated Cyber Espionage Campaign

Tropic Trooper’s New Cyber Espionage Tactics: Trojanized SumatraPDF and GitHub Exploitation

A sophisticated cyber espionage campaign has been identified, targeting Chinese-speaking individuals in Taiwan, as well as individuals in South Korea and Japan. The campaign employs a trojanized version of the SumatraPDF reader to deploy the AdaptixC2 Beacon post-exploitation agent, ultimately facilitating the misuse of Microsoft Visual Studio Code (VS Code) tunnels for remote access.

Zscaler ThreatLabz, which uncovered the campaign in March 2026, attributes it with high confidence to Tropic Trooper, also known as APT23, Earth Centaur, KeyBoy, and Pirate Panda. This hacking group has been active since at least 2011, primarily targeting entities in Taiwan, Hong Kong, and the Philippines.

The attack begins with a ZIP archive containing military-themed document lures. When opened, the archive launches the trojanized SumatraPDF application, which displays a decoy PDF document to the user. Simultaneously, the application retrieves encrypted shellcode from a staging server to execute the AdaptixC2 Beacon.

To achieve this, the backdoored SumatraPDF executable triggers a modified version of a loader codenamed TOSHIS, a variant of Xiangoop. Xiangoop is malware previously linked to Tropic Trooper and has been used to fetch next-stage payloads like Cobalt Strike Beacon or the Merlin agent for the Mythic framework.

The loader orchestrates a multi-stage attack by dropping both the lure document as a distraction and the AdaptixC2 Beacon agent in the background. The agent utilizes GitHub as its command-and-control (C2) platform, communicating with attacker-controlled infrastructure to receive tasks for execution on the compromised host.

The attack progresses to the next stage only when the victim is deemed valuable. At this point, the threat actor deploys VS Code and establishes VS Code tunnels for remote access. On select machines, the attacker installs alternative, trojanized applications, likely to better conceal their activities.

Notably, the staging server involved in this intrusion (158.247.193[.]100) has been observed hosting a Cobalt Strike Beacon and a custom backdoor called EntryShell, both previously utilized by Tropic Trooper.
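Turning the chain described above into a hunt, as an added example that is not part of the report: it scans constructed process and network events (not real telemetry) for four observable signals the article describes, contact with the staging IP named above, GitHub traffic from a process that is neither a browser nor a git client, a VS Code `tunnel` process, and a PDF reader spawning a child process. The event field names, the allow-lists and the severity thresholds are assumptions.

```python
from collections import defaultdict

STAGING_IP = "158.247.193.100"          # staging server named in the report
GITHUB_HOSTS = {"github.com", "api.github.com", "raw.githubusercontent.com"}
# Processes for which GitHub traffic is expected on a workstation (assumed allow-list).
GITHUB_OK = {"chrome.exe", "msedge.exe", "firefox.exe", "git.exe", "gh.exe"}
PDF_READERS = {"sumatrapdf.exe"}

# Constructed sample events, not real telemetry. ws01 shows the full chain,
# ws02 is a developer using GitHub through a browser and git. IPs are made up.
SAMPLE_EVENTS = [
    {"type": "process", "host": "ws01", "image": "SumatraPDF.exe", "parent": "explorer.exe", "cmdline": "SumatraPDF.exe lure.pdf"},
    {"type": "network", "host": "ws01", "image": "SumatraPDF.exe", "dest_ip": "158.247.193.100", "dest_host": ""},
    {"type": "network", "host": "ws01", "image": "SumatraPDF.exe", "dest_ip": "140.82.112.6", "dest_host": "api.github.com"},
    {"type": "process", "host": "ws01", "image": "code.exe", "parent": "SumatraPDF.exe", "cmdline": "code.exe tunnel --name ws01"},
    {"type": "network", "host": "ws02", "image": "chrome.exe", "dest_ip": "140.82.112.6", "dest_host": "github.com"},
    {"type": "process", "host": "ws02", "image": "git.exe", "parent": "cmd.exe", "cmdline": "git push origin main"},
]

def hunt(events):
    """Return {host: set of signal names} for every host with at least one hit."""
    hits = defaultdict(set)
    for e in events:
        image = e["image"].lower()
        if e["type"] == "network":
            # Any contact with the known staging server is a hit on its own.
            if e["dest_ip"] == STAGING_IP:
                hits[e["host"]].add("staging_server_contact")
            # GitHub as C2: GitHub traffic from a process that has no business there.
            elif e["dest_host"].lower() in GITHUB_HOSTS and image not in GITHUB_OK:
                hits[e["host"]].add("github_from_unexpected_process")
        elif e["type"] == "process":
            argv = e["cmdline"].lower().split()
            # `code tunnel` exposes the host through a VS Code remote tunnel.
            if image == "code.exe" and "tunnel" in argv:
                hits[e["host"]].add("vscode_tunnel_started")
            # A PDF reader should render documents, not launch other programs.
            if e["parent"].lower() in PDF_READERS and image not in PDF_READERS:
                hits[e["host"]].add("pdf_reader_spawned_child")
    return dict(hits)

def triage(hits):
    """Map each host to a severity; three or more distinct signals is 'high'."""
    levels = {1: "low", 2: "medium"}
    return {host: levels.get(len(signals), "high") for host, signals in hits.items()}
```

The staging-server rule fires on a single event; the other three are only worth escalating when they co-occur on one host, which is what `triage` encodes.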

This campaign underscores the evolving tactics of Tropic Trooper, highlighting their ability to adapt and employ sophisticated methods to infiltrate targeted systems.