Tropic Trooper’s New Cyberattack Exploits Developer Tools for Stealthy Remote Access
A sophisticated cyberattack campaign attributed to the notorious threat group Tropic Trooper has recently been uncovered, targeting Chinese-speaking individuals in Taiwan, as well as individuals in South Korea and Japan. This campaign, identified on March 12, 2026, employs military-themed document lures to initiate a multi-stage attack chain aimed at establishing persistent remote access to compromised systems.
Initial Attack Vector:
The attack begins with a malicious ZIP archive containing a trojanized version of the open-source SumatraPDF reader. This executable is deceptively named `Comparative Analysis of US-UK and US-Australia Nuclear Submarine Cooperation (2025).exe`. When executed, it displays a legitimate-looking PDF document discussing American submarines and the AUKUS security partnership. Simultaneously, it downloads and executes an AdaptixC2 Beacon agent in the background, compromising the system without the user’s knowledge.
Attribution and Toolset Evolution:
Researchers from Zscaler ThreatLabz have analyzed the campaign and confidently attribute it to Tropic Trooper, also known as Earth Centaur and Pirate Panda. The loader used in this attack closely resembles the TOSHIS loader, previously linked to Tropic Trooper in earlier campaigns. The staging server associated with this attack also hosts other known Tropic Trooper tools, including a Cobalt Strike Beacon with the group’s signature watermark 520 and an EntryShell backdoor, further supporting this attribution.
Notably, Tropic Trooper has evolved its toolset, shifting from previously used backdoors such as Cobalt Strike Beacon to the open-source AdaptixC2 framework, with a custom beacon listener built on top of it. This move to publicly available offensive tooling complicates attribution and lowers the barrier to reuse across different operations, a trend increasingly observed among advanced persistent threat (APT) groups in the Asia-Pacific region.
Abuse of Developer Tools for Remote Access:
A particularly innovative aspect of this campaign is the abuse of Visual Studio (VS) Code tunnels for remote access. After the initial compromise, if a target is deemed interesting, the attackers use VS Code’s tunnel feature to establish interactive access to the victim’s machine, creating scheduled tasks for persistence and conducting network reconnaissance with commands such as `arp` and `net view`. Because VS Code is a legitimate developer tool whose traffic is generally trusted by enterprise security tools and network monitoring systems, this access is difficult to detect.
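The behaviour described above (the VS Code CLI started with its `tunnel` subcommand, a scheduled task that re-launches it, and discovery commands such as `arp` and `net view` in quick succession) is visible in ordinary process-creation telemetry even when the tunnel's network traffic looks like trusted developer activity. The following detection sketch is an added example written for this page; it is not code from the article or from Zscaler ThreatLabz. The event schema (`ts`, `host`, `user`, `parent`, `image`, `cmdline`), the constructed sample events, the placeholder lure name `lure_document.exe`, the recon tool list and the 300-second window are all assumptions of the example; `code tunnel --accept-server-license-terms` is a real VS Code CLI invocation.

```python
import re
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Constructed Windows process-creation events (not telemetry from the campaign).
# Field names are this example's assumption; map them onto your EDR schema.
SAMPLE_EVENTS = [
    {"ts": "2026-03-12T09:00:05", "host": "WS-17", "user": "alice",
     "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Users\alice\Downloads\lure_document.exe",  # placeholder name
     "cmdline": "lure_document.exe"},
    # A document viewer (not a shell or explorer) launching the VS Code CLI tunnel.
    {"ts": "2026-03-12T09:00:09", "host": "WS-17", "user": "alice",
     "parent": r"C:\Users\alice\Downloads\lure_document.exe",
     "image": r"C:\Users\alice\AppData\Local\Temp\code.exe",
     "cmdline": "code.exe tunnel --accept-server-license-terms"},
    {"ts": "2026-03-12T09:00:20", "host": "WS-17", "user": "alice",
     "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": 'schtasks.exe /create /tn "Updater" /sc onlogon '
                '/tr "C:\\Users\\alice\\AppData\\Local\\Temp\\code.exe tunnel"'},
    {"ts": "2026-03-12T09:00:31", "host": "WS-17", "user": "alice",
     "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\ARP.EXE", "cmdline": "arp -a"},
    {"ts": "2026-03-12T09:00:40", "host": "WS-17", "user": "alice",
     "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\net.exe", "cmdline": "net view"},
    # Benign: a developer opening a folder in VS Code, no tunnel subcommand.
    {"ts": "2026-03-12T09:05:00", "host": "WS-17", "user": "alice",
     "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\Microsoft VS Code\Code.exe",
     "cmdline": 'Code.exe "C:\\proj"'},
    # Benign: a lone discovery command on another host stays under the threshold.
    {"ts": "2026-03-12T09:10:00", "host": "WS-22", "user": "bob",
     "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\ipconfig.exe", "cmdline": "ipconfig /all"},
]

VSCODE_BINARIES = {"code.exe", "code-tunnel.exe", "code"}
RECON_TOOLS = {"arp.exe", "net.exe", "ipconfig.exe", "nltest.exe", "whoami.exe"}
RECON_WINDOW = timedelta(seconds=300)   # assumption: tune to your environment
RECON_MIN_DISTINCT = 2


def _basename(path):
    return PureWindowsPath(path).name.lower()


def _recon_tool(event):
    """Return the discovery tool name if this event is a recon command, else None."""
    name = _basename(event["image"])
    if name not in RECON_TOOLS:
        return None
    # net.exe is noisy; only its enumeration verbs count as discovery here.
    if name == "net.exe" and not re.search(r"\b(view|group|user)\b", event["cmdline"], re.I):
        return None
    return name


def detect(events):
    """Run three rules over process events and return findings sorted by time."""
    findings = []
    recon_by_host = {}   # host -> list of (timestamp, tool)
    last_burst = {}      # host -> timestamp of the last recon_burst finding
    for ev in sorted(events, key=lambda e: e["ts"]):
        name, cmd = _basename(ev["image"]), ev["cmdline"].lower()
        ts = datetime.fromisoformat(ev["ts"])
        # Rule 1: the VS Code CLI started with the `tunnel` subcommand.
        # The parent is recorded because a document viewer spawning it is the
        # lineage that separates this from a developer's own tunnel.
        if name in VSCODE_BINARIES and re.search(r"\btunnel\b", cmd):
            findings.append({"rule": "vscode_tunnel_launch", "host": ev["host"],
                             "ts": ev["ts"], "detail": f"parent={_basename(ev['parent'])}"})
        # Rule 2: a scheduled task whose action re-launches a tunnel (persistence).
        if name == "schtasks.exe" and "/create" in cmd and "tunnel" in cmd:
            findings.append({"rule": "schtasks_persists_tunnel", "host": ev["host"],
                             "ts": ev["ts"], "detail": cmd})
        # Rule 3: two or more distinct discovery tools on one host inside the window.
        tool = _recon_tool(ev)
        if tool:
            window = recon_by_host.setdefault(ev["host"], [])
            window.append((ts, tool))
            recent = {t for (when, t) in window if ts - when <= RECON_WINDOW}
            prev = last_burst.get(ev["host"])
            if len(recent) >= RECON_MIN_DISTINCT and (prev is None or ts - prev > RECON_WINDOW):
                last_burst[ev["host"]] = ts
                findings.append({"rule": "recon_burst", "host": ev["host"],
                                 "ts": ev["ts"], "detail": ",".join(sorted(recent))})
    return sorted(findings, key=lambda f: f["ts"])


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"{f['ts']} {f['host']} {f['rule']}: {f['detail']}")
```

Rule 1 will also fire for developers who legitimately run `code tunnel`, so in production it is paired with an allowlist of known users or hosts, while the parent-process lineage in the finding is what should drive triage: an interactive shell or `explorer.exe` as parent is ordinary, a document viewer or a binary in a temporary directory is not. The recon rule deliberately ignores single commands and only alerts on a burst of distinct discovery tools, which keeps it quiet on hosts where an administrator runs one `ipconfig`.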
Innovative Command-and-Control Mechanism:
The most technically inventive aspect of this campaign is Tropic Trooper’s use of GitHub as its command-and-control (C2) platform. Instead of communicating directly with a traditional attacker-controlled server, the AdaptixC2 beacon interacts with a GitHub repository. It reads task assignments from GitHub Issues and uploads results back to the same repository as file contents. This entire C2 workflow operates through a repository created under a fake GitHub account, making it extremely difficult for network defenders to distinguish malicious traffic from legitimate GitHub activity.
Implications and Recommendations:
This campaign underscores the increasing sophistication of APT groups like Tropic Trooper, who are adept at leveraging legitimate tools and platforms to conduct stealthy operations. The use of open-source frameworks and trusted developer tools for malicious purposes highlights the need for organizations to implement robust security measures, including:
– Enhanced Monitoring: Implementing advanced monitoring solutions that can detect anomalous behavior associated with legitimate tools like VS Code.
– User Education: Educating employees about the risks of opening unsolicited documents, even if they appear legitimate.
– Access Controls: Restricting the use of developer tools and platforms to authorized personnel and ensuring they are configured securely.
– Regular Audits: Conducting regular audits of network traffic to identify unusual patterns that may indicate malicious activity.
By staying vigilant and adopting comprehensive security strategies, organizations can better defend against sophisticated threats like those posed by Tropic Trooper.