Tropic Trooper campaign uses trojanized SumatraPDF to deploy AdaptixC2

A campaign targeting Chinese-speaking users in Taiwan, South Korea and Japan is using a trojanized version of SumatraPDF to deploy the AdaptixC2 Beacon and then abuse Visual Studio Code tunnels for remote access, according to a technical analysis from Zscaler ThreatLabz.

KEY FACTS

  • Targeting Chinese-speaking individuals in Taiwan, plus users in South Korea and Japan.
  • Initial access: A ZIP file with military-themed lures launches a rogue SumatraPDF reader.
  • Payload: The malware retrieves encrypted shellcode to run AdaptixC2 Beacon.
  • Attribution: The activity is linked with high confidence to Tropic Trooper.
  • Follow-on access: On victims deemed valuable, the operators install VS Code and set up tunnels for remote access.

The report said the backdoored PDF reader opens a decoy document while a modified loader drops the background payload. That loader is a variant of Xiangoop, a malware family previously linked to the group and used to stage other tools.

The campaign uses GitHub as a command and control platform for a custom AdaptixC2 Beacon listener. The staging server at 158.247.193.100 was also seen hosting Cobalt Strike Beacon and a custom backdoor called EntryShell, both associated with earlier operations.

On selected machines, the operators installed alternative trojanized applications, apparently to hide their activity. Zscaler said the group has shifted from earlier payloads such as Cobalt Strike Beacon and Merlin to AdaptixC2.

WHY IT MATTERS

The case shows how a known intrusion set can combine fake software, public cloud services and legitimate developer tools to stay inside a network. It also suggests that defenders should watch for suspicious use of VS Code tunnels and trojanized installers alongside more traditional malware signals.
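As an added illustration of the detection advice above (this is example code, not part of Zscaler's report or the article), the filter below scans process-creation events for the two signals the article names: a VS Code CLI launching a tunnel on a host where that is not expected, and a SumatraPDF binary running from a download or archive-extraction directory. The log format, sample events, host names, and path heuristics are constructed assumptions to be tuned to your own baseline; the `code tunnel` subcommand is the real VS Code CLI syntax.

```python
import re
from dataclasses import dataclass

@dataclass
class ProcEvent:
    host: str
    image: str          # full path of the new process
    cmdline: str
    parent_image: str

# Directories a ZIP-extracted "SumatraPDF" is likely to run from; a legitimate
# install lives under Program Files. Assumption: tune to your environment.
UNTRUSTED_DIRS = re.compile(r"\\(Temp|Downloads|AppData\\Local\\Temp)\\", re.I)
VSCODE_IMAGES = {"code.exe", "code-tunnel.exe", "code"}   # assumed image names
DEV_HOSTS = {"dev-ws-01"}   # hosts where VS Code tunnels are expected (assumption)
SHELLS = {"cmd.exe", "powershell.exe"}

def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def check_event(ev: ProcEvent) -> list[str]:
    """Return a list of finding strings for one process-creation event."""
    findings = []
    img = basename(ev.image)
    # 1. VS Code CLI starting a tunnel ("code tunnel ...") on a non-developer host.
    if img in VSCODE_IMAGES and re.search(r"\btunnel\b", ev.cmdline, re.I) \
            and ev.host not in DEV_HOSTS:
        findings.append(f"{ev.host}: VS Code tunnel started: {ev.cmdline}")
    # 2. SumatraPDF executing from a download/extraction directory.
    if img == "sumatrapdf.exe" and UNTRUSTED_DIRS.search(ev.image):
        findings.append(f"{ev.host}: SumatraPDF run from untrusted path {ev.image}")
    # 3. A PDF reader spawning a shell or the VS Code CLI is not normal reader behaviour.
    if basename(ev.parent_image) == "sumatrapdf.exe" and img in VSCODE_IMAGES | SHELLS:
        findings.append(f"{ev.host}: SumatraPDF spawned {img}")
    return findings

def scan(events: list[ProcEvent]) -> list[str]:
    return [f for ev in events for f in check_event(ev)]

# Constructed sample events, not real telemetry.
SAMPLE = [
    ProcEvent("hr-pc-07", r"C:\Users\u\AppData\Local\Temp\7zO1\SumatraPDF.exe",
              "SumatraPDF.exe brief.pdf", r"C:\Windows\explorer.exe"),
    ProcEvent("hr-pc-07", r"C:\Users\u\AppData\Local\Programs\Microsoft VS Code\bin\code.exe",
              "code tunnel --accept-server-license-terms", r"C:\Windows\System32\cmd.exe"),
    ProcEvent("dev-ws-01", r"C:\Program Files\Microsoft VS Code\bin\code.exe",
              "code tunnel", r"C:\Windows\System32\cmd.exe"),
    ProcEvent("fin-pc-02", r"C:\Program Files\SumatraPDF\SumatraPDF.exe",
              "SumatraPDF.exe report.pdf", r"C:\Windows\explorer.exe"),
]

if __name__ == "__main__":
    for line in scan(SAMPLE):
        print(line)
```

Running it against the constructed sample flags the Temp-path SumatraPDF and the tunnel on the HR workstation, while the developer host's tunnel and the properly installed reader pass.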