Published on April 24, 2026
Tropic Trooper Uses Trojanized SumatraPDF and GitHub to Deploy AdaptixC2
Severity
Medium
Detail
Cybersecurity researchers have uncovered a new targeted campaign attributed to the China-linked threat group Tropic Trooper (APT23). The attack leverages a trojanized version of the legitimate SumatraPDF reader to deploy the AdaptixC2 Beacon, enabling persistent access and post-exploitation activities.
The campaign primarily targets Chinese-speaking users, particularly in Taiwan, as well as individuals in South Korea and Japan. Attackers distribute malicious ZIP archives containing decoy documents with military-themed lures. When opened, the compromised SumatraPDF application displays a benign document to the victim while secretly executing malicious code in the background.
The infection process involves a modified loader known as TOSHIS (a variant of Xiangoop), which retrieves encrypted shellcode from a staging server and launches the AdaptixC2 Beacon. This beacon uses GitHub as a command-and-control (C2) channel, allowing attackers to blend malicious traffic with legitimate services and evade detection.
Once a system is compromised and deemed valuable, attackers escalate their operations by deploying Microsoft Visual Studio Code (VS Code) and establishing VS Code tunnels. This enables stealthy remote access and long-term control over the infected machine. In some cases, additional trojanized applications are installed to further disguise malicious activity.
The campaign infrastructure has also been observed hosting other known tools such as Cobalt Strike Beacon and a custom backdoor named EntryShell, indicating a flexible and evolving attack toolkit.
How?
The attack chain follows a multi-stage process:
- Victims download a malicious ZIP archive containing lure documents and a trojanized SumatraPDF executable
- The fake PDF reader displays a decoy document while executing hidden malicious code
- A modified loader (TOSHIS) retrieves encrypted payloads from a remote staging server
- AdaptixC2 Beacon is deployed and communicates with attackers via GitHub-based C2
- Additional tools and payloads are selectively deployed based on the victim’s value
- Attackers establish persistence and remote access using VS Code tunnels
Recommendation & Conclusion
This campaign highlights the continued evolution of advanced persistent threats (APTs), particularly in their use of legitimate tools like GitHub and VS Code to evade detection. By combining social engineering, trojanized software, and trusted platforms, attackers can maintain stealthy and persistent access to high-value targets.
Organizations should:
- Avoid downloading software from untrusted or unofficial sources
- Monitor the use of developer tools like VS Code in non-development environments
- Inspect outbound connections to platforms like GitHub for anomalies
- Implement endpoint detection and response (EDR) solutions
- Educate users about phishing and trojanized software risks
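The two monitoring recommendations above (VS Code use outside development teams, and unexpected outbound connections to GitHub) can be turned into simple triage rules over endpoint telemetry. The script below is an added example written for this page; it is not code from the advisory, from The Hacker News, or from any vendor product. The event schema, host names, process names, the developer-host allowlist and the list of processes expected to talk to GitHub are all assumptions for illustration, and the sample events are constructed, not indicators from the campaign. The `tunnel` subcommand of the VS Code CLI is the documented way to start a VS Code tunnel, which is why the rule keys on it. The example generalises slightly beyond the bullet list by also flagging a PDF reader that spawns child processes or opens network connections, since that is the behaviour the trojanized SumatraPDF described above would exhibit.

```python
"""Triage rules for the behaviours described in the advisory.

Added example, not part of the original advisory. Telemetry field names,
hostnames, allowlists and all sample events below are assumptions /
constructed data, not indicators from the campaign.
"""
import ntpath  # handles both '\\' and '/' separators regardless of host OS

# --- assumed environment knowledge (would come from asset inventory) -------
DEV_HOSTS = {"dev-ws-01"}                       # hosts where VS Code is expected
VSCODE_IMAGES = {"code.exe", "code"}            # VS Code CLI / editor binaries
GITHUB_DOMAINS = {"github.com", "api.github.com", "raw.githubusercontent.com"}
EXPECTED_GITHUB_CLIENTS = {"chrome.exe", "msedge.exe", "firefox.exe", "git.exe"}
PDF_READERS = {"sumatrapdf.exe"}                # viewers that should not spawn/beacon

# --- constructed sample telemetry (process-creation and network events) ----
SAMPLE_EVENTS = [
    # developer starting a tunnel on a sanctioned dev workstation: benign
    {"type": "process", "host": "dev-ws-01",
     "image": r"C:\Users\alice\AppData\Local\Programs\Microsoft VS Code\Code.exe",
     "cmdline": "Code.exe tunnel", "parent": r"C:\Windows\System32\cmd.exe"},
    # same command on a finance laptop that has no reason to run VS Code
    {"type": "process", "host": "fin-laptop-07",
     "image": r"C:\Users\bob\AppData\Local\code\code.exe",
     "cmdline": "code.exe tunnel", "parent": r"C:\Windows\System32\cmd.exe"},
    # git fetching from GitHub on the dev box: expected
    {"type": "network", "host": "dev-ws-01",
     "image": r"C:\Program Files\Git\cmd\git.exe", "dest": "github.com"},
    # a PDF reader talking to the GitHub API: fires two rules
    {"type": "network", "host": "fin-laptop-07",
     "image": r"C:\Users\bob\Downloads\SumatraPDF\SumatraPDF.exe",
     "dest": "api.github.com"},
    # the PDF reader launching a shell
    {"type": "process", "host": "fin-laptop-07",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -w hidden",
     "parent": r"C:\Users\bob\Downloads\SumatraPDF\SumatraPDF.exe"},
    # browser visiting GitHub: expected
    {"type": "network", "host": "hr-pc-03",
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "dest": "github.com"},
]


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return ntpath.basename(path).lower()


def check_event(ev: dict) -> list[dict]:
    """Apply every rule to one event and return the findings it raises."""
    findings = []
    img = basename(ev["image"])

    def hit(rule: str, detail: str) -> None:
        findings.append({"rule": rule, "host": ev["host"],
                         "image": img, "detail": detail})

    if ev["type"] == "process":
        # arguments after the program name, e.g. ["tunnel"]
        args = ev.get("cmdline", "").split()[1:]
        if img in VSCODE_IMAGES and "tunnel" in args and ev["host"] not in DEV_HOSTS:
            hit("vscode_tunnel_nondev",
                "VS Code tunnel started on a host not in the developer allowlist")
        if basename(ev.get("parent", "")) in PDF_READERS:
            hit("pdf_reader_spawned_process",
                f"PDF reader spawned {img}")
    elif ev["type"] == "network":
        dest = ev["dest"].lower()
        if dest in GITHUB_DOMAINS and img not in EXPECTED_GITHUB_CLIENTS:
            hit("unexpected_github_client",
                f"{img} connected to {dest}")
        if img in PDF_READERS:
            hit("pdf_reader_network",
                f"PDF reader opened a connection to {dest}")
    return findings


def triage(events: list[dict]) -> list[dict]:
    """Run the rules over a batch of events, preserving event order."""
    return [f for ev in events for f in check_event(ev)]


if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(f"[{finding['rule']}] {finding['host']}: {finding['detail']}")
```

Each rule is deliberately narrow and depends on environment knowledge (which hosts are developer machines, which processes legitimately reach GitHub); in a real deployment those sets are fed from asset inventory and tuned against a baseline, and the `unexpected_github_client` rule in particular will need per-environment allowlisting before it is useful as an alert rather than a hunting query.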
Source
https://thehackernews.com/2026/04/tropic-trooper-uses-trojanized.html
