A recent cyberattack campaign attributed to the notorious threat group Tropic Trooper has been identified, targeting Chinese-speaking individuals in Taiwan, as well as people in South Korea and Japan. The attack employs military-themed document lures and advanced techniques to compromise systems.
Discovery and Attack Chain
Disclosed on March 12, 2026, the campaign began with a malicious ZIP archive that researchers found to initiate a multi-stage attack designed for persistent access. This campaign is notable for its use of open-source tools combined with unconventional exploitation of developer infrastructure.
The attack utilizes a trojanized version of the SumatraPDF reader, masquerading as a document titled “Comparative Analysis of US-UK and US-Australia Nuclear Submarine Cooperation (2025).exe.” Running the file downloads a genuine-looking PDF while secretly deploying an AdaptixC2 Beacon agent, compromising the system without alerting the user.
Technical Insights and Attribution
Experts from Zscaler ThreatLabz have linked the attack to Tropic Trooper, also known as Earth Centaur and Pirate Panda. The group’s use of a loader similar to the TOSHIS loader, previously associated with them, supports this attribution. Additional tools found on the staging server, including a Cobalt Strike Beacon with a “520” watermark and an EntryShell backdoor, further corroborate their involvement.
The campaign showcases a strategic shift in Tropic Trooper’s methods, moving from traditional backdoors to the AdaptixC2 framework. The use of open-source tools complicates attribution and facilitates reuse across operations, a trend among advanced persistent threat groups in the Asia-Pacific region.
Innovative Use of GitHub and VS Code
A unique aspect of this campaign is the use of Visual Studio Code tunnels for remote access, performed post-compromise. This method involves creating scheduled tasks for persistence and conducting network reconnaissance, utilizing VS Code’s trusted infrastructure to evade detection.
Furthermore, the campaign employs a custom AdaptixC2 beacon listener that communicates via GitHub. By interacting with a GitHub repository, the beacon reads task assignments and uploads results, blending malicious activity with legitimate developer traffic.
The beacon sends encrypted communications to GitHub, using RC4 encryption and quickly deleting interactions to prevent detection. This innovative approach makes it challenging for network defenders to distinguish between malicious and regular activity.
Protective Measures and Recommendations
Organizations should implement measures to mitigate such threats, including monitoring unexpected GitHub API endpoint traffic, enforcing strict application allowlisting to block trojanized binaries, and auditing VS Code tunnel usage. It’s also crucial to monitor for unusual scheduled tasks and IP-lookup service usage.
Proactive email and file gateway controls can help detect and block malicious ZIP archives disguised as documents, reducing exposure to similar attack vectors.
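The GitHub-based beacon described above (tasks read from a repository, results uploaded, interactions deleted quickly) and the monitoring recommendations (unexpected GitHub API traffic, VS Code tunnel usage, IP-lookup services) can be turned into a simple proxy-log triage. The script below is an added example written from the defender's side; it is not Zscaler's code and not part of the original article. The log format, the sample lines, the thresholds, and the assumption that the beacon uses the GitHub contents API (PUT then DELETE on the same path) are all constructed for illustration; the VS Code tunnel domain suffix and IP-lookup host list are assumptions to be tuned per environment.

```python
"""Toy proxy-log triage for the signals in the article (added example).

Flags, per source host: (1) GitHub contents-API create/delete churn, the
'quickly deleted interactions' pattern of a beacon using a repository as a
drop box; (2) VS Code tunnel traffic; (3) IP-lookup service use.
Log format, thresholds and indicator lists are assumptions, not IoCs from
the report.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample proxy log: "<ISO timestamp> <src_ip> <method> <host> <path>"
SAMPLE_LOG = """\
2026-03-12T09:00:01 10.0.0.5 GET api.github.com /repos/acme/docs/contents/README.md
2026-03-12T09:00:02 10.0.0.5 PUT api.github.com /repos/acme/docs/contents/README.md
2026-03-12T09:01:00 10.0.0.23 PUT api.github.com /repos/x9/notes/contents/t1.txt
2026-03-12T09:01:04 10.0.0.23 DELETE api.github.com /repos/x9/notes/contents/t1.txt
2026-03-12T09:02:00 10.0.0.23 PUT api.github.com /repos/x9/notes/contents/t2.txt
2026-03-12T09:02:03 10.0.0.23 DELETE api.github.com /repos/x9/notes/contents/t2.txt
2026-03-12T09:03:00 10.0.0.23 PUT api.github.com /repos/x9/notes/contents/t3.txt
2026-03-12T09:03:05 10.0.0.23 DELETE api.github.com /repos/x9/notes/contents/t3.txt
2026-03-12T09:04:00 10.0.0.23 GET api.ipify.org /
2026-03-12T09:05:00 10.0.0.23 POST global.rel.tunnels.api.visualstudio.com /api/v1/tunnels
2026-03-12T09:06:00 10.0.0.7 GET github.com /acme/docs
"""

# Assumed indicator lists; adjust to what is normal in your environment.
TUNNEL_DOMAIN_SUFFIXES = ("tunnels.api.visualstudio.com",)
IP_LOOKUP_HOSTS = {"api.ipify.org", "ifconfig.me", "icanhazip.com"}


def parse_log(text):
    """Parse the constructed log format into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, method, host, path = line.split(maxsplit=4)
        events.append({"ts": datetime.fromisoformat(ts), "src": src,
                       "method": method, "host": host, "path": path})
    return events


def github_churn_hosts(events, max_lifetime_s=30, min_pairs=3):
    """Source IPs that create and then delete the same file on the GitHub
    contents API within max_lifetime_s seconds, at least min_pairs times.
    Ordinary developer pushes rarely delete a file seconds after creating it."""
    pending = {}                 # (src, path) -> time of the PUT
    pairs = defaultdict(int)     # src -> count of fast create/delete pairs
    for e in events:
        if e["host"] != "api.github.com" or "/contents/" not in e["path"]:
            continue
        key = (e["src"], e["path"])
        if e["method"] == "PUT":
            pending[key] = e["ts"]
        elif e["method"] == "DELETE" and key in pending:
            if (e["ts"] - pending.pop(key)).total_seconds() <= max_lifetime_s:
                pairs[e["src"]] += 1
    return sorted(src for src, n in pairs.items() if n >= min_pairs)


def vscode_tunnel_hosts(events):
    """Source IPs that talk to the (assumed) VS Code tunnel service."""
    return sorted({e["src"] for e in events
                   if e["host"].endswith(TUNNEL_DOMAIN_SUFFIXES)})


def ip_lookup_hosts(events):
    """Source IPs that query a public IP-lookup service."""
    return sorted({e["src"] for e in events if e["host"] in IP_LOOKUP_HOSTS})


def triage(text):
    """Combine the three signals per source host; hosts that trip two or
    more signals deserve a look first."""
    events = parse_log(text)
    signals = defaultdict(list)
    for src in github_churn_hosts(events):
        signals[src].append("github-churn")
    for src in vscode_tunnel_hosts(events):
        signals[src].append("vscode-tunnel")
    for src in ip_lookup_hosts(events):
        signals[src].append("ip-lookup")
    return dict(signals)


if __name__ == "__main__":
    for src, hits in triage(SAMPLE_LOG).items():
        print(src, hits)
```

On the sample log the host 10.0.0.23 trips all three signals, while the developer workstation 10.0.0.5, which edits a README without deleting it, is left alone. Because the beacon's payloads are RC4-encrypted, the content of the files is of no use to the detector; the timing pattern of create-then-delete, combined with tunnel and IP-lookup activity, is what separates it from legitimate developer traffic. Scheduled-task creation, the other recommendation in the article, is a host-side signal and would come from endpoint telemetry rather than this log.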
