A recent cybersecurity campaign has been linked to the hacking group known as Tropic Trooper, which is believed to be targeting Chinese-speaking individuals in Taiwan, South Korea, and Japan. This operation utilizes a trojanized version of the SumatraPDF reader to deploy the AdaptixC2 Beacon post-exploitation agent, facilitating unauthorized access through Microsoft Visual Studio Code (VS Code) tunnels.
Details of the Attack
Discovered by Zscaler ThreatLabz, the campaign is characterized by its use of a ZIP archive containing military-themed documents designed to lure victims. Upon execution, the compromised SumatraPDF displays a decoy PDF while simultaneously retrieving encrypted shellcode from a staging server. This shellcode activates the AdaptixC2 Beacon agent, which is responsible for establishing a connection to the attacker’s command-and-control (C2) infrastructure via GitHub.
Mechanics of the Malware
The backdoored SumatraPDF executable employs a modified loader known as TOSHIS, a variant of Xiangoop, previously associated with Tropic Trooper. This loader initiates a multi-stage attack, dropping both the lure document and the AdaptixC2 Beacon agent in the background. The agent communicates with the attacker’s infrastructure to execute tasks on the compromised host.
Targeting and Tools Used
When a victim is judged valuable enough, the attack escalates: the threat actor deploys VS Code on the host and configures VS Code tunnels for remote access. Additionally, the attackers have been observed installing alternative trojanized applications on select machines to further conceal their activities. The staging server involved in this operation has been linked to previous Tropic Trooper activities, hosting tools such as Cobalt Strike Beacon and a custom backdoor called EntryShell.
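As an added, defender-side example (not code from the article or from Zscaler's report), the following Python checker scans process-creation telemetry for the remote-access step described above: a VS Code CLI being started with the `tunnel` subcommand. The JSON-lines log shape, its field names (`host`, `user`, `image`, `cmdline`) and the sample records are all constructed for this example; the executable names matched by the regex are assumed names for the VS Code CLI and should be extended to whatever your environment ships. It also tags tunnels started from a VS Code binary outside the usual install directories, since the campaign dropped VS Code onto hosts that had not previously run it.

```python
"""Flag VS Code tunnel start-ups in process-creation telemetry.

Added example, not from the article or from Zscaler. The log format is a
hypothetical JSON-lines shape; adapt the field names to your EDR export.
"""
import json
import re
import shlex
from typing import Iterable, List

# Executable names assumed for the VS Code CLI (extend for your fleet).
# Matching the image name AND the 'tunnel' subcommand keeps false positives
# low: opening a folder with Code.exe must not trigger.
_VSCODE_IMAGE = re.compile(
    r"(?:^|[\\/])(?:code|code-tunnel|code-insiders)(?:\.exe|\.cmd)?$",
    re.IGNORECASE,
)

# Directories where a legitimately installed VS Code is expected to live
# (assumption for this example; tune to your software-deployment standard).
_STANDARD_DIRS = ("\\program files\\", "\\appdata\\local\\programs\\")


def is_vscode_tunnel(cmdline: str) -> bool:
    """True when the command line launches the VS Code CLI with the
    'tunnel' subcommand, e.g. `code.exe tunnel` or `code tunnel service install`."""
    try:
        # posix=False: keep Windows backslashes literal, honour double quotes.
        argv = shlex.split(cmdline, posix=False)
    except ValueError:
        return False  # unbalanced quotes: treat as not parseable, not as a hit
    if len(argv) < 2:
        return False
    image = argv[0].strip('"')
    return bool(_VSCODE_IMAGE.search(image)) and argv[1].lower() == "tunnel"


def unusual_install_path(image: str) -> bool:
    """True when the binary is not under one of the standard install roots."""
    return not any(d in image.lower() for d in _STANDARD_DIRS)


def find_tunnel_events(lines: Iterable[str]) -> List[dict]:
    """Parse JSON-lines process-creation records and return the ones that
    start a VS Code tunnel, each annotated with a list of 'reasons'."""
    hits = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            rec = json.loads(raw)
        except json.JSONDecodeError:
            continue  # skip malformed telemetry rather than abort the sweep
        if not is_vscode_tunnel(rec.get("cmdline", "")):
            continue
        reasons = ["vscode_tunnel_start"]
        if unusual_install_path(rec.get("image", "")):
            reasons.append("vscode_outside_standard_dirs")
        hits.append({**rec, "reasons": reasons})
    return hits


# Constructed sample telemetry (not real indicators from the campaign).
SAMPLE_RECORDS = [
    {"host": "ws-014", "user": "alice",
     "image": r"C:\Program Files\Microsoft VS Code\bin\code-tunnel.exe",
     "cmdline": r'"C:\Program Files\Microsoft VS Code\bin\code-tunnel.exe" tunnel --accept-server-license-terms'},
    {"host": "ws-014", "user": "alice",
     "image": r"C:\Program Files\Microsoft VS Code\Code.exe",
     "cmdline": r'"C:\Program Files\Microsoft VS Code\Code.exe" C:\repo'},
    {"host": "ws-022", "user": "bob",
     "image": r"C:\Users\bob\Downloads\code.exe",
     "cmdline": r"C:\Users\bob\Downloads\code.exe tunnel service install"},
    {"host": "ws-031", "user": "carol",
     "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": r"notepad.exe tunnel.txt"},
]
SAMPLE_LOG = [json.dumps(r) for r in SAMPLE_RECORDS]

if __name__ == "__main__":
    for hit in find_tunnel_events(SAMPLE_LOG):
        print(hit["host"], hit["user"], hit["reasons"])
```

Run as a script it prints two hits: the tunnel started from the standard install on ws-014, and the one on ws-022 that also carries the out-of-place-binary reason. Plain VS Code usage on ws-014 and the unrelated notepad record are ignored, which is the property to preserve when porting the logic to a SIEM rule.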
Conclusion and Observations
Zscaler noted that this campaign resembles the TAOTH campaign, as it employs publicly available backdoors as payloads. While previous operations utilized Cobalt Strike Beacon and Mythic Merlin, the current focus has shifted to the AdaptixC2 agent. The full scope and impact of this campaign remain to be fully assessed.
This article was produced by NeonPulse.today using human and AI-assisted editorial processes, based on publicly available information. Content may be edited for clarity and style.