
Tropic Trooper Uses Fake SumatraPDF and GitHub to Deploy AdaptixC2

A newly identified cyber campaign is targeting Chinese-speaking individuals by using a trojanized version of the SumatraPDF reader to deliver a post-exploitation tool known as AdaptixC2 Beacon. Security researchers at Zscaler ThreatLabz discovered the campaign last month and have attributed it with high confidence to the advanced persistent threat group Tropic Trooper.

Campaign Overview and Initial Infection

The attack chain begins with a malicious executable disguised as a legitimate SumatraPDF installer. This trojanized software is hosted on GitHub, a platform commonly used for legitimate software distribution, which helps the attackers evade detection. Once a victim downloads and runs the fake installer, it deploys the AdaptixC2 Beacon, a framework used for post-exploitation activities.

AdaptixC2 is an open-source command and control framework that allows attackers to maintain persistent access to compromised systems. It is frequently used by threat actors to execute commands, move laterally within networks, and exfiltrate data.

The Role of VS Code Tunnels

After establishing a foothold with AdaptixC2, the campaign leverages a feature of Microsoft Visual Studio Code (VS Code) called tunnels. VS Code tunnels are designed to allow remote development by creating a secure connection between a local machine and a remote server. The attackers abuse this legitimate functionality to maintain covert remote access to the victim’s system, making their activity harder to distinguish from normal network traffic.

This technique of using built-in developer tools for malicious purposes is part of a growing trend known as living-off-the-land (LotL), where attackers use legitimate software features to blend in with regular operations.

Target Profile and Attribution

The campaign specifically targets Chinese-speaking individuals, suggesting that the attackers are focusing on a particular linguistic or geographic demographic. Zscaler ThreatLabz has attributed the operation to Tropic Trooper, also tracked under aliases such as APT23 or Pirpi. This group has been active for over a decade, primarily targeting government, military, and healthcare organizations in East Asia, with a particular focus on Taiwan and the Philippines.

The use of trojanized software hosted on public repositories is a hallmark of Tropic Trooper’s tactics. The group has previously employed similar methods using fake versions of other popular applications to distribute malware.

Implications for Cybersecurity

The abuse of GitHub as a distribution channel for malware is a significant concern for organizations and individuals who rely on the platform for software downloads. GitHub has implemented security measures to scan repositories for malicious code, but attackers continue to find ways to bypass these controls.

Similarly, the misuse of VS Code tunnels highlights the challenges posed by living-off-the-land techniques. Security teams are increasingly required to monitor for unusual use of legitimate tools, as traditional signature-based detection methods are often ineffective against such attacks.

Defense Recommendations

Zscaler ThreatLabz recommends that users and organizations verify the integrity of software downloads, especially those obtained from third-party sources or public repositories. Users should only download software from official developer websites or trusted app stores.
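The integrity check recommended above, as an added example (not code from the article or from Zscaler): the downloaded installer's SHA-256 is streamed from disk and compared in constant time against a hash pinned from the vendor's official download page. The file name, the pinned hash and the installer bytes are all constructed stand-ins; the policy that a file with no pinned hash is refused is an assumption of this example.

```python
import hashlib
import hmac
import tempfile
from pathlib import Path

# Constructed example data: in practice the pinned hash is copied from the
# vendor's official download page, never from the site that served the binary
# (assumption about the verification policy, not something the article states).
GOOD_INSTALLER_BYTES = b"constructed good installer bytes"
EXPECTED_SHA256 = {
    "SumatraPDF-setup.exe": hashlib.sha256(GOOD_INSTALLER_BYTES).hexdigest(),
}


def sha256_file(path, chunk_size=1 << 20):
    """Hash the file in chunks so large installers are never held in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_download(path, expected_hashes=EXPECTED_SHA256):
    """Return (ok, reason) for a downloaded installer.

    A file with no pinned hash is treated as untrusted rather than unknown,
    and the comparison uses hmac.compare_digest to avoid timing differences.
    """
    path = Path(path)
    expected = expected_hashes.get(path.name)
    if expected is None:
        return False, f"no pinned hash for {path.name}; refuse to run it"
    actual = sha256_file(path)
    if not hmac.compare_digest(actual, expected):
        return False, f"hash mismatch: expected {expected[:12]}..., got {actual[:12]}..."
    return True, "hash matches pinned value"


def _write_temp(name, data):
    """Write constructed sample bytes to a fresh temp directory and return the path."""
    directory = Path(tempfile.mkdtemp())
    target = directory / name
    target.write_bytes(data)
    return target


if __name__ == "__main__":
    good = _write_temp("SumatraPDF-setup.exe", GOOD_INSTALLER_BYTES)
    tampered = _write_temp("SumatraPDF-setup.exe", b"constructed trojanized bytes")
    print(verify_download(good))      # (True, 'hash matches pinned value')
    print(verify_download(tampered))  # (False, 'hash mismatch: ...')
```

The check only helps if the pinned hash comes from a channel independent of the download itself; a hash published beside a trojanized binary in the same repository proves nothing.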

For enterprises, monitoring network traffic for anomalous use of tools like VS Code tunnels is critical. Implementing strict application control policies and using endpoint detection and response (EDR) solutions can help identify and block malicious behavior associated with post-exploitation frameworks like AdaptixC2.
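One way to monitor for the anomalous VS Code tunnel use described above, as an added example that is not part of the article or of any vendor product: process-creation and DNS events (constructed, loosely Sysmon-shaped JSON lines) are scanned for the VS Code CLI's `tunnel` subcommand and for lookups of the tunnel service domains, and hits are enriched with context that separates a developer's expected use from a tunnel spawned by an installer on a non-developer host. The tunnel domains, the developer-host allowlist, the "expected parent" list and the event field names are assumptions of this example and should be checked against Microsoft's current documentation and the local telemetry schema.

```python
import json
import re

# Assumed indicators (not from the article): the VS Code CLI starts a tunnel with
# "code tunnel", and the service resolves under these Microsoft domains. Verify
# both against current Microsoft documentation before deploying this logic.
TUNNEL_CMD = re.compile(r"(^|[\\/ ])code(\.exe|\.cmd)?[\"']?\s+tunnel\b", re.IGNORECASE)
TUNNEL_DOMAINS = ("tunnels.api.visualstudio.com", "devtunnels.ms")
# Assumed site policy: hosts where developers are expected to open tunnels.
DEV_HOSTS = {"dev-ws-01", "dev-ws-02"}
# Parents a user-launched CLI would normally have; anything else is context worth noting.
EXPECTED_PARENTS = ("explorer.exe", "cmd.exe", "powershell.exe", "pwsh.exe")
# Locations an installer would drop a copied binary into.
USER_WRITABLE = ("\\temp\\", "\\downloads\\")


def check_process(event):
    """Return a list of findings if this process-creation event starts a tunnel."""
    if not TUNNEL_CMD.search(event.get("CommandLine", "")):
        return None
    findings = ["vscode tunnel launched"]
    if event.get("Host") not in DEV_HOSTS:
        findings.append("on a non-developer host")
    image = event.get("Image", "").lower()
    if any(marker in image for marker in USER_WRITABLE):
        findings.append(f"binary in user-writable path {image}")
    parent = event.get("ParentImage", "").lower()
    if parent and not parent.endswith(EXPECTED_PARENTS):
        findings.append(f"unusual parent {parent}")
    return findings


def check_dns(event):
    """Return a finding if a non-developer host resolves the tunnel service."""
    name = event.get("QueryName", "").lower()
    if any(name == d or name.endswith("." + d) for d in TUNNEL_DOMAINS):
        if event.get("Host") not in DEV_HOSTS:
            return [f"tunnel service lookup {name} from non-developer host"]
    return None


def scan(lines):
    """Run both checks over JSON log lines; return (host, event type, findings) per hit."""
    alerts = []
    for line in lines:
        event = json.loads(line)
        findings = check_process(event) if event.get("EventType") == "process" else check_dns(event)
        if findings:
            alerts.append((event["Host"], event["EventType"], findings))
    return alerts


# Constructed sample telemetry: a tunnel started by a fake installer on a finance
# workstation, a developer's own tunnel, and two DNS lookups for the service.
SAMPLE_EVENTS = [
    {"EventType": "process", "Host": "finance-pc-07",
     "Image": r"C:\Users\user\AppData\Local\Temp\code.exe",
     "CommandLine": r'"C:\Users\user\AppData\Local\Temp\code.exe" tunnel --accept-server-license-terms --name finance-pc-07',
     "ParentImage": r"C:\Users\user\Downloads\SumatraPDF-setup.exe"},
    {"EventType": "process", "Host": "dev-ws-01",
     "Image": r"C:\Users\dev\AppData\Local\Programs\Microsoft VS Code\bin\code.exe",
     "CommandLine": "code tunnel --accept-server-license-terms",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"EventType": "dns", "Host": "finance-pc-07",
     "QueryName": "global.rel.tunnels.api.visualstudio.com"},
    {"EventType": "dns", "Host": "dev-ws-02",
     "QueryName": "global.rel.tunnels.api.visualstudio.com"},
    {"EventType": "process", "Host": "finance-pc-07",
     "Image": r"C:\Program Files\SumatraPDF\SumatraPDF.exe",
     "CommandLine": r'"C:\Program Files\SumatraPDF\SumatraPDF.exe" report.pdf',
     "ParentImage": r"C:\Windows\explorer.exe"},
]
SAMPLE_LOG = [json.dumps(e) for e in SAMPLE_EVENTS]

if __name__ == "__main__":
    for host, kind, findings in scan(SAMPLE_LOG):
        print(host, kind, "; ".join(findings))
```

The developer's tunnel on `dev-ws-01` still produces a low-context hit, which is deliberate: a tunnel is a remote-access channel, so even expected use is worth an audit record, while the finance workstation event carries the host, path and parent-process context that turns it into an alert.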

Outlook

Given the persistence and adaptability of Tropic Trooper, similar campaigns are likely to continue using trojanized versions of popular software. The group’s demonstrated ability to exploit legitimate cloud and developer tools suggests that future operations will involve more sophisticated techniques for evasion and persistence. Organizations are advised to maintain updated threat intelligence and user awareness training to mitigate the risk of these attacks.

Source: Zscaler ThreatLabz
