★ 7/10 · Security · 2026-04-24

Tropic Trooper Uses Trojanized SumatraPDF and GitHub to Deploy AdaptixC2

Summary

The threat actor Tropic Trooper is deploying the AdaptixC2 Beacon agent through a trojanized version of the SumatraPDF reader. The campaign leverages GitHub as a command-and-control (C2) platform and utilizes Microsoft Visual Studio Code (VS Code) tunnels to establish persistent remote access on compromised hosts.

Key Points

  • Uses a trojanized SumatraPDF executable to display decoy PDF documents while simultaneously retrieving encrypted shellcode.
  • Employs the TOSHIS loader, a variant of the Xiangoop malware, to manage multi-stage payload delivery.
  • Utilizes GitHub as the primary command-and-control (C2) infrastructure via a custom AdaptixC2 Beacon listener.
  • Establishes remote access capabilities by deploying and configuring VS Code tunnels on high-value targets.
  • Identified staging server IP address: 158.247.193[.]100.
  • The staging infrastructure has also been observed hosting Cobalt Strike Beacons and the EntryShell backdoor.

Technical Details

The attack chain begins with a ZIP archive containing military-themed document lures. When the user runs the contents, the backdoored SumatraPDF application launches the TOSHIS loader, which carries out the second stage of the attack: it drops a decoy document to distract the user and fetches encrypted shellcode from the remote staging server (158.247.193[.]100) to instantiate the AdaptixC2 Beacon agent.

The AdaptixC2 agent is configured to use GitHub as its C2 platform, beaconing to attacker-controlled repositories to receive instructions. For post-exploitation, the threat actor deploys VS Code on the host. By setting up VS Code tunnels, which are outbound connections to a legitimate Microsoft service, the actor bypasses traditional network perimeter controls and maintains remote access to the compromised machine. In some instances, the actor has also deployed additional trojanized applications to further conceal its presence on the host.

Impact / Why It Matters

Developers and system administrators should monitor for unauthorized VS Code tunnel creation and for unusual outbound traffic to GitHub from unexpected processes. Abusing legitimate, widely used software such as SumatraPDF and VS Code lets attackers blend in with standard developer workflows and evade signature-based detection.
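As an added illustration (not code from the original report), the following Python sketch turns the monitoring advice above, together with the staging-server indicator from the Key Points, into three heuristics run over constructed Sysmon-style process and network events. Only the 158.247.193.100 address comes from the report; the VS Code CLI binary names, the GitHub host suffixes, the per-process allowlist and the sample telemetry are assumptions for the example.

```python
"""Detection heuristics for the activity described in the report, applied to
constructed Sysmon-style events. Added example; not part of the original
report or of any vendor's detection content."""
from dataclasses import dataclass
from typing import List, Tuple

# Indicator taken from the report above (staging server).
STAGING_IPS = {"158.247.193.100"}

# Hosts an agent using GitHub as C2 would reach. Assumption: the exact
# endpoints depend on the listener implementation.
GITHUB_SUFFIXES = ("github.com", "githubusercontent.com")

# Processes for which GitHub traffic is normal on a developer workstation.
# Assumed allowlist for the example; tune it per estate.
GITHUB_ALLOWED_IMAGES = {"git.exe", "gh.exe", "code.exe",
                         "chrome.exe", "msedge.exe", "firefox.exe"}

# Assumed binary names that can start a VS Code tunnel ('code tunnel' via the
# editor's CLI shim, or the standalone tunnel CLI).
VSCODE_CLI_IMAGES = {"code.exe", "code-tunnel.exe"}


@dataclass
class Event:
    kind: str                  # "process" (creation) or "network" (connection)
    image: str                 # full path of the initiating process
    command_line: str = ""
    parent_image: str = ""
    dest_ip: str = ""
    dest_host: str = ""


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def is_vscode_tunnel(ev: Event) -> bool:
    """Process creation of the VS Code CLI with the 'tunnel' subcommand."""
    if ev.kind != "process" or basename(ev.image) not in VSCODE_CLI_IMAGES:
        return False
    args = ev.command_line.lower().split()
    return "tunnel" in args[1:] or basename(ev.image) == "code-tunnel.exe"


def is_unexpected_github_connection(ev: Event) -> bool:
    """Outbound connection to GitHub from a process that normally has no reason to."""
    if ev.kind != "network" or not ev.dest_host:
        return False
    host = ev.dest_host.lower()
    to_github = any(host == s or host.endswith("." + s) for s in GITHUB_SUFFIXES)
    return to_github and basename(ev.image) not in GITHUB_ALLOWED_IMAGES


def is_staging_contact(ev: Event) -> bool:
    """Any connection to the staging server named in the report."""
    return ev.kind == "network" and ev.dest_ip in STAGING_IPS


RULES = [
    ("vscode_tunnel_started", is_vscode_tunnel),
    ("github_from_unexpected_process", is_unexpected_github_connection),
    ("known_staging_server_contact", is_staging_contact),
]


def triage(events: List[Event]) -> List[Tuple[str, int, str]]:
    """Return (rule_name, event_index, process_basename) for every rule hit."""
    hits = []
    for i, ev in enumerate(events):
        for name, rule in RULES:
            if rule(ev):
                hits.append((name, i, basename(ev.image)))
    return hits


# Constructed sample telemetry (not real logs; TEST-NET addresses used for
# non-indicator IPs): the user opens the lure, the trojanized reader reaches
# the staging server and GitHub, then a tunnel is started from a shell.
SAMPLE_EVENTS = [
    Event("process", r"C:\Users\alice\Downloads\SumatraPDF.exe",
          parent_image=r"C:\Windows\explorer.exe"),
    Event("network", r"C:\Users\alice\Downloads\SumatraPDF.exe",
          dest_ip="158.247.193.100"),
    Event("network", r"C:\Users\alice\Downloads\SumatraPDF.exe",
          dest_ip="203.0.113.10", dest_host="api.github.com"),
    Event("process", r"C:\Users\alice\AppData\Local\Programs\Microsoft VS Code\bin\code.exe",
          command_line="code.exe tunnel --accept-server-license-terms",
          parent_image=r"C:\Windows\System32\cmd.exe"),
    Event("network", r"C:\Program Files\Git\cmd\git.exe",
          dest_ip="203.0.113.11", dest_host="github.com"),
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(hit)
```

The first process event (SumatraPDF launched from Explorer) is deliberately not alerted on its own: a PDF reader starting is normal, and the signal is what it does next. Note that `code.exe` is on the GitHub allowlist because the editor legitimately talks to GitHub; an attacker-started tunnel is still caught by the process-creation rule rather than the network rule.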

security malware vscode