Tropic Trooper Attack Uses Custom Beacon Listener and VS Code Tunnels
Key Takeaways Tropic Trooper, also known as Earth Centaur or Pirate Panda, has launched a new campaign targeting Chinese-speaking individuals in Taiwan, as well as users in South Korea and Japan. The...
Key Takeaways
- Tropic Trooper, also known as Earth Centaur or Pirate Panda, has launched a new campaign targeting Chinese-speaking individuals in Taiwan, as well as users in South Korea and Japan.
- The attack chain utilizes a trojanized SumatraPDF reader to deploy a custom AdaptixC2 beacon listener, which uniquely leverages GitHub Issues for command-and-control (C2) communications.
- The threat group is increasingly adopting open-source offensive tools and abusing legitimate developer infrastructure, such as Visual Studio (VS) Code tunnels, for stealthy remote access and persistence.
- Detection is complicated by the use of encrypted C2 traffic and the rapid deletion of beacon data from GitHub repositories.
Tropic Trooper Shifts Tactics with Custom AdaptixC2 and VS Code Tunnel Abuse
A sophisticated new cyberattack campaign, attributed to the notorious threat group Tropic Trooper (also tracked as Earth Centaur and Pirate Panda), has emerged, primarily targeting Chinese-speaking individuals in Taiwan, alongside victims in South Korea and Japan. This operation marks a significant evolution in the group’s tactics, incorporating open-source offensive tools and exploiting legitimate developer infrastructure for covert operations.
Table Of Content
The campaign came to light on March 12, 2026, following the discovery of a malicious ZIP archive. This archive initiated a multi-stage attack designed to establish persistent remote access on compromised systems.
The Malicious Payload and Initial Compromise
At the heart of the initial compromise is a trojanized version of the open-source SumatraPDF reader. This malicious binary is disguised as a document titled “Comparative Analysis of US-UK and US-Australia Nuclear Submarine Cooperation (2025).exe.” When executed, the loader simultaneously displays a convincing PDF lure containing legitimate content about American submarines and the AUKUS security partnership, while silently deploying an AdaptixC2 Beacon agent in the background. This ensures the victim perceives a normal document interaction even as their system is compromised.
Researchers from Zscaler ThreatLabz meticulously analyzed the campaign, confidently attributing it to Tropic Trooper. Their analysis noted similarities between the loader used in this campaign and the TOSHIS loader, previously linked to Tropic Trooper in the TAOTH campaign. Further cementing the attribution, the staging server involved in this attack was found to host other known Tropic Trooper tools, including a CobaltStrike Beacon with the group’s characteristic “520” watermark and an EntryShell backdoor.
Evolution of Toolset: AdaptixC2 and GitHub C2
Tropic Trooper has notably shifted away from previously favored backdoors like Cobalt Strike Beacon or Merlin Mythic agents. The group now leverages the open-source AdaptixC2 framework, enhanced with a custom beacon listener. This pivot toward publicly available offensive tools is a growing trend among advanced persistent threat (APT) groups in the Asia-Pacific region, complicating attribution efforts and lowering the barrier for tool reuse across various operations.
GitHub as a Command-and-Control Platform
A particularly innovative aspect of this campaign is Tropic Trooper’s use of GitHub as its command-and-control (C2) platform for the custom AdaptixC2 beacon. Instead of communicating with a traditional attacker-controlled server, the beacon interacts with a GitHub repository. It retrieves task assignments from GitHub Issues and uploads results back to the same repository as file contents. This entire C2 workflow operates through a repository created under a fake GitHub account, making it exceptionally difficult for network defenders to distinguish malicious traffic from legitimate developer activity.
The AdaptixC2 agent first retrieves its external IP address from ipinfo.io, a necessary step since GitHub-based communication does not expose this information to the attacker’s server. It then establishes a session by sending an initial beacon via a POST request to GitHub Issue number 1, encrypted using an RC4 session key derived from a random seed. The beacon continuously checks for pending tasks by querying the repository’s open issues, processing commands based on issue title patterns such as “upload” or “fileupload,” and sending back encrypted responses as Base64-encoded file uploads to the repository. All C2 traffic is RC4-encrypted, and to further evade detection, ThreatLabz observed that beacons uploaded to GitHub were deleted within 10 seconds of posting, destroying session keys and rendering decryption by observers practically impossible.
Abusing Visual Studio Code Tunnels for Remote Access
Perhaps the most concerning element of this campaign is the threat actor’s exploitation of Visual Studio (VS) Code tunnels for remote access once a target system was deemed “interesting” post-initial compromise. ThreatLabz observed commands including scheduled task creation for persistence, network reconnaissance using arp and net view, and direct utilization of the VS Code tunnel feature for interactive access to victim machines. This abuse of a widely trusted, legitimate developer tool significantly hinders detection, as VS Code traffic is often implicitly trusted by enterprise security tools and network monitoring systems.
What You Should Do
- Implement strict application allowlisting policies to prevent the execution of trojanized binaries, particularly those mimicking legitimate software like SumatraPDF.
- Monitor for unusual scheduled task creation, especially those using names impersonating system services (e.g., “MSDNSvc” or “MicrosoftUDN”).
- Restrict or rigorously audit the use of VS Code tunnels within corporate environments, as this feature can be exploited for unauthorized remote access.
- Block or monitor traffic to unexpected GitHub API endpoints from non-developer systems, focusing on requests to user-created repositories.
- Actively hunt for the use of IP-lookup services like ipinfo.io from internal systems, which can indicate beaconing behavior.
- Enhance email and file gateway controls to effectively detect and block malicious ZIP archives containing executable files disguised as legitimate documents.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.



No Comment! Be the first one.