Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons

Social Media

Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons
Search the Site
Popular Searches:
technology Amazon AI
Recent Posts
RedLine Stealer C2 Uses 7 Fraudulent Domains in Maritime Phishing Attacks
July 6, 2026
Teen Arrested for Bandai Channel Cyberattack Aided by ChatGPT
July 6, 2026
Gaslight macOS Malware Evades AI Security Analysis With Prompt Injection
July 6, 2026
Home/Threats/Tropic Trooper Attack Uses Custom Beacon Listener and VS Code Tunnels
Threats

Tropic Trooper Attack Uses Custom Beacon Listener and VS Code Tunnels

Key Takeaways Tropic Trooper, also known as Earth Centaur or Pirate Panda, has launched a new campaign targeting Chinese-speaking individuals in Taiwan, as well as users in South Korea and Japan. The...

Sarah simpson
Sarah simpson
April 23, 2026 4 Min Read
40 0

Key Takeaways

  • Tropic Trooper, also known as Earth Centaur or Pirate Panda, has launched a new campaign targeting Chinese-speaking individuals in Taiwan, as well as users in South Korea and Japan.
  • The attack chain utilizes a trojanized SumatraPDF reader to deploy a custom AdaptixC2 beacon listener, which uniquely leverages GitHub Issues for command-and-control (C2) communications.
  • The threat group is increasingly adopting open-source offensive tools and abusing legitimate developer infrastructure, such as Visual Studio (VS) Code tunnels, for stealthy remote access and persistence.
  • Detection is complicated by the use of encrypted C2 traffic and the rapid deletion of beacon data from GitHub repositories.

Tropic Trooper Shifts Tactics with Custom AdaptixC2 and VS Code Tunnel Abuse

A sophisticated new cyberattack campaign, attributed to the notorious threat group Tropic Trooper (also tracked as Earth Centaur and Pirate Panda), has emerged, primarily targeting Chinese-speaking individuals in Taiwan, alongside victims in South Korea and Japan. This operation marks a significant evolution in the group’s tactics, incorporating open-source offensive tools and exploiting legitimate developer infrastructure for covert operations.

Table Of Content

  • Key Takeaways
  • Tropic Trooper Shifts Tactics with Custom AdaptixC2 and VS Code Tunnel Abuse
  • The Malicious Payload and Initial Compromise
  • Evolution of Toolset: AdaptixC2 and GitHub C2
  • GitHub as a Command-and-Control Platform
  • Abusing Visual Studio Code Tunnels for Remote Access
  • What You Should Do

The campaign came to light on March 12, 2026, following the discovery of a malicious ZIP archive. This archive initiated a multi-stage attack designed to establish persistent remote access on compromised systems.

The Malicious Payload and Initial Compromise

At the heart of the initial compromise is a trojanized version of the open-source SumatraPDF reader. This malicious binary is disguised as a document titled “Comparative Analysis of US-UK and US-Australia Nuclear Submarine Cooperation (2025).exe.” When executed, the loader simultaneously displays a convincing PDF lure containing legitimate content about American submarines and the AUKUS security partnership, while silently deploying an AdaptixC2 Beacon agent in the background. This ensures the victim perceives a normal document interaction even as their system is compromised.

Researchers from Zscaler ThreatLabz meticulously analyzed the campaign, confidently attributing it to Tropic Trooper. Their analysis noted similarities between the loader used in this campaign and the TOSHIS loader, previously linked to Tropic Trooper in the TAOTH campaign. Further cementing the attribution, the staging server involved in this attack was found to host other known Tropic Trooper tools, including a CobaltStrike Beacon with the group’s characteristic “520” watermark and an EntryShell backdoor.

Evolution of Toolset: AdaptixC2 and GitHub C2

Tropic Trooper has notably shifted away from previously favored backdoors like Cobalt Strike Beacon or Merlin Mythic agents. The group now leverages the open-source AdaptixC2 framework, enhanced with a custom beacon listener. This pivot toward publicly available offensive tools is a growing trend among advanced persistent threat (APT) groups in the Asia-Pacific region, complicating attribution efforts and lowering the barrier for tool reuse across various operations.

GitHub as a Command-and-Control Platform

A particularly innovative aspect of this campaign is Tropic Trooper’s use of GitHub as its command-and-control (C2) platform for the custom AdaptixC2 beacon. Instead of communicating with a traditional attacker-controlled server, the beacon interacts with a GitHub repository. It retrieves task assignments from GitHub Issues and uploads results back to the same repository as file contents. This entire C2 workflow operates through a repository created under a fake GitHub account, making it exceptionally difficult for network defenders to distinguish malicious traffic from legitimate developer activity.

The AdaptixC2 agent first retrieves its external IP address from ipinfo.io, a necessary step since GitHub-based communication does not expose this information to the attacker’s server. It then establishes a session by sending an initial beacon via a POST request to GitHub Issue number 1, encrypted using an RC4 session key derived from a random seed. The beacon continuously checks for pending tasks by querying the repository’s open issues, processing commands based on issue title patterns such as “upload” or “fileupload,” and sending back encrypted responses as Base64-encoded file uploads to the repository. All C2 traffic is RC4-encrypted, and to further evade detection, ThreatLabz observed that beacons uploaded to GitHub were deleted within 10 seconds of posting, destroying session keys and rendering decryption by observers practically impossible.

Abusing Visual Studio Code Tunnels for Remote Access

Perhaps the most concerning element of this campaign is the threat actor’s exploitation of Visual Studio (VS) Code tunnels for remote access once a target system was deemed “interesting” post-initial compromise. ThreatLabz observed commands including scheduled task creation for persistence, network reconnaissance using arp and net view, and direct utilization of the VS Code tunnel feature for interactive access to victim machines. This abuse of a widely trusted, legitimate developer tool significantly hinders detection, as VS Code traffic is often implicitly trusted by enterprise security tools and network monitoring systems.

What You Should Do

  • Implement strict application allowlisting policies to prevent the execution of trojanized binaries, particularly those mimicking legitimate software like SumatraPDF.
  • Monitor for unusual scheduled task creation, especially those using names impersonating system services (e.g., “MSDNSvc” or “MicrosoftUDN”).
  • Restrict or rigorously audit the use of VS Code tunnels within corporate environments, as this feature can be exploited for unauthorized remote access.
  • Block or monitor traffic to unexpected GitHub API endpoints from non-developer systems, focusing on requests to user-created repositories.
  • Actively hunt for the use of IP-lookup services like ipinfo.io from internal systems, which can indicate beaconing behavior.
  • Enhance email and file gateway controls to effectively detect and block malicious ZIP archives containing executable files disguised as legitimate documents.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.

Tags:

AttackSecurityThreat

Share Article

Sarah simpson

Sarah simpson

Sarah is a cybersecurity journalist specializing in threat intelligence and malware analysis. With over 8 years of experience covering APT groups, zero-day exploits, and advanced persistent threats, Sarah brings deep technical expertise to breaking cybersecurity news. Previously, she worked as a security researcher at leading threat intelligence firms, where she analyzed malware samples and tracked cybercriminal operations. Sarah holds a Master's degree in Computer Science with a focus on cybersecurity and is a regular contributor to major security conferences.

Previous Post

Critical Pack2TheRoot Flaw Lets Attackers Gain Root Access

Next Post

Microsoft Teams rolls out Efficiency Mode for low-end devices

No Comment! Be the first one.

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Popular Posts
Critical Opera GX Bug Lets Attackers Steal User Data
July 6, 2026
Critical OpenAI Vulnerability Exposed Sensitive Prompts and API Activity
July 6, 2026
SSH Honeypots Fail to Detect Post-Login Attacks, Study Finds
July 6, 2026
Top Authors
Marcus Rodriguez
Marcus Rodriguez
Jennifer sherman
Jennifer sherman
David kimber
David kimber
Let's Connect
156k
2.25m
285k

Related Posts

Jennifer sherman
By Jennifer sherman
Threats

GlassWorm Attacks macOS via Malicious VS Code…

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Attacks

ClickFix Attack Hides Malicious Code via Stegan Security

January 1, 2026
Sarah simpson
By Sarah simpson
Vulnerabilities

MongoBleed Detector Tool Released to Detect MongoDB Vulnerability(CVE-2025-14847)

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Breaches

Conti Ransomware Gang Leaders & Infrastructure Exposed

January 1, 2026
Hackers News Hackers News
  • [email protected]

Quick Links

  • Contact Us
  • Privacy Policy
  • Terms of service

Categories

Attacks
Breaches
Comparisons
CyberSecurity News
Threats
Vulnerabilities

Let's keep in touch

receive fresh updates and breaking cyber news every day and week!

All Rights Reserved by HackersRadar ©2026

Follow Us