# PDF reader software or backdoor? Tropic Trooper's new campaign raises security concerns

## Overview

A seemingly harmless PDF file. A familiar programming tool. But when Tropic Trooper is involved, everything can become a gateway for a sophisticated espionage campaign. This is what Zscaler ThreatLabz announced on March 12, 2026, regarding a new cyberattack campaign by the notorious APT group Tropic Trooper—a Chinese-speaking group that has been active since at least 2011. This campaign primarily targets Chinese-speaking users in Taiwan and has also spread to targets in South Korea and Japan.

![](https://cdn.hashnode.com/uploads/covers/6777abffdb647396c7d71de4/81438ae0-8515-4596-8696-07a5d57033fe.png align="center")

The standout difference lies in the change of tool strategy: instead of relying on familiar frameworks like Cobalt Strike or Mythic Merlin, the group has shifted to using AdaptixC2—an open-source platform, combined with a custom control mechanism through GitHub. This shift helps blend C2 traffic with legitimate activity, making detection significantly more difficult. Notably, the final stage of the attack chain leverages Visual Studio Code tunnels to establish interactive remote access, turning familiar development tools into an almost “invisible” backdoor channel within the enterprise environment.

## Event timeline

![](https://cdn.hashnode.com/uploads/covers/6777abffdb647396c7d71de4/2c44aaa6-1dd9-43f0-8bd7-442edd0993a4.png align="center")

The earliest trace dates to late August 2025, when a malware sample using Azure Functions as its control infrastructure was created (according to the metadata of its LNK file). Just a few days later, on August 28, 2025, an ISO file named Servicenow-BNM-Verify.iso was uploaded to VirusTotal from Malaysia, marking the first sign of the campaign being distributed.

By September 5, 2025, another sample with the same imphash—a crucial technical indicator linking the payloads—was uploaded from Singapore, reinforcing the theory of an expanding campaign in the region. After the "silent preparation" phase, the campaign officially emerged on March 12, 2026, when Zscaler ThreatLabz discovered a ZIP file containing military-themed lure documents designed to distribute malware related to Tropic Trooper.

In March 2026, ThreatLabz completed the analysis and confidently attributed the campaign to Tropic Trooper. By April 2026, the information spread widely when The Hacker News published details of the incident, leading to the extensive sharing of attack indicators (IOCs) within the cybersecurity community.

## Who is Tropic Trooper?

### Introduction

Before delving deeper into the analysis process, let's explore a bit about the hacker group behind this: Tropic Trooper. Tropic Trooper (also known as APT23, Earth Centaur, Pirate Panda) is a Chinese-speaking APT group active since at least 2011. This group is known for cyber espionage campaigns targeting government, military, technology, and telecommunications sectors in the Asia-Pacific region.

![](https://cdn.hashnode.com/uploads/covers/6777abffdb647396c7d71de4/ce7cc4b3-2ea8-4274-ac1f-d4af7f34d557.png align="center")

### Targets of attack

Primary targets: Government, Defense, Telecommunications, High Technology. Main regions: Taiwan (primary focus), Japan, South Korea, Southeast Asia (expanding trend including Vietnam).

### Key Stages

In the early stages, Tropic Trooper primarily targeted high-strategic-value objectives, especially Taiwan, which is considered the focal point of most of the group's campaigns. Additionally, countries like Japan and South Korea frequently appeared on the target list. From around 2017 onward, Tropic Trooper began to show significant technical upgrades. The group expanded its operations to other areas in Asia and adopted new techniques to enhance resilience and evasion capabilities.

Entering the 2020–2024 phase, Tropic Trooper began changing its approach. Instead of relying entirely on custom malware, the group increasingly utilized tools available within the operating system—a strategy often referred to as "living-off-the-land." By the 2025–2026 phase, Tropic Trooper had reached a completely different level. Recent campaigns show the group not only using legitimate tools but also directly leveraging cloud infrastructure and the developer ecosystem to conceal activities.

## Attack chain

![](https://cdn.hashnode.com/uploads/covers/6777abffdb647396c7d71de4/30c4efc3-23e3-4443-a76c-546038f7da91.png align="center")

The attack chain of Tropic Trooper is designed in several distinct stages, with the ongoing goal of deceiving users, silently executing payloads, and maintaining long-term control without detection.

### Phase 1 — Initial Access: Trojanized Software

Everything begins with a ZIP file containing military-themed documents in Chinese, accompanied by a cleverly disguised executable. The executable is a trojanized build of SumatraPDF that retains legitimate-looking indicators such as a code-signing certificate and PDB path to pass surface checks, but carries an embedded malicious loader.

When users open the file, they believe they are simply reading a normal document, while the attack has already begun.

![](https://cdn.hashnode.com/uploads/covers/6777abffdb647396c7d71de4/285af297-62f7-4947-a15a-247829f06ee3.png align="center")

### Phase 2 — Execution: TOSHIS Loader

After execution, the TOSHIS loader is activated in a more sophisticated manner than previous variants: instead of modifying the entry point, it hijacks the execution flow at the `_security_init_cookie` function, reducing the likelihood of detection.

The loader performs several consecutive steps:

*   Create encrypted strings in memory (C2, file paths, key)
    
*   Resolve APIs through hash instead of direct import
    
*   Download a decoy PDF file from the server and open it to distract the user
    
*   Simultaneously download the second-stage payload (shellcode) from the same source
    
*   Decrypt the payload using AES and execute it directly in memory (fileless)
    

![](https://cdn.hashnode.com/uploads/covers/6777abffdb647396c7d71de4/c0efeb06-b538-4b13-bbec-3dcf5e72b1cd.png align="center")

### Phase 3 — Command & Control via GitHub

The second-stage payload is an AdaptixC2 beacon, customized to use GitHub as the control channel.

Instead of communicating with a traditional C2 server, the malware:

*   Sends beacons through GitHub Issues
    
*   Retrieves commands by reading open issues
    
*   Executes commands after decryption
    
*   Uploads results back to the repository
    

Notably, the beacons are deleted just seconds after being posted, making it nearly impossible to reconstruct the communication content during an investigation. All of the traffic appears as legitimate API calls to GitHub, posing a significant challenge for detection.

![](https://cdn.hashnode.com/uploads/covers/6777abffdb647396c7d71de4/ad0adc7a-c0f2-431d-8f07-68c6e22513be.png align="center")

### Phase 4 — Persistence

After establishing the control channel, the malware creates scheduled tasks to maintain access. The tasks are named to resemble system services (e.g., "MSDNSvc," "MicrosoftUDN") to blend in with legitimate processes. This allows the payload to automatically rerun periodically with elevated privileges, ensuring the attacker retains control even if the system restarts.

### Phase 5 — Post-Exploitation: Remote Access via VS Code

Once a valuable target has been identified, the attacker deploys Visual Studio Code and sets up a tunnel for remote access.

Notably:

*   The tunnel uses legitimate Microsoft infrastructure
    
*   The HTTPS traffic appears completely normal
    
*   Provides a full interactive shell for the attacker
    

This turns VS Code into a "legitimate" backdoor, almost indistinguishable if relying solely on network traffic.

## IOC

### File Hashes

Tropic Trooper Campaign

*   **ZIP (lure + trojanized SumatraPDF)**
    
    *   SHA-256: `a4f2131eb497afe5f78d8d6e534df2b8d75c5b9b565c3ec17a323afe5355da26`
        
*   **Trojanized SumatraPDF (.exe)**
    
    *   SHA-256: `47c7ce0e3816647b23bb180725c7233e505f61c35e7776d47fd448009e887857`
        
*   **Encrypted shellcode / Beacon (4d.dat)**
    
    *   SHA-256: `aeec65bac035789073b567753284b64ce0b95bbae62cf79e1479714238af0eb7`
        
*   **AdaptixC2 Beacon DLL (decrypted)**
    
    *   SHA-256: `7a95ce0b5f201d9880a6844a1db69aac7d1a0bf1c88f85989264caf6c82c6001`
        

Azure Functions Malware (Related Activity)

*   ISO: `0ba328aeb0867def650694c5a43fdd47d719c6b3c55a845903646ccdbf3ec239`
    
*   LNK: `9e312214b44230c1cb5b6ec591245fd433c7030cb269a9b31f0ff4de621ff517`
    
*   Malicious DLL: `b03a2c0d282cbbddfcf6e7dda0b4b55494f4a5c0b17c30cd586f5480efca2c17`
    
*   Legit binary (sideload victim): `b778d76671b95df29e15a0af4d604917bfba085f7b04e0ce5d6d0615017e79db`
    
*   Shellcode: `550c27fd8dc810df2056f1ec4a749a94ab4befc8843ba913c5f1197ef381a0a5`
    
*   Final DLL: `c0fc5ec77d0aa03516048349dddb3aa74f92cfe20d4bca46205f40ab0e728645`
    
*   **Related sample (Singapore)**
    
    *   SHA-256: `28e85fd3546c8ad6fb2aef37b4372cc4775ea8435687b4e6879e96da5009d60a`
        
    *   Imphash: `B74596632C4C9B3A853E51964E96FC32`
        

### Network Indicators

Infrastructure

*   Staging IP: `158.247.193[.]100`
    

Command & Control

*   **GitHub C2 (AdaptixC2)**
    
    *   `api.github.com/repos/cvaS23uchsahs/rss/issues`
        
*   **Cobalt Strike C2**
    
    *   `47.76.236[.]58:4430`
        
    *   `stg.lsmartv[.]com:8443`
        

Cloud-based C2

*   Azure Functions
    
    *   Host: `logsapi.azurewebsites[.]net`
        
    *   Endpoint: `/api/logs`
        

Tooling / Staging

*   `bashupload[.]app/6e1lhc`
    
*   `bashupload[.]app/zgel2a.bin`
    

Living-off-the-land tooling

*   Visual Studio Code tunnel download
    
    *   `code.visualstudio.com/...cli-win32-x64`
        

### Host-Based Indicators

Persistence (Scheduled Tasks)

*   `\MSDNSvc`
    
*   `\MicrosoftUDN`
    

Suspicious File Paths

*   `C:\Users\Public\Documents\dsn.exe`
    
*   `C:\Users\Public\Documents\MicrosoftCompilers.exe`
    
*   `C:\Users\Public\Documents\2.library-ms`
    

Artifacts

*   Cobalt Strike Watermark: `520`
    
*   EntryShell AES Key: `afkngaikfaf`
    

## MITRE ATT&CK Matrix

| Tactic | ID | Technique |
|---|---|---|
| Initial Access | T1190 | Exploit public-facing application |
| | T1566.001 | Spear Phishing Attachment |
| Execution | T1059.001 | Command and Scripting Interpreter: PowerShell |
| | T1059.003 | Command and Scripting Interpreter: Windows Command Shell |
| | T1569.002 | System Services: Service Execution |
| Persistence | T1543.003 | Create or Modify System Process: Windows Service |
| | T1574.002 | Hijack Execution Flow: DLL Side-Loading |
| | T1505.003 | Server Software Component: Web Shell |
| Defense Evasion | T1140 | Deobfuscate/Decode Files or Information |
| | T1070.001 | Indicator Removal on Host: Clear Windows Event Logs |
| | T1027.002 | Obfuscated Files or Information: Software Packing |
| | T1218.011 | Signed Binary Proxy Execution: Rundll32 |
| | T1036.005 | Masquerading: Match Legitimate Name or Location |
| Credential Access | T1003.001 | OS Credential Dumping: LSASS Memory |
| | T1552.002 | OS Credential Dumping: Credentials in Registry |
| Lateral Movement | T1021.002 | Remote Services: SMB/Windows Admin Shares |
| Discovery | T1087.002 | Account Discovery: Domain Account |
| | T1482 | Domain Trust Discovery |
| | T1083 | File and Directory Discovery |
| Collection | T1005 | Data from Local System |
| Command and Control | T1071.001 | Application Layer Protocol: Web Protocols |
| | T1095 | Non-Application Layer Protocol |
| | T1090.001 | Proxy: Internal Proxy |
| Exfiltration | T1567.002 | Exfiltration to Cloud Storage |
| | T1020 | Automated Exfiltration |
| | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder |
| | T1203 | Exploitation for Client Execution |
| | T1564.001 | Hide Artifacts: Hidden Files and Directories |
| | T1518.001 | Software Discovery |
| | T1082 | System Information Discovery |
| | T1016 | System Network Configuration Discovery |
| | T1049 | System Network Connections Discovery |
| | T1033 | System Owner/User Discovery |
| | T1204.002 | User Execution: Malicious File |
| | T1078.003 | Valid Accounts: Local Accounts |

## Expert opinion

This campaign shows Tropic Trooper actively reducing detection capabilities by switching from Cobalt Strike to AdaptixC2 combined with GitHub as C2. Using GitHub Issues makes blocking nearly impossible, forcing the blue team to focus on detecting abnormal behavior instead of network signatures. The quick beacon removal mechanism and lack of session key storage increase forensic difficulty, while leveraging Visual Studio Code tunnels turns legitimate tools into "invisible" remote access channels. Simultaneously, the trend of using Azure Functions as C2 indicates a strong shift towards a cloud-based model by the attacker. Overall, this is a typical "blend in" strategy: utilizing legitimate infrastructure and tools to conceal activities, making detection increasingly reliant on behavioral analysis rather than traditional technical indicators.

## Recommendation

**Immediate (0–24h) - Quick response**

Within the first 24 hours, the goal is to determine if the system shows signs of compromise:

*   Scan all IOCs (hash, IP, domain) on endpoints, EDR, and SIEM for quick detection of compromise indicators.
    
*   Check persistence by reviewing scheduled tasks, especially those with deceptive names like `\MSDNSvc` or `\MicrosoftUDN`.
    
*   Behavioral process analysis:
    
    *   Identify unusual processes spawning Visual Studio Code (code.exe).
        
    *   Monitor processes calling the GitHub API, especially if they originate from directories like `C:\Users\Public\Documents`.
        
*   Block known malicious infrastructure:
    
    *   Block the staging IP `158.247.193[.]100` on the firewall/proxy.
        
*   **Quick endpoint triage**:
    
    *   Find executable files in public/writable directories
        
    *   Prioritize files of unknown origin or those masquerading as legitimate software
        

**Short-term (1–7 days) — Threat Hunting & Hardening**

#### Behavioral threat hunting

*   **Trojanized software**
    
    *   Find processes belonging to SumatraPDF or other widely used software.
        
    *   Verify that the code-signing signature is valid.
        
*   **VS Code tunnel abuse**
    
    *   Query processes whose command lines contain `code tunnel` or `tunnel login`.
        
    *   Identify the execution source (user, host, parent process).
        
*   **Scheduled task disguise**
    
    *   Detect tasks whose names mimic Microsoft/Windows components
        
    *   Prioritize tasks created recently or by ordinary (non-administrative) users
        
*   **Network anomaly**
    
    *   Monitor requests to the GitHub API (api.github.com) from processes that are not browsers or IDEs.
        
    *   Detect unusual user-agents (e.g., curl) from unfamiliar processes.
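To make the hunting items above concrete (and the GitHub C2, scheduled-task and VS Code tunnel behaviours from Phases 3 to 5), here is an added example that is not part of the original report or ThreatLabz's tooling: a small Python hunt over constructed Sysmon-style events. The allowlist of processes permitted to reach api.github.com, the Microsoft-lookalike task heuristic and the sample events are assumptions for illustration.

```python
"""Behavioural hunt over Sysmon-style telemetry for the TTPs described on this page.
Added example, not ThreatLabz code. EventID 1/3 follow Sysmon (process create /
network connection), 4698 the Security log (scheduled task created); events are
plain dicts so an EDR export can be mapped onto them. SAMPLE_EVENTS is constructed."""
import re

GITHUB_ALLOWED = {"chrome.exe", "msedge.exe", "firefox.exe", "code.exe", "git.exe"}  # assumption: tune per estate
KNOWN_BAD_TASKS = {"\\msdnsvc", "\\microsoftudn"}            # host-based IOCs from the page
SYSTEM_DIRS = ("c:\\windows\\", "c:\\program files")         # where MS-named task actions belong
TUNNEL_RE = re.compile(r"\bcode(\.exe)?\s+tunnel\b|\btunnel\s+login\b")  # VS Code tunnel CLI
MS_LOOKALIKE_RE = re.compile(r"\\(microsoft|ms)\w*")         # root-level task mimicking Microsoft


def _base(image):
    return image.rsplit("\\", 1)[-1]


def from_writable_dir(image):
    """True when the image sits in a user-writable location named in the recommendations."""
    return image.startswith("c:\\users\\public\\") or any(
        d in image for d in ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\"))


def hunt(events):
    """Return (rule, detail) findings for each event that matches a hunting rule."""
    findings = []
    for ev in events:
        eid, image = ev.get("EventID"), ev.get("Image", "").lower()
        if eid == 1:  # process creation: execution from writable dirs, VS Code tunnel start
            cmd = ev.get("CommandLine", "").lower()
            if from_writable_dir(image):
                findings.append(("exec_from_writable_dir", image))
            if TUNNEL_RE.search(cmd):
                findings.append(("vscode_tunnel", cmd))
        elif eid == 3:  # network connection: GitHub API from a non-browser, non-IDE process
            host = ev.get("DestinationHostname", "").lower()
            if host == "api.github.com" and _base(image) not in GITHUB_ALLOWED:
                findings.append(("github_api_non_browser", f"{image} -> {host}"))
        elif eid == 4698:  # scheduled task created: known names, or lookalike with odd action
            name, action = ev.get("TaskName", "").lower(), ev.get("TaskContent", "").lower()
            if name in KNOWN_BAD_TASKS:
                findings.append(("known_bad_task", name))
            elif MS_LOOKALIKE_RE.fullmatch(name) and not action.startswith(SYSTEM_DIRS):
                findings.append(("masquerading_task", f"{name} -> {action}"))
    return findings


SAMPLE_EVENTS = [  # constructed; paths and task names taken from the IOC section
    {"EventID": 1, "Image": "C:\\Users\\Public\\Documents\\dsn.exe", "CommandLine": "dsn.exe"},
    {"EventID": 3, "Image": "C:\\Users\\Public\\Documents\\dsn.exe", "DestinationHostname": "api.github.com"},
    {"EventID": 3, "Image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
     "DestinationHostname": "api.github.com"},
    {"EventID": 1, "Image": "C:\\Users\\Public\\Documents\\code.exe",
     "CommandLine": "code.exe tunnel --accept-server-license-terms"},
    {"EventID": 4698, "TaskName": "\\MSDNSvc", "TaskContent": "C:\\Users\\Public\\Documents\\dsn.exe"},
    {"EventID": 4698, "TaskName": "\\Microsoft\\Windows\\Defrag\\ScheduledDefrag",
     "TaskContent": "C:\\Windows\\System32\\defrag.exe"},
    {"EventID": 4698, "TaskName": "\\MicrosoftUpdateHelper",
     "TaskContent": "C:\\Users\\Public\\Documents\\MicrosoftCompilers.exe"},
]

if __name__ == "__main__":
    for rule, detail in hunt(SAMPLE_EVENTS):
        print(f"{rule:24} {detail}")
```

The legitimate Chrome call to api.github.com and the stock Defrag task produce no findings, which is the point of pairing each rule with an allowlist or a path check rather than alerting on the indicator alone.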
        

#### Check cloud and API traffic

*   Review outbound traffic to:
    
    *   `*.azurewebsites.net`
        
    *   Endpoints related to Azure Functions
        
*   Prioritize:
    
    *   POST requests
        
    *   Payloads that are encrypted or unusual in size or frequency
        

**Long-term — Sustainable Defense**

#### Execution Control

*   Implement application allowlisting for writable directories
    
*   Prevent execution from:
    
    *   `C:\Users\Public\`
        
    *   `%TEMP%`, `%APPDATA%`
        

#### Control developer tools

*   Limit the use of Visual Studio Code tunnels:
    
    *   Allow only on designated developer machines
        
    *   Monitor login/initialization tunnel behavior
        

## References

[Tropic Trooper Uses Trojanized SumatraPDF and GitHub to Deploy AdaptixC2](https://thehackernews.com/2026/04/tropic-trooper-uses-trojanized.html)

[Tropic Trooper: AdaptixC2 + Custom Beacon | ThreatLabz](https://www.zscaler.com/blogs/security-research/tropic-trooper-pivots-adaptixc2-and-custom-beacon-listener)

[Unknown Malware Using Azure Functions as C2 | dmpdump](https://dmpdump.github.io/posts/AzureFunctionsMalware/)

[Dark Web Profile: Tropic Trooper (APT23)](https://socradar.io/blog/dark-web-profile-tropic-trooper-apt23/)
