Tropic Trooper Targets Asia With Trojanized SumatraPDF And GitHub Based AdaptixC2 Campaign


Chinese-speaking users across parts of Asia are being targeted in a newly uncovered cyber campaign that leverages a modified version of the SumatraPDF reader to deploy a sophisticated post-exploitation framework. The activity has been linked to Tropic Trooper, also known as APT23, Earth Centaur, KeyBoy, and Pirate Panda, a threat group active since at least 2011 and known for focusing on entities in Taiwan, Hong Kong, and the Philippines. Security researchers at Zscaler ThreatLabz identified the campaign and noted that it introduces a custom command-and-control (C2) setup built around AdaptixC2, with GitHub playing a central role in managing attacker communications.

The attack begins with a ZIP archive that contains military-themed documents designed to lure targets into opening them. Once executed, the archive launches a trojanized version of SumatraPDF that displays a harmless decoy document to avoid suspicion. In the background, however, the compromised application retrieves encrypted shellcode from a staging server and executes it to deploy the AdaptixC2 Beacon. This process is carried out using a modified loader referred to as TOSHIS, which is considered a variant of the Xiangoop malware family previously associated with Tropic Trooper operations. Historically, similar loaders have been used to deliver frameworks such as Cobalt Strike Beacon and the Merlin agent tied to the Mythic platform.

The infection chain is designed as a multi-stage operation in which the loader handles both distraction and execution. While the decoy document keeps the user engaged, the malicious payload establishes persistence and begins communicating with attacker infrastructure. The AdaptixC2 Beacon uses GitHub repositories as a command-and-control channel, allowing the threat actors to issue instructions and retrieve results in a way that blends with legitimate traffic. This approach makes detection more challenging, as GitHub is widely used and generally trusted in enterprise environments. Researchers observed that the attackers only escalate their activities after evaluating the value of the compromised system.

In cases where the target is deemed important, the campaign progresses further by deploying Microsoft Visual Studio Code and enabling VS Code tunnels for remote access. This provides the attackers with a more stable and interactive foothold within the compromised environment. On certain machines, additional trojanized applications have also been installed, likely to mask malicious behavior and maintain persistence. The staging infrastructure linked to the campaign has hosted multiple tools previously associated with Tropic Trooper, including Cobalt Strike Beacon and a custom backdoor known as EntryShell. The shift toward AdaptixC2 indicates an evolution in the group’s toolkit while still relying on publicly available malware components to support its operations across Taiwan, Japan, and South Korea.
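The behaviours described above give defenders concrete hunting signals: a document viewer that opens network connections at all, a document viewer talking to GitHub, and VS Code being started in tunnel mode. The script below is an added example written for this article, not code from Zscaler ThreatLabz or the article itself. The telemetry format (JSON lines with `type`, `host`, `image`, `parent_image`, `dest_host` and `cmdline` fields), the sample events, the host names and the list of document-viewer binaries are all constructed assumptions; none of the values are real indicators from the campaign.

```python
"""
Hunting rules for the Tropic Trooper behaviours described above, run over
constructed endpoint telemetry. Added example; not code from the article
or from Zscaler ThreatLabz. Field names and sample events are assumptions.
"""
import json
from dataclasses import dataclass

# Assumption: document viewers that have no legitimate reason to open
# network connections themselves, let alone to GitHub.
DOCUMENT_VIEWERS = {"sumatrapdf.exe", "acrord32.exe", "foxitreader.exe"}
# GitHub endpoints an implant could use as a C2 channel (constructed list).
GITHUB_HOSTS = {"github.com", "api.github.com", "raw.githubusercontent.com",
                "gist.githubusercontent.com", "objects.githubusercontent.com"}
# Binaries that can start a VS Code tunnel.
VSCODE_BINARIES = {"code.exe", "code-tunnel.exe", "code"}


@dataclass(frozen=True)
class Finding:
    rule: str
    host: str
    image: str
    detail: str


def basename(path: str) -> str:
    """Return the lower-cased file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def check_event(ev: dict) -> list[Finding]:
    """Apply the hunting rules to one parsed telemetry event."""
    findings = []
    image = basename(ev.get("image", ""))
    host = ev.get("host", "?")

    if ev.get("type") == "network":
        dest = ev.get("dest_host", "").lower()
        if image in DOCUMENT_VIEWERS and dest in GITHUB_HOSTS:
            # Rule 1: document viewer reaching GitHub (GitHub-based C2).
            findings.append(Finding("doc_viewer_to_github", host, image, dest))
        elif image in DOCUMENT_VIEWERS and dest:
            # Rule 2: document viewer reaching any host (shellcode staging).
            findings.append(Finding("doc_viewer_network", host, image, dest))

    elif ev.get("type") == "process":
        cmd = ev.get("cmdline", "")
        if image in VSCODE_BINARIES and "tunnel" in cmd.lower().split():
            # Rule 3: VS Code started in tunnel mode (remote interactive access).
            findings.append(Finding("vscode_tunnel", host, image, cmd))
        parent = basename(ev.get("parent_image", ""))
        if parent in DOCUMENT_VIEWERS and image not in DOCUMENT_VIEWERS:
            # Rule 4 (assumption: the implant runs inside the viewer process):
            # a document viewer spawning an unrelated program is unusual.
            findings.append(Finding("doc_viewer_child_process", host, image,
                                    f"parent={parent}"))
    return findings


def hunt(log_text: str) -> list[Finding]:
    """Parse JSON-lines telemetry and return all findings in log order."""
    findings = []
    for line in log_text.splitlines():
        if line.strip():
            findings.extend(check_event(json.loads(line)))
    return findings


# Constructed sample telemetry; hosts, paths and domains are placeholders.
SAMPLE_LOG = r"""
{"ts":"2024-01-01T09:00:01Z","host":"ws01","type":"process","image":"C:\\Users\\u\\Desktop\\docs\\SumatraPDF.exe","parent_image":"C:\\Windows\\explorer.exe","cmdline":"SumatraPDF.exe briefing.pdf"}
{"ts":"2024-01-01T09:00:03Z","host":"ws01","type":"network","image":"C:\\Users\\u\\Desktop\\docs\\SumatraPDF.exe","dest_host":"staging.example.invalid","dest_port":443}
{"ts":"2024-01-01T09:00:09Z","host":"ws01","type":"network","image":"C:\\Users\\u\\Desktop\\docs\\SumatraPDF.exe","dest_host":"api.github.com","dest_port":443}
{"ts":"2024-01-01T09:12:40Z","host":"ws01","type":"process","image":"C:\\Users\\u\\AppData\\Local\\Programs\\Microsoft VS Code\\code.exe","parent_image":"C:\\Users\\u\\Desktop\\docs\\SumatraPDF.exe","cmdline":"code.exe tunnel --accept-server-license-terms"}
{"ts":"2024-01-01T09:30:00Z","host":"ws02","type":"network","image":"C:\\Program Files\\Git\\cmd\\git.exe","dest_host":"github.com","dest_port":443}
{"ts":"2024-01-01T09:31:00Z","host":"ws02","type":"process","image":"C:\\Program Files\\Microsoft VS Code\\Code.exe","parent_image":"C:\\Windows\\explorer.exe","cmdline":"Code.exe project"}
"""

if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG):
        print(f"[{f.rule}] host={f.host} image={f.image} {f.detail}")
```

On the sample data the rules fire only for `ws01`: the viewer's connection to the staging host, its connection to `api.github.com`, and the tunnel launch (twice, once as a tunnel and once as an unexpected child of the viewer), while the developer on `ws02` using Git and VS Code normally produces no findings. The point of keeping rule 2 separate from rule 1 is that a GitHub allow-list alone would miss the first stage, where the loader fetches shellcode from a non-GitHub staging server.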
