The Tunnel Behind the Document
- Javier Conejo del Cerro
- 5 hours ago
- 3 min read

What appears to be a harmless PDF reader becomes the perfect disguise. Tropic Trooper leverages a trojanized version of SumatraPDF to silently deploy AdaptixC2, establishing a covert foothold that evolves into full remote access through developer tooling like Visual Studio Code tunnels. This campaign reflects a strategic blend of social engineering, trusted software abuse, and modern cloud-based command-and-control.
Phase 1: The Bait — A Document That Feels Legitimate
The attack begins with a ZIP archive distributed to targeted individuals, particularly Chinese-speaking users in Taiwan and across East Asia. Inside, military-themed documents are used as lures, carefully crafted to appear relevant and credible to the victim.
Once opened, the victim launches what appears to be a legitimate PDF file using SumatraPDF. At this point, nothing seems suspicious—the document displays correctly, reinforcing trust and lowering suspicion.
This is where the deception is most effective: the user believes they are simply reading a document, while the infection chain is already underway.
Phase 2: The Hidden Execution — Malware Behind the Reader
The SumatraPDF executable has been trojanized. Instead of acting solely as a reader, it silently executes a modified version of the TOSHIS loader, a variant of Xiangoop malware previously linked to Tropic Trooper operations.
This loader retrieves encrypted shellcode from a staging server and executes it in memory. Simultaneously, the decoy document continues to display, ensuring the user remains unaware.
The use of memory execution and encrypted payload delivery significantly reduces detection by traditional security tools, especially those relying on signature-based analysis.
Phase 3: Establishing Control — AdaptixC2 via GitHub
Once the payload is executed, AdaptixC2 Beacon is deployed on the system. This post-exploitation agent uses GitHub as its command-and-control infrastructure, blending malicious traffic with legitimate platform usage.
Instead of traditional C2 servers, commands are retrieved from attacker-controlled repositories, making detection far more complex and allowing the attacker to operate under the cover of trusted services.
At this stage, the attacker gains the ability to execute commands, monitor the system, and prepare for deeper intrusion.
Phase 4: The Tunnel — Remote Access Through Developer Tools
The campaign escalates selectively. Only when a victim is deemed valuable does the attacker move forward with full remote access.
This is achieved by deploying Visual Studio Code and configuring VS Code tunnels, a legitimate feature that allows remote development access. By abusing this functionality, attackers establish persistent, encrypted remote control without triggering conventional alerts.
In some cases, additional trojanized applications are installed to further disguise activity and blend into normal system behavior.
Phase 5: Infrastructure Reuse — A Familiar Signature
The staging infrastructure used in the campaign has also hosted tools like Cobalt Strike Beacon and a custom backdoor known as EntryShell, both previously associated with Tropic Trooper.
This reuse of infrastructure and tooling reinforces attribution and highlights a consistent operational pattern: combining publicly available frameworks with custom loaders to maintain flexibility and efficiency.
This campaign demonstrates how modern threat actors no longer rely solely on exploits but instead weaponize trust—trusted software, trusted platforms, and trusted workflows.
By combining social engineering, trojanized applications, GitHub-based command channels, and VS Code tunnels, Tropic Trooper achieves stealth, persistence, and scalability in a single operation.
The key takeaway is clear: the attack surface now includes not just vulnerabilities, but everyday tools and platforms. Detecting these threats requires behavioral analysis, visibility across cloud services, and a deep understanding of how legitimate features can be turned against the user.
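The behavioural signals the post describes (a PDF reader reaching out to a staging server or spawning non-viewer processes, GitHub traffic from an unexpected process, and a VS Code tunnel started on a host where remote development is not expected) can be expressed as simple detection rules. The following is an added example, not code from the original post; the telemetry format, host names, the allowlists and the sample events are all constructed assumptions for illustration.

```python
"""Added example (not from the original post): detection rules for the campaign
behaviours described above, run over constructed endpoint telemetry.
Log format, host names, process allowlists and sample events are assumptions."""
import json
from typing import Iterator

# Constructed sample telemetry: one JSON object per line, process-start and network events.
SAMPLE_LOG = """
{"type":"process","host":"ws-07","image":"SumatraPDF.exe","parent":"explorer.exe","cmd":"SumatraPDF.exe brief.pdf"}
{"type":"network","host":"ws-07","image":"SumatraPDF.exe","dest":"203.0.113.10","port":443}
{"type":"process","host":"ws-07","image":"code.exe","parent":"SumatraPDF.exe","cmd":"code.exe tunnel --accept-server-license-terms"}
{"type":"process","host":"dev-01","image":"code.exe","parent":"explorer.exe","cmd":"code.exe ."}
{"type":"network","host":"ws-07","image":"powershell.exe","dest":"github.com","port":443}
"""

# Child processes a document viewer has no legitimate reason to start.
SUSPICIOUS_CHILDREN = {"powershell.exe", "cmd.exe", "code.exe", "rundll32.exe", "mshta.exe"}
DEV_HOSTS = {"dev-01"}  # assumption: hosts where VS Code tunnels are expected and approved
GITHUB_OK = {"git.exe", "chrome.exe", "msedge.exe", "code.exe"}  # assumption: normal GitHub clients

def parse_events(text: str) -> Iterator[dict]:
    for line in text.strip().splitlines():
        if line.strip():
            yield json.loads(line)

def detect(text: str) -> list[str]:
    """Return one alert string per rule match; each rule mirrors a phase of the campaign."""
    alerts = []
    for ev in parse_events(text):
        image, host = ev["image"].lower(), ev["host"]
        if ev["type"] == "network":
            # Phase 2: the trojanized reader itself contacts a staging server.
            if image == "sumatrapdf.exe":
                alerts.append(f"{host}: SumatraPDF.exe connected to {ev['dest']}:{ev['port']}")
            # Phase 3: GitHub used as a command channel from a process that is not a normal client.
            if ev["dest"] == "github.com" and image not in GITHUB_OK:
                alerts.append(f"{host}: {ev['image']} connected to github.com")
        if ev["type"] == "process":
            parent, cmd = ev["parent"].lower(), ev["cmd"].lower()
            # Phase 2: the reader spawns a shell, script host or editor instead of staying a viewer.
            if parent == "sumatrapdf.exe" and image in SUSPICIOUS_CHILDREN:
                alerts.append(f"{host}: SumatraPDF.exe spawned {ev['image']}")
            # Phase 4: 'code tunnel' started on a host with no approved remote-development use.
            if image in ("code.exe", "code-tunnel.exe") and " tunnel" in cmd and host not in DEV_HOSTS:
                alerts.append(f"{host}: VS Code tunnel started: {ev['cmd']}")
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print("ALERT", alert)
```

On the constructed sample the rules raise four alerts for ws-07 and none for the approved developer host dev-01.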