(zscaler.com) Tropic Trooper Deploys AdaptixC2 Beacon with Custom GitHub C2 Listener via Trojanized SumatraPDF
-
Tropic Trooper (Earth Centaur/Pirate Panda) deploys the AdaptixC2 Beacon via a trojanized SumatraPDF in a targeted cyber-espionage campaign against Taiwan, South Korea, and Japan.
In brief - The China-nexus APT Tropic Trooper targets Chinese-speaking individuals with military-themed lures to deliver a trojanized SumatraPDF binary. The attack deploys the AdaptixC2 Beacon with a custom GitHub C2 listener, followed by VS Code tunnel abuse for persistent access. EntryShell and Cobalt Strike (watermark '520') reinforce attribution.
Technically - The trojanized SumatraPDF hijacks _security_init_cookie to execute the TOSHIS loader, which resolves APIs via Adler-32 hashing and fetches second-stage shellcode from 158.247.193[.]100. The shellcode is decrypted with AES-128 CBC (key derived as the MD5 of '424986c3a4fddcb6'). The AdaptixC2 Beacon uses the GitHub Issues API for C2, authenticating with a hardcoded PAT. RC4 session keys (16 bytes, generated via RtlRandomEx(GetTickCount())) encrypt task results uploaded to GitHub. Post-compromise activity includes reconnaissance, scheduled-task persistence, and VS Code tunnel deployment.
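The loader details above (Adler-32 API hashing and an AES-128 key derived as the MD5 of a fixed string) are what an analyst needs to reproduce when triaging a sample: the hash constants in the loader have to be mapped back to API names, and the key has to be rederived to inspect the captured second stage. The following Python is an added example written for this summary, not code from Zscaler or from the malware. It implements Adler-32 by hand (checked against zlib) and builds a reverse lookup over a constructed list of API names; whether TOSHIS hashes the ASCII name with or without a trailing NUL, and in which case, is not stated on the page, so the table is built for both NUL variants and that choice is an assumption. The seed string for the key is the one quoted above.

```python
"""Triage helpers for an Adler-32 API-hashing loader (constructed example)."""
import hashlib
import zlib

MOD_ADLER = 65521  # largest prime below 2**16, as in the Adler-32 specification


def adler32(data: bytes) -> int:
    """Plain Adler-32 over `data`, written out so the loop can be matched
    against the loader's own hashing routine in a disassembler."""
    a, b = 1, 0
    for byte in data:
        a = (a + byte) % MOD_ADLER
        b = (b + a) % MOD_ADLER
    return (b << 16) | a


def matches_zlib(data: bytes) -> bool:
    """Self-check: the hand-written routine must agree with zlib.adler32."""
    return adler32(data) == zlib.adler32(data)


# Constructed candidate list. A real run would feed the export tables of
# kernel32.dll, ntdll.dll, winhttp.dll, etc. (e.g. from pefile) instead.
CANDIDATE_APIS = [
    "LoadLibraryA", "GetProcAddress", "VirtualAlloc", "VirtualProtect",
    "CreateThread", "WinHttpOpen", "RtlRandomEx", "GetTickCount",
]


def build_hash_table(names) -> dict:
    """Map Adler-32 values back to API names.

    The page does not say whether the NUL terminator is included in the
    hashed bytes, so both variants are inserted (assumption)."""
    table = {}
    for name in names:
        raw = name.encode("ascii")
        table[adler32(raw)] = name
        table[adler32(raw + b"\x00")] = name
    return table


def resolve_hash(value: int, table: dict):
    """Return the API name for a hash constant pulled from the loader, or None."""
    return table.get(value)


def derive_aes128_key(seed: str) -> bytes:
    """AES-128 key as the raw 16-byte MD5 digest of the seed string,
    which is the derivation the summary describes."""
    return hashlib.md5(seed.encode("ascii")).digest()


if __name__ == "__main__":
    table = build_hash_table(CANDIDATE_APIS)
    # Pretend these constants were lifted from the loader's resolver.
    for const in (adler32(b"VirtualAlloc"), adler32(b"WinHttpOpen\x00"), 0x12345678):
        print(f"0x{const:08x} -> {resolve_hash(const, table)}")
    key = derive_aes128_key("424986c3a4fddcb6")
    print("AES-128 key:", key.hex(), f"({len(key)} bytes)")
```

Feeding the hash constants found in the resolver into `resolve_hash` gives the import list the loader hides, which is what to compare against the reconnaissance and network behaviour described in the report; the derived key is only useful against a captured second stage, and the IV and padding handling still have to be read out of the sample.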