<?xml version="1.0" encoding="UTF-8"?><rss xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:atom="http://www.w3.org/2005/Atom" version="2.0"><channel><title><![CDATA[(zscaler.com) Tropic Trooper Deploys AdaptixC2 Beacon with Custom GitHub C2 Listener via Trojanized SumatraPDF]]></title><description><![CDATA[<p>(zscaler.com) Tropic Trooper Deploys AdaptixC2 Beacon with Custom GitHub C2 Listener via Trojanized SumatraPDF</p><p>Tropic Trooper (Earth Centaur/Pirate Panda) deploys AdaptixC2 Beacon via trojanized SumatraPDF in targeted cyber espionage campaign against Taiwan, South Korea, and Japan.</p><p>In brief - China-nexus APT Tropic Trooper targets Chinese-speaking individuals using military lures to deliver a trojanized SumatraPDF binary. The attack deploys AdaptixC2 Beacon with a custom GitHub C2 listener, followed by VS Code tunnel abuse for persistent access. EntryShell and CobaltStrike (watermark '520') reinforce attribution.</p><p>Technically - The trojanized SumatraPDF hijacks _security_init_cookie to execute the TOSHIS loader, which resolves APIs via Adler-32 hashing and fetches second-stage shellcode from 158.247.193[.]100. Shellcode is decrypted using AES-128 CBC (key derived from MD5 of '424986c3a4fddcb6'). AdaptixC2 Beacon uses the GitHub Issues API for C2, authenticating with a hardcoded PAT. RC4 session keys (16-byte, generated via RtlRandomEx(GetTickCount())) encrypt task results uploaded to GitHub. 
Post-compromise includes reconnaissance, scheduled task persistence, and VS Code tunnel deployment.</p><p>Source: <a href="https://www.zscaler.com/blogs/security-research/tropic-trooper-pivots-adaptixc2-and-custom-beacon-listener" rel="nofollow noopener"><span>https://www.</span><span>zscaler.com/blogs/security-res</span><span>earch/tropic-trooper-pivots-adaptixc2-and-custom-beacon-listener</span></a></p><p><a href="https://swecyb.com/tags/Cybersecurity" rel="tag">#<span>Cybersecurity</span></a> <a href="https://swecyb.com/tags/ThreatIntel" rel="tag">#<span>ThreatIntel</span></a></p>]]></description><link>https://board.circlewithadot.net/topic/494cdf90-d409-4b35-9486-7361dd60be13/zscaler.com-tropic-trooper-deploys-adaptixc2-beacon-with-custom-github-c2-listener-via-trojanized-sumatrapdf</link><generator>RSS for Node</generator><lastBuildDate>Fri, 15 May 2026 07:51:23 GMT</lastBuildDate><atom:link href="https://board.circlewithadot.net/topic/494cdf90-d409-4b35-9486-7361dd60be13.rss" rel="self" type="application/rss+xml"/><pubDate>Wed, 22 Apr 2026 20:25:56 GMT</pubDate><ttl>60</ttl></channel></rss>