Malware News Tropic Trooper using military-themed lures and a trojanized SumatraPDF to deploy AdaptixC2 with a custom GitHub-based C2.

Khushal

Apr 4, 2024
Zscaler ThreatLabz has published a technical analysis on activity they believe to be orchestrated by Tropic Trooper, using military-themed lures and a trojanized SumatraPDF to deploy AdaptixC2 with a custom GitHub-based C2, then pivoting to Visual Studio Code tunnels for remote access.

Introduction

On March 12, 2026, Zscaler ThreatLabz discovered a malicious ZIP archive containing military-themed document lures targeting Chinese-speaking individuals. Our analysis of this sample uncovered a campaign leveraging a multi-stage attack chain where a trojanized SumatraPDF reader deploys an AdaptixC2 Beacon agent, ultimately leading to the download and abuse of Visual Studio (VS) Code tunnels for remote access. During our analysis, we observed that the threat actor likely targeted Chinese-speaking individuals in Taiwan, and individuals in South Korea and Japan. Based on the tactics, techniques, and procedures (TTPs) observed in this attack, ThreatLabz attributes this activity to Tropic Trooper (also known as Earth Centaur and Pirate Panda) with high confidence.
In this blog post, ThreatLabz covers the Tropic Trooper campaign and the tools that were deployed to conduct intelligence gathering.
 
This is a fairly typical example of a state-aligned intrusion chain using a legitimate-looking decoy, a trojanized installer, and then living-off-trusted-tools for persistence and remote access.

What stands out in this report

  • The initial lure appears to be military-themed documents, which fits targeted espionage tradecraft rather than broad cybercrime.
  • Using a trojanized SumatraPDF is notable because it disguises execution behind a familiar document reader.
  • AdaptixC2 suggests a more tailored post-compromise framework rather than simple commodity malware.
  • The reported GitHub-based C2 mechanism is consistent with attackers trying to blend malicious traffic with normal cloud/service usage.
  • Abuse of VS Code tunnels is especially important because it leverages a legitimate remote development feature that can be difficult to distinguish from benign activity without context.

Why the VS Code tunnel angle matters

Legitimate remote admin and developer tools are increasingly attractive to threat actors because they reduce the need for obviously malicious infrastructure.

If a user or organization allows VS Code, GitHub, and developer-related traffic, that can give attackers cover. In general, this means detection has to rely more on behavior than on simple blocklists.

Defensive takeaways

  • Do not rely only on malware signatures. This kind of chain often mixes legitimate software with malicious loaders.
  • Verify software installers and portable apps against official vendor sources before use.
  • Monitor for unexpected child processes launched by document readers or PDF software.
  • Review outbound connections to GitHub and developer tooling platforms for systems that do not normally use them.
  • Audit use of remote access channels such as VS Code tunnels, especially on non-developer endpoints.
  • Use application control where practical, particularly for user-space execution from archive extraction paths and temporary folders.

Attribution note

The attribution comes from Zscaler ThreatLabz, and while their reasoning may be strong, attribution should still be treated as an analytic assessment rather than absolute fact unless independently corroborated by multiple sources.

Bottom line

The most useful lesson here is not only the specific actor name, but the technique stack: trusted lure, trojanized legitimate app, custom C2, and abuse of a real remote-access feature. That combination is increasingly common in targeted operations and is exactly why behavior-based detection and strict software source validation matter.
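An added detection sketch, not from the post or from Zscaler's report, that turns the defensive takeaways above into rules over constructed Sysmon-style log lines: it flags child processes spawned by PDF readers, VS Code `tunnel` invocations on non-developer hosts, and GitHub-bound connections from non-developer hosts. The log format, the `role` enrichment field, host names and file paths are all assumptions.

```python
"""Behaviour rules for the chain described in the post: document reader spawning
a child, VS Code tunnel use, and GitHub traffic from hosts that normally have none.
The log lines below are constructed for illustration, not real telemetry."""
import re
from collections import namedtuple

Alert = namedtuple("Alert", "rule host detail")

# Assumed format: kind|host|role|parent_image|image|command_line_or_destination
SAMPLE_LOG = """\
proc|HR-PC-07|user|C:\\Users\\a\\Downloads\\SumatraPDF\\SumatraPDF.exe|C:\\Users\\a\\AppData\\Local\\Temp\\svc.exe|svc.exe -run
proc|HR-PC-07|user|C:\\Windows\\explorer.exe|C:\\Program Files\\Microsoft VS Code\\bin\\code.exe|code tunnel
proc|DEV-WS-02|developer|C:\\Windows\\explorer.exe|C:\\Program Files\\Microsoft VS Code\\bin\\code.exe|code tunnel
proc|HR-PC-07|user|C:\\Windows\\explorer.exe|C:\\Program Files\\Mozilla Firefox\\firefox.exe|firefox.exe
net|HR-PC-07|user|-|C:\\Users\\a\\AppData\\Local\\Temp\\svc.exe|api.github.com:443
net|DEV-WS-02|developer|-|C:\\Program Files\\Git\\cmd\\git.exe|github.com:443
"""

DOC_READERS = {"sumatrapdf.exe", "acrord32.exe", "foxitreader.exe"}
GITHUB_HOSTS = re.compile(r"(^|\.)(github\.com|githubusercontent\.com)$")

def basename(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def parse(log):
    """Yield one dict per log line; the tail is the command line (proc) or dest (net)."""
    for line in log.splitlines():
        kind, host, role, parent, image, tail = line.split("|", 5)
        yield dict(kind=kind, host=host, role=role, parent=parent, image=image, tail=tail)

def detect(events):
    """Apply the three behaviour rules and return the alerts in log order."""
    alerts = []
    for e in events:
        img, parent = basename(e["image"]), basename(e["parent"])
        # Rule 1: a PDF reader should not be a parent of anything.
        if e["kind"] == "proc" and parent in DOC_READERS:
            alerts.append(Alert("doc_reader_child", e["host"], f"{parent} -> {img}"))
        # Rule 2: 'code tunnel' is expected on developer hosts, suspicious elsewhere.
        if e["kind"] == "proc" and img in {"code.exe", "code-tunnel.exe"} \
                and re.search(r"\btunnel\b", e["tail"]) and e["role"] != "developer":
            alerts.append(Alert("vscode_tunnel_nondev", e["host"], e["tail"]))
        # Rule 3: GitHub traffic from a non-developer host deserves review.
        if e["kind"] == "net" and e["role"] != "developer":
            if GITHUB_HOSTS.search(e["tail"].rsplit(":", 1)[0]):
                alerts.append(Alert("github_from_nondev", e["host"], f"{img} -> {e['tail']}"))
    return alerts

if __name__ == "__main__":
    for a in detect(parse(SAMPLE_LOG)):
        print(a.rule, a.host, a.detail)
```

The role field stands in for whatever asset inventory or group membership the organisation uses to tell developer endpoints from the rest.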