Introduction

On March 12, 2026, Zscaler ThreatLabz discovered a malicious ZIP archive containing military-themed document lures targeting Chinese-speaking individuals. Our analysis of this sample uncovered a campaign built on a multi-stage attack chain: a trojanized SumatraPDF reader deploys an AdaptixC2 Beacon agent, which ultimately downloads Visual Studio (VS) Code and abuses its tunnels for remote access. During our analysis, we observed that the threat actor likely targeted Chinese-speaking individuals in Taiwan, as well as individuals in South Korea and Japan. Based on the tactics, techniques, and procedures (TTPs) observed in this attack, ThreatLabz attributes this activity to Tropic Trooper (also known as Earth Centaur and Pirate Panda) with high confidence.

In this blog post, ThreatLabz covers the Tropic Trooper campaign and the tools that were deployed to conduct intelligence gathering.

Key Takeaways

- On March 12, 2026, ThreatLabz discovered a malicious ZIP archive containing military-themed document lures targeting Chinese-speaking individuals.
- The campaign used a trojanized SumatraPDF binary to deploy an AdaptixC2 Beacon and, ultimately, VS Code on targeted machines.
- The shellcode loader used in this attack closely resembles the TOSHIS loader, which has been associated with Tropic Trooper and was previously reported in the TAOTH campaign.
- The threat actors created a custom AdaptixC2 Beacon listener that uses GitHub as its command-and-control (C2) platform.
- The staging server involved in this attack also hosted a CobaltStrike Beacon and an EntryShell backdoor. Both malware families and their configurations are known to have been used by Tropic Trooper.

Technical Analysis

In the sections below, ThreatLabz outlines the attack chain, starting with the military-themed lures and leading to the deployment of the AdaptixC2 Beacon agent. We also discuss the use of a custom GitHub listener and the recurring TTP of abusing VS Code for remote access.

Attack chain

The full sequence of the attack is illustrated in the figure below.

Figure 1: Tropic Trooper attack chain leading to the deployment of an AdaptixC2 Beacon and VS Code tunnels.

The ZIP archive contained documents with the following names, shown with rough English translations:

Original Chinese filename | English translation
CECC昆山元宇宙产业基地建设方案(20230325).docx | CECC Kunshan Metaverse Industrial Base Construction Plan (20230325).docx
中国声学智能产业声创中心建设和运营方案(2021112)(2)(1)(1).docx | China Acoustic Intelligence Industry Innovation Center Construction and Operation Plan (2021112)(2)(1)(1).docx
武器装备体系结构贡献度评估.pdf | Assessment of Contribution Degree of Weaponry System Architecture.pdf
武器装备体系能力贡献度的解析与度量方法.pdf | Analysis and Measurement Methods for Capability Contribution of Weaponry Systems.pdf
江苏自主智能无人系统产业基地建设方案(202304) .docx | Jiangsu Autonomous Intelligent Unmanned Systems Industrial Base Construction Plan (202304).docx
美英与美澳核潜艇合作的比较分析(2025).exe | Comparative Analysis of US-UK and US-Australia Nuclear Submarine Cooperation (2025).exe

Table 1: The files found inside the ZIP archive, showing each original Chinese filename alongside its approximate English translation.

Most of these files appear outdated. The document that appears to be the most recent, Comparative Analysis of US-UK and US-Australia Nuclear Submarine Cooperation (2025).exe, is actually a trojanized version of the SumatraPDF reader binary. When executed, this loader triggers a multi-stage attack: it downloads and displays a new decoy PDF to the victim while discreetly downloading and running an AdaptixC2 Beacon agent in the background.

The downloaded lure PDF matches its file name, featuring analysis and visuals concerning American submarines and the AUKUS partnership (a security partnership between Australia, the U.K., and the U.S.). The figure below illustrates the contents of the downloaded lure PDF.

Figure 2: Tropic Trooper PDF lure containing information about the AUKUS partnership and American submarines.

Stage 1 – TOSHIS loader (backdoored SumatraPDF)

At first glance, the trojanized executable resembles the open-source SumatraPDF reader: it carries the same certificate and PDB path as the legitimate SumatraPDF executable. However, the signature of this binary is invalid, because the image was modified after signing when the TOSHIS loader was inserted. Analysis shows the threat actor hijacks the executable’s control flow by redirecting the _security_init_cookie function to execute malicious code. Compared to earlier TOSHIS loader samples, where the entry point was modified to jump to the payload, this version uses a revised trojanization method that overwrites _security_init_cookie instead.

Figure 3: Comparison of the entry points in the trojanized and legitimate SumatraPDF versions.

The InjectedCode function redirects to the TOSHIS loader code. The function begins by constructing stack strings, which include the command-and-control (C2) IP address, the destination path for the lure file, DLL names, and a cryptographic key. Next,
[…]
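As an added example (not code from the ThreatLabz post, SumatraPDF, or the campaign), the following Python script locates the byte runs that differ in the .text section between a known-good build of a signed executable and a suspected trojanized copy of the same build. This is the practical way for a defender to pinpoint an overwritten function body, such as the hijacked _security_init_cookie described above, once the Authenticode signature no longer verifies. The PE images it runs on are constructed toy stand-ins; the section offsets and byte patterns are assumptions, not values from the campaign.

```python
import struct

def _sections(pe: bytes) -> dict:
    """Parse the COFF section table of a PE32/PE32+ image into name -> (raw_ptr, raw_size)."""
    e_lfanew, = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    coff = e_lfanew + 4
    nsec, = struct.unpack_from("<H", pe, coff + 2)        # NumberOfSections
    opt_size, = struct.unpack_from("<H", pe, coff + 16)   # SizeOfOptionalHeader
    table = coff + 20 + opt_size                           # first IMAGE_SECTION_HEADER
    out = {}
    for i in range(nsec):
        s = table + i * 40
        raw_size, raw_ptr = struct.unpack_from("<II", pe, s + 16)  # SizeOfRawData, PointerToRawData
        out[pe[s:s + 8].rstrip(b"\0")] = (raw_ptr, raw_size)
    return out

def section_diff_runs(reference: bytes, suspect: bytes, name: bytes = b".text") -> list:
    """Byte-compare one section of two images of the same build.
    Returns [(file_offset_in_suspect, length)] for every run of modified bytes."""
    rptr, rsize = _sections(reference)[name]
    sptr, ssize = _sections(suspect)[name]
    if rsize != ssize:
        raise ValueError("section sizes differ; compare against the same build/version")
    ref, sus = reference[rptr:rptr + rsize], suspect[sptr:sptr + ssize]
    runs, start = [], None
    for i, (a, b) in enumerate(zip(ref, sus)):
        if a != b and start is None:
            start = i
        elif a == b and start is not None:
            runs.append((sptr + start, i - start)); start = None
    if start is not None:
        runs.append((sptr + start, len(ref) - start))
    return runs

def build_toy_pe(text: bytes) -> bytes:
    """Constructed minimal PE32+ with a single .text section at file offset 0x200 (not real SumatraPDF)."""
    opt_size, raw_ptr = 0xF0, 0x200
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)                 # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, opt_size, 0x22)   # x64, one section
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B)                                # PE32+ magic
    struct.pack_into("<I", opt, 16, 0x1000)                              # AddressOfEntryPoint
    sec = b".text\0\0\0" + struct.pack("<IIII", len(text), 0x1000, len(text), raw_ptr) + b"\0" * 16
    img = bytearray(dos + b"PE\0\0" + coff + opt + sec)
    return bytes(img + b"\0" * (raw_ptr - len(img)) + text)

# Constructed stand-ins: a clean function body, and the same build with five bytes of it
# overwritten by a jmp rel32 to the payload (the in-place patch pattern described above).
CLEAN_TEXT = bytes([0x48, 0x83, 0xEC, 0x28] + [0x90] * 28 + [0x48, 0x83, 0xC4, 0x28, 0xC3])
TROJANED_TEXT = CLEAN_TEXT[:16] + b"\xE9\x00\x10\x00\x00" + CLEAN_TEXT[21:]

if __name__ == "__main__":
    print(section_diff_runs(build_toy_pe(CLEAN_TEXT), build_toy_pe(TROJANED_TEXT)))
```

On real samples, feed the bytes of the legitimate release and the suspect file; the reported offsets are where to start disassembling.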