The campaign was discovered on March 12, 2026, when researchers came across a malicious ZIP archive that set off a multi-stage attack chain designed to gain persistent remote access to compromised systems.
What makes this campaign stand out is its shift toward newer, open-source offensive tools paired with a creative abuse of developer infrastructure most people would never think to flag as suspicious.
At the center of this attack is a trojanized version of the open-source SumatraPDF reader binary, disguised as a document titled “Comparative Analysis of US-UK and US-Australia Nuclear Submarine Cooperation (2025).exe.”
When a victim runs this file, the loader quietly downloads and displays a convincing PDF lure, showing legitimate-looking content about American submarines and the AUKUS security partnership, while simultaneously downloading and executing an AdaptixC2 Beacon agent in the background.
The victim sees a normal document, but behind the scenes, their system is already compromised.
Researchers from Zscaler ThreatLabz identified and analyzed the full campaign, attributing it with high confidence to Tropic Trooper, a threat actor also tracked as Earth Centaur and Pirate Panda.
They noted that the group used a loader closely resembling the TOSHIS loader, which had previously been connected to Tropic Trooper in an earlier campaign known as TAOTH.
The staging server used in this attack was also found to host additional known Tropic Trooper tools, including a Cobalt Strike Beacon with the group’s signature watermark “520” and an EntryShell backdoor, further cementing the attribution.
The group’s tactics reflect a clear evolution in their toolset. Rather than relying on previously used backdoors like Cobalt Strike Beacon or Merlin Mythic agents, Tropic Trooper has now shifted to using the open-source AdaptixC2 framework, with a custom beacon listener built on top of it.
This pivot toward publicly available offensive tools makes attribution harder and lowers the barrier for reuse across different operations, a trend increasingly seen among advanced persistent threat (APT) groups operating across the Asia-Pacific region.
Perhaps the most notable element of this campaign is how the threat actor used Visual Studio (VS) Code tunnels for remote access once a target was deemed “interesting” after the initial compromise.
Commands observed by ThreatLabz included scheduled task creation for persistence, network reconnaissance using arp and net view, and direct use of the VS Code tunnel feature for interactive access to victim machines.
This abuse of a legitimate developer tool makes detection significantly harder, as VS Code traffic is widely trusted by enterprise security tools and network monitoring systems.
The most technically inventive aspect of this campaign is how Tropic Trooper designed its custom AdaptixC2 beacon listener to use GitHub as its command-and-control (C2) platform.
Instead of communicating directly with a traditional attacker-controlled server, the beacon interacts with a GitHub repository, reading task assignments from GitHub Issues and uploading results back to the same repository as file contents.
Layout of the Tropic Trooper GitHub repository (Source – Zscaler)
The entire C2 workflow runs through a repository created under a fake GitHub account, which makes it extremely difficult for network defenders to distinguish this malicious traffic from normal developer activity.
Example of GitHub issues used by AdaptixC2 (Source – Zscaler)
The agent begins by retrieving its external IP address from ipinfo.io, since GitHub-based communication does not expose this information to the attacker’s server.
It then sends an initial beacon via a POST request to GitHub Issue number 1, encrypted using an RC4 session key generated from a random seed, to establish the session.
Diagram showing the C2 workflow (Source – Zscaler)
The diagram shows how the beacon checks for pending tasks by querying the repository’s open issues, processes commands based on issue title patterns such as “upload” or “fileupload,” and sends back encrypted responses as Base64-encoded file uploads to the repository.
All C2 traffic is encrypted using RC4, and to further cover their tracks, ThreatLabz observed that beacons uploaded to GitHub were deleted within 10 seconds of being posted, destroying session keys and making decryption by any observer practically impossible.
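A defender-side detection sketch for the GitHub-based C2 behaviour described above, added here as an example and not code from Zscaler or the article: it runs over constructed proxy log lines and flags a host that looks up ipinfo.io shortly before talking to GitHub Issues API endpoints, and whose repository files are deleted within seconds of being created. The host names, repository name and file paths are placeholders, and the exact API paths the beacon uses are an assumption modelled on GitHub's public REST API.

```python
# Added detection sketch (not Zscaler's or the article's code) for the GitHub-Issues C2 pattern.
# Hosts, repo and paths are constructed placeholders; API paths are assumed from GitHub's REST API.
from collections import defaultdict
from datetime import datetime, timedelta
import re

SAMPLE_LOG = """\
2026-03-12T09:00:01 ws-017 GET https://ipinfo.io/json
2026-03-12T09:00:04 ws-017 POST https://api.github.com/repos/EXAMPLE-ORG/EXAMPLE-REPO/issues/1/comments
2026-03-12T09:00:35 ws-017 GET https://api.github.com/repos/EXAMPLE-ORG/EXAMPLE-REPO/issues?state=open
2026-03-12T09:00:36 ws-017 PUT https://api.github.com/repos/EXAMPLE-ORG/EXAMPLE-REPO/contents/out/r1.b64
2026-03-12T09:00:41 ws-017 DELETE https://api.github.com/repos/EXAMPLE-ORG/EXAMPLE-REPO/contents/out/r1.b64
2026-03-12T09:10:00 dev-042 GET https://api.github.com/repos/EXAMPLE-ORG/tooling/issues?state=open
"""  # constructed proxy log: "<ISO timestamp> <source host> <method> <url>"
LINE_RE = re.compile(r"^(\S+) (\S+) (GET|POST|PUT|PATCH|DELETE) (\S+)$")
ISSUES_RE = re.compile(r"^https://api\.github\.com/repos/[^/]+/[^/]+/issues(?:[/?]|$)")
CONTENTS_RE = re.compile(r"^https://api\.github\.com/repos/[^/]+/[^/]+/contents/(\S+)$")

def parse(log):
    """Yield (timestamp, host, method, url) for each well-formed line; others are skipped."""
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield (datetime.fromisoformat(m.group(1)),) + m.groups()[1:]

def find_suspects(log, corr_window=timedelta(minutes=5), delete_window=timedelta(seconds=15)):
    """Return {host: [reasons]} for every host showing at least one of the two indicators."""
    by_host = defaultdict(list)
    for ev in parse(log):
        by_host[ev[1]].append(ev)
    suspects = {}
    for host, evs in by_host.items():
        evs.sort()
        ipinfo = [ts for ts, _, _, url in evs if "ipinfo.io" in url]
        issues = [ts for ts, _, _, url in evs if ISSUES_RE.match(url)]
        # Indicator 1: external-IP lookup followed within corr_window by Issues API traffic.
        correlated = any(timedelta(0) <= i - p <= corr_window for p in ipinfo for i in issues)
        created, short_lived = {}, 0  # Indicator 2: PUT then DELETE of the same path within delete_window
        for ts, _, method, url in evs:
            m = CONTENTS_RE.match(url)
            if m and method == "PUT":
                created[m.group(1)] = ts
            elif m and method == "DELETE" and m.group(1) in created:
                short_lived += ts - created[m.group(1)] <= delete_window
        reasons = [text for hit, text in [
            (correlated, "ipinfo.io lookup followed by GitHub Issues API traffic"),
            (short_lived, f"{short_lived} repo file(s) deleted within {delete_window.seconds}s of creation")] if hit]
        if reasons:
            suspects[host] = reasons
    return suspects
```

Legitimate developer hosts that poll issues without the preceding ipinfo.io lookup or the create-then-delete pattern (dev-042 in the sample) produce no alert, which keeps the rule usable on networks where GitHub traffic is common.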
Organizations can take the following steps to reduce their exposure to this type of attack:
The post New Tropic Trooper Attack Uses Custom Beacon Listener and VS Code Tunnels for Remote Access appeared first on Cyber Security News.