
Tropic Trooper targets Chinese speakers with SumatraPDF trojan and VS Code tunnels


As reported by The Hacker News, a new sophisticated cyber campaign has been identified, leveraging a trojanized SumatraPDF reader to target Chinese-speaking individuals. This campaign deploys the AdaptixC2 Beacon post-exploitation agent, ultimately facilitating the misuse of Microsoft Visual Studio Code tunnels for remote access.

The campaign, attributed with high confidence to the persistent threat group Tropic Trooper, uses a custom AdaptixC2 Beacon listener with GitHub as its command-and-control platform, according to Zscaler ThreatLabz. The attack begins with a ZIP archive of military-themed lures that launches a rogue build of SumatraPDF. This decoy application displays a fake PDF while secretly retrieving and executing encrypted shellcode. A loader, TOSHIS, a variant of the Xiangoop malware linked to Tropic Trooper, then deploys both the lure document and the AdaptixC2 Beacon agent.

The agent communicates via GitHub to receive commands. Once a target is deemed valuable, attackers establish VS Code tunnels for remote access, sometimes installing alternative trojanized applications for camouflage. The staging server has also hosted Cobalt Strike Beacon and a custom backdoor, EntryShell, previously used by Tropic Trooper.

Source: The Hacker News
