Basically, a hacker group is using clever tricks to hide their attacks using GitHub and developer tools.
What Happened
A new cyberattack campaign linked to the Tropic Trooper group has emerged, targeting Chinese-speaking individuals in Taiwan, South Korea, and Japan. Discovered on March 12, 2026, this campaign utilizes military-themed document lures to initiate a multi-stage attack designed for persistent remote access.
The Threat
At the heart of this attack is a trojanized version of the open-source SumatraPDF reader, disguised as a document titled "Comparative Analysis of US-UK and US-Australia Nuclear Submarine Cooperation (2025).exe." When executed, it not only displays a convincing PDF but also downloads and executes the AdaptixC2 Beacon agent in the background. This clever ruse allows attackers to compromise systems while the victim believes they are simply viewing a document.
Who's Behind It
Researchers from Zscaler ThreatLabz have attributed this campaign to Tropic Trooper, also known as Earth Centaur or Pirate Panda. The group is noted for its evolution in tactics, moving from traditional backdoors like Cobalt Strike to utilizing the AdaptixC2 framework. This shift complicates attribution and lowers the barrier for reuse across different operations.
Tactics & Techniques
The campaign marks a notable shift in tactics, in particular the use of Visual Studio Code (VS Code) tunnels for remote access. Once a target is deemed interesting, commands are issued for tasks like network reconnaissance and scheduled task creation for persistence. Using a legitimate developer tool makes detection significantly harder, because VS Code traffic is often trusted by security systems.
Command and Control Innovation
Perhaps the most inventive aspect of this attack is the use of GitHub as a command-and-control (C2) platform. Instead of traditional servers, the beacon interacts with a GitHub repository, reading tasks from GitHub Issues and uploading results back to the repository. This method obscures malicious activity among normal developer operations, making it difficult for defenders to detect.
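The GitHub-as-C2 pattern described above has a network-side signature a defender can hunt for: a host that is not a developer workstation repeatedly fetching a repository's Issues endpoint at a steady interval and pushing files back through the contents API. The script below is an added example written for this page, not code from Zscaler or from the campaign; it runs a simple beaconing heuristic over a handful of constructed proxy log lines. The developer-host inventory, the log format and the VS Code tunnel service domains (`devtunnels.ms`, `tunnels.api.visualstudio.com`, taken from public Microsoft documentation) are assumptions to adjust for your own environment. The same check also covers the "monitor GitHub API traffic" and "audit VS Code tunnels" advice given later on this page.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed proxy log lines (not from the Zscaler report): timestamp, source host, destination host, method, path.
SAMPLE_PROXY_LOG = """\
2026-03-12T09:00:00Z DEV-PC-07 api.github.com GET /repos/acme/webapp/issues?state=open
2026-03-12T09:00:05Z FIN-LAPTOP-21 api.github.com GET /repos/placeholder-owner/notes/issues?state=open
2026-03-12T09:01:05Z FIN-LAPTOP-21 api.github.com GET /repos/placeholder-owner/notes/issues?state=open
2026-03-12T09:02:05Z FIN-LAPTOP-21 api.github.com GET /repos/placeholder-owner/notes/issues?state=open
2026-03-12T09:02:09Z FIN-LAPTOP-21 api.github.com PUT /repos/placeholder-owner/notes/contents/out/result.txt
2026-03-12T09:03:00Z HR-DESKTOP-03 global.rel.tunnels.api.visualstudio.com POST /api/v1/tunnels
2026-03-12T09:04:00Z DEV-PC-07 github.com GET /acme/webapp/pull/42
2026-03-12T09:05:00Z FIN-LAPTOP-21 www.example.com GET /
"""

DEV_HOSTS = {"DEV-PC-07"}  # assumed inventory of hosts where GitHub API use is expected
# Assumed VS Code tunnel service domains (public Microsoft docs); verify against your own telemetry
TUNNEL_DOMAIN_SUFFIXES = ("devtunnels.ms", "tunnels.api.visualstudio.com")

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (GET|POST|PUT|PATCH|DELETE) (\S+)$")
ISSUES_RE = re.compile(r"^/repos/[^/]+/[^/]+/issues(?:/|\?|$)")
CONTENTS_RE = re.compile(r"^/repos/[^/]+/[^/]+/contents/")


def parse_proxy_log(text):
    """Parse the constructed space-separated format into dicts; malformed lines are skipped."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        ts, host, dest, method, path = m.groups()
        entries.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "host": host, "dest": dest, "method": method, "path": path,
        })
    return entries


def find_github_c2_candidates(entries, dev_hosts, min_polls=3, max_jitter_s=10):
    """Return {host: [reasons]} for GitHub API use from non-developer hosts and any VS Code tunnel contact."""
    polls = defaultdict(list)    # host -> timestamps of Issues reads
    uploads = defaultdict(int)   # host -> number of writes through the contents API
    tunnels = defaultdict(set)   # host -> tunnel service domains contacted
    for e in entries:
        if e["dest"].endswith(TUNNEL_DOMAIN_SUFFIXES):
            tunnels[e["host"]].add(e["dest"])  # audit every host, developers included
            continue
        if e["host"] in dev_hosts or e["dest"] != "api.github.com":
            continue
        if e["method"] == "GET" and ISSUES_RE.match(e["path"]):
            polls[e["host"]].append(e["ts"])
        elif e["method"] in ("PUT", "POST") and CONTENTS_RE.match(e["path"]):
            uploads[e["host"]] += 1

    findings = {}
    for host in sorted(set(polls) | set(uploads) | set(tunnels)):
        reasons = []
        stamps = sorted(polls.get(host, []))
        if len(stamps) >= min_polls:
            # A beacon polls on a timer: near-constant gaps between requests
            gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
            if max(gaps) - min(gaps) <= max_jitter_s:
                reasons.append(f"regular GitHub Issues polling: {len(stamps)} requests ~{sum(gaps) / len(gaps):.0f}s apart")
            else:
                reasons.append(f"GitHub Issues polling from non-developer host: {len(stamps)} requests")
        elif stamps:
            reasons.append(f"GitHub Issues access from non-developer host: {len(stamps)} requests")
        if uploads.get(host):
            reasons.append(f"{uploads[host]} file upload(s) via GitHub contents API (possible task output)")
        for dom in sorted(tunnels.get(host, ())):
            reasons.append(f"VS Code tunnel service contacted: {dom}")
        findings[host] = reasons
    return findings


if __name__ == "__main__":
    for host, reasons in find_github_c2_candidates(parse_proxy_log(SAMPLE_PROXY_LOG), DEV_HOSTS).items():
        print(host)
        for reason in reasons:
            print("  -", reason)
```

On the constructed sample the finance laptop is reported for three Issues reads exactly 60 seconds apart plus one upload, the HR desktop for contacting the tunnel service, and the developer PC for nothing. In production, feed the function your proxy or DNS logs and treat the developer-host set as the allowlist that keeps legitimate GitHub use out of the alert.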
What You Should Do
Organizations can take the proactive measures listed below to mitigate the risk of such attacks. By staying vigilant and adapting security measures, organizations can better defend against evolving threats like those posed by Tropic Trooper.
Do Now
1. Monitor traffic to unexpected GitHub API endpoints from non-developer environments.
2. Implement application allowlisting to prevent execution of trojanized binaries.
3. Audit the use of VS Code tunnels in corporate environments to restrict unauthorized access.
Do Next
4. Hunt for unusual scheduled task creation that mimics system services.
5. Enforce email and file gateway controls to catch malicious ZIP archives.
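Item 4 above, hunting for scheduled tasks that mimic system services, is easiest to show on real-looking data. The script below is an added example for this page, not code from the report or the vendor; it runs three heuristics over constructed records modelled on Windows Security event 4698 ("A scheduled task was created"): a system-style task name whose action runs from a user-writable directory, a binary named like a core Windows process but living outside the trusted system directories, and a task that launches the VS Code CLI's `tunnel` command. The task names, paths, user names and the small allowlist of vendors that legitimately run updaters from AppData are all assumptions made up for the sample.

```python
import re

# Constructed records modelled on Windows Security event 4698; made up for this example, not from the report.
SAMPLE_TASK_EVENTS = [
    {"task_name": r"\Microsoft\Windows\WindowsUpdate\Scheduled Start",
     "command": r"C:\Windows\System32\sc.exe", "args": "start wuauserv", "user": "SYSTEM"},
    {"task_name": r"\Microsoft\Windows\Defender\HealthCheck",
     "command": r"C:\Users\jlee\AppData\Roaming\Reader\svchost.exe", "args": "", "user": "jlee"},
    {"task_name": r"\OneDrive Standalone Update Task-S-1-5-21-PLACEHOLDER",
     "command": r"C:\Users\jlee\AppData\Local\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe",
     "args": "", "user": "jlee"},
    {"task_name": r"\Windows Defender Update",
     "command": r"C:\ProgramData\update\code.exe", "args": "tunnel", "user": "jlee"},
]

# Task names that look like built-in Windows or vendor maintenance tasks
SYSTEM_NAME_HINTS = re.compile(r"(^\\Microsoft\\|Windows|Defender|Update|Service|Health)", re.IGNORECASE)
# Directories an ordinary user can write to; legitimate system tasks rarely launch from here
USER_WRITABLE = re.compile(r"\\(AppData|Temp|ProgramData|Public|Downloads)\\", re.IGNORECASE)
# Lower-cased path prefixes where core Windows binaries are expected to live
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
# Process names attackers commonly reuse to blend in
SYSTEM_BINARY_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "explorer.exe", "wuauclt.exe"}
# Assumed allowlist: vendors known to run updaters from AppData in this environment (tune locally)
KNOWN_APPDATA_VENDORS = ("\\appdata\\local\\microsoft\\onedrive\\",)


def hunt_scheduled_tasks(events):
    """Return a list of {task_name, user, reasons} for tasks matching any masquerading heuristic."""
    findings = []
    for ev in events:
        name = ev["task_name"]
        cmd = ev["command"].lower()
        exe = cmd.rsplit("\\", 1)[-1]
        reasons = []

        looks_system = bool(SYSTEM_NAME_HINTS.search(name))
        in_trusted_dir = cmd.startswith(TRUSTED_PREFIXES)
        known_vendor = any(v in cmd for v in KNOWN_APPDATA_VENDORS)

        # 1. System-style name, but the action lives where any user could drop a file
        if looks_system and USER_WRITABLE.search(cmd) and not known_vendor:
            reasons.append("system-style task name but binary in a user-writable directory")
        # 2. Core Windows process name outside the directories it normally runs from
        if exe in SYSTEM_BINARY_NAMES and not in_trusted_dir:
            reasons.append(f"{exe} running outside trusted system directories (masquerading)")
        # 3. VS Code CLI asked to open a tunnel from a scheduled task (persistence for remote access)
        if exe == "code.exe" and "tunnel" in ev["args"].lower().split():
            reasons.append("VS Code CLI tunnel started by a scheduled task")

        if reasons:
            findings.append({"task_name": name, "user": ev["user"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in hunt_scheduled_tasks(SAMPLE_TASK_EVENTS):
        print(f"{f['task_name']} (created by {f['user']})")
        for reason in f["reasons"]:
            print("  -", reason)
```

The OneDrive record is the deliberate edge case: it carries "Update" in its name and runs from AppData, exactly the shape of heuristic 1, and only the vendor allowlist keeps it out of the results. Expect to grow that allowlist from a baseline of your own fleet before turning the hunt into an alert.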
Pro insight: The Tropic Trooper's use of GitHub for C2 is a significant evolution, indicating a trend towards leveraging trusted platforms for malicious activities.