Tropic Trooper’s New Arsenal: AdaptixC2 & GitHub C2 Explained
Key Highlights
- The Shift to Open-Source: Tropic Trooper abandoned Cobalt Strike for free, customizable AdaptixC2—making attribution harder and attacks faster to deploy.
- GitHub as Command Center: The group engineered a custom beacon listener that routes C2 traffic through GitHub Issues and repositories, blending perfectly into normal developer activity.
- VS Code Backdoors: Attackers abuse Microsoft’s legitimate VS Code tunnels for persistent access, creating firewall-invisible backdoors that look like standard remote development work.
- Detection is Hard: Traditional antivirus misses this attack. Defenders need behavioral monitoring and API pattern analysis, not just signature-based detection.
On March 12, 2026, researchers found something odd. A Chinese hacking group called Tropic Trooper was using new tools. Not the old ones. These new tools are free, open to everyone, and way harder to spot. That’s the shift we need to talk about.
The group used a custom command-and-control setup on GitHub. They also weaponized Visual Studio Code tunnels. For the first time at this scale, they’re turning developer tools into weapons. The bottom line? Traditional malware detection is losing ground.
What Exactly Happened?
On March 12, 2026, Zscaler ThreatLabz discovered a malicious ZIP archive containing military-themed document lures targeting Chinese-speaking individuals. The files looked real. One was titled “Comparative Analysis of US-UK and US-Australia Nuclear Submarine Cooperation (2025).exe.”
Here’s the trick. When someone opened it, two things happened at once. First, a real PDF popped up. It showed submarine info and the AUKUS security partnership. Users saw a normal document. That’s what they were supposed to see.
Meanwhile, something else was running in the background.
According to GBHackers, the executable was actually a fake version of SumatraPDF, a legitimate PDF reader. Hidden deep inside was malicious code. When launched, the trojanized SumatraPDF displayed a decoy PDF that matched the lure’s theme, while silently downloading and executing shellcode that deployed an AdaptixC2 Beacon agent in memory.
The victims had zero clue their systems were now compromised.
The Attack Chain: Three Stages
Here’s the thing. This wasn’t just one quick hack. It was built in stages. Each stage had a job to do.
Stage 1: The Trojanized Loader
Inside that fake PDF reader sat the TOSHIS loader. This loader showed up in past Tropic Trooper attacks too. Here’s how it works:
TOSHIS acts as a stager by retrieving additional payloads from its command-and-control (C&C) server. Its infection mechanism involves patching the entry point of a legitimate Portable Executable (PE) file to execute malicious shellcode.
So the loader grabbed two things:
- A decoy PDF (keeps the victim calm)
- Encrypted shellcode (the real payload)
Next, it decrypted the shellcode using AES-128 and ran it in memory. No files dropped to disk. That’s the kicker. Antivirus tools often miss this approach.
Stage 2: The AdaptixC2 Beacon
After decryption, out came an AdaptixC2 Beacon. Think of it as a messaging app between the hacker and the infected computer. Standard command-and-control stuff.
But wait. Here’s what makes it different. Instead of calling home to some server the attackers own, it connects to GitHub.
Stage 3: VS Code Tunnels for Persistence
Once they got in, they switched to a different approach for high-value targets. They deployed VS Code tunnels. This is a legit Microsoft feature for remote coding work. Attackers just turned it into a backdoor.
They set up scheduled tasks with fake Windows names. Names like “\MicrosoftUDN” and “\MSDNSvc”. Anyone checking the task list would think they’re normal system processes.
Who Is Tropic Trooper?
This group goes by many names. Security pros call them Earth Centaur, Pirate Panda, APT23, or KeyBoy. They work for China. They’ve been around since at least 2011.
Their typical targets include:
- Government officials
- Military people
- Tech companies
- Researchers and journalists
- Dissidents and activists
They focus on Asia-Pacific. Taiwan is a big target. But they cast a wider net.
Here’s the critical part. This isn’t a criminal gang stealing credit cards. This is nation-state intelligence work. Every target matters. Every stolen piece of data gets analyzed at the highest levels.
Why GitHub? Why VS Code?
The genius here is simple. They’re hiding in plain sight.
When a computer connects to GitHub, it looks totally normal. Developers use GitHub every single day. Security teams don’t block it. Network tools don’t raise flags when they see GitHub traffic.
Same thing with VS Code tunnels. The traffic goes through Microsoft Azure. Everything’s encrypted with HTTPS. The executables are signed by Microsoft. To your firewall, it’s completely legit.
Here’s how the GitHub C2 works:
The infected computer does this:
- Grabs the victim’s external IP from ipinfo.io
- Sends a check-in message to a fake GitHub repository
- Posts encrypted messages in GitHub Issues
- Reads new commands from issue titles
- Uploads results back to the repository
All of it looks like normal developer activity. A security analyst watching GitHub wouldn’t spot anything wrong.
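A defender's way to surface the pattern above is to look for the cadence, not the destination: a host that fetches its external IP and then polls a repository's Issues endpoint every 60 seconds (the report's configured sleep delay) with almost no jitter. This is an added example, not code from the report or from Zscaler; the proxy log format and the sample lines are constructed for illustration, and the repository owner and name are the ones listed in the report.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample proxy log (not from the report). Assumed format:
# "timestamp src_ip method host path". The repo owner/name are the ones the report lists.
SAMPLE_LOG = """\
2026-03-12T09:00:00 10.0.0.7 GET ipinfo.io /json
2026-03-12T09:00:01 10.0.0.7 POST api.github.com /repos/cvaS23uchsahs/rss/issues
2026-03-12T09:01:01 10.0.0.7 GET api.github.com /repos/cvaS23uchsahs/rss/issues
2026-03-12T09:02:02 10.0.0.7 GET api.github.com /repos/cvaS23uchsahs/rss/issues
2026-03-12T09:03:01 10.0.0.7 GET api.github.com /repos/cvaS23uchsahs/rss/issues
2026-03-12T09:04:02 10.0.0.7 GET api.github.com /repos/cvaS23uchsahs/rss/issues
2026-03-12T09:00:10 10.0.0.9 GET api.github.com /repos/acme/web/issues
2026-03-12T09:17:40 10.0.0.9 GET api.github.com /repos/acme/web/pulls
2026-03-12T09:42:03 10.0.0.9 GET api.github.com /repos/acme/web/issues
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+)$")
ISSUES_RE = re.compile(r"^/repos/[^/]+/[^/]+/issues")

def parse(log_text):
    """Yield (timestamp, src, method, host, path) for each well-formed line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, src, method, host, path = m.groups()
            yield datetime.fromisoformat(ts), src, method, host, path

def find_beaconing_hosts(log_text, expected_sleep=60.0, tolerance=0.25, min_hits=4):
    """Return {src_ip: details} for hosts whose GitHub Issues API calls
    arrive at a near-constant cadence close to expected_sleep seconds."""
    issues_times = defaultdict(list)
    ipinfo_seen = set()
    for ts, src, method, host, path in parse(log_text):
        if host == "ipinfo.io":
            ipinfo_seen.add(src)          # external-IP lookup seen in the chain
        elif host == "api.github.com" and ISSUES_RE.match(path):
            issues_times[src].append(ts)
    flagged = {}
    for src, times in issues_times.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        median = statistics.median(gaps)
        spread = max(abs(g - median) for g in gaps) / median   # relative jitter
        if abs(median - expected_sleep) <= tolerance * expected_sleep and spread <= tolerance:
            flagged[src] = {"hits": len(times), "median_gap": median,
                            "ipinfo_lookup": src in ipinfo_seen}
    return flagged
```

The developer host 10.0.0.9 touches the same API but at irregular, human intervals and is not flagged; only the fixed 60-second poller is.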
The Technical Innovation
So what makes this special? The attackers didn’t just use AdaptixC2 as-is. They customized it. They built a listener specifically for GitHub.
Here’s what they configured:
| Configuration Item | Value |
|---|---|
| Beacon Type | AdaptixC2 |
| C2 Platform | GitHub API |
| Repository Owner | cvaS23uchsahs |
| Repository Name | rss |
| API Endpoint | api.github.com |
| Encryption | RC4 session keys |
| Sleep Delay | 60 seconds |
| Persistence | Scheduled tasks |
Each beacon generates its own RC4 key. Every message is encrypted. And here’s the part that’s really clever. The attackers delete their tracks from GitHub within seconds. That wipes session data and makes forensics nearly impossible.
Why Open-Source C2 Tools?
Here’s the shift. Tropic Trooper used to deploy Cobalt Strike. That costs money. It’s well-known. Security teams actively hunt for it.
AdaptixC2 is totally different. It’s free and open. Anyone can grab it. Anyone can change it. This makes it way harder to pin down who did what. Plus, the barrier to entry drops to almost zero.
The attackers don’t pay for expensive tools. They don’t risk using known malware. They just take free software and tweak it.
This shows a big change in how nation-state hackers think. They’re moving away from proprietary tools toward commodity frameworks. It’s smarter, cheaper, and faster.
Targeting: Who Got Hit?
The campaign went after specific regions. The threat actor likely targeted Chinese-speaking individuals in Taiwan, and individuals in South Korea and Japan.
This isn’t random chance. Taiwan is a top intelligence target for China. South Korea and Japan are allied with Western interests. The victims probably included:
- Government officials
- Tech sector workers
- Military-connected people
- Strategic industry leaders
The military themes in the documents suggest they wanted to reach people with security clearances or strategic value.
Detection: How Can You Find This?
Standard antivirus won’t catch it. The beacon lives in memory. It never lands on disk as an executable. Signatures don’t work here.
But there are signs if you know where to look.
Network clues:
- Connections to GitHub API endpoints (api.github.com)
- Strange GitHub repository access patterns
- Connections to *.devtunnels.ms (VS Code infrastructure)
- Lots of API calls to GitHub Issues
System clues:
- Scheduled tasks with sketchy names
- VS Code running as a service
- Unexpected code.exe processes
- GitHub tokens hiding in memory
- PowerShell spawning odd processes
File clues:
- Fake legitimate binaries (SumatraPDF, etc.)
- Changed entry points in PE files
- Scheduled tasks named like Windows services
- Suspicious batch or PowerShell scripts
Your job is to hunt for these patterns. If you find them, treat it as a serious breach.
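One way to hunt the system and file clues above is to export the task library with `schtasks /query /fo CSV /v` and score each task against the report's indicators: a Microsoft-sounding name sitting at the root of the library instead of under \Microsoft\Windows\, an action that starts a VS Code tunnel, or an action that runs a batch or PowerShell script. This is an added example, not code from the report; the CSV below is a constructed subset of the columns schtasks emits, the task names are the two the report names, and the commands and paths are assumptions for illustration.

```python
import csv
import io
import re

# Constructed schtasks-style CSV (a subset of the columns `schtasks /query /fo CSV /v`
# emits). \MicrosoftUDN and \MSDNSvc are the task names given in the report;
# the commands and paths are assumptions for illustration.
SAMPLE_TASKS_CSV = r'''"TaskName","Author","Task To Run","Run As User"
"\MicrosoftUDN","SYSTEM","C:\ProgramData\vsc\code.exe tunnel","SYSTEM"
"\MSDNSvc","user","powershell.exe -File C:\Users\Public\update.ps1","user"
"\Microsoft\Windows\Defrag\ScheduledDefrag","Microsoft Corporation","%windir%\system32\defrag.exe -c -h -o -$","SYSTEM"
"\Backup\NightlyBackup","IT","C:\Program Files\Backup\backup.exe","SYSTEM"
'''

# A task named like a Microsoft component but sitting at the root of the task
# library (genuine Microsoft tasks live under \Microsoft\Windows\...).
MIMIC_NAME_RE = re.compile(r"^\\(microsoft|ms)[^\\]*$", re.I)
# Actions that hand control to a script interpreter or script file.
SCRIPT_ACTION_RE = re.compile(r"powershell|\.ps1\b|\.bat\b|\.cmd\b", re.I)

def find_suspicious_tasks(csv_text):
    """Return {task_name: [reason, ...]} for tasks matching the report's clues."""
    findings = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        name = row["TaskName"]
        action = row["Task To Run"]
        reasons = []
        if MIMIC_NAME_RE.match(name):
            reasons.append("mimic_name")
        if "code.exe" in action.lower() and "tunnel" in action.lower():
            reasons.append("vscode_tunnel")      # VS Code tunnel started by a task
        if SCRIPT_ACTION_RE.search(action):
            reasons.append("script_action")      # batch/PowerShell action
        if reasons:
            findings[name] = reasons
    return findings
```

The genuine Defrag task and the backup job produce no findings; the two root-level Microsoft-lookalike tasks each trip two rules.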
The Bigger Picture: A Trend in APT Tactics
This campaign isn’t alone. It shows a bigger shift in how advanced threats work.
State-sponsored groups are now moving toward:
- Open-source tools – Harder to pin down, cheaper to deploy
- Legit infrastructure – GitHub, Microsoft services, cloud platforms
- Developer-focused tactics – Using tools developers actually trust
- Minimal custom code – Fewer forensic footprints
This is “living off trusted sites.” Instead of building new stuff from scratch, attackers abuse what’s already there. Firewalls trust it. Employees use it daily. Security teams don’t watch it closely.
The takeaway: old defenses don’t work against these methods.
Comparison: How This Differs From Previous Campaigns
Tropic Trooper isn’t new to the game, but their methods are getting sharper.
Researchers spotted similarities to their TAOTH campaign from 2024-2025. That one hijacked an old Sogou Zhuyin update server. This new campaign uses a similar loader but adds fresh persistence tricks.
The pattern shows growing skill:
- 2024-2025: Supply chain attacks via update servers
- 2026: Abuse of developer platforms and legit tools
Each cycle gets harder to catch.
Impact on Defenders
So here’s the problem. This puts defenders in a tight spot.
You can’t block GitHub. Your developers need it. You can’t block VS Code. It’s essential for your teams. You can’t easily detect GitHub-based C2 without false alarms. Legit repos create similar traffic patterns.
The attacker picked these tools on purpose. They’re hard to defend against.
Organizations need to rethink their approach:
- Behavioral analysis, not just signature-based detection
- Watch for strange API patterns
- Track how legit tools are actually being used
- Hunt for suspicious scheduled tasks
- Endpoint detection focused on process behavior
The simple truth. Antivirus alone isn’t enough anymore. You need visibility into how your legitimate tools are being abused.
Attribution Confidence
So can researchers actually prove this is Tropic Trooper? Yes. The evidence is solid.
Here’s why they’re confident:
- TOSHIS loader – Code matches past Tropic Trooper attacks
- Cobalt Strike marker – The staging server had Cobalt Strike with watermark “520,” a known Tropic Trooper signature
- EntryShell backdoor – A custom tool linked to Tropic Trooper showed up
- VS Code tunnels – Same tech used in TAOTH campaign
- Geographic focus – Taiwan and Asia targets (consistent pattern)
- Post-infection commands – Similar to previous campaigns
- Trojanized binaries – Same methodology they’ve used before
Confidence level is high. This is almost certainly Tropic Trooper.
What Should Organizations Do?
If your organization is in Taiwan, South Korea, or Japan, pay attention. If you work in tech, government, or strategic industries, pay close attention.
Right now:
- Hunt for signs – Look for GitHub API connections, VS Code services, and weird scheduled tasks
- Monitor GitHub access – Track who accesses GitHub and from where
- Check your tasks – Look for Microsoft-like task names that seem off
- Update everything – Patch all systems, especially SumatraPDF
- Plan your response – Get ready for possible compromise
- Search your systems – Actively hunt for this malware
For the future:
- Zero-trust thinking – Don’t assume GitHub or Microsoft services are safe
- Behavioral monitoring – Focus on what legit tools are actually doing
- Stay informed – Keep up with emerging APT tactics
- Secure your developers – Train them on secure coding and tool usage
- Build response capability – Create a team that can move fast
The Bigger Threat
Here’s what this shows us. Advanced threat actors are moving faster than we are.
They’re shifting toward tools and platforms that are hard to defend against because organizations depend on them. They’re focusing on tactics that blend in with normal work.
The era of blocking known malware is over. The real future is spotting abnormal behavior in legit tools.
Tropic Trooper’s new weapons show us what’s coming. Other groups will copy this. They’ll modify it. They’ll reuse it.
Organizations that understand this trend will defend better. Those that don’t will keep chasing yesterday’s threats while today’s attacks walk right past them.
