Tropic Trooper Leverages AdaptixC2 and VS Code Tunnels in New Campaign Targeting Chinese-Speaking Individuals
A new campaign targeting Chinese-speaking individuals is deploying the AdaptixC2 Beacon post-exploitation agent via a trojanized SumatraPDF reader. The campaign, attributed to **Tropic Trooper**, ultimately abuses **Microsoft** Visual Studio Code (VS Code) tunnels for remote access.

**Tropic Trooper** (aka APT23, Earth Centaur, KeyBoy, and Pirate Panda), a hacking group with a history of targeting entities in Taiwan, Hong Kong, and the Philippines, is believed to be behind this recent activity. **Zscaler ThreatLabz** discovered the campaign last month and attributes it with high confidence to this group, which has been active since at least 2011.
### AdaptixC2 Beacon and GitHub C2
"The threat actors created a custom AdaptixC2 Beacon listener, leveraging **GitHub** as their command-and-control (C2) platform," security researcher Yin Hong Chang said in an analysis. This indicates a strategic shift in their tactics, adapting readily available resources for malicious purposes.
The campaign is believed to target Chinese-speaking individuals in Taiwan, as well as individuals in South Korea and Japan. The attack begins with a ZIP archive containing military-themed documents. Opening this archive launches a rogue version of **SumatraPDF**, which displays a decoy PDF document while simultaneously retrieving encrypted shellcode from a staging server to launch the AdaptixC2 Beacon.
### TOSHIS Loader and Multi-Stage Attack
The backdoored **SumatraPDF** executable launches a modified version of a loader codenamed TOSHIS, a variant of Xiangoop. Xiangoop is a malware family previously linked to **Tropic Trooper** and has been used to fetch payloads such as Cobalt Strike Beacon or the Merlin agent for the Mythic framework.

The loader initiates the multi-stage attack, dropping the lure document as a distraction and the AdaptixC2 Beacon agent in the background. The agent uses **GitHub** for C2, communicating with the attacker's infrastructure to receive tasks for execution on the compromised host.
### VS Code Tunnels for Remote Access
The attack escalates when a victim is deemed valuable. At this point, the threat actor deploys **VS Code** and sets up VS Code tunnels for remote access. On certain machines, trojanized applications are installed, likely to conceal the attackers' activities.
The staging server ("158.247.193[.]100") has also been observed hosting a Cobalt Strike Beacon and a custom backdoor called EntryShell, tools previously used by **Tropic Trooper**.
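Two of the behaviours described above (a PDF reader that spawns another process, and VS Code being started in tunnel mode) can be hunted for in endpoint process-creation telemetry. The following is an added illustration, not code from Zscaler or from the campaign; the events are constructed Sysmon-style records with placeholder paths, and the `code tunnel` command-line shape is assumed from VS Code's own CLI.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample process-creation events (Sysmon Event ID 1 style fields,
# not real telemetry). Paths and the tunnel name are placeholders.
SAMPLE_EVENTS = [
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Users\u\Downloads\docs\SumatraPDF.exe",
     "cmdline": r'"C:\Users\u\Downloads\docs\SumatraPDF.exe"'},
    {"parent": r"C:\Users\u\Downloads\docs\SumatraPDF.exe",
     "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\u\AppData\Local\Temp\ld.dll,Start"},
    {"parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Users\u\AppData\Local\Programs\Microsoft VS Code\bin\code.exe",
     "cmdline": r"code.exe tunnel --accept-server-license-terms --name ws01"},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Users\u\AppData\Local\Programs\Microsoft VS Code\Code.exe",
     "cmdline": r'"Code.exe" C:\Users\u\project'},
]

PDF_READERS = {"sumatrapdf.exe", "acrord32.exe", "acrobat.exe", "foxitreader.exe"}
VSCODE_CLI = {"code.exe", "code", "code-tunnel.exe", "code-tunnel"}
# `code tunnel` is the CLI subcommand that registers a host with the VS Code
# tunnel service (assumed CLI shape). Matched as a whole word in the command line.
TUNNEL_RE = re.compile(r"\btunnel\b", re.IGNORECASE)


def basename(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def classify(event: dict) -> list[str]:
    """Return the names of the heuristics an event triggers (empty if none)."""
    hits = []
    image, parent, cmd = basename(event["image"]), basename(event["parent"]), event["cmdline"]
    # 1. VS Code CLI invoked with the tunnel subcommand. The GUI opening a
    #    folder (Code.exe <path>) does not match, so normal developer use is not flagged.
    if image in VSCODE_CLI and TUNNEL_RE.search(cmd):
        hits.append("vscode_tunnel_started")
    # 2. A PDF reader spawning another process. Legitimate readers rarely do this
    #    beyond opening a browser for a link, so treat it as triage-worthy, not proof.
    if parent in PDF_READERS and image not in PDF_READERS:
        hits.append("pdf_reader_spawned_child")
    return hits


def scan(events: list[dict]) -> list[tuple[str, str]]:
    """Run every heuristic over the events; returns (rule, command line) pairs."""
    return [(rule, ev["cmdline"]) for ev in events for rule in classify(ev)]


if __name__ == "__main__":
    for rule, cmd in scan(SAMPLE_EVENTS):
        print(f"[{rule}] {cmd}")
```

Both rules are heuristics for triage; a PDF reader opening a browser for a hyperlink will also trip the second one, so pair it with the child's path and signature in practice.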
### Shifting Tactics
"Similar to the TAOTH campaign, publicly available backdoors are used as payloads," **Zscaler** noted. "While Cobalt Strike Beacon and Mythic Merlin were previously used, the threat actor has now shifted to AdaptixC2."