Tropic Trooper attribution and target profile
Zscaler ThreatLabz, which discovered the campaign last month, attributed the activity with high confidence to Tropic Trooper — also tracked as APT23, Earth Centaur, KeyBoy, and Pirate Panda. Zscaler noted the group has been active since at least 2011 and has a history of targeting entities in Taiwan, Hong Kong, and the Philippines. In this operation the actors focused on Chinese-speaking individuals in Taiwan and also targeted individuals in South Korea and Japan.
Initial delivery: trojanized SumatraPDF and military-themed lures
The intrusion begins with a ZIP archive containing military-themed document lures. A backdoored version of the SumatraPDF reader inside the archive is used to display a decoy PDF to the victim while simultaneously fetching encrypted shellcode from a staging server to launch the next stage. According to Zscaler, the backdoored SumatraPDF launches a slightly modified loader codenamed TOSHIS to activate the multi-stage chain.
TOSHIS loader, Xiangoop lineage, and payload choreography
TOSHIS is described as a variant of Xiangoop — a loader that Zscaler links to Tropic Trooper and that has been used previously to retrieve follow-on payloads. In this campaign the loader drops both the lure document (to distract the user) and the AdaptixC2 Beacon agent silently in the background. Zscaler observed that Xiangoop-linked loaders have historically fetched next-stage payloads such as Cobalt Strike Beacon or the Merlin agent for the Mythic framework; in this activity the familiar loader pattern is repurposed to deliver AdaptixC2.
AdaptixC2 Beacon, GitHub-based C2, and observed staging infrastructure
Once deployed, the AdaptixC2 Beacon agent beacons out to attacker-controlled infrastructure to fetch tasks. Zscaler reported the actors built a custom AdaptixC2 Beacon listener and are using GitHub as the command-and-control platform — a detail highlighted in Yin Hong Chang’s analysis. The campaign’s staging server, recorded as 158.247.193[.]100, was observed hosting a Cobalt Strike Beacon and a custom backdoor called EntryShell — both tools Zscaler noted Tropic Trooper has used in the past. Zscaler also drew a parallel to the TAOTH campaign, saying publicly available backdoors have been used repeatedly as payloads; while Cobalt Strike Beacon and Mythic Merlin were previously used, the threat actor has now shifted to AdaptixC2.
VS Code tunnels, trojanized applications, and access persistence
Zscaler reported the operation escalates on hosts deemed valuable. In those cases the threat actor deploys Microsoft Visual Studio Code and configures VS Code tunnels to provide remote access. On select machines the intruders also installed alternative, trojanized applications, likely to better camouflage their actions while maintaining remote control. Those steps indicate a preference for leveraging legitimate developer tooling and disguised binaries to sustain access.
How technologists, affected enterprises, and end users should look at this
- Technologists and security teams: Monitor for execution of unexpected SumatraPDF binaries from archive deliveries, anomalous child processes that match the TOSHIS/Xiangoop loader pattern, and unusual use of GitHub as a C2 channel tied to AdaptixC2 beaconing. Note the staging server IP observed in this intrusion: 158.247.193[.]100.
- Affected enterprises and procurement leaders: Be aware that commodity developer tools such as VS Code can be repurposed for remote access via tunnels; inventory and harden developer workstations and vet any third-party builds of common utilities before deployment.
- End users in Taiwan, South Korea, and Japan: The initial lure arrives as a ZIP with a military-themed document; users should be cautious with such attachments and report unexpected archive contents to their security teams.
Across this operation, Tropic Trooper reused a familiar playbook — weaponize a common viewer, use a loader with Xiangoop ancestry to stage payloads, and rely on publicly available post-exploitation implants — but adapted the toolset by shifting to AdaptixC2 and by leveraging GitHub as a control plane. The campaign underscores how threat actors mix commodity tooling, trojanized binaries, and public platforms to complicate detection and maintain remote access. Observed infrastructure (including 158.247.193[.]100) and the move to VS Code tunnels are concrete signals defenders can hunt for now.
Read the original Zscaler summary at https://thehackernews.com/2026/04/tropic-trooper-uses-trojanized.html.




