Tropic Trooper Campaign: Leveraging GitHub and VS Code Tunnels for Stealthy C2
A sophisticated new campaign attributed to the threat actor Tropic Trooper (also known as Earth Centaur or Pirate Panda) has emerged, showcasing a high degree of operational maturity. This campaign utilizes a complex infection chain that leverages a trojanized PDF reader, a custom AdaptixC2 Beacon listener, and the abuse of legitimate Visual Studio (VS) Code tunnels to maintain persistent, interactive remote access.
Based on significant overlaps in tooling, infrastructure, and telemetry, researchers have assigned attribution to Tropic Trooper with high confidence. The campaign appears strategically targeted, focusing heavily on Chinese-speaking individuals in Taiwan, with secondary victimology observed in South Korea and Japan.
On March 12, 2026, ThreatLabz identified a malicious ZIP archive containing a collection of military and defense-themed lures. The documents, written in Chinese, touched on highly sensitive topics, including acoustic intelligence centers, unmanned systems, and nuclear submarine cooperation. One particularly deceptive file, “Comparative Analysis of US-UK and US-Australia Nuclear Submarine Cooperation (2025).exe,” served as the primary delivery vehicle: a trojanized version of the SumatraPDF reader.
The TOSHIS Loader and AdaptixC2 Execution Flow
The malware’s initial execution relies on a modified SumatraPDF binary that exhibits advanced evasion techniques. By abusing the _security_init_cookie function, the attacker hijacks the application’s execution flow, diverting it away from standard initialization and into a malicious TOSHIS loader routine.
This loader is a direct evolution of the TOSHIS loader previously observed in Trend Micro’s TAOTH campaign. While the loader maintains familiar control-flow hijacking and configuration handling logic, it features updated stack strings and has removed language ID checks to streamline cross-platform deployment. The loader performs the following technical sequence:
- Configuration Assembly: It dynamically constructs essential parameters, including C2 IP addresses, file paths, DLL names, and cryptographic keys.
- API Resolution: It utilizes the Adler-32 hashing algorithm to resolve necessary Windows APIs, obfuscating its true intent from static analysis tools.
- Payload Retrieval: It fetches a decoy PDF (to maintain the illusion of legitimacy for the user) and a secondary stage shellcode from a staging server.
- In-Memory Execution: The shellcode is decrypted using AES-128-CBC and executed directly in memory as an AdaptixC2 Beacon, minimizing the disk footprint.

Notably, this campaign marks a tactical pivot. While previous TOSHIS iterations typically deployed Cobalt Strike Beacons or Merlin agents, the shift toward the open-source AdaptixC2 framework suggests Tropic Trooper is actively diversifying its post-exploitation arsenal to bypass evolving detection signatures.
Abusing GitHub as a Command-and-Control Platform
The AdaptixC2 Beacon employs a highly stealthy C2 mechanism by leveraging the GitHub API. By using GitHub Issues and repository contents as the communication medium, the traffic blends in with legitimate developer activity, making traditional network-level detection extremely difficult.
The technical workflow of this “living-off-the-cloud” approach includes:
- Session Establishment: The Beacon retrieves the victim’s external IP via
ipinfo.io, embeds this IP into its heartbeat, and posts the data to a specific GitHub issue to signal the start of a session. - Command Delivery: Operators issue tasks by encoding commands within the titles and bodies of open GitHub issues. The malware uses simple substring matching to parse these commands.
- Payload Exfiltration/Download: For more complex tasks, the malware downloads Base64-encoded files from repository paths (e.g.,
upload/{agent_id}/...) and uploads encrypted results back to the repository asdownload_*.txtfiles. - Anti-Forensics: Operators are observed deleting beacon artifacts from GitHub within seconds of use, a move designed to destroy session keys and scrub the forensic trail.

Persistence via VS Code Tunnels
While the AdaptixC2 Beacon serves as the initial foothold and reconnaissance tool, the operators reserve their most robust access for high-value targets through the abuse of VS Code tunnels. This transition allows for a seamless, interactive remote shell environment that is difficult to distinguish from legitimate development work.
Once a target is identified, the operators issue commands to:
- Install the VS Code command-line client.
- Authenticate via the
code tunnel user login --provider githubcommand. - Establish persistence by creating scheduled tasks with deceptive names, such as
\MicrosoftUDNor\MSDNSvc, often accompanied by additional trojanized binaries to masquerade as system processes.

In summary, the convergence of the TOSHIS loader, the EntryShell backdoor, the use of Cobalt Strike (identified by the “520” watermark), and the specific methodology of VS Code tunnel deployment provides a definitive fingerprint. This reinforces the high-confidence attribution to Tropic Trooper and highlights a growing trend of threat actors leveraging legitimate cloud-based developer tools to bypass perimeter security.