# Tropic Trooper's Trojanized SumatraPDF Campaign Deploys AdaptixC2 to Chinese-Speaking Users


Threat actors use legitimate document reader to distribute advanced C2 beacon; VS Code tunnels leveraged for persistence and remote access


A newly discovered campaign attributed to Tropic Trooper demonstrates a sophisticated supply-chain attack strategy, leveraging a trojanized version of the popular SumatraPDF document reader to deliver the AdaptixC2 Beacon post-exploitation agent. Security researchers at Zscaler ThreatLabz identified the campaign targeting Chinese-speaking users and have attributed it to the APT group with high confidence.


The attack chain represents a notable escalation in operational sophistication, moving beyond traditional malware delivery to abuse legitimate developer tools—specifically Microsoft Visual Studio Code (VS Code) tunnels—for command-and-control (C2) communications and remote access. This approach allows threat actors to blend malicious traffic with legitimate development tool usage, potentially bypassing network detection mechanisms.


## The Threat: Campaign Overview


The campaign operates through a multi-stage infection chain designed to establish persistent remote access on compromised systems:


1. Initial Delivery: Users download what appears to be SumatraPDF, a legitimate, lightweight PDF reader widely used in enterprise and personal environments

2. Trojanized Payload: The compromised version executes a dropper component that deploys AdaptixC2 Beacon

3. C2 Establishment: The beacon communicates with command servers using obfuscated channels

4. Lateral Movement: Threat actors gain persistence through VS Code tunnels, enabling encrypted remote access resistant to traditional security tools


Target Profile: The campaign specifically focuses on Chinese-speaking individuals and organizations, suggesting one or more of the following:

  • Targeting of diaspora communities
  • Chinese-language software development communities
  • Organizations with cross-border operations in Chinese-speaking regions

Zscaler ThreatLabz discovered the campaign in March 2026 through telemetry analysis of uncommon SumatraPDF variants exhibiting suspicious behavior patterns.


## Background and Context: Tropic Trooper's Evolution


Tropic Trooper (also tracked as Pirate Panda, KeyBoy, and Zombie Spider) is a Chinese-speaking threat actor group with a well-documented history spanning over a decade. Key characteristics include:


| Aspect | Details |
|--------|---------|
| Primary Targets | Taiwan, Southeast Asia, Chinese diaspora organizations |
| Attack Vectors | Supply-chain compromises, spear-phishing, watering hole attacks |
| Infrastructure | Primarily based in China; uses VPNs and compromised infrastructure |
| Capabilities | Advanced credential theft, lateral movement, long-term persistence |
| Notable Tools | Gh0stRAT, PlugX, PoisonIvy, Codoso framework |


This campaign reflects Tropic Trooper's documented preference for living-off-the-land techniques—abusing legitimate tools like Windows Management Instrumentation (WMI), PowerShell, and now VS Code to avoid detection. By integrating developer-centric tools into their C2 infrastructure, the group demonstrates increasing sophistication in evading endpoint detection and response (EDR) solutions.


## Technical Details: Attack Chain Breakdown


### Stage 1: Trojanized SumatraPDF Distribution


The compromised SumatraPDF variant is nearly indistinguishable from the legitimate application, containing all expected functionality. However, embedded within the installation package is a dormant payload that activates post-installation.


Delivery Mechanism:

  • Hosted on legitimate-looking websites mimicking official software repositories
  • Distributed through compromised download mirrors
  • Potential watering-hole hosting on forums frequented by Chinese-speaking developers

Code Signature Evasion:

  • The trojanized version maintains valid digital signatures or spoofed trust indicators
  • Legitimate SumatraPDF functionality operates normally, avoiding user suspicion


### Stage 2: AdaptixC2 Beacon Deployment


Once installed, SumatraPDF executes a secondary payload—the AdaptixC2 Beacon. This post-exploitation agent:


  • Establishes initial C2: Contacts attacker-controlled servers using encrypted protocols
  • Information Gathering: Collects system metadata, installed software inventory, and network configuration
  • Credential Access: Attempts to harvest credentials from browser caches, credential managers, and memory
  • Command Execution: Accepts remote commands for additional payload delivery and reconnaissance

AdaptixC2 is a modular C2 framework, allowing operators to load custom plugins for:

  • Keylogging and screen capture
  • Network reconnaissance and lateral movement
  • Privilege escalation exploitation
  • Exfiltration and data staging


### Stage 3: VS Code Tunnel Persistence


The most notable technical innovation in this campaign is the abuse of VS Code Remote Tunnels—a legitimate feature designed for secure remote development.


How It Works:

1. AdaptixC2 beacon registers a VS Code tunnel using compromised or newly created credentials

2. The tunnel establishes an encrypted connection to Microsoft's relay infrastructure

3. Threat actors connect to the tunnel using legitimate VS Code clients, gaining shell access

4. Communications appear as normal development tool activity in network logs


Why This Approach:

  • VS Code tunnels use Microsoft infrastructure, lending legitimacy and trust
  • Encrypted end-to-end, making inspection by network proxies impossible
  • Indistinguishable from legitimate developer remote-work traffic
  • Difficult to block without disrupting legitimate development workflows


## Implications: Organizational Risk Assessment


This campaign presents multiple threat vectors for organizations:


### Immediate Risk Vectors


Developer Communities: The targeting of developer-focused tools suggests elevated risk for:

  • Software development firms
  • Technology startups
  • Universities with strong computer science programs
  • Open-source community contributors

Supply Chain Risk: Organizations distributing SumatraPDF or bundling it with other tools could inadvertently distribute the trojanized version, substantially widening the attack surface.


Credential Harvesting: AdaptixC2's focus on credential extraction represents a significant risk for organizations lacking robust secrets management:

  • Compromised developer credentials grant access to source code repositories
  • Stolen administrative credentials enable domain-wide lateral movement
  • Cloud service credentials risk data exfiltration at scale


### Detection Challenges


Traditional security detection mechanisms struggle with this attack pattern:

  • Endpoint Detection & Response (EDR): Legitimate process execution (SumatraPDF, VS Code) masks malicious behavior
  • Network Detection & Response (NDR): VS Code tunnel traffic blends with legitimate development activity
  • File Integrity Monitoring (FIM): The trojanized SumatraPDF maintains expected file structures and behaviors


## Recommendations: Defensive Strategies


### Immediate Actions (0-7 Days)


1. Audit SumatraPDF Installations: Inventory all instances of SumatraPDF across your infrastructure using endpoint management tools

   - Verify installation source and digital signature validity

   - Check installed version against official release history


2. Review VS Code Tunnel Usage: Examine all active VS Code tunnels in your organization

   - List registered tunnels: `code tunnel list` on managed systems

   - Disable unnecessary tunnels and rotate authentication tokens

   - Implement tunnel access logging and monitoring


3. Threat Hunting: Search for indicators of compromise (IOCs):

   - Suspicious AdaptixC2 process behavior patterns

   - Unusual PowerShell or command-line execution from PDF readers

   - Network connections to known C2 infrastructure
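As an added worked example (not code from the Zscaler report or this article), the following Python routine turns two of the hunting leads above into rules over process-creation telemetry: a PDF reader spawning a shell or script host, and VS Code `tunnel` invocations run by a non-allowlisted account, started by a PDF reader, or installed as a service. The event field names, the `TUNNEL_ALLOWLIST` and the sample events are constructed assumptions, not values from the campaign.

```python
from dataclasses import dataclass
import ntpath
@dataclass
class ProcEvent:          # one process-creation record (Sysmon Event ID 1-style fields, assumed)
    image: str            # full path of the created process
    cmdline: str          # its command line
    parent_image: str     # full path of the parent process
    user: str             # account the process runs as

PDF_READERS = {"sumatrapdf.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "mshta.exe", "rundll32.exe"}
VSCODE_CLI = {"code.exe", "code-tunnel.exe"}
TUNNEL_ALLOWLIST = {r"CORP\dev.alice"}   # assumed site-specific allowlist of tunnel users

def base(path): return ntpath.basename(path).lower()

def tunnel_args(cmdline):
    # Arguments of a 'code tunnel ...' invocation, or [] if it is not one.
    tokens = cmdline.lower().split()
    return tokens[1:] if "tunnel" in tokens[1:] else []

def evaluate(ev):
    findings = []
    if base(ev.parent_image) in PDF_READERS and base(ev.image) in SHELLS:
        findings.append("pdf_reader_spawned_shell")
    args = tunnel_args(ev.cmdline) if base(ev.image) in VSCODE_CLI else []
    if args:
        if base(ev.parent_image) in PDF_READERS:
            findings.append("tunnel_started_by_pdf_reader")
        if ev.user not in TUNNEL_ALLOWLIST:
            findings.append("tunnel_user_not_allowlisted")
        if "service" in args and "install" in args:  # registers a reboot-persistent tunnel
            findings.append("tunnel_service_install")
    return findings

def hunt(events):
    # Event index -> findings, for every event that triggers at least one rule.
    return {i: f for i, ev in enumerate(events) if (f := evaluate(ev))}

# Constructed sample events; not real telemetry from the campaign.
PDF = r"C:\Program Files\SumatraPDF\SumatraPDF.exe"
SAMPLE = [
    ProcEvent(PDF, "SumatraPDF.exe report.pdf", r"C:\Windows\explorer.exe", r"CORP\jdoe"),
    ProcEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -w hidden -nop -c <elided>", PDF, r"CORP\jdoe"),
    ProcEvent(r"C:\Program Files\Microsoft VS Code\bin\code.exe", "code.exe tunnel --accept-server-license-terms",
              r"C:\Windows\explorer.exe", r"CORP\dev.alice"),
    ProcEvent(r"C:\Users\jdoe\AppData\Local\Temp\code-tunnel.exe",
              "code-tunnel.exe tunnel service install", PDF, r"CORP\jdoe"),
]
```

Running `hunt(SAMPLE)` flags only the second and fourth events; the approved developer's own tunnel in the third event produces no finding, which is the false-positive case the allowlist exists for.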


### Medium-Term Actions (1-4 Weeks)


1. Update Software Distribution Policies:

   - Implement application allowlisting, restricting SumatraPDF to official sources

   - Deploy software as managed packages through centralized repositories

   - Establish signature validation before installation


2. Enhance Credential Protection:

   - Require multi-factor authentication (MFA) for all developer accounts

   - Implement privileged access management (PAM) for administrative credentials

   - Deploy Credential Guard or similar OS-level secrets protection


3. Network Segmentation:

   - Restrict VS Code tunnel traffic to authorized networks

   - Implement conditional access policies for VS Code tunnels based on device posture

   - Monitor and log all tunnel connection attempts


### Long-Term Resilience (1-3 Months)


1. Security Awareness Training: Educate development teams on:

   - Supply-chain attack risks and software verification procedures

   - Phishing and social engineering targeting developer communities

   - Secure credential handling and secrets management


2. Monitoring and Detection:

   - Deploy behavioral analytics to detect anomalous VS Code tunnel usage

   - Establish baseline network profiles for development tool traffic

   - Configure alerts for out-of-hours access or unusual geographic connections


3. Incident Response Planning:

   - Develop specific playbooks for developer credential compromise scenarios

   - Establish rapid credential rotation procedures for high-risk accounts

   - Plan containment strategies that minimize disruption to legitimate development work


## Conclusion


The Tropic Trooper campaign targeting Chinese-speaking users through trojanized SumatraPDF represents a sophisticated evolution in APT tradecraft. By combining supply-chain compromise with abuse of legitimate developer tools, the group has developed an attack pattern that is both effective and difficult to detect.


Organizations must treat this as a wake-up call regarding the security posture of development environments. Developers and their tools have historically received less security scrutiny than traditional endpoints—a gap that sophisticated threat actors are actively exploiting. By implementing the recommended detection and prevention measures, organizations can significantly reduce their exposure to this and similar threats.


The use of VS Code tunnels particularly warrants attention, as the feature represents a new category of legitimate-tool abuse that security teams must learn to monitor and defend against effectively.