
Tropic Trooper Uses Trojanized SumatraPDF and GitHub to Deploy AdaptixC2

The Hacker News, 24/04/2026 09:29

Summary

AI-Generated

Key Points:

  • A new campaign attributed to the Tropic Trooper group uses a trojanized build of the open-source SumatraPDF reader to deploy the AdaptixC2 Beacon, with Microsoft Visual Studio Code tunnels providing the remote-access channel.
  • The campaign primarily targets Chinese-speaking individuals in Taiwan, South Korea, and Japan, using military-themed document lures to get victims to run the malicious PDF reader.
  • Recommended actions include monitoring endpoints for unexpected GitHub traffic (GitHub is part of the delivery chain), enforcing strict application allowlisting so that only known, signed builds of tools such as SumatraPDF run, and conducting regular security assessments that look for backdoor installations, including VS Code tunnels started without a business reason.

Technical Details: The campaign uses a modified loader codenamed TOSHIS, a variant of the Xiangoop malware, to deploy the AdaptixC2 Beacon. The staging server 158.247.193[.]100 has been linked to earlier Tropic Trooper activity involving Cobalt Strike and EntryShell.

MITRE ATT&CK Techniques:

  • T1071.001 - Application Layer Protocol: Web Protocols (Command and Control)
  • T1204.002 - User Execution: Malicious File (Execution; the lures lead the victim to run the trojanized SumatraPDF, no exploitation is described)
  • T1059.001 - Command and Scripting Interpreter: PowerShell (Execution)
  • T1105 - Ingress Tool Transfer (Command and Control)

IOCs Mentioned:

  • 158.247.193[.]100 (staging server)
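As an added example that is not code from The Hacker News article, the underlying report, or the Tropic Trooper tooling, the following Python triage script turns the recommended actions and the IOC list above into concrete checks over constructed endpoint telemetry: contact with the staging IP, a VS Code tunnel launched by a process whose parent is SumatraPDF, VS Code tunnel egress, and a SumatraPDF binary whose hash is not on an allowlist. The JSON-lines event schema, every sample event, the allowlisted hash, and the VS Code tunnel domain suffix are assumptions made for the example; only the staging IP comes from the page.

```python
"""Triage constructed EDR-style telemetry for the behaviours the summary describes.

Added example; not part of the original article or the reported tooling.
"""
from __future__ import annotations

import json
from pathlib import PureWindowsPath

# Staging server taken from the page's IOC list.
STAGING_IPS = {"158.247.193.100"}

# ASSUMPTION: domain suffix used by VS Code's built-in tunnel feature. Legitimate
# developer traffic goes here too, so it is low severity on its own.
VSCODE_TUNNEL_SUFFIX = ".tunnels.api.visualstudio.com"
VSCODE_IMAGES = {"code.exe", "code-insiders.exe", "code-tunnel.exe"}

# HYPOTHETICAL allowlist: in production, populate with SHA-256 values of the
# vendor's signed SumatraPDF releases. The placeholder below is not a real hash.
TRUSTED_SUMATRAPDF_SHA256 = {"0" * 64}

# Constructed sample telemetry (one JSON object per line; hashes truncated).
# WS01 shows the described chain; DEV07 is a benign developer workstation.
SAMPLE_EVENTS = r"""
{"type": "process", "host": "WS01", "user": "a.lee", "image": "C:\\Users\\a.lee\\Downloads\\SumatraPDF.exe", "parent_image": "C:\\Windows\\explorer.exe", "sha256": "9f9f9f9f", "cmdline": "SumatraPDF.exe exercise_plan.pdf"}
{"type": "process", "host": "WS01", "user": "a.lee", "image": "C:\\Users\\a.lee\\AppData\\Local\\code.exe", "parent_image": "C:\\Users\\a.lee\\Downloads\\SumatraPDF.exe", "sha256": "aaaaaaaa", "cmdline": "code.exe tunnel --name ws01"}
{"type": "network", "host": "WS01", "image": "C:\\Users\\a.lee\\Downloads\\SumatraPDF.exe", "dst_ip": "158.247.193.100", "dst_port": 443, "dst_host": ""}
{"type": "network", "host": "WS01", "image": "C:\\Users\\a.lee\\AppData\\Local\\code.exe", "dst_ip": "203.0.113.10", "dst_port": 443, "dst_host": "global.rel.tunnels.api.visualstudio.com"}
{"type": "process", "host": "DEV07", "user": "dev", "image": "C:\\Program Files\\SumatraPDF\\SumatraPDF.exe", "parent_image": "C:\\Windows\\explorer.exe", "sha256": "0000000000000000000000000000000000000000000000000000000000000000", "cmdline": "SumatraPDF.exe manual.pdf"}
{"type": "process", "host": "DEV07", "user": "dev", "image": "C:\\Program Files\\Microsoft VS Code\\Code.exe", "parent_image": "C:\\Windows\\explorer.exe", "sha256": "bbbbbbbb", "cmdline": "Code.exe ."}
"""


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows path ('' if the path is empty)."""
    return PureWindowsPath(path).name.lower() if path else ""


def _finding(host: str, rule: str, severity: str, evidence: str) -> dict:
    return {"host": host, "rule": rule, "severity": severity, "evidence": evidence}


def triage(jsonl: str) -> list[dict]:
    """Apply the four detection rules to JSON-lines telemetry and return findings."""
    findings: list[dict] = []
    for raw in jsonl.strip().splitlines():
        ev = json.loads(raw)
        host, image = ev["host"], _basename(ev.get("image", ""))

        if ev["type"] == "network":
            # Rule 1: any contact with the staging server from the IOC list.
            if ev.get("dst_ip") in STAGING_IPS:
                findings.append(_finding(host, "staging_ip_contact", "high",
                                         f"{image} -> {ev['dst_ip']}:{ev['dst_port']}"))
            # Rule 2: egress to VS Code tunnel infrastructure (corroborating signal).
            if ev.get("dst_host", "").endswith(VSCODE_TUNNEL_SUFFIX):
                findings.append(_finding(host, "vscode_tunnel_egress", "low",
                                         f"{image} -> {ev['dst_host']}"))

        elif ev["type"] == "process":
            parent = _basename(ev.get("parent_image", ""))
            # Rule 3: SumatraPDF binary not on the allowlist (application allowlisting).
            if image == "sumatrapdf.exe" and ev.get("sha256") not in TRUSTED_SUMATRAPDF_SHA256:
                findings.append(_finding(host, "untrusted_sumatrapdf_binary", "high",
                                         f"{ev['image']} sha256={ev.get('sha256')}"))
            # Rule 4: VS Code started in tunnel mode. Escalate when the parent is the
            # PDF reader, which no legitimate developer workflow produces.
            if image in VSCODE_IMAGES and "tunnel" in ev.get("cmdline", "").lower().split():
                severity = "high" if parent == "sumatrapdf.exe" else "medium"
                findings.append(_finding(host, "vscode_tunnel_launch", severity,
                                         f"parent={parent} cmdline={ev['cmdline']}"))
    return findings


def hosts_with_severity(findings: list[dict], severity: str) -> list[str]:
    """Sorted, de-duplicated hosts that have at least one finding at `severity`."""
    return sorted({f["host"] for f in findings if f["severity"] == severity})


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"{f['host']:6} {f['severity']:6} {f['rule']:28} {f['evidence']}")
    print("hosts needing response:", hosts_with_severity(triage(SAMPLE_EVENTS), "high"))
```

The parent-process check is what separates an incident from noise: a developer starting `code tunnel` from Explorer is a medium-severity question for the asset owner, while the same command spawned by a PDF reader is the chain the summary describes. The allowlist rule is only as good as the hash set behind it, so feed it from the vendor's signed releases rather than from whatever is currently installed.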
