Trojanized SumatraPDF, AdaptixC2 and VS Code tunnels: cyberespionage hidden in legitimate tools


A recent cyberespionage operation shows how groups experienced in persistence and stealth continue to abuse legitimate applications and public services to avoid detection. According to the investigation report, attackers linked to the group known as Tropic Trooper used a trojanized version of the SumatraPDF reader as the initial vector to deploy a post-exploitation agent, the AdaptixC2 Beacon, and subsequently established remote access through the tunnel feature of Visual Studio Code.

The modus operandi combines classic techniques with modern tools: the victim is lured with a ZIP file containing military-themed decoys and a malicious executable that passes itself off as SumatraPDF. When the decoy is opened, a distraction PDF is displayed while, in the background, encrypted code is downloaded and executed through a loader identified as TOSHIS (a derivative of the known Xiangoop). That loader orchestrates the payload chain, which ends in an implant that uses GitHub as its command and control channel and that only escalates to persistent access via VS Code tunnels when the host is of interest to the attacker.

Image generated with AI.

There are several risk elements and practical lessons here. First, the use of legitimate services as C2 platforms (GitHub) and of remote management services (VS Code Tunnels) complicates detection because the traffic looks legitimate at first glance. Second, the use of a lightweight, unsigned PDF reader in corporate environments shows that control over user applications and external downloads is critical. Third, the campaign selects victims by language and region, targeting mainly Chinese-speaking communities in Taiwan and individuals in South Korea and Japan, which indicates specific geopolitical and sectoral objectives.

The implications for organizations and users are clear: relying only on static signatures or file-name blocklists is insufficient. Defence requires controls at several levels: verification of the integrity and origin of installers, application control (allowlisting) policies, egress filtering toward suspicious repositories or IPs, and telemetry that detects abnormal behavior such as processes that unpack encrypted code in memory, unusual persistence, or recurring connections to public platforms used as C2.

In operational terms, response and investigation teams should prioritize the search for specific artifacts (e.g. traces of the TOSHIS / Xiangoop loader, the presence of AdaptixC2, or connections to the reported staging IP 158.247.193.100) and capture memory and network records before remediation. In environments where VS Code is allowed, it is recommended to review the remote access configuration and audit the creation of tunnels, since these legitimate channels can become persistent control vectors. To understand the functionality and risks of the feature, the official VS Code documentation on tunnels is a good starting point: Visual Studio Code - Tunnels.

To reduce the likelihood of compromise and the attack surface, basic habits and controls need strengthening: download software only from official sources and verify signatures / digests when available, apply network segmentation and egress policies that limit direct connections to public repositories from sensitive endpoints, and deploy behavior-based detection that identifies patterns such as unusual binaries launching payloads in memory. The official SumatraPDF reader and its download page can be consulted here to compare against legitimate versions: SumatraPDF - official site.


If your organization detects activity related to this campaign, it is prudent to treat it as an incident: isolate the affected hosts, preserve the devices for forensic analysis, and look for indicators such as unauthorized VS Code Server processes, connections to GitHub that do not correspond to development activity, and communications with suspicious IPs / hostnames. In practice, it is also appropriate to update and tighten EDR / AV rules to capture in-memory loading and dynamic loader techniques, and to review access controls on remote development tools that could be abused.
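The hunting indicators listed above and in the earlier operational paragraph (the reported staging IP, GitHub connections from non-development processes, and VS Code tunnel creation) can be turned into a small triage pass over EDR-style telemetry. The following is an added example, not code from the article or from any vendor; the event format, the process allowlist and the sample events are constructed assumptions, and only the staging IP comes from the page.

```python
import re
from collections import Counter

# Indicator taken from the article; everything else in this file is constructed.
STAGING_IP = "158.247.193.100"
# Assumed set of processes that legitimately talk to GitHub in this environment.
DEV_PROCESSES = {"git.exe", "code.exe", "gh.exe"}
# A VS Code tunnel is started with "code tunnel"; flag that unless the host is allowlisted.
TUNNEL_RE = re.compile(r"\bcode(?:\.exe)?\s+tunnel\b|code-tunnel", re.I)
GITHUB_HOSTS = ("github.com", "api.github.com", "raw.githubusercontent.com")

# Constructed sample telemetry: (event_type, host, process, detail)
SAMPLE_EVENTS = [
    ("process", "WS-01", "SumatraPDF.exe", r"C:\Users\u\Downloads\brief\SumatraPDF.exe"),
    ("network", "WS-01", "SumatraPDF.exe", "raw.githubusercontent.com:443"),
    ("network", "WS-01", "SumatraPDF.exe", "158.247.193.100:443"),
    ("process", "WS-01", "cmd.exe", "code.exe tunnel --accept-server-license-terms"),
    ("network", "WS-02", "git.exe", "github.com:443"),
    ("process", "WS-02", "code.exe", "code.exe --folder ."),
]

def classify(event, tunnel_allowlist=frozenset()):
    """Return the finding labels for one event (empty list means nothing notable)."""
    kind, host, proc, detail = event
    findings = []
    if kind == "network":
        dest = detail.rsplit(":", 1)[0]          # strip the port
        if dest == STAGING_IP:
            findings.append("staging-ip")
        # GitHub traffic is only expected from known development tooling.
        if dest.endswith(GITHUB_HOSTS) and proc.lower() not in DEV_PROCESSES:
            findings.append("github-from-nondev-process")
    elif kind == "process":
        if TUNNEL_RE.search(detail) and host not in tunnel_allowlist:
            findings.append("vscode-tunnel-start")
    return findings

def triage(events, tunnel_allowlist=frozenset()):
    """Aggregate findings per host; hosts with several distinct findings go first."""
    per_host = {}
    for ev in events:
        for label in classify(ev, tunnel_allowlist):
            per_host.setdefault(ev[1], Counter())[label] += 1
    return per_host

if __name__ == "__main__":
    for host, counts in triage(SAMPLE_EVENTS).items():
        print(host, dict(counts))
```

Hosts that combine a tunnel start with a staging-IP or non-development GitHub connection are the ones to isolate and image first.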

This campaign is further evidence that advanced actors mix low-cost and sophisticated techniques with public services to operate under the radar. The defensive posture must evolve in parallel: more behavior-based monitoring, less implicit trust in everyday tools, and stricter network and application controls are the measures that significantly reduce the risk of a seemingly harmless decoy becoming a persistent backdoor.

For additional media and technical coverage of this intrusion, see the news report that covered the finding: BleepingComputer - Tropic Trooper uses trojanized SumatraPDF to deliver AdaptixC2, and the original investigation by the threat research team that discovered the campaign, whose analysis goes deeper into indicators and samples.
