Chinese-speaking individuals are the target of a new campaign that uses a trojanized version of SumatraPDF reader to deploy the AdaptixC2 Beacon post-exploitation agent and ultimately facilitate the abuse of Microsoft Visual Studio Code (VS Code) tunnels for remote access.
Zscaler ThreatLabz, which discovered the campaign last month, has attributed it with high confidence to Tropic Trooper (aka APT23, Earth Centaur, KeyBoy, and Pirate Panda), a hacking group known for its targeting of various entities in Taiwan, Hong Kong, and the Philippines. It’s assessed to be active since at least 2011.
“The threat actors created a custom AdaptixC2 Beacon listener, leveraging GitHub as their command-and-control (C2) platform,” security researcher Yin Hong Chang said in an analysis.
It’s believed that Chinese-speaking individuals in Taiwan, and individuals in South Korea and Japan, are the targets of the campaign. The starting point of the attack is a ZIP archive containing military-themed document lures to launch the rogue version of SumatraPDF, which is then used to display a decoy PDF document, while simultaneously retrieving encrypted shellcode from a staging server to launch AdaptixC2 Beacon.
To accomplish this, the backdoored SumatraPDF executable launches a slightly modified version of a loader codenamed TOSHIS, which is a variant of Xiangoop, a malware linked to Tropic Trooper, and has been used in the past to fetch next-stage payloads like Cobalt Strike Beacon or Merlin agent for the Mythic framework.
The loader is responsible for activating the multi-stage attack, dropping both the lure document as a distraction mechanism and the AdaptixC2 Beacon agent in the background.The agent employs GitHub for C2, beaconing out to the attacker-controlled infrastructure to fetch tasks to be executed on the compromised host.
The attack moves to the next stage only when the victim is deemed valuable, at which point the threat actor deploys VS Code and sets up VS Code tunnels for remote access. On select machines, the threat actor has been found to install alternative, trojanized applications, likely in an attemptto better camouflage their actions.
What’s more, the staging server involved in the intrusion (“158.247.193[.]100”) has been observed hosting a Cobalt Strike Beacon and a custom backdoor called EntryShell, both of which have been put to use by Tropic Trooper in the past.
“Similar to the TAOTH campaign, publicly available backdoors are used as payloads,” Zscaler said. “While Cobalt Strike Beacon and Mythic Merlin were previously used, the threat actor has now shifted to AdaptixC2.”
