Hackers Weaponize Fake PDF Readers & GitHub C2 to Deploy VS Code Tunnels for Undetectable Access

Introduction: Threat actors are increasingly adept at weaponizing legitimate developer tools and open-source platforms to quietly take over systems, a growing concern for organizations worldwide. In a recent campaign, the advanced persistent threat (APT) group Tropic Trooper (APT23) was found using a trojanized build of the legitimate SumatraPDF reader to deploy the AdaptixC2 post-exploitation framework. By abusing GitHub for command-and-control (C2) communication and Microsoft Visual Studio Code tunnels for remote access, this multi-stage attack shows how living-off-the-land techniques slip past conventional security controls.

Learning Objectives:

  • Understand the complete Tropic Trooper attack chain, from military-themed lures to VS Code tunnel deployment.
  • Analyze how threat actors abuse GitHub Issues and repositories as stealthy command-and-control infrastructure.
  • Learn detection strategies and mitigation commands for the AdaptixC2 framework and VS Code tunnel abuse.

1. Decoding The Attack Chain: From Malicious PDF to System Takeover

The campaign, first discovered by Zscaler ThreatLabz on March 12, 2026, begins with a malicious ZIP archive containing military-themed document lures targeting Chinese-speaking individuals in Taiwan, as well as targets in South Korea and Japan. When a victim executes the disguised file—named “Comparative Analysis of US-UK and US-Australia Nuclear Submarine Cooperation (2025).exe”—the trojanized SumatraPDF reader launches. While the user views a decoy PDF, the loader retrieves encrypted shellcode from a staging server (158.247.193[.]100), which has also been observed hosting Cobalt Strike Beacon and a custom EntryShell backdoor. This stage activates the AdaptixC2 Beacon agent, setting the stage for persistent control.

Step‑by‑step guide to understanding the initial compromise and persistence:

  • Lures: The ZIP archive uses strategically chosen filenames about military architectures and industrial plans to entice specific targets.
  • Execution: The trojanized executable uses the TOSHIS loader, a loader long associated with Tropic Trooper, to open the decoy document and run the malicious shellcode at the same time.
  • Persistence: On high-value machines, the attacker creates scheduled tasks so that access survives reboots.

For defenders, hunting for this activity means checking process-creation logs for SumatraPDF-named binaries that lack the vendor’s valid Authenticode signature or run from unusual paths, and reviewing scheduled tasks that were not created by Windows itself. On Windows, list the non-Microsoft tasks together with the command each one actually runs:

# -notlike excludes the whole \Microsoft\ tree; the common '-ne "\Microsoft\Windows\"' test still
# shows every task in a subfolder such as \Microsoft\Windows\Defrag\. Actions is what actually runs.
Get-ScheduledTask | Where-Object { $_.TaskPath -notlike '\Microsoft\*' } |
  Select-Object TaskName, TaskPath, State, Author,
    @{n='Action'; e={ ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; ' }} |
  Format-List

On Linux, audit cron jobs with:

cat /etc/crontab
ls -la /etc/cron.*                      # cron.d, cron.hourly, cron.daily, cron.weekly, cron.monthly
for u in $(cut -d: -f1 /etc/passwd); do crontab -l -u "$u" 2>/dev/null | sed "s|^|$u: |"; done
systemctl list-timers --all             # systemd timers are used for persistence as often as cron

2. AdaptixC2: The Custom Beacon That Lives on GitHub

Perhaps the most inventive aspect of this attack is how Tropic Trooper repurposed AdaptixC2, an open-source post-exploitation framework, with a custom beacon listener that uses GitHub as its command-and-control (C2) platform. Instead of communicating with a traditional attacker-controlled server, the beacon interacts with a GitHub repository, reading task assignments from GitHub Issues and uploading results back to the same repository. This approach leverages GitHub’s legitimate reputation, allowing malicious traffic to blend in with routine API calls and evade network monitoring.

AdaptixC2 is built for stealth: fileless in-memory execution, an RC4-encrypted embedded configuration (a simple scheme, which is why public config extractors for it exist), and support for Beacon Object Files (BOFs) that run directly inside the agent’s own process. It offers web (HTTP/HTTPS), named-pipe and TCP beacon transports, giving attackers flexibility in how an agent reaches its listener.

Step‑by‑step guide to detecting AdaptixC2 beaconing activity:

  • Network monitoring: Look for outbound HTTPS requests to GitHub API endpoints from hosts that have no developer role. A packet filter is only a starting point, because tcpdump resolves api.github.com once when the capture starts and GitHub’s addresses change; DNS, proxy or TLS SNI logs are the more reliable source. For a quick look on a sensor:
    sudo tcpdump -i eth0 -n 'host api.github.com and port 443'
    # or capture all of 443 and pull the SNI afterwards, which does not depend on the address
    sudo tcpdump -i eth0 -n 'port 443' -w gh.pcap
    tshark -r gh.pcap -Y 'tls.handshake.extensions_server_name contains "github.com"' -T fields -e ip.src -e tls.handshake.extensions_server_name
    
  • Process analysis: Hunt for unsigned or unexpected processes making GitHub API calls. Check for `rundll32.exe` loading Beacon DLLs (a known AdaptixC2 delivery technique).
  • Configuration parsing: Use Palo Alto Unit 42’s published AdaptixC2 config extractor to decrypt the RC4-encrypted beacon configuration and recover the listener profile.

A YARA rule snippet for AdaptixC2 loader artifacts. Both strings are generic (the "RC4" marker appears in many legitimate binaries), so the rule is restricted to PE files and should be tested against a clean corpus before it is deployed for alerting:

rule AdaptixC2_Loader
{
    meta:
        description = "Illustrative AdaptixC2 loader artifacts: RC4 marker plus a beacon config name"
    strings:
        $rc4_marker    = { 52 43 34 00 }          // "RC4\0"
        $beacon_config = /beacon_[a-f0-9]{32}/
    condition:
        uint16(0) == 0x5A4D and filesize < 10MB and $rc4_marker and $beacon_config
}

3. Abusing Visual Studio Code Tunnels for Persistent, Trusted Access

After the initial compromise, on targets deemed high-value, the attacker installs Microsoft Visual Studio Code and registers a VS Code tunnel for remote access. The tunnel removes the need for dedicated C2 infrastructure: the host opens an outbound, encrypted connection to Microsoft’s tunnel service (the *.tunnels.api.visualstudio.com and *.devtunnels.ms endpoints that VS Code documents for this feature), and the attacker reaches it through vscode.dev or a local VS Code, so the traffic blends in with legitimate developer activity. Commands observed through the tunnel in this campaign include network reconnaissance (arp and net view) and interactive shell access. Because nothing on the wire resembles a classic implant check-in, conventional intrusion detection system (IDS) signatures do not fire; the tunnel service domains themselves are the network pivot to hunt on.

Step‑by‑step guide to detecting and disabling unauthorized VS Code tunnels:

  • Process auditing: Look for `code-tunnel` processes, or `code` run with the `tunnel` subcommand (the standalone CLI is a plain `code` binary, so matching only the `code-tunnel` name misses it).
    ps aux | grep -Ei '(^|/)code(-tunnel)? .*tunnel' | grep -v grep
    
  • Log inspection: On Windows, check Event ID 4688 (Process Creation) for `code.exe` or `code-tunnel.exe` started with the `tunnel` subcommand. The command line only appears in 4688 when "Include command line in process creation events" is enabled. Example PowerShell command:
    Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4688} |
      Where-Object { $_.Message -match 'code(-tunnel)?\.exe' -and $_.Message -match '\btunnel\b' } |
      Select-Object TimeCreated, Message
    
  • Prevention: Block execution of the VS Code tunnel CLI with application control policies such as Windows Defender Application Control (WDAC) or AppLocker, and block the tunnel service domains at the egress proxy for hosts that have no business running one. On Linux, watch executions of the CLI with `auditd` (add a second `-w` rule for the standalone binary if it is installed elsewhere):
    auditctl -w /usr/bin/code -p x -k vscode_tunnel
    ausearch -k vscode_tunnel
    
  • Remediation: Terminate the tunnel process and delete the CLI’s stored state, which holds the tunnel registration and the account token (by default the `.vscode-cli` directory in the user’s profile). A tunnel is registered under the GitHub or Microsoft account that performed the `code tunnel` login, in this case the attacker’s, so the victim organization cannot revoke it from its own Microsoft Entra ID (formerly Azure AD) tenant; remove the local state, block the tunnel service domains at egress, and rotate any credentials the attacker could have reached from the interactive session.
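The process-auditing and log-inspection steps above, expressed as a small hunt over constructed Windows 4688 process-creation records. This is an added example for this article, not code from the Zscaler report, from Microsoft or from UndercodeTesting; the sample events and the "user-writable path" heuristic are assumptions made for illustration, and the field names follow the 4688 event.

```python
"""Hunt Visual Studio Code tunnel launches in Windows 4688 process-creation records.

Added example for this article; not code from the Zscaler report, from Microsoft
or from UndercodeTesting. The events are constructed; field names follow the
4688 event (NewProcessName, CommandLine, ParentProcessName, SubjectUserName).
CommandLine is only populated when "Include command line in process creation
events" is enabled, so without that policy this logic sees nothing.
"""
import re
from typing import Optional

# Constructed sample records: a developer starting the CLI from the product
# install, an attacker-style launch of a standalone code.exe dropped under Temp
# by a lure executable, the editor itself opening a folder, and a benign cmd.
SAMPLE_EVENTS = [
    {"EventID": 4688, "SubjectUserName": "dev01",
     "NewProcessName": r"C:\Program Files\Microsoft VS Code\bin\code-tunnel.exe",
     "CommandLine": r'"C:\Program Files\Microsoft VS Code\bin\code-tunnel.exe" tunnel --accept-server-license-terms',
     "ParentProcessName": r"C:\Windows\explorer.exe"},
    {"EventID": 4688, "SubjectUserName": "analyst07",
     "NewProcessName": r"C:\Users\analyst07\AppData\Local\Temp\code.exe",
     "CommandLine": r"C:\Users\analyst07\AppData\Local\Temp\code.exe tunnel --name ws07 --accept-server-license-terms",
     "ParentProcessName": r"C:\Users\analyst07\Downloads\Comparative Analysis (2025).exe"},
    {"EventID": 4688, "SubjectUserName": "dev01",
     "NewProcessName": r"C:\Program Files\Microsoft VS Code\Code.exe",
     "CommandLine": r'"C:\Program Files\Microsoft VS Code\Code.exe" C:\repo',
     "ParentProcessName": r"C:\Windows\explorer.exe"},
    {"EventID": 4688, "SubjectUserName": "svc_backup",
     "NewProcessName": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c net view",
     "ParentProcessName": r"C:\Windows\System32\svchost.exe"},
]

# The tunnel CLI ships as bin\code-tunnel.exe inside the product and as a
# standalone code.exe download; both start a tunnel with the "tunnel" subcommand.
TUNNEL_BINARY = re.compile(r"(?:^|\\)code(?:-tunnel)?\.exe$", re.IGNORECASE)
TUNNEL_SUBCOMMAND = re.compile(r"\btunnel\b", re.IGNORECASE)
# First token of a Windows command line (quoted or bare), then the arguments.
ARG_SPLIT = re.compile(r'^(?:"[^"]*"|\S+)\s*(.*)$', re.DOTALL)

# Assumed heuristic: paths a standard user can write to. A real install lives
# under Program Files or, for per-user setups, %LOCALAPPDATA%\Programs\Microsoft
# VS Code, so that folder name is exempted before the prefixes are applied.
USER_WRITABLE_PREFIXES = (r"c:\users\\", r"c:\programdata\\", r"c:\windows\temp\\")
KNOWN_INSTALL_MARKER = "\\microsoft vs code\\"


def arguments(cmdline: str) -> str:
    """Return everything after the executable token of a command line."""
    m = ARG_SPLIT.match(cmdline.strip())
    return m.group(1) if m else ""


def from_suspicious_path(image: str) -> bool:
    """True when the binary runs from a user-writable location that is not a VS Code install."""
    p = image.lower()
    if KNOWN_INSTALL_MARKER in p:
        return False
    return p.startswith(tuple(prefix.replace("\\\\", "\\") for prefix in USER_WRITABLE_PREFIXES))


def classify(event: dict) -> Optional[dict]:
    """Return a finding for a tunnel launch, or None for any other process."""
    if event.get("EventID") != 4688:
        return None
    image = event.get("NewProcessName", "")
    if not TUNNEL_BINARY.search(image):
        return None
    # Match "tunnel" in the arguments only, so the executable path cannot satisfy
    # the check by itself. A path argument containing the word would still match;
    # triage on parent process and location, not on this string alone.
    if not TUNNEL_SUBCOMMAND.search(arguments(event.get("CommandLine", ""))):
        return None
    suspicious = from_suspicious_path(image)
    return {
        "user": event.get("SubjectUserName"),
        "image": image,
        "parent": event.get("ParentProcessName"),
        "severity": "high" if suspicious else "medium",
        "reason": "VS Code tunnel started" + (" from a user-writable path" if suspicious else ""),
    }


def hunt(events) -> list:
    """Run classify() over a sequence of events and keep only the findings."""
    return [f for f in (classify(e) for e in events) if f is not None]


if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(finding)
```

To use it on real data, export 4688 events to JSON (for example with `Get-WinEvent ... | ConvertTo-Json`) and map the event properties onto the same four keys; the developer launch from the install path is reported at medium severity so that a triage rule can suppress it for known developer accounts, while a tunnel CLI spawned from Temp by a document-named executable stays high.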

4. Hunting for Open-Source C2 Frameworks in Your Environment

The shift toward legitimate open-source tools like AdaptixC2 represents a growing trend among APT groups, making attribution harder and security gaps wider than expected. AdaptixC2 aligns with multiple MITRE ATT&CK tactics: Command and Control (TA0011), Credential Access (TA0006), Defense Evasion (TA0005), and Lateral Movement (TA0008). Defenders must employ endpoint detection and response (EDR) and network detection and response (NDR) tooling that can identify the framework’s specific communication patterns, such as its DNS-over-HTTPS (DoH) network indicators.

Step‑by‑step guide to hunting for open-source C2 framework artifacts:

  • Network heuristics: Deploy a Zeek script to detect suspicious GitHub API Beacon intervals.
  • Endpoint sweeps: Use an EDR to query for loaders that inject shellcode into memory, whether a trojanized document viewer like the SumatraPDF build used here or fileless PowerShell; both are common AdaptixC2 deployment paths.
  • Indicator sharing: Cross-reference internal process hashes with publicly available indicators of compromise (IOCs) from the Zscaler report, such as specific DLL hashes and the staging server IP 158.247.193[.]100.
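The "network heuristics" step above, and the GitHub Issues polling described in section 2, reduce to one question: which client talks to api.github.com on a fixed schedule? The following is an added example for this article that answers it in Python over constructed proxy log lines; it is not a Zeek script, not code from the Zscaler report and not part of AdaptixC2. The log format (epoch time, client IP, host, path, user-agent, tab-separated) is an assumed generic proxy export, and the thresholds are starting points, not tuned values.

```python
"""Find fixed-interval polling of the GitHub API in proxy logs.

Added example for this article; it is not Zeek code, not from the Zscaler
report and not from the AdaptixC2 project. The log lines are constructed and
their layout (epoch time, client IP, host, path, user-agent, tab-separated) is
an assumed generic proxy export rather than any particular product's format.
"""
from collections import defaultdict
from statistics import mean, median, pstdev


def _constructed_log():
    lines = []
    # Constructed: 10.0.0.5 fetches the same Issues endpoint every 60 s with
    # about two seconds of jitter, from a non-browser client.
    t = 1_700_000_000.0
    for jitter in (0.4, -1.1, 1.7, -0.3, 0.9, -1.6, 0.2, 1.2, -0.8, 0.5):
        t += 60 + jitter
        lines.append(f"{t:.3f}\t10.0.0.5\tapi.github.com\t/repos/example-org/notes/issues\tGo-http-client/1.1")
    # Constructed: 10.0.0.9 is a developer, hitting varied endpoints at a human pace.
    t = 1_700_000_000.0
    for gap, path in ((3, "/user"), (41, "/repos/example-org/app/pulls"),
                      (7, "/repos/example-org/app/pulls/12"), (600, "/notifications"),
                      (2, "/repos/example-org/app/issues"), (95, "/user/repos")):
        t += gap
        lines.append(f"{t:.3f}\t10.0.0.9\tapi.github.com\t{path}\tgit/2.43.0")
    return lines


SAMPLE_LOG = _constructed_log()


def parse(line):
    """Split one tab-separated proxy line into its five fields."""
    ts, src, host, path, ua = line.rstrip("\n").split("\t")
    return float(ts), src, host, path, ua


def beacon_candidates(lines, host_suffix="github.com", min_hits=6, max_cv=0.2,
                      known_dev_clients=frozenset()):
    """Group requests per (client, host) and flag low-jitter periodic series.

    cv is the coefficient of variation (stdev / mean) of the gaps between
    consecutive requests. A beacon that sleeps N seconds plus a little jitter
    gives a small cv; a person reading pull requests does not. Clients listed
    in known_dev_clients are skipped, which is the "non-developer workstation"
    filter from the text.
    """
    series = defaultdict(list)
    for line in lines:
        ts, src, host, path, ua = parse(line)
        if src in known_dev_clients:
            continue
        if host == host_suffix or host.endswith("." + host_suffix):
            series[(src, host)].append((ts, path, ua))

    findings = []
    for (src, host), hits in series.items():
        if len(hits) < min_hits:
            continue
        hits.sort()
        gaps = [later[0] - earlier[0] for earlier, later in zip(hits, hits[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue  # duplicate timestamps; nothing periodic to measure
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            findings.append({
                "src": src, "host": host, "hits": len(hits),
                "median_gap_s": round(median(gaps), 1), "cv": round(cv, 3),
                "paths": sorted({p for _, p, _ in hits}),
                "user_agents": sorted({u for _, _, u in hits}),
            })
    return findings


if __name__ == "__main__":
    for finding in beacon_candidates(SAMPLE_LOG):
        print(finding)
```

The finding carries the distinct paths and user-agents because those are what an analyst looks at next: a single Issues endpoint hit every minute by a Go or Python HTTP client, rather than by git or a browser, is the shape of the GitHub-as-C2 channel described in section 2, while a developer's series fails the jitter test long before anyone has to read its paths.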

5. Defending Against Weaponized Legitimate Tools

This campaign highlights a broader shift in the threat landscape: sophisticated actors are moving away from their own bespoke tools and toward abusing trusted platforms. Defenders must adapt by implementing zero-trust principles, strictly controlling application execution, and conducting regular threat hunting for anomalous uses of developer tools like VS Code and Git. To minimize risk, security teams should enforce allowlisting for code editors and development environments, monitor outbound network connections to cloud development platforms, and educate users about the dangers of executing files from untrusted sources—even if those files appear to be legitimate documents.

Step‑by‑step guide to mitigating the risk:

  • Implement application allowlisting: Use Windows Defender Application Control or Linux `fapolicyd` to restrict execution to known binaries only.
  • Monitor and alert: Create custom detections in your SIEM for processes like `code` and `code-tunnel` spawning from temporary or user-writable directories.
  • User education: Train employees, especially those in high-value roles, to never run executable files attached to emails, even if the filename matches their role’s interests (e.g., military-themed archives).
  • Network segmentation: Use micro-segmentation to prevent a compromised workstation from moving laterally or accessing sensitive servers.

What Undercode Says:

  • Key Takeaway 1: Abusing legitimate developer infrastructure is a rising trend; accordingly, security controls must be redesigned to trust nothing, including your own network’s reputation.
  • Key Takeaway 2: Open-source C2 frameworks are now mainstream APT tools—therefore, defensive strategies need to shift from signature‑based detection to behavioral analysis of both network traffic and endpoint processes.

Prediction: Over the next 18 months, expect a rapid increase in attacks weaponizing cloud-based development environments and DevOps pipelines. Threat actors will continue to abuse GitHub, GitLab, and Microsoft’s trusted services, so security teams must urgently build detection capabilities that monitor for anomalous use of these platforms by non-developer user accounts, or risk being blindsided by traffic that looks entirely legitimate until it’s too late.

Reported By: Hackermohitkumar A – Hackers Feeds