Tropic Trooper Uses Trojanized SumatraPDF and GitHub to Deploy AdaptixC2

The Hacker News, Apr 24, 2026

Why It Matters

By abusing trusted software and public code‑hosting services, Tropic Trooper evades traditional defenses and gains long‑term footholds, raising the threat level for enterprises in the Asia‑Pacific region. Understanding this chain helps security teams harden PDF readers, monitor GitHub traffic, and secure VS Code environments.

Key Takeaways

  • Tropic Trooper uses trojanized SumatraPDF to deliver AdaptixC2 Beacon
  • GitHub serves as command‑and‑control platform for the malware
  • VS Code tunnels enable persistent remote access after initial compromise
  • Campaign targets Chinese‑speaking users in Taiwan, South Korea, Japan

Pulse Analysis

The latest Tropic Trooper operation underscores a growing trend: nation‑state actors are repurposing everyday utilities to mask malicious activity. By embedding a backdoor in the popular SumatraPDF reader, the group sidesteps many endpoint protections that focus on high‑profile binaries. The initial lure—military‑themed documents in a ZIP archive—triggers a decoy PDF while silently pulling encrypted shellcode, a technique that blends social engineering with sophisticated payload delivery.

What sets this campaign apart is the use of GitHub as a command‑and‑control (C2) channel. Leveraging a public code‑hosting platform provides built‑in encryption, global availability, and a veneer of legitimacy that complicates network‑based detection. The AdaptixC2 beacon communicates with attacker‑controlled repositories, fetching additional stages such as Cobalt Strike or the Merlin agent. This approach mirrors earlier TAOTH operations but reflects an evolution toward custom C2 infrastructure that blends open‑source tools with proprietary backdoors.

The final phase involves deploying Microsoft Visual Studio Code and establishing VS Code tunnels, granting the adversary low‑latency, encrypted remote access that can bypass VPN monitoring. For organizations, the lesson is clear: security controls must extend beyond traditional perimeter defenses to include monitoring of legitimate developer tools, unusual GitHub traffic, and anomalous PDF reader behavior. Implementing application allow‑lists, sandboxing PDF viewers, and threat‑intel‑driven IOC feeds can reduce the attack surface against this sophisticated, multi‑stage intrusion chain.
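The monitoring advice above (anomalous PDF reader behaviour, unusual GitHub traffic, legitimate developer tools used for remote access) can be turned into concrete detection logic. The following is an added example written for this summary; it is not code from The Hacker News or from any vendor, and it makes several assumptions: a simplified endpoint telemetry schema with process-creation and outbound-connection events, a small set of PDF reader image names, a list of code-hosting domains, and the VS Code CLI's `tunnel` subcommand as the marker for tunnel establishment. The sample events are constructed to exercise each rule and do not reproduce any real indicator from the campaign.

```python
"""Heuristic detection over constructed endpoint telemetry (added example).

Three checks derived from the article's mitigation advice:
  1. a PDF reader process opening a connection to a code-hosting domain,
  2. a PDF reader spawning a child process,
  3. Visual Studio Code started with the `tunnel` subcommand.
Process names, domains and the event schema are assumptions for the example.
"""
import shlex
from dataclasses import dataclass
from typing import Callable, List, Optional

# Assumed PDF reader image names worth watching (lower-case).
PDF_READERS = {"sumatrapdf.exe", "acrord32.exe"}
# Assumed code-hosting domains; a PDF reader has no reason to contact them.
CODE_HOSTING_DOMAINS = {
    "github.com", "api.github.com",
    "raw.githubusercontent.com", "objects.githubusercontent.com",
}
# Assumed VS Code image names (the Electron app and the standalone CLI).
VSCODE_IMAGES = {"code.exe", "code"}


@dataclass
class Event:
    kind: str               # "process" (creation) or "network" (outbound)
    image: str              # image path of the acting process
    parent_image: str = ""  # creator, for "process" events
    cmdline: str = ""       # full command line, for "process" events
    dest_host: str = ""     # destination host, for "network" events


@dataclass
class Alert:
    rule: str
    detail: str


def _base(path: str) -> str:
    """Lower-case file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def check_pdf_reader_network(ev: Event) -> Optional[Alert]:
    """Rule 1: PDF reader talking to a code-hosting service."""
    if (ev.kind == "network" and _base(ev.image) in PDF_READERS
            and ev.dest_host.lower() in CODE_HOSTING_DOMAINS):
        return Alert("pdf_reader_to_code_hosting",
                     f"{ev.image} connected to {ev.dest_host}")
    return None


def check_pdf_reader_child(ev: Event) -> Optional[Alert]:
    """Rule 2: PDF reader creating a process other than itself."""
    if (ev.kind == "process" and _base(ev.parent_image) in PDF_READERS
            and _base(ev.image) not in PDF_READERS):
        return Alert("pdf_reader_spawned_child",
                     f"{ev.parent_image} spawned {ev.image}")
    return None


def check_vscode_tunnel(ev: Event) -> Optional[Alert]:
    """Rule 3: VS Code launched with the `tunnel` subcommand."""
    if ev.kind != "process" or _base(ev.image) not in VSCODE_IMAGES:
        return None
    # posix=False keeps Windows backslashes literal while honouring quotes.
    args = [a.lower() for a in shlex.split(ev.cmdline, posix=False)[1:]]
    if "tunnel" in args:
        return Alert("vscode_tunnel_started",
                     f"{ev.image} launched with subcommand 'tunnel'")
    return None


CHECKS: List[Callable[[Event], Optional[Alert]]] = [
    check_pdf_reader_network, check_pdf_reader_child, check_vscode_tunnel,
]


def analyze(events: List[Event]) -> List[Alert]:
    """Run every rule over every event and collect the alerts in order."""
    alerts: List[Alert] = []
    for ev in events:
        for check in CHECKS:
            alert = check(ev)
            if alert is not None:
                alerts.append(alert)
    return alerts


# Constructed sample telemetry: two benign events, then three that fire.
SAMPLE_EVENTS = [
    Event("process", r"C:\Users\u\Desktop\SumatraPDF.exe",
          parent_image=r"C:\Windows\explorer.exe",
          cmdline=r'"C:\Users\u\Desktop\SumatraPDF.exe" briefing.pdf'),
    Event("network", r"C:\Program Files\Mozilla Firefox\firefox.exe",
          dest_host="github.com"),
    Event("network", r"C:\Users\u\Desktop\SumatraPDF.exe",
          dest_host="raw.githubusercontent.com"),
    # One event trips rules 2 and 3: the reader launches a VS Code tunnel.
    Event("process", r"C:\Users\u\AppData\Local\code.exe",
          parent_image=r"C:\Users\u\Desktop\SumatraPDF.exe",
          cmdline=r'"C:\Users\u\AppData\Local\code.exe" tunnel --accept-server-license-terms'),
    Event("process", r"C:\Program Files\Microsoft VS Code\Code.exe",
          parent_image=r"C:\Windows\explorer.exe",
          cmdline=r'"C:\Program Files\Microsoft VS Code\Code.exe" C:\src\project'),
]

if __name__ == "__main__":
    for a in analyze(SAMPLE_EVENTS):
        print(f"[{a.rule}] {a.detail}")
```

The rules are deliberately narrow (exact image names, exact domains, a bare `tunnel` token) so that a normal VS Code session opened on a folder, or a browser visiting GitHub, produces nothing; in production the image and domain lists would come from the organisation's own software inventory and the events from an EDR or Sysmon feed rather than the constructed list here.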
