Tropic Trooper: AdaptixC2 + Custom Beacon | ThreatLabz

Key Takeaways

• Tropic Trooper targeted Chinese-speaking individuals in Taiwan, South Korea, and Japan using military-themed lures.
• The attack chain utilizes a trojanized SumatraPDF binary (TOSHIS loader) to deploy an AdaptixC2 Beacon.
• The threat actors developed a custom AdaptixC2 Beacon listener that leverages GitHub Issues for C2 communication.
• VS Code tunnels are deployed for persistent remote access to compromised machines.
• The staging server also hosted Cobalt Strike Beacon and the EntryShell backdoor.

Affected Systems

• Windows

Attack Chain

The attack begins with a malicious ZIP archive containing a trojanized SumatraPDF executable. Upon execution, the TOSHIS loader hijacks the control flow to download a decoy PDF and a second-stage shellcode from a staging server. The shellcode decrypts and executes an AdaptixC2 Beacon in-memory, which establishes a C2 channel via GitHub Issues. Finally, the threat actor uses this access to deploy VS Code tunnels for persistent remote access and exfiltrate data.

Detection Availability

• YARA Rules: No
• Sigma Rules: No
• Snort/Suricata Rules: No
• KQL Queries: No
• Splunk SPL Queries: No
• EQL Queries: No
• Other Detection Logic: No

The article does not provide any specific detection rules or queries.

Detection Engineering Assessment

EDR Visibility: High — EDR solutions can detect the execution of trojanized binaries, anomalous child processes (e.g., SumatraPDF spawning curl or schtasks), and the creation of suspicious scheduled tasks. Network Visibility: Medium — While C2 traffic is encrypted and uses legitimate services like GitHub and ipinfo.io, the initial staging downloads from bare IPs and bashupload[.]app can be monitored. Detection Difficulty: Moderate — The use of legitimate services (GitHub, VS Code) for C2 and remote access blends in with normal developer activity, but the initial infection vector and persistence mechanisms are noisy.

Required Log Sources

• Process Creation (Event ID 4688 / Sysmon 1)
• Network Connections (Sysmon 3)
• Scheduled Task Creation (Event ID 4698)

Hunting Hypotheses

Hypothesis	Telemetry	ATT&CK Stage	FP Risk
Look for instances of code.exe executing with the 'tunnel user login --provider github' arguments, especially if spawned by unusual parent processes or running from public directories.	Process Creation	Command and Control	Medium
Search for schtasks.exe creating tasks that execute binaries located in C:\Users\Public\Documents.	Process Creation / Scheduled Tasks	Persistence	Low
Identify PDF reader applications (like SumatraPDF) making unexpected network connections to bare IP addresses or spawning command-line utilities like curl.exe.	Process Creation / Network Connections	Execution	Low

Control Gaps

• Lack of application control preventing execution from public directories
• Permissive outbound access to file-sharing sites like bashupload[.]app

Key Behavioral Indicators

• code.exe tunnel arguments
• schtasks pointing to Public\Documents
• curl downloading to %localappdata%\microsoft\windows\Burn

False Positive Assessment

• Medium

Recommendations

Immediate Mitigation

• Block access to the identified staging IPs (58.247.193[.]100, 158.247.193[.]100) and payload domains (bashupload[.]app).
• Search endpoints for the presence of the identified scheduled tasks (\MSDNSvc, \MicrosoftUDN).

Infrastructure Hardening

• Implement Application Control to restrict execution of binaries from user-writable directories like C:\Users\Public\Documents.
• Restrict outbound access to unauthorized file-sharing and code-hosting platforms if not required for business operations.

User Protection

• Deploy EDR rules to monitor for unauthorized use of VS Code tunneling features.
• Ensure endpoint protection blocks executables with invalid or tampered digital signatures.

Security Awareness

• Train users to be cautious of executable files disguised as documents, especially those delivered in ZIP archives.

MITRE ATT&CK Mapping

• T1585.003 - Resource Development: Establish Accounts: Cloud Accounts
• T1587.001 - Resource Development: Develop Capabilities: Malware
• T1588.001 - Resource Development: Obtain Capabilities: Malware
• T1588.002 - Resource Development: Obtain Capabilities: Tool
• T1608.001 - Resource Development: Stage Capabilities: Upload Malware
• T1608.002 - Resource Development: Stage Capabilities: Upload Tool
• T1204.002 - Execution: User Execution: Malicious File
• T1106 - Execution: Native API
• T1059.003 - Execution: Command and Scripting Interpreter: Windows Command Shell
• T1053.005 - Persistence: Scheduled Task/Job: Scheduled Task
• T1036.001 - Defense Evasion: Masquerading: Invalid Code Signature
• T1036.004 - Defense Evasion: Masquerading: Masquerade Task or Service
• T1620 - Defense Evasion: Reflective Code Loading
• T1027.007 - Defense Evasion: Obfuscated Files or Information: Dynamic API Resolution
• T1027.013 - Defense Evasion: Obfuscated Files or Information: Encrypted/Encoded File
• T1127 - Defense Evasion: Trusted Developer Utilities Proxy Execution
• T1016 - Discovery: System Network Configuration Discovery
• T1005 - Collection: Data from Local System
• T1071.001 - Command and Control: Application Layer Protocol: Web Protocols
• T1102.002 - Command and Control: Web Service: Bidirectional Communication
• T1219.001 - Command and Control: Remote Access Tools: IDE Tunneling
• T1105 - Command and Control: Ingress Tool Transfer
• T1132.001 - Command and Control: Data Encoding: Standard Encoding
• T1573.001 - Command and Control: Encrypted Channel: Symmetric Cryptography
• T1573.002 - Command and Control: Encrypted Channel: Asymmetric Cryptography
• T1001.003 - Exfiltration: Exfiltration Over Web Service: Exfiltration to Code Repository
• T1041 - Exfiltration: Exfiltration Over C2 Channel

Additional IOCs

• Ips:
  • 58[.]247[.]193[[.]]100 - Staging server
  • 158[.]247[.]193[[.]]100 - Staging server hosting EntryShell
• Domains:
  • bashupload[[.]]app - Payload hosting
  • ip[.]me - IP discovery service abused by threat actor
  • ipinfo[.]io - IP discovery service abused by AdaptixC2
• Urls:
  • hxxp://bashupload[[.]]app/6e1lhc - Payload URL
  • hxxp://bashupload[[.]]app/zgel2a[.]bin - Payload URL
  • hxxps://code[.]visualstudio[.]com/sha/download?build=stable&os=cli-win32-x64 - Legitimate VS Code download URL abused by threat actor
• File Paths:
  • C:\Users\Public\Documents\dsn.exe - Scheduled task payload
  • C:\Users\Public\Documents\MicrosoftCompilers.exe - Scheduled task payload
  • C:\Users\Public\Documents\2.library-ms - Scheduled task argument
  • %localappdata%\microsoft\windows\Burn\v.zip - Downloaded VS Code archive
• Command Lines:
  • Purpose: Establish persistence via scheduled task | Tools: schtasks.exe | Stage: Persistence | schtasks /create /tn \MSDNSvc /sc hourly /mo 2 /tr
  • Purpose: Establish persistence via scheduled task | Tools: schtasks.exe | Stage: Persistence | schtasks /create /tn \MicrosoftUDN /sc hourly /mo 2 /f /tr
  • Purpose: Establish remote access tunnel | Tools: code.exe | Stage: Command and Control | code tunnel user login --provider github
  • Purpose: Download external tools | Tools: curl.exe | Stage: Execution
  • Purpose: Discover running processes and command lines | Tools: wmic.exe | Stage: Discovery | wmic process where processid=8528 get commandline
• Other:
  • cvaS23uchsahs - GitHub repository owner used for C2
  • 7adf76418856966effc9ccf8a21d1b12 - AdaptixC2 RC4 Key
  • 424986c3a4fddcb6 - AES key seed for shellcode decryption
  • afkngaikfaf - EntryShell AES-128 ECB key