A sophisticated campaign attributed to the threat actor Tropic Trooper (aka KeyBoy, Pirate Panda) is actively targeting Chinese-speaking individuals and organizations. Discovered by Zscaler ThreatLabz, this operation demonstrates a high degree of adaptability, combining trojanized utilities with modern development tools to evade detection.
The attack chain begins with a trojanized installer for SumatraPDF, a legitimate, lightweight PDF reader whose popularity makes the lure credible. Once executed, the installer deploys the AdaptixC2 Beacon, the agent of the open-source AdaptixC2 post-exploitation framework. The campaign then abuses Microsoft Visual Studio Code (VS Code) Remote Tunnels for outbound-only, firewall-piercing remote access.
Defenders must act immediately. The abuse of VS Code tunnels is particularly insidious: the tunnel is an outbound HTTPS connection (TCP 443) to Microsoft-operated infrastructure, so it needs no inbound firewall rule and blends in with legitimate developer traffic.
Technical Analysis
Affected Products & Platforms:
- SumatraPDF: Trojanized installer versions targeting Windows environments.
- Microsoft Visual Studio Code: The "Tunnel" feature is abused for reverse connectivity.
- GitHub: Used for initial C2 staging and payload hosting.
Attack Chain Breakdown:
- Initial Access: Victims are lured into downloading a trojanized SumatraPDF installer.
- Execution: The malicious SumatraPDF executable drops and executes the AdaptixC2 Beacon payload.
- C2 & Staging: The beacon communicates with attacker-controlled infrastructure hosted on GitHub.
- Remote Access (Persistence): The malware launches the VS Code CLI (code.exe) with the tunnel sub-command. The CLI opens an outbound HTTPS connection to Microsoft's tunnel service, through which the attacker obtains a remote terminal or VS Code session on the victim's machine without any inbound port being opened on the victim's firewall.
Exploitation Status:
- Status: Confirmed active exploitation in the wild (ITW) at the time of publication (April 2026).
- Attribution: High confidence attribution to Tropic Trooper, a group known for targeting government, energy, and transportation sectors, primarily in Asia.
Detection & Response
This attack relies on the abuse of legitimate tools. Standard signature-based detection may miss trojanized PDF readers or VS Code traffic. Defenders must focus on behavioral anomalies—specifically, a PDF reader spawning shells or a non-developer user account establishing VS Code tunnels.
SIGMA Rules
The following rules target the unique behavioral characteristics of this campaign: the unlikely parent-child relationship of SumatraPDF spawning command shells, and the creation of VS Code tunnels.
---
title: Suspicious SumatraPDF Spawning Shell
id: 8a5c2e1f-9d4a-4b2c-8e1f-5a6b7c8d9e0f
status: experimental
description: Detects SumatraPDF spawning cmd.exe, powershell.exe, pwsh.exe or a Windows Script Host binary. A PDF reader has no normal reason to launch a shell, so a hit indicates a trojanized build or an exploited reader.
references:
    - https://thehackernews.com/2026/04/tropic-trooper-uses-trojanized.html
author: Security Arsenal
date: 2026/04/06
tags:
    - attack.execution
    - attack.t1204.002
    - attack.t1059
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\SumatraPDF.exe'
        Image|endswith:
            - '\cmd.exe'
            - '\powershell.exe'
            - '\pwsh.exe'
            - '\cscript.exe'
            - '\wscript.exe'
    condition: selection
falsepositives:
    - Unknown (SumatraPDF should rarely spawn other processes)
level: high
---
title: VS Code Tunnel Creation
id: b1f3c4d5-6e7a-8b9c-0d1e-2f3a4b5c6d7e
status: experimental
description: Detects the VS Code CLI (code.exe, or the bundled code-tunnel.exe) invoked with the tunnel sub-command or the --accept-server-license-terms flag, which starts an outbound HTTPS tunnel to Microsoft's Dev Tunnels service and is abused in this campaign for covert remote access.
references:
    - https://thehackernews.com/2026/04/tropic-trooper-uses-trojanized.html
author: Security Arsenal
date: 2026/04/06
tags:
    - attack.command_and_control
    - attack.t1219
    - attack.t1572
    - attack.t1071.001
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        Image|endswith:
            - '\code.exe'
            - '\code-tunnel.exe'
    selection_cli:
        # ' tunnel' (leading space) also matches a bare 'code tunnel' with no further arguments
        CommandLine|contains:
            - ' tunnel'
            - '--accept-server-license-terms'
    condition: all of selection_*
falsepositives:
    - Legitimate developer usage of VS Code Remote Tunnels / port forwarding
level: medium
---
title: AdaptixC2 GitHub C2 Pattern
id: c2d3e4f5-6a7b-8c9d-0e1f-2a3b4c5d6e7f
status: experimental
description: Detects outbound connections to GitHub raw/gist content hosts from processes other than web browsers or common developer tools, a pattern consistent with AdaptixC2 beacons retrieving staging data from GitHub.
references:
    - https://thehackernews.com/2026/04/tropic-trooper-uses-trojanized.html
author: Security Arsenal
date: 2026/04/06
tags:
    - attack.command_and_control
    - attack.t1102
logsource:
    category: network_connection
    product: windows
detection:
    selection:
        DestinationHostname|contains:
            - 'raw.githubusercontent.com'
            - 'gist.githubusercontent.com'
        Initiated: 'true'
    filter_legit_browsers:
        Image|endswith:
            - '\chrome.exe'
            - '\firefox.exe'
            - '\msedge.exe'
            - '\iexplore.exe'
    filter_dev_tools:
        Image|endswith:
            - '\git.exe'
            - '\node.exe'
    condition: selection and not 1 of filter_*
falsepositives:
    - Developer tools (Git, npm, python scripts) fetching resources from GitHub
level: low
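The logic of the three rules above, reduced to plain code and run over constructed Sysmon-style events, shows how each behavioral anomaly is decided and which benign look-alikes fall through. This is an added example, not code from the advisory or from Zscaler; the event records, hostnames and the inclusion of code-tunnel.exe as an alternate name for the VS Code CLI are assumptions made for the illustration.

```python
"""Added example (not from the advisory): the behavioural logic of the three
Sigma rules above, applied to constructed Sysmon-style process-creation and
network-connection events so the detections can be exercised offline."""
from typing import Iterable

SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "cscript.exe", "wscript.exe"}
BROWSERS = {"chrome.exe", "firefox.exe", "msedge.exe", "iexplore.exe"}
# Assumption: the VS Code CLI may run as code.exe or as code-tunnel.exe.
VSCODE_CLI = {"code.exe", "code-tunnel.exe"}
GITHUB_RAW = ("raw.githubusercontent.com", "gist.githubusercontent.com")


def image_name(path: str) -> str:
    """Basename of a Windows image path, lower-cased for comparison."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def sumatra_spawns_shell(ev: dict) -> bool:
    """Rule 1: SumatraPDF.exe is the parent of a shell or script host."""
    return (ev.get("EventType") == "ProcessCreate"
            and image_name(ev.get("ParentImage", "")) == "sumatrapdf.exe"
            and image_name(ev.get("Image", "")) in SHELLS)


def vscode_tunnel(ev: dict) -> bool:
    """Rule 2: VS Code CLI invoked with the tunnel sub-command.

    Tokenising the command line catches a bare 'code tunnel' (no trailing
    space), which a substring match on 'tunnel ' would miss."""
    if ev.get("EventType") != "ProcessCreate":
        return False
    if image_name(ev.get("Image", "")) not in VSCODE_CLI:
        return False
    tokens = [t.lower() for t in ev.get("CommandLine", "").split()]
    return "tunnel" in tokens or "--accept-server-license-terms" in tokens


def nonbrowser_github_raw(ev: dict) -> bool:
    """Rule 3: outbound connection to a GitHub raw/gist host from a non-browser."""
    if ev.get("EventType") != "NetworkConnect" or str(ev.get("Initiated")).lower() != "true":
        return False
    host = ev.get("DestinationHostname", "").lower()
    if not any(host == d or host.endswith("." + d) for d in GITHUB_RAW):
        return False
    return image_name(ev.get("Image", "")) not in BROWSERS


RULES = (
    ("Suspicious SumatraPDF Spawning Shell", "high", sumatra_spawns_shell),
    ("VS Code Tunnel Creation", "medium", vscode_tunnel),
    ("AdaptixC2 GitHub C2 Pattern", "low", nonbrowser_github_raw),
)


def run_detections(events: Iterable[dict]) -> list[dict]:
    """Evaluate every rule against every event; one alert per (event, rule) hit."""
    alerts = []
    for ev in events:
        for title, level, match in RULES:
            if match(ev):
                alerts.append({"rule": title, "level": level,
                               "host": ev.get("Computer"), "image": ev.get("Image")})
    return alerts


# Constructed sample telemetry (not real campaign data); field names follow Sysmon.
SAMPLE_EVENTS = [
    {"EventType": "ProcessCreate", "Computer": "WS01",
     "ParentImage": r"C:\Users\li\Downloads\SumatraPDF.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cmd.exe /c start "" %TEMP%\upd.exe'},
    {"EventType": "ProcessCreate", "Computer": "WS01",
     "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Users\li\AppData\Local\Programs\Microsoft VS Code\bin\code.exe",
     "CommandLine": "code.exe tunnel --accept-server-license-terms --name ws01"},
    {"EventType": "NetworkConnect", "Computer": "WS01", "Initiated": "true",
     "Image": r"C:\Users\li\AppData\Local\Temp\upd.exe",
     "DestinationHostname": "raw.githubusercontent.com", "DestinationPort": 443},
    # Benign look-alikes: a browser fetching raw GitHub content, a developer opening a folder.
    {"EventType": "NetworkConnect", "Computer": "DEV02", "Initiated": "true",
     "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "DestinationHostname": "raw.githubusercontent.com", "DestinationPort": 443},
    {"EventType": "ProcessCreate", "Computer": "DEV02",
     "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Users\dev\AppData\Local\Programs\Microsoft VS Code\Code.exe",
     "CommandLine": r"Code.exe C:\src\project"},
]

if __name__ == "__main__":
    for a in run_detections(SAMPLE_EVENTS):
        print(f"[{a['level']:<6}] {a['rule']} on {a['host']}: {a['image']}")
```

On the sample set the three malicious events fire one rule each (high, medium, low) and the two benign ones produce nothing. The token check in the tunnel rule is the one place this deliberately goes beyond the Sigma text: it also catches a bare `code tunnel` invocation that the `'tunnel '` substring would miss.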
KQL (Microsoft Sentinel / Defender)
Use this query to hunt for VS Code tunnel creation events and suspicious parent-child processes involving SumatraPDF.
// Hunt for VS Code Tunnel creation and SumatraPDF anomalies (last 30 days)
let lookback = 30d;
let ProcessEvents = DeviceProcessEvents
| where Timestamp > ago(lookback);
// 1. Detect VS Code Tunnel usage (the CLI may run as code.exe or code-tunnel.exe)
let VSCodeTunnels = ProcessEvents
| where FileName in~ ("code.exe", "code-tunnel.exe")
| where ProcessCommandLine has "tunnel"
    or ProcessCommandLine has "--accept-server-license-terms"
| extend Detection = "VSCodeTunnel"
| project Timestamp, DeviceName, AccountName, Detection, InitiatingProcessFileName, FileName, ProcessCommandLine, SHA256;
// 2. Detect SumatraPDF spawning shells, script hosts or LOLBin loaders
let SumatraSuspicious = ProcessEvents
| where InitiatingProcessFileName =~ "SumatraPDF.exe"
| where FileName in~ ("cmd.exe", "powershell.exe", "pwsh.exe", "cscript.exe", "wscript.exe", "regsvr32.exe", "rundll32.exe")
| extend Detection = "SumatraChild"
| project Timestamp, DeviceName, AccountName, Detection, InitiatingProcessFileName, FileName, ProcessCommandLine, SHA256;
// 3. Connections to GitHub raw/gist hosts from non-browser, non-developer-tool processes
let GithubC2 = DeviceNetworkEvents
| where Timestamp > ago(lookback)
| where RemoteUrl has_any ("raw.githubusercontent.com", "gist.githubusercontent.com")
| where InitiatingProcessFileName !in~ ("chrome.exe", "firefox.exe", "msedge.exe", "iexplore.exe", "git.exe", "node.exe")
| extend Detection = "GithubRawFetch"
| project Timestamp, DeviceName, AccountName = InitiatingProcessAccountName, Detection, InitiatingProcessFileName,
          ProcessCommandLine = InitiatingProcessCommandLine, RemoteUrl, RemotePort;
// Union results; the Detection column tells the three sources apart
union VSCodeTunnels, SumatraSuspicious, GithubC2
| order by Timestamp desc
Velociraptor VQL
This query, suitable for a Velociraptor hunt, lists VS Code CLI processes carrying tunnel arguments and SumatraPDF processes running outside its default installation locations (Program Files or the per-user %LOCALAPPDATA%\SumatraPDF). VQL has no UNION keyword, so the two result sets are concatenated with chain().
-- Hunt for Tropic Trooper indicators
SELECT * FROM chain(
  vscode_tunnels={
    -- VS Code CLI (code.exe or code-tunnel.exe) with the tunnel sub-command
    SELECT Pid, Name, CommandLine, Exe, Username, CreateTime,
           "VSCodeTunnel" AS Indicator
    FROM pslist()
    WHERE Name =~ "^(code|code-tunnel)\\.exe$"
      AND CommandLine =~ "(^|\\s)tunnel(\\s|$)|--accept-server-license-terms"
  },
  sumatra_nonstandard={
    -- SumatraPDF running from anywhere but its default install directories
    SELECT Pid, Name, CommandLine, Exe, Username, CreateTime,
           "SumatraNonStandardPath" AS Indicator
    FROM pslist()
    WHERE Name =~ "^SumatraPDF\\.exe$"
      AND NOT Exe =~ "(?i)^C:\\\\(Program Files( \\(x86\\))?|Users\\\\[^\\\\]+\\\\AppData\\\\Local)\\\\SumatraPDF\\\\SumatraPDF\\.exe$"
  })
Remediation Script (PowerShell)
This script identifies active VS Code tunnels and checks running SumatraPDF instances for a non-standard path or an invalid Authenticode signature. Note: Stopping VS Code tunnels may disrupt legitimate developer work, so the kill is left commented out.
# Tropic Trooper Response Script
Write-Host "[*] Scanning for VS Code Tunnel abuse and Suspicious SumatraPDF instances..." -ForegroundColor Cyan

# 1. Identify VS Code CLI processes running the tunnel sub-command.
#    Get-CimInstance replaces the deprecated Get-WmiObject; the CLI may run as
#    code.exe or code-tunnel.exe, so both names are matched.
$tunnelProcesses = Get-CimInstance Win32_Process |
    Where-Object { $_.Name -in @("Code.exe", "code-tunnel.exe") -and
                   $_.CommandLine -match "(^|\s)tunnel(\s|$)|--accept-server-license-terms" }
if ($tunnelProcesses) {
    Write-Host "[!!!] ALERT: VS Code Tunnel Detected!" -ForegroundColor Red
    $tunnelProcesses | ForEach-Object {
        $owner = Invoke-CimMethod -InputObject $_ -MethodName GetOwner
        Write-Host "    PID: $($_.ProcessId)  User: $($owner.Domain)\$($owner.User)" -ForegroundColor Red
        Write-Host "    Command: $($_.CommandLine)" -ForegroundColor Red
        # Option to kill (disrupts legitimate developer tunnels as well):
        # Stop-Process -Id $_.ProcessId -Force
    }
} else {
    Write-Host "[+] No active VS Code tunnels detected." -ForegroundColor Green
}

# 2. Check SumatraPDF instances: non-standard path or invalid signature.
#    Per-user installs live under %LOCALAPPDATA%\SumatraPDF and portable copies
#    run from anywhere, so the path check is a lead; the signature check is the verdict.
$standardPaths = @(
    "C:\Program Files\SumatraPDF",
    "C:\Program Files (x86)\SumatraPDF",
    (Join-Path $env:LOCALAPPDATA "SumatraPDF")
)
$foundSuspicious = $false
Get-Process -Name "SumatraPDF" -ErrorAction SilentlyContinue | ForEach-Object {
    $proc = $_
    $procPath = $proc.Path
    if (-not $procPath) {
        # Path is hidden from non-elevated callers for processes of other users
        Write-Host "[?] PID $($proc.Id): image path unavailable, re-run elevated" -ForegroundColor Yellow
        return
    }
    $isStandard = $standardPaths | Where-Object { $procPath -like "$_\*" }
    $sig = Get-AuthenticodeSignature -FilePath $procPath
    if (-not $isStandard -or $sig.Status -ne "Valid") {
        Write-Host "[!!!] ALERT: SumatraPDF PID $($proc.Id) from $procPath (signature: $($sig.Status))" -ForegroundColor Red
        $foundSuspicious = $true
    }
}
if (-not $foundSuspicious) {
    Write-Host "[+] No suspicious SumatraPDF instances found." -ForegroundColor Green
}
Write-Host "[*] Scan complete." -ForegroundColor Cyan
Remediation
1. Network Segmentation & Firewalling:
- Restrict VS Code Tunnel Endpoints: If your organization does not require remote access via VS Code, block the Dev Tunnels service that backs the feature (*.tunnels.api.visualstudio.com, *.rel.tunnels.api.visualstudio.com and *.devtunnels.ms, all over TCP 443) at the perimeter firewall and proxy. The tunnel is an outbound HTTPS connection to Microsoft-owned infrastructure, so an egress deny or proxy policy is the network control that applies; inbound rules never see it.
- Inspect GitHub Traffic: Monitor and, if necessary, restrict access to raw.githubusercontent.com and gist.githubusercontent.com to authorized build servers and developer workstations.
2. Application Control:
- Block Unauthorized Binaries: Use application control (e.g., Windows Defender Application Control) so that SumatraPDF.exe runs only when signed by its publisher and launched from a standard installation directory (C:\Program Files\SumatraPDF, or the per-user default under %LOCALAPPDATA%\SumatraPDF). A trojanized installer executed from Downloads or %TEMP% fails both checks.
- Restrict Developer Tools: Limit the execution of code.exe and code-tunnel.exe (the VS Code CLI) to authorized developer workstations. Prevent their execution on terminal servers and on endpoints where coding is not a business requirement.
3. User Awareness & Training:
- Alert users—specifically Chinese-speaking targets—regarding the risks of downloading PDF readers or software installers from unverified sources. Emphasize verifying the digital signature of downloaded installers before execution.
4. Incident Response Actions:
- Isolate: Immediately isolate any host showing detections for SumatraPDF spawning shells or establishing VS Code tunnels.
- Forensic Collection: Acquire memory dumps of the code.exe and SumatraPDF.exe processes to identify the payload and C2 configuration.
- Credential Reset: Assume credentials have been compromised wherever a C2 beacon (AdaptixC2) was present and reset passwords for the affected accounts.
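Where tunnels are permitted only on developer workstations, DNS or proxy logs show which other clients are reaching the tunnel service. The following is an added example, not code from the advisory: it triages constructed DNS query lines against the Dev Tunnels suffixes and a developer network allowlist, matching suffixes on a label boundary so a look-alike name such as devtunnels.ms.example.test is not counted. The log format, the 10.20.0.0/16 developer range and the suffix list are assumptions made for the illustration.

```python
"""Added example (not from the advisory): triage of DNS query logs for VS Code
Remote Tunnels endpoints, flagging clients outside the approved developer
network. Suffix matching is done on a label boundary so look-alike names are
not matched."""
import ipaddress
from collections import defaultdict

# Assumption: service suffixes behind VS Code Remote Tunnels (Microsoft Dev Tunnels).
TUNNEL_SUFFIXES = ("tunnels.api.visualstudio.com", "devtunnels.ms")

# Assumption: the developer network where tunnel use is sanctioned.
DEVELOPER_NETS = [ipaddress.ip_network("10.20.0.0/16")]


def is_tunnel_domain(qname: str) -> bool:
    """True for a suffix itself or any subdomain of it; never for a look-alike
    such as devtunnels.ms.example.test or notdevtunnels.ms."""
    q = qname.lower().rstrip(".")
    return any(q == s or q.endswith("." + s) for s in TUNNEL_SUFFIXES)


def parse_dns_line(line: str):
    """Parse one constructed log line '<ts> <client-ip> <qtype> <qname>'.
    Returns None for lines that do not fit, so junk cannot crash the triage."""
    parts = line.split()
    if len(parts) != 4:
        return None
    ts, client, qtype, qname = parts
    try:
        return {"ts": ts, "client": ipaddress.ip_address(client),
                "qtype": qtype, "qname": qname}
    except ValueError:
        return None


def triage(lines):
    """Map each non-developer client to the tunnel endpoints it resolved."""
    hits = defaultdict(list)
    for line in lines:
        rec = parse_dns_line(line)
        if rec is None or not is_tunnel_domain(rec["qname"]):
            continue
        if any(rec["client"] in net for net in DEVELOPER_NETS):
            continue  # sanctioned developer workstation
        hits[str(rec["client"])].append(rec["qname"].lower().rstrip("."))
    return dict(hits)


# Constructed sample log (not real data): 10.1.4.23 is a finance workstation,
# 10.20.7.8 a developer machine; the .example.test name is a look-alike.
SAMPLE_DNS_LOG = [
    "2026-04-06T09:12:44Z 10.1.4.23 A global.rel.tunnels.api.visualstudio.com",
    "2026-04-06T09:12:45Z 10.1.4.23 A t0000-443.euw.devtunnels.ms.",
    "2026-04-06T09:12:46Z 10.1.4.23 A devtunnels.ms.example.test",
    "2026-04-06T09:12:47Z 10.1.4.23 A raw.githubusercontent.com",
    "2026-04-06T09:13:02Z 10.20.7.8 A global.rel.tunnels.api.visualstudio.com",
    "malformed line",
]

if __name__ == "__main__":
    for client, names in triage(SAMPLE_DNS_LOG).items():
        print(f"{client}: {', '.join(names)}")
```

On the sample log only the finance workstation is reported, with the two genuine tunnel endpoints it resolved; the developer machine is allowlisted, the GitHub lookup is out of scope for this check, and the look-alike name and the malformed line are ignored.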
Official Vendor References:
- SumatraPDF Official Downloads - Verify hashes here.
- Microsoft Visual Studio Code Security