HackMyIP
2026-04-24 The Hacker News

Tropic Trooper Uses Trojanized SumatraPDF and GitHub to Deploy AdaptixC2

APT, Malware, Supply Chain

Tropic Trooper, a Chinese‑speaking threat actor tracked by several threat‑intel firms, has launched a new campaign that weaponizes a trojanized version of the popular open‑source PDF viewer SumatraPDF. The malicious installer is hosted on GitHub, where the actor either created a fictitious repository or compromised a legitimate account to distribute the tampered binary. The campaign is aimed primarily at Chinese‑speaking individuals, including activists, journalists and NGOs, who are likely to trust a PDF reader they can download from a popular code‑hosting platform.

Once the victim runs the trojanized SumatraPDF, the executable decrypts embedded shellcode with a simple XOR routine (key 0x5A) and spawns a PowerShell script. The script contacts a command‑and‑control (C2) server, downloads a second‑stage loader, and then fetches the AdaptixC2 Beacon – a post‑exploitation agent that provides a remote shell, keylogging, screenshot capture and the ability to move laterally within the infected network. The Beacon communicates over HTTPS, using a domain fronted by a legitimate CDN to obscure its traffic.

The abuse of GitHub as a distribution vector highlights a supply‑chain compromise that leverages the trust of a widely used development platform. By packaging the malicious code inside a seemingly benign PDF reader, the actors lower the suspicion barrier and increase the likelihood that targets will execute the payload. The focus on Chinese‑speaking victims suggests a strategic interest in espionage or credential harvesting rather than opportunistic ransomware.

Security teams can detect the activity by monitoring for SumatraPDF processes that launch PowerShell or make outbound HTTP(S) connections to newly registered domains associated with AdaptixC2. Endpoint detection and response (EDR) rules that flag anomalous child processes of PDF readers and network traffic to known C2 IP ranges are effective countermeasures. Indicators of compromise (IOCs) include the SHA‑256 hash of the trojanized installer (e.g., a3f9c2…) and the C2 domains identified (e.g., adaptor‑c2[.]xyz). Organizations should also verify the integrity of executables against vendor‑published checksums and restrict execution of software downloaded from untrusted repositories.
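The detection guidance above, worked through as an added example that is not from the article or from any vendor named in it: it flags shells or script hosts whose parent process is a PDF reader in Sysmon-style process-creation records, and checks a downloaded installer against a vendor-published SHA-256. The event records, paths and digests are constructed; the reader and script-host name sets are assumptions, and the reader set generalizes beyond SumatraPDF to other common PDF viewers.

```python
"""Flag script hosts spawned by PDF readers and verify an installer's SHA-256.
Added example; the event records and digests below are constructed, not real IOCs."""
import hashlib
import json
import ntpath

# Parent images that have no business launching a shell or script host (assumed set).
PDF_READERS = {"sumatrapdf.exe", "acrord32.exe", "acrobat.exe", "foxitreader.exe"}
# Child images that warrant an alert when spawned by one of the readers above (assumed set).
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                "cscript.exe", "mshta.exe", "rundll32.exe"}

# Constructed Sysmon-style records (EventID 1 = process creation, 3 = network
# connection), one JSON object per line, as an EDR pipeline might emit them.
SAMPLE_EVENTS = r"""
{"EventID": 1, "UtcTime": "2026-04-24 09:12:01", "Image": "C:\\Users\\lin\\Downloads\\SumatraPDF.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "SumatraPDF.exe report.pdf"}
{"EventID": 1, "UtcTime": "2026-04-24 09:12:03", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "ParentImage": "C:\\Users\\lin\\Downloads\\SumatraPDF.exe", "CommandLine": "powershell.exe -File C:\\Users\\lin\\AppData\\Local\\Temp\\stage.ps1"}
{"EventID": 3, "UtcTime": "2026-04-24 09:12:04", "Image": "C:\\Users\\lin\\Downloads\\SumatraPDF.exe", "DestinationPort": 443}
{"EventID": 1, "UtcTime": "2026-04-24 09:15:40", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "powershell.exe"}
{"EventID": 1, "UtcTime": "2026-04-24 09:20:11", "Image": "C:\\Windows\\System32\\cmd.exe", "ParentImage": "C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\AcroRd32.exe", "CommandLine": "cmd.exe /c dir"}
"""

def _image_name(path: str) -> str:
    """Lower-cased file name of a Windows image path, so matching is case-insensitive."""
    return ntpath.basename(path).lower()

def parse_events(text: str) -> list[dict]:
    """Parse newline-delimited JSON event records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def flag_pdf_reader_children(events: list[dict]) -> list[dict]:
    """Return process-creation events where a PDF reader spawned a script host or shell."""
    findings = []
    for ev in events:
        if ev.get("EventID") != 1:  # only process-creation records carry a parent image
            continue
        parent = _image_name(ev.get("ParentImage", ""))
        child = _image_name(ev.get("Image", ""))
        if parent in PDF_READERS and child in SCRIPT_HOSTS:
            findings.append({"time": ev.get("UtcTime"), "parent": parent,
                             "child": child, "cmdline": ev.get("CommandLine", "")})
    return findings

def verify_checksum(installer_bytes: bytes, published_sha256: str) -> bool:
    """True when the installer's SHA-256 equals the vendor-published digest (any case)."""
    digest = hashlib.sha256(installer_bytes).hexdigest()
    return digest == published_sha256.strip().lower()
```

Running `flag_pdf_reader_children(parse_events(SAMPLE_EVENTS))` on the constructed records returns only the SumatraPDF-to-PowerShell and AcroRd32-to-cmd events; the network record and the shell opened from Explorer are left alone.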

Source: The Hacker News
