Tropic Trooper attack chain | Image: Zscaler ThreatLabz
A sophisticated cyber espionage campaign has been uncovered targeting individuals across East Asia, leveraging a deceptive mix of military-themed lures and legitimate developer tools. On March 12, 2026, researchers at Zscaler ThreatLabz identified a malicious ZIP archive containing documents designed to bait Chinese-speaking individuals, as well as targets in South Korea and Japan.
ThreatLabz has attributed this activity to the notorious threat actor Tropic Trooper (also known as Earth Centaur) with “high confidence,” citing the use of signature tools like the TOSHIS loader.
The attack begins with a ZIP archive filled with military and industrial documents. While many files are outdated, the primary hook is an executable masquerading as a PDF titled “Comparative Analysis of US-UK and US-Australia Nuclear Submarine Cooperation (2025).exe”.
This file is actually a trojanized version of the SumatraPDF reader. To the victim, everything looks normal: the binary features identical certificates and PDB paths to the legitimate software. However, once opened, it triggers a silent, multi-stage attack.
“When executed, this loader triggers a multi-stage attack: it downloads and displays a new decoy PDF that is shown to the victim while discreetly downloading and running an AdaptixC2 Beacon agent in the background.”
The first stage involves the TOSHIS loader, which hijacks the control flow of the SumatraPDF binary by overwriting a specific security initialization function. Once active, it downloads a second-stage shellcode—the open-source AdaptixC2 Beacon agent—and executes it directly in memory.
In a clever move to bypass traditional network defenses, the threat actors modified the AdaptixC2 agent to use GitHub as a command-and-control (C2) platform.
- Custom Listener: Unlike standard HTTP listeners, the agent retrieves its external IP address from ipinfo.io because the server cannot see it through GitHub.
- Tasking via Issues: The agent polls a specific GitHub repository, using “substring matching… to extract the issue number, title, and body fields” for commands.
- Operational Security: To remain evasive, “beacons are deleted very quickly, often within 10 seconds of being uploaded,” preventing researchers from easily intercepting and decrypting session keys.
Once Tropic Trooper establishes an initial foothold and identifies an “interesting” victim, they pivot to their final objective: persistent remote access.
They achieve this by deploying Visual Studio (VS) Code and utilizing its built-in tunnels. By running commands like code tunnel user login --provider github, the attackers can establish a secure, legitimate-looking remote connection that bypasses most firewalls. This technique allows them to camouflage their presence among the standard applications a developer or engineer might normally use.
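The two post-compromise behaviours described above, the agent's egress to ipinfo.io and GitHub and the VS Code tunnel launch, both leave ordinary endpoint telemetry behind. The following Python is an added defensive example, not code from Zscaler's report or from any of the tools it names: it hunts over constructed EDR-style process and network events for a non-developer process (here the trojanized PDF reader) contacting ipinfo.io and GitHub, and for any launch of the VS Code CLI with the tunnel subcommand. The event field names, the GitHub host list and the allowlist of processes for which GitHub traffic is expected are assumptions to tune per environment; the sample events are constructed and are not campaign telemetry.

```python
import ntpath
import shlex
from collections import defaultdict

# Hosts the modified AdaptixC2 agent is described as contacting: ipinfo.io for
# its external address and GitHub for issue-based tasking. Including both the
# API host and github.com is an assumption; tune to what your proxy logs show.
C2_RELAY_HOSTS = {"ipinfo.io", "api.github.com", "github.com"}

# Processes for which GitHub traffic is expected on a developer workstation.
# Assumed allowlist for this example; tune per environment.
EXPECTED_GITHUB_CLIENTS = {"code.exe", "git.exe", "gh.exe",
                           "chrome.exe", "msedge.exe", "firefox.exe"}

# Constructed sample telemetry (not real campaign data). Field names follow an
# assumed generic EDR layout: "process" = launch, "network" = outbound connection.
SAMPLE_EVENTS = [
    {"type": "process", "host": "ws-17", "pid": 4120,
     "image": r"C:\Users\analyst\Downloads\Comparative Analysis of US-UK and US-Australia Nuclear Submarine Cooperation (2025).exe",
     "cmdline": r'"C:\Users\analyst\Downloads\Comparative Analysis of US-UK and US-Australia Nuclear Submarine Cooperation (2025).exe"'},
    {"type": "network", "host": "ws-17", "pid": 4120, "dest_host": "ipinfo.io", "dest_port": 443},
    {"type": "network", "host": "ws-17", "pid": 4120, "dest_host": "api.github.com", "dest_port": 443},
    {"type": "process", "host": "ws-17", "pid": 5208,
     "image": r"C:\Program Files\Microsoft VS Code\bin\code.exe",
     "cmdline": r'"C:\Program Files\Microsoft VS Code\bin\code.exe" tunnel user login --provider github'},
    # Benign noise: a browser on GitHub, and a developer opening a folder in VS Code.
    {"type": "process", "host": "ws-02", "pid": 880,
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe", "cmdline": "chrome.exe"},
    {"type": "network", "host": "ws-02", "pid": 880, "dest_host": "github.com", "dest_port": 443},
    {"type": "process", "host": "ws-02", "pid": 912,
     "image": r"C:\Program Files\Microsoft VS Code\Code.exe",
     "cmdline": r'"C:\Program Files\Microsoft VS Code\Code.exe" C:\src\project'},
]


def _process_index(events):
    """Map (host, pid) -> image path using the process-creation events."""
    return {(e["host"], e["pid"]): e["image"] for e in events if e["type"] == "process"}


def find_suspicious_relay_egress(events):
    """Flag non-allowlisted processes that contact ipinfo.io and/or GitHub.

    Returns findings sorted by (host, pid). 'hosts' lists the relay destinations
    contacted; 'both_relays' is True when the process hit ipinfo.io and a GitHub
    host, the combination the report attributes to the modified agent.
    """
    images = _process_index(events)
    contacted = defaultdict(set)
    for e in events:
        if e["type"] == "network" and e["dest_host"].lower() in C2_RELAY_HOSTS:
            contacted[(e["host"], e["pid"])].add(e["dest_host"].lower())
    findings = []
    for (host, pid), hosts in sorted(contacted.items()):
        image = images.get((host, pid), "<unknown>")
        if ntpath.basename(image).lower() in EXPECTED_GITHUB_CLIENTS:
            continue
        findings.append({"host": host, "pid": pid, "image": image,
                         "hosts": sorted(hosts),
                         "both_relays": "ipinfo.io" in hosts and len(hosts) > 1})
    return findings


def find_vscode_tunnel_launches(events):
    """Flag launches of the VS Code CLI with the `tunnel` subcommand.

    The report describes `code tunnel user login --provider github`; any
    `tunnel` invocation is worth review where remote tunnels are not sanctioned.
    """
    findings = []
    for e in events:
        if e["type"] != "process":
            continue
        try:
            # Non-POSIX split keeps Windows backslashes literal; quotes are
            # retained on the token, so strip them before taking the basename.
            tokens = [t.strip('"') for t in shlex.split(e["cmdline"], posix=False)]
        except ValueError:  # unbalanced quotes in a hostile command line
            tokens = e["cmdline"].split()
        if not tokens:
            continue
        exe = ntpath.basename(tokens[0]).lower()
        args = [t.lower() for t in tokens[1:]]
        if exe in {"code", "code.exe", "code.cmd"} and "tunnel" in args:
            findings.append({"host": e["host"], "pid": e["pid"], "cmdline": e["cmdline"]})
    return findings


if __name__ == "__main__":
    for f in find_suspicious_relay_egress(SAMPLE_EVENTS):
        print("relay egress:", f)
    for f in find_vscode_tunnel_launches(SAMPLE_EVENTS):
        print("vscode tunnel:", f)
```

Correlating the network events back to the launching image is what separates the trojanized reader from a browser or git client legitimately talking to GitHub; on its own, GitHub traffic is far too common to alert on, which is exactly why the actors chose it.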
The link to Tropic Trooper is supported by a mountain of technical evidence:
- TOSHIS Loader: The code is nearly identical to samples used in previous Tropic Trooper campaigns.
- Shared Infrastructure: The staging server was found hosting the EntryShell backdoor and a Cobalt Strike Beacon with the watermark “520”—both classic signatures of the group.
- Consistent TTPs: The specific use of VS Code tunnels and the “z.txt” file naming convention mirror techniques seen in their earlier TAOTH campaign.