A sophisticated cyberattack campaign is actively targeting Chinese-speaking users through a weaponized version of SumatraPDF, a popular document reader. Security researchers have identified the malware delivery chain, which leverages GitHub as an intermediary platform to deploy the AdaptixC2 Beacon—a powerful post-exploitation tool designed to establish persistent remote access on compromised systems.
The campaign, attributed to Tropic Trooper with high confidence, exploits the trust users place in legitimate software. By distributing a trojanized variant of SumatraPDF, attackers can infiltrate systems while appearing benign to end users. Once installed, the malware facilitates deployment of AdaptixC2 Beacon, enabling attackers to execute commands and maintain long-term control over infected machines.
A particularly concerning aspect of this attack involves the abuse of Microsoft Visual Studio Code tunnels—a feature designed for remote development collaboration. Attackers weaponize VS Code tunnels to establish encrypted remote access channels that ride on legitimate Microsoft infrastructure, which makes the traffic hard to distinguish from ordinary developer activity and makes detection and mitigation significantly more difficult for security teams. This multi-stage approach demonstrates considerable sophistication in operational tradecraft.
The discovery came during an investigation last month, revealing that GitHub served as a distribution vector in the attack chain. By hosting malicious payloads or instructions on the platform, threat actors leveraged GitHub's legitimate reputation to bypass security filters and increase successful infection rates among their target demographic.
Tropic Trooper, the threat group responsible, has demonstrated a sustained interest in targeting Chinese-speaking populations with advanced malware capabilities. The group's willingness to adopt legitimate development tools as attack infrastructure underscores an evolving threat landscape where attackers increasingly blend into normal network traffic and development practices.
Organizations should implement strict controls around document readers, monitor unusual Visual Studio Code tunnel activity, and educate users about the risks of downloading software from untrusted sources. Security teams are advised to watch for indicators of AdaptixC2 Beacon activity and implement network monitoring to detect suspicious remote access attempts using VS Code tunnels.
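As an added example (not code from the article or the researchers' report), a small Python detector for the VS Code tunnel activity the last paragraph says to monitor, run over constructed process-creation and DNS log lines. The indicators it matches on (the `code tunnel` subcommand and `code-tunnel.exe` binary, the `tunnels.api.visualstudio.com` and `devtunnels.ms` relay domains), the log format and the allow-listed host are assumptions, not values from the page.

```python
import re

# Assumed indicators (not from the article): the VS Code CLI starts a tunnel
# with "code tunnel" (code-tunnel.exe on Windows) and relays through
# Microsoft's tunnels.api.visualstudio.com / devtunnels.ms domains.
TUNNEL_DOMAINS = ("tunnels.api.visualstudio.com", "devtunnels.ms")
TUNNEL_BINARIES = {"code", "code.exe", "code-tunnel.exe"}
# Hosts where developers are expected to run tunnels (assumed allow-list).
EXPECTED_HOSTS = {"dev-ws01"}

# Constructed log formats for this example, one event per line.
PROC_RE = re.compile(r"PROC host=(\S+) image=(.+?) cmd=(.*)")
DNS_RE = re.compile(r"DNS host=(\S+) query=(\S+)")

def is_tunnel_domain(name):
    """True if the queried name is a tunnel relay domain or a subdomain of one."""
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in TUNNEL_DOMAINS)

def classify(line):
    """Return (host, reason) when a line shows tunnel activity, else None."""
    m = PROC_RE.match(line)
    if m:
        host, image, cmd = m.groups()
        binary = re.split(r"[\\/]", image)[-1].lower()
        if binary in TUNNEL_BINARIES and re.search(r"\btunnel\b", cmd):
            return host, "vscode-tunnel-process"
        return None
    m = DNS_RE.match(line)
    if m and is_tunnel_domain(m.group(2)):
        return m.group(1), "vscode-tunnel-dns"
    return None

def find_unexpected_tunnels(lines):
    """Map each non-allow-listed host to the set of tunnel signals seen on it."""
    findings = {}
    for line in lines:
        hit = classify(line)
        if hit and hit[0] not in EXPECTED_HOSTS:
            findings.setdefault(hit[0], set()).add(hit[1])
    return findings

# Constructed sample telemetry (not real indicators from the campaign).
SAMPLE_LOG = [
    "PROC host=dev-ws01 image=C:\\Program Files\\Microsoft VS Code\\bin\\code.exe cmd=code tunnel --accept-server-license-terms",
    "PROC host=fin-pc07 image=C:\\Users\\u\\AppData\\Local\\Temp\\code-tunnel.exe cmd=code-tunnel.exe tunnel --name fin-pc07",
    "DNS host=fin-pc07 query=global.rel.tunnels.api.visualstudio.com",
    "PROC host=hr-pc02 image=C:\\Program Files\\SumatraPDF\\SumatraPDF.exe cmd=SumatraPDF.exe report.pdf",
]
```

A host outside the allow-list that shows both a tunnel process launch and a relay-domain lookup, as `fin-pc07` does here, is the combination worth escalating; a tunnel binary running from a user-writable temp directory strengthens the signal further.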