Security News

Cybersecurity news aggregator

CRITICAL Attacks SC Media

Tropic Trooper targets Chinese speakers with SumatraPDF trojan and VS Code tunnels

The threat is a sophisticated campaign by Tropic Trooper using a trojanized SumatraPDF application as an initial vector, which delivers the AdaptixC2 Beacon agent and leverages GitHub for command and control. The campaign establishes persistent remote access via Microsoft Visual Studio Code tunnels on compromised, high-value targets. The article does not describe a specific software vulnerability with CVSS scores or fixed versions; it details a social engineering attack chain utilizing malicious software.

April 27, 2026
By SC Staff

As reported by The Hacker News, a new sophisticated cyber campaign has been identified, leveraging a trojanized SumatraPDF reader to target Chinese-speaking individuals. This campaign deploys the AdaptixC2 Beacon post-exploitation agent, ultimately facilitating the misuse of Microsoft Visual Studio Code tunnels for remote access. The campaign, attributed with high confidence to the persistent threat group Tropic Trooper, utilizes a custom AdaptixC2 Beacon listener with GitHub as its command-and-control platform, according to Zscaler ThreatLabz.

The attack begins with a ZIP archive containing military-themed lures to launch a rogue SumatraPDF version. This decoy application displays a fake PDF while secretly retrieving and executing encrypted shellcode. A loader, TOSHIS, a variant of Xiangoop malware linked to Tropic Trooper, then deploys both the lure document and the AdaptixC2 Beacon agent. The agent communicates via GitHub to receive commands. Once a target is deemed valuable, attackers establish VS Code tunnels for remote access, sometimes installing alternative trojanized applications for camouflage. The staging server has also hosted Cobalt Strike Beacon and a custom backdoor, EntryShell, previously used by Tropic Trooper.

Source: The Hacker News