Tropic Trooper Exploits SumatraPDF and VS Code Tunnels for Espionage

Zscaler ThreatLabz has documented a campaign by the threat group Tropic Trooper targeting Chinese-speaking individuals. The attackers distribute a trojanized build of the SumatraPDF reader that deploys the AdaptixC2 post-exploitation agent (its Beacon). That foothold is then used to set up Microsoft Visual Studio Code (VS Code) remote tunnels, giving the operators persistent remote access to the compromised host.

The infection chain is built for stealth rather than technical novelty in the initial stage. A modified copy of a legitimate, widely used PDF reader gives the payload cover against user suspicion and simple reputation checks, and routing command and control through VS Code's remote tunnel feature lets the operators hide in traffic to Microsoft-owned infrastructure that a developer workstation would plausibly generate. Nothing on this page describes a vulnerability in SumatraPDF itself; the threat is a modified copy of the application, so the defensive question is where the binary came from, not whether it is patched.

What This Means For You

  • If your organization uses SumatraPDF, or allows VS Code with remote tunnels enabled, treat this as actionable now. Audit endpoints for SumatraPDF binaries that did not come from the official release (compare file hashes or code signatures against the official download) and for SumatraPDF spawning child processes a PDF reader has no reason to launch, such as PowerShell, cmd.exe or rundll32.exe. Inventory VS Code tunnel usage: the tunnel is started from the command line (code tunnel) and the resulting connections go to Microsoft's tunnel relay, so both process and proxy logs are useful. Where tunnels are not essential to the development workflow, block or strictly monitor them. Until the audit is complete, treat any host with these components as a potential entry point for Tropic Trooper.
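The audit and monitoring steps above reduce to two detections: SumatraPDF launching an interpreter or LOLBin, and VS Code being used to open a remote tunnel. The following Python is an added example written for this page, not Zscaler's or the site's own detection rules. The events are constructed to resemble Sysmon Event ID 1 (process create) and Event ID 3 (network connection) records; the suspicious child-process list, the VS Code image names, the tunnel relay domains, and all hostnames and paths are assumptions to validate against your own telemetry.

```python
"""Added example (not the page's or Zscaler's detection logic): two rules for
the Tropic Trooper tradecraft described above, run over constructed events in
the shape of Sysmon Event ID 1 (process create) and Event ID 3 (network
connection). Child-process list, image names, tunnel domains, hostnames and
paths are assumptions; tune them against your own telemetry."""

SUSPICIOUS_CHILDREN = {
    "cmd.exe", "powershell.exe", "pwsh.exe", "rundll32.exe", "regsvr32.exe",
    "mshta.exe", "wscript.exe", "cscript.exe", "certutil.exe", "bitsadmin.exe",
}
VSCODE_IMAGES = {"code.exe", "code-insiders.exe", "code"}
# Relay domains VS Code tunnels talk to (assumption: confirm in your proxy logs).
TUNNEL_DOMAINS = ("devtunnels.ms", "tunnels.api.visualstudio.com")


def basename(path: str) -> str:
    """Last path component, lower-cased, tolerant of either slash style."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def rule_sumatra_child(ev: dict) -> bool:
    """T1204.002: the PDF reader launching an interpreter or LOLBin."""
    return (
        ev.get("EventID") == 1
        and basename(ev.get("ParentImage", "")) == "sumatrapdf.exe"
        and basename(ev.get("Image", "")) in SUSPICIOUS_CHILDREN
    )


def rule_vscode_tunnel(ev: dict) -> bool:
    """T1219 (author's mapping): VS Code CLI starting a tunnel, or any
    process connecting to the tunnel relay domains."""
    if ev.get("EventID") == 1 and basename(ev.get("Image", "")) in VSCODE_IMAGES:
        argv = ev.get("CommandLine", "").lower().split()
        return "tunnel" in argv[1:]  # `code tunnel ...`, not a file path
    if ev.get("EventID") == 3:
        host = ev.get("DestinationHostname", "").lower()
        return any(host == d or host.endswith("." + d) for d in TUNNEL_DOMAINS)
    return False


RULES = (
    ("Tropic Trooper SumatraPDF suspicious child process", rule_sumatra_child),
    ("VS Code remote tunnel activity", rule_vscode_tunnel),
)


def scan(events):
    """Return (rule name, host, record id) for every event matching a rule."""
    hits = []
    for ev in events:
        for name, rule in RULES:
            if rule(ev):
                hits.append((name, ev.get("Computer"), ev.get("RecordID")))
    return hits


# Constructed sample telemetry (not real IOCs from the campaign).
SAMPLE_EVENTS = [
    {"RecordID": 1, "EventID": 1, "Computer": "WS01",
     "ParentImage": r"C:\Users\lee\Downloads\SumatraPDF\SumatraPDF.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -ep bypass"},
    {"RecordID": 2, "EventID": 1, "Computer": "WS01",   # benign document open
     "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Program Files\SumatraPDF\SumatraPDF.exe",
     "CommandLine": '"SumatraPDF.exe" report.pdf'},
    {"RecordID": 3, "EventID": 1, "Computer": "WS01",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Users\lee\AppData\Local\code.exe",
     "CommandLine": "code.exe tunnel --accept-server-license-terms --name ws01"},
    {"RecordID": 4, "EventID": 3, "Computer": "WS01",
     "Image": r"C:\Users\lee\AppData\Local\code.exe",
     "DestinationHostname": "global.rel.tunnels.api.visualstudio.com",
     "DestinationPort": 443},
    {"RecordID": 5, "EventID": 1, "Computer": "DEV02",  # normal editor launch
     "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Users\dev\AppData\Local\Programs\Microsoft VS Code\Code.exe",
     "CommandLine": '"Code.exe" C:\\src\\project'},
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(hit)
```

Run against the sample, records 1, 3 and 4 fire and the two benign launches do not. The tunnel rule deliberately keys on the `tunnel` subcommand rather than on the VS Code binary itself, since the editor is legitimate on developer machines; the network half catches a renamed CLI that still has to reach the relay.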
πŸ›‘οΈ Am I exposed to this? Check if Microsoft impacts your environment β€” get SIEM detection rules instantly β†’

Related ATT&CK Techniques

T1204.002 User Execution: Malicious File (Execution), rated critical for this incident

Detection Rules

Tropic Trooper SumatraPDF Execution with Suspicious Child Process (Sigma rule, mapped to T1204.002; the rule body is not reproduced on this page)

Source: Shimi's Cyber World

Indicators of Compromise

The indicators listed here are descriptive only; no hashes, domains or IP addresses are given on this page. The ID column is the site's incident identifier, not a sample identifier.

ID                       Type                 Indicator
Tropic-Trooper-2026-04   Trojan               Trojanized SumatraPDF reader
Tropic-Trooper-2026-04   Malware Deployment   AdaptixC2 Beacon post-exploitation agent
Tropic-Trooper-2026-04   Remote Access        Abuse of Microsoft Visual Studio Code (VS Code) tunnels
Tropic-Trooper-2026-04   Threat Actor         Tropic Trooper (aka Earth Tiger, KeyBoy, or Pirate Panda)
