Tropic Trooper Exploits SumatraPDF and VS Code Tunnels for Espionage
A sophisticated campaign by the threat group Tropic Trooper is targeting Chinese-speaking individuals. The attackers are leveraging a trojanized version of the SumatraPDF reader to deploy the AdaptixC2 post-exploitation agent. This allows them to gain a foothold and further abuse Microsoft Visual Studio Code (VS Code) tunnels for persistent remote access, as detailed by Zscaler ThreatLabz.
The attack chain shows a clear focus on staying covert. By trojanizing a legitimate, widely used PDF reader rather than exploiting a vulnerability in it, Tropic Trooper relies on the user's trust in a familiar application to get past initial scrutiny. The subsequent use of VS Code's remote tunnel feature as a command-and-control channel blends a legitimate developer tool into the intrusion: the traffic terminates at Microsoft-operated infrastructure and the binary is signed, so it draws less suspicion than a bespoke implant beaconing to attacker-owned hosts.
What This Means For You
- If your organization uses SumatraPDF, or allows Microsoft VS Code remote tunnels, treat this as an immediate hunt rather than a routine patch. Verify every SumatraPDF install against the official release (compare the installed binary's hash with the vendor's published build) and look for copies running from user-writable paths such as Downloads or AppData. For VS Code, enumerate hosts where the CLI is invoked with the tunnel subcommand (code tunnel, including tunnels registered as a service) and look for outbound connections to the Microsoft Dev Tunnels service that back VS Code tunnels (the documented endpoints are under devtunnels.ms and tunnels.api.visualstudio.com) from machines that have no developer need for them. Disable tunnels where remote development is not required, and monitor them closely where it is. Until it has been checked, assume any host with these components could be Tropic Trooper's entry point.
Detection Rules
Tropic Trooper SumatraPDF Execution with Suspicious Child Process
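The logic behind the rule named above, together with the audit step under What This Means For You, as one added example that is not part of this page or of Zscaler's report. It scans process-creation events in Sysmon Event ID 1 field names (Image, ParentImage, CommandLine, ProcessId) exported as JSON lines, flags a SumatraPDF.exe parent spawning a LOLBin or the VS Code CLI, and flags any VS Code CLI invocation whose first positional argument is the tunnel subcommand. The sample events, the suspicious-child set, the CLI image names and the ATT&CK mappings are this example's own assumptions, not indicators from the report.

```python
"""Hunt constructed process-creation telemetry for the two behaviours above.

Events use Sysmon Event ID 1 field names (Image, ParentImage, CommandLine,
ProcessId) as exported to JSON lines; the sample events are constructed for
this example, not captured from a real incident.
"""
from __future__ import annotations

import json
import ntpath
import shlex
from dataclasses import dataclass

# Children a PDF reader has no legitimate reason to spawn (example set).
SUSPICIOUS_CHILDREN = {
    "cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
    "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe", "code.exe",
}

# Image names of the VS Code CLI, which is what starts a tunnel (example set).
VSCODE_CLI_IMAGES = {"code.exe", "code-tunnel.exe", "code"}


@dataclass(frozen=True)
class Finding:
    rule: str
    technique: str   # ATT&CK mapping assumed by this example
    pid: int
    detail: str


def _image_name(path: str) -> str:
    """Lower-cased file name from a Windows or POSIX path."""
    return ntpath.basename(path.replace("/", "\\")).lower()


def _argv(command_line: str) -> list[str]:
    """Split a Windows command line; fall back to whitespace on bad quoting."""
    try:
        return shlex.split(command_line, posix=False)
    except ValueError:
        return command_line.split()


def detect_sumatra_child(ev: dict) -> Finding | None:
    """SumatraPDF.exe parent spawning a LOLBin or the VS Code CLI."""
    if _image_name(ev.get("ParentImage", "")) != "sumatrapdf.exe":
        return None
    child = _image_name(ev.get("Image", ""))
    if child not in SUSPICIOUS_CHILDREN:
        return None
    return Finding(
        rule="Tropic Trooper SumatraPDF Execution with Suspicious Child Process",
        technique="T1204.002",  # User Execution: Malicious File (assumed mapping)
        pid=int(ev["ProcessId"]),
        detail=f"SumatraPDF spawned {child}: {ev.get('CommandLine', '')}",
    )


def detect_vscode_tunnel(ev: dict) -> Finding | None:
    """VS Code CLI whose first positional argument is the 'tunnel' subcommand."""
    if _image_name(ev.get("Image", "")) not in VSCODE_CLI_IMAGES:
        return None
    argv = _argv(ev.get("CommandLine", ""))
    # Skip argv[0] (the image) and flags; non-posix shlex keeps the quotes.
    positional = [a.strip('"') for a in argv[1:] if not a.startswith("-")]
    if not positional or positional[0].lower() != "tunnel":
        return None
    return Finding(
        rule="VS Code tunnel started",
        technique="T1219",  # Remote Access Software (assumed mapping)
        pid=int(ev["ProcessId"]),
        detail=ev.get("CommandLine", ""),
    )


RULES = (detect_sumatra_child, detect_vscode_tunnel)


def hunt(events) -> list[Finding]:
    """Run every rule over every event, in event order."""
    return [f for ev in events for rule in RULES if (f := rule(ev)) is not None]


def hunt_jsonl(text: str) -> list[Finding]:
    """Same, over JSON-lines input (one Sysmon-style event per line)."""
    return hunt(json.loads(line) for line in text.splitlines() if line.strip())


# Constructed sample: benign reader launch; trojanized reader in a user-writable
# path launching cmd; cmd launching the VS Code CLI tunnel; benign VS Code start.
SAMPLE_EVENTS = [
    {"ProcessId": 4120, "Image": r"C:\Program Files\SumatraPDF\SumatraPDF.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Program Files\SumatraPDF\SumatraPDF.exe" C:\Users\alice\Downloads\invoice.pdf'},
    {"ProcessId": 4188, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Users\alice\Downloads\SumatraPDF\SumatraPDF.exe",
     "CommandLine": r'cmd.exe /c "C:\Users\alice\AppData\Local\Temp\code.exe" tunnel --accept-server-license-terms'},
    {"ProcessId": 4201, "Image": r"C:\Users\alice\AppData\Local\Temp\code.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'"C:\Users\alice\AppData\Local\Temp\code.exe" tunnel --accept-server-license-terms --name dev-box'},
    {"ProcessId": 5011, "Image": r"C:\Program Files\Microsoft VS Code\Code.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Program Files\Microsoft VS Code\Code.exe" C:\src\project'},
]
SAMPLE_LOG = "\n".join(json.dumps(ev) for ev in SAMPLE_EVENTS)

if __name__ == "__main__":
    for f in hunt_jsonl(SAMPLE_LOG):
        print(f"[{f.technique}] pid={f.pid} {f.rule}: {f.detail}")
```

The tunnel rule keys on the subcommand rather than on the string "tunnel" appearing anywhere in the command line, so a user opening a folder or file that happens to be called tunnel does not fire it; the reverse trade-off is that a renamed copy of the CLI escapes the image-name check, which is why the SumatraPDF parent-child rule is kept as an independent signal.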
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| Tropic-Trooper-2026-04 | Trojan | Trojanized SumatraPDF reader |
| Tropic-Trooper-2026-04 | Malware Deployment | AdaptixC2 Beacon post-exploitation agent |
| Tropic-Trooper-2026-04 | Remote Access | Abuse of Microsoft Visual Studio Code (VS Code) tunnels |
| Tropic-Trooper-2026-04 | Threat Actor | Tropic Trooper (aka Earth Tiger, KeyBoy, or Pirate Panda) |