Chinese APT Turns GitHub Into a Command Channel
Tropic Trooper, also tracked as Earth Centaur, has been linked to a campaign distributing the AdaptixC2 post-exploitation framework inside a trojanised SumatraPDF installer. The malicious installer is hosted on a convincing lookalike domain and distributed through targeted spear-phishing and watering-hole attacks aimed at technology sector and government-adjacent organisations.
SumatraPDF is a legitimate, widely trusted open-source Windows PDF reader with no automatic update mechanism. Users who install it from a third-party source receive no vendor notification about a compromised version, and the malicious installer behaves identically to the real application: it installs a fully functional copy while silently deploying AdaptixC2 in the background.
AdaptixC2 and the GitHub Relay Architecture
AdaptixC2 is a modular post-exploitation framework with capabilities similar to Cobalt Strike and Sliver: encrypted beacon communications, lateral movement modules, credential dumping, and a runtime-extensible plugin system. The framework is publicly available and has appeared in multiple China-nexus campaigns.
The operationally distinctive feature of this campaign is how the implant communicates. Rather than connecting directly to attacker-controlled infrastructure, AdaptixC2 communicates via the GitHub REST API, reading base64-encoded tasking from attacker-controlled repository commits and issue bodies, and posting results the same way. From a network visibility perspective, all C2 traffic appears as HTTPS to api.github.com.
This technique, using legitimate cloud platforms as command-and-control relay layers, is known as "living off trusted sites" (LOTS). It has been observed with Slack, Discord, Dropbox, and OneDrive in previous campaigns. GitHub represents an escalation: the API is used at high volume by virtually every enterprise software team, making volumetric detection or behavioural baseline anomaly detection difficult to tune without generating significant false positive noise.
Targeting Profile
The campaign targets technology sector organisations and government-adjacent entities, consistent with Tropic Trooper's documented history across Taiwan, the Philippines, and Western government contractors. The use of SumatraPDF as a delivery lure is deliberate: it skews toward technical users (developers, analysts, and security researchers) who are more likely to seek lightweight PDF alternatives to Adobe Acrobat and are more likely to have administrative rights on their workstations.
The campaign has been active since at least early April 2026. Dwell time between installation and observable lateral movement activity has been measured in days to weeks in confirmed victim environments.
Why "Block Malicious Domains" Is Not Sufficient Detection
The LOTS technique directly undermines the most common network-level detection approach: blocking or alerting on connections to known-malicious domains. When C2 is relayed through api.github.com, the egress destination carries no malicious signal. Detection requires behavioural analytics that identify C2 patterns (beacon interval regularity, unusual API call sequences, encoded payloads in commit or issue bodies) regardless of whether the destination is itself flagged.
Recommended Actions
- Block SumatraPDF execution from unapproved sources: If SumatraPDF is not in your approved software catalogue, block it via application control. If it is approved, enforce hash verification against official Sumatra GitHub releases
- Alert on GitHub API calls from non-developer endpoints: Workstations not part of software development workflows have limited legitimate reasons to issue api.github.com REST API calls outside of a browser context; alert and investigate
- Hunt for AdaptixC2 indicators of compromise: Published IOC sets from Kaspersky and The Hacker News should be run against EDR telemetry and SIEM logs covering the past 30 days
- Monitor SumatraPDF for anomalous child processes: Legitimate SumatraPDF does not spawn cmd.exe or PowerShell, or open network connections, on installation; such activity following installation is a direct compromise indicator
- Review software download policies: Require all software installation to route through approved distribution channels (SCCM, Intune, corporate app catalogue); prevent installation from direct download links
- Tune behavioural analytics for LOTS C2 patterns: Signature-based controls cannot detect this campaign; detection depends on identifying beacon cadence, encoded data exchange, and unusual GitHub API access patterns through endpoint and network telemetry
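As an added illustration of the behavioural detection described in the last item and in the section above (example code written for this page, not code from the article, Kaspersky, or any vendor), the following Python scores api.github.com traffic per source host on two of the signals the article names: whether the host has a developer role, and how regular its request intervals are. The proxy log lines, host names, repository paths, user agents and the asset-inventory set are all constructed for the example.

```python
import statistics
from datetime import datetime

# Constructed proxy log sample: timestamp, source host, destination, path, user agent.
# Hosts, repos and user agents are made up for this example; they are not article IOCs.
PROXY_LOG = """\
2026-04-14T09:00:00 WS-FIN-07 api.github.com /repos/example-org/notes/issues/4 python-urllib/3.11
2026-04-14T09:05:00 WS-FIN-07 api.github.com /repos/example-org/notes/issues/4 python-urllib/3.11
2026-04-14T09:10:00 WS-FIN-07 api.github.com /repos/example-org/notes/issues/4 python-urllib/3.11
2026-04-14T09:15:01 WS-FIN-07 api.github.com /repos/example-org/notes/issues/4/comments python-urllib/3.11
2026-04-14T09:00:12 DEV-LAP-21 api.github.com /repos/example-org/app/pulls git/2.44.0
2026-04-14T09:07:40 DEV-LAP-21 api.github.com /repos/example-org/app/pulls/88 git/2.44.0
2026-04-14T09:31:05 DEV-LAP-21 api.github.com /user git/2.44.0
2026-04-14T10:02:50 DEV-LAP-21 api.github.com /repos/example-org/app/commits git/2.44.0
"""
DEV_ENDPOINTS = {"DEV-LAP-21"}   # assumed asset inventory: hosts with a developer role
MIN_REQUESTS = 4                 # enough requests to judge interval regularity
MAX_CV = 0.05                    # stdev/mean of intervals below this = beacon-like

def parse(log):
    """Yield (timestamp, src, dest, path, user_agent) for each log line."""
    for line in log.strip().splitlines():
        ts, src, dest, path, ua = line.split(maxsplit=4)
        yield datetime.fromisoformat(ts), src, dest, path, ua

def cadence_cv(times):
    """Coefficient of variation of inter-request gaps; None if too few samples."""
    times = sorted(times)
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    if len(gaps) < 2 or statistics.mean(gaps) == 0:
        return None
    return statistics.stdev(gaps) / statistics.mean(gaps)

def find_github_beacons(log=PROXY_LOG, dev_endpoints=DEV_ENDPOINTS):
    """Return {host: [reasons]} for hosts whose api.github.com use looks like C2."""
    per_host = {}
    for ts, src, dest, _path, _ua in parse(log):
        if dest == "api.github.com":
            per_host.setdefault(src, []).append(ts)
    findings = {}
    for host, times in per_host.items():
        reasons = []
        if host not in dev_endpoints:
            reasons.append("api.github.com calls from non-developer endpoint")
        if len(times) >= MIN_REQUESTS:
            cv = cadence_cv(times)
            if cv is not None and cv < MAX_CV:
                reasons.append(f"regular beacon cadence (cv={cv:.3f})")
        if reasons:
            findings[host] = reasons
    return findings
```

In the sample, WS-FIN-07 is flagged on both signals (five-minute intervals with almost no jitter from a non-developer host) while DEV-LAP-21's irregular, developer-role traffic is not; tune MAX_CV and MIN_REQUESTS against your own baseline, since implants that add jitter will need a looser threshold and longer observation windows.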