
Tropic Trooper AdaptixC2 and VS Code Tunnel Campaign
Indicators of Compromise
APT Groups

Summary of Actor: Pirate Panda, also known as APT 23, is a Chinese state-sponsored cyber espionage group. They have been active since at least 2009, primarily targeting entities in the defense, aerospace, and high-tech sectors.

General Features: Pirate Panda is known for its sophisticated spear-phishing campaigns and custom malware development. They often use zero-day exploits and are adept at maintaining long-term access to compromised networks. Their operations are typically aligned with Chinese political and economic interests.

Related Other Groups: APT10, APT1, Stone Panda

Indicators of Attack (IoA):
- Use of spear-phishing emails with malicious attachments
- Deployment of custom malware like IXESHE, Etumbot
- Use of compromised legitimate websites for watering hole attacks

Recent Activities and Trends:

Latest Campaigns: Recent campaigns have involved targeting defense contractors with spear-phishing emails containing malicious document attachments. They've also been observed leveraging vulnerabilities in Microsoft Office and Adobe Flash Player to gain initial access.

Emerging Trends: There is an increasing use of fileless malware techniques and advanced obfuscation methods to evade detection. Additionally, Pirate Panda has been seen aligning more closely with Chinese Belt and Road Initiative targets, suggesting a strategic pivot.
Campaign Guidance
Remediation, mitigation, notes, history and related intelligence
DETECTION
| Technique ID | Technique Name | Tactic | Detection Method | Log Sources |
|---|---|---|---|---|
| | Spearphishing Attachment | Initial Access | Monitor for PDF files with embedded executables or unusual metadata. Alert on SumatraPDF processes spawning unexpected child processes or network connections. Detect TOSHIS loader signatures through YARA rules and hash-based detection. | Email gateway logs, Sysmon EID 1/3, EDR process telemetry, VirusTotal API, PDF analysis sandboxes |
| | Process Hollowing | Defense Evasion | Detect abnormal memory allocations and process creation patterns. Monitor for legitimate processes (notepad.exe, explorer.exe) with unexpected network activity or injected code signatures. Alert on processes with mismatched memory regions. | Sysmon EID 8/10, Windows Security EID 4688, EDR memory analysis, Hollows Hunter, ProcessHacker telemetry |
| | Screen Capture | Collection | Monitor for unusual GDI32.dll API calls and screenshot capture activities. Alert on processes performing repeated screen capture operations outside of legitimate screen sharing software. Detect clipboard access patterns. | API hooking solutions, Sysmon EID 7, Windows API monitoring, clipboard monitoring tools, DLP agent logs |
| | Web Service: Dead Drop Resolver | Command and Control | Monitor for connections to suspicious GitHub repositories, particularly those with random names and limited commit history. Alert on GET/POST requests to raw.githubusercontent.com from unexpected processes. | Proxy logs, DNS query logs, GitHub API monitoring, network traffic analysis, EDR network telemetry |
| | Remote Services: Cloud Services | Lateral Movement | Detect unauthorized VS Code tunnel sessions and remote development connections. Monitor for code-tunnel.exe processes and suspicious remote port forwarding activities. Alert on VS Code authentication outside normal development hours. | VS Code logs, authentication logs, remote access logs, network connection monitoring, process telemetry |
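As an added illustration (not code from this write-up or from any vendor tooling), the following Python applies four of the table's process- and network-level checks (SumatraPDF spawning a child, code-tunnel.exe execution, notepad.exe/explorer.exe making network connections, and non-browser processes reaching raw.githubusercontent.com) to constructed Sysmon-style events. The paths, parent processes and destination hosts in the sample events are assumptions made for the demonstration.

```python
# Constructed sample events (not real telemetry). Fields mirror Sysmon EID 1
# (process create: image, parent) and EID 3 (network connect: image, dest_host, dest_port).
SAMPLE_EVENTS = [
    {"eid": 1, "image": r"C:\Users\a\AppData\Local\SumatraPDF\SumatraPDF.exe",
     "parent": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE"},
    {"eid": 1, "image": r"C:\Windows\System32\cmd.exe",
     "parent": r"C:\Users\a\AppData\Local\SumatraPDF\SumatraPDF.exe"},
    {"eid": 3, "image": r"C:\Windows\System32\notepad.exe",
     "dest_host": "raw.githubusercontent.com", "dest_port": 443},
    {"eid": 3, "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "dest_host": "raw.githubusercontent.com", "dest_port": 443},
    {"eid": 1, "image": r"C:\Users\a\.vscode\cli\code-tunnel.exe",
     "parent": r"C:\Windows\System32\cmd.exe"},
    {"eid": 3, "image": r"C:\Windows\explorer.exe",
     "dest_host": "203.0.113.10", "dest_port": 8443},
]

PDF_READERS = {"sumatrapdf.exe"}                        # reader named in the table
HOLLOW_TARGETS = {"notepad.exe", "explorer.exe"}        # hollowing hosts named in the table
BROWSERS = {"firefox.exe", "chrome.exe", "msedge.exe"}  # assumed legitimate clients for GitHub content
DEAD_DROP_HOSTS = {"raw.githubusercontent.com"}

def basename(path):
    """Lower-cased file name from a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()

def evaluate(event):
    """Return the names of the table detections this event matches; empty list means no alert."""
    hits = []
    image = basename(event["image"])
    if event["eid"] == 1:
        parent = basename(event["parent"])
        if parent in PDF_READERS and image != parent:       # Spearphishing Attachment row
            hits.append("pdf-reader-spawned-child")
        if image == "code-tunnel.exe":                      # Remote Services: Cloud Services row
            hits.append("vscode-tunnel-process")
    elif event["eid"] == 3:
        if image in HOLLOW_TARGETS:                         # Process Hollowing row
            hits.append("hollow-target-network-activity")
        if event["dest_host"] in DEAD_DROP_HOSTS and image not in BROWSERS:  # Dead Drop Resolver row
            hits.append("dead-drop-from-unexpected-process")
    return hits

def triage(events):
    """Map event index -> detection names for every event that matched at least one rule."""
    return {i: h for i, e in enumerate(events) if (h := evaluate(e))}
```

In production the code-tunnel.exe and dead-drop rules need an allow-list of accounts and hosts that legitimately use VS Code tunnels and GitHub raw content; the table's "outside normal development hours" condition is not modelled here.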