Tropic Trooper AdaptixC2 and VS Code Tunnel Campaign

Tags: Tropic Trooper, APT23, Earth Centaur, AdaptixC2, TOSHIS loader, VS Code tunnels, GitHub C2, SumatraPDF trojan, Chinese targeting, Taiwan espionage, defense contractor infiltration

A cyber espionage campaign run by the Tropic Trooper APT group (APT23/Earth Centaur) against Chinese-speaking targets in Taiwan, South Korea, and Japan. The campaign delivers a trojanized SumatraPDF reader, which drops the TOSHIS loader and then AdaptixC2 beacons, and it abuses GitHub for C2 and Visual Studio Code tunnels as a persistent remote-access channel to government, military, and defense contractor networks.

Indicators of Compromise

stg.lsmartv.com

APT Groups (1)

Pirate Panda (CN)

Summary of Actor: Pirate Panda, also known as APT 23, is a Chinese state-sponsored cyber espionage group. It has been active since at least 2009 and primarily targets entities in the defense, aerospace, and high-tech sectors.

General Features: Pirate Panda is known for sophisticated spear-phishing campaigns and custom malware development. It often uses zero-day exploits and is adept at maintaining long-term access to compromised networks. Its operations are typically aligned with Chinese political and economic interests.

Related Other Groups: APT10 (Stone Panda), APT1

Indicators of Attack (IoA):
- Spear-phishing emails with malicious attachments
- Deployment of custom malware; this card lists IXESHE and Etumbot, families more commonly attributed to APT12/Numbered Panda, while Tropic Trooper's own long-running family is KeyBoy (see the aliases below), so treat these malware names as a weak pivot
- Use of compromised legitimate websites for watering-hole attacks

Recent Activities and Trends:
Latest Campaigns: Recent campaigns have targeted defense contractors with spear-phishing emails carrying malicious document attachments. The group has also been observed exploiting vulnerabilities in Microsoft Office and Adobe Flash Player for initial access.
Emerging Trends: Increasing use of fileless techniques and advanced obfuscation to evade detection. Pirate Panda has also been seen aligning more closely with Chinese Belt and Road Initiative targets, suggesting a strategic pivot.

Aliases: BRONZE HOBART, Earth Centaur, G0081 (MITRE ATT&CK), KeyBoy, APT23 / APT 23, Red Orthrus, Tropic Trooper

Campaign Guidance

Remediation, mitigation, notes, history and related intelligence

DETECTION


Each entry below gives the ATT&CK technique ID, technique name and tactic, followed by the detection method and the log sources it relies on.

T1566.001 | Spearphishing Attachment | Initial Access
Detection Method: Monitor for PDF files with embedded executables or unusual metadata. Alert on SumatraPDF processes spawning child processes (the reader has no legitimate reason to do so) or making outbound connections beyond its own update check. Detect the TOSHIS loader with YARA rules and hash-based matching, and pair the hash matches with the behavioural checks because hashes change between builds.
Log Sources: Email gateway logs, Sysmon EID 1 (process create) and EID 3 (network connect), EDR process telemetry, VirusTotal API, PDF analysis sandboxes

T1055.012 | Process Hollowing | Defense Evasion
Detection Method: Detect abnormal memory allocations and thread-context manipulation in processes created suspended. Monitor legitimate binaries (notepad.exe, explorer.exe) for unexpected network activity or injected-code signatures, and alert on image-backed memory regions whose contents no longer match the PE on disk, which is what Hollows Hunter and pe-sieve scan for.
Log Sources: Sysmon EID 8 (CreateRemoteThread) and EID 10 (ProcessAccess), Windows Security EID 4688, EDR memory analysis, Hollows Hunter / pe-sieve scans, manual triage with Process Hacker

T1113 | Screen Capture | Collection
Detection Method: Monitor for screenshot-related API use (GDI32 BitBlt and related calls) and alert on processes that capture the screen repeatedly outside known screen-sharing or collaboration software. Detect clipboard access patterns. Caveat: Sysmon EID 7 will record gdi32.dll loads, but nearly every GUI process loads that DLL, so use it to corroborate rather than as a trigger.
Log Sources: API hooking solutions or EDR API telemetry, Sysmon EID 7 (image load, low signal on its own), Windows API monitoring, clipboard monitoring tools, DLP agent logs

T1102.001 | Web Service: Dead Drop Resolver | Command and Control
Detection Method: Monitor for connections to suspicious GitHub repositories, particularly those with random-looking names and little commit history. Alert on GET requests to raw.githubusercontent.com (and gist.githubusercontent.com or api.github.com) from processes that are not developer tools or browsers. Caveat: the repository path is only visible with TLS inspection; DNS and proxy CONNECT logs show just the hostname, so pivot on the requesting process rather than the URL.
Log Sources: Proxy logs, DNS query logs (Sysmon EID 22), GitHub API monitoring, network traffic analysis, EDR network telemetry (Sysmon EID 3)

T1021.007 | Remote Services: Cloud Services | Lateral Movement
Detection Method: Detect unauthorized VS Code tunnel sessions and remote development connections. Monitor for code-tunnel.exe (and the standalone CLI, code.exe) launched with the tunnel subcommand, especially when registered as a service or seen on hosts that are not developer workstations, and for the port forwarding the tunnel exposes. Alert on tunnel logins (GitHub or Microsoft account) outside normal development hours or from accounts that should not be developing.
Log Sources: VS Code and tunnel service logs, authentication logs, remote access logs, network connection monitoring, process telemetry
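As an added example (not part of the original page or any vendor's detection content), the following Python runs the process- and network-based checks from the table above over a few constructed Sysmon-shaped events: a SumatraPDF child process and outbound connection, a non-developer process reaching raw.githubusercontent.com, and a VS Code tunnel started as a service. The sample events, file paths, process GUIDs, the allowlists (processes expected to talk to GitHub, SumatraPDF's update host) and the inclusion of code.exe alongside code-tunnel.exe are assumptions for illustration; the only real indicator used is stg.lsmartv.com from the IOC list above.

```python
import ntpath
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set

# Real indicator from this page's IOC list.
IOC_DOMAINS: Set[str] = {"stg.lsmartv.com"}

# GitHub hosts commonly used as dead-drop resolvers (T1102.001).
GITHUB_HOSTS: Set[str] = {"raw.githubusercontent.com", "gist.githubusercontent.com",
                          "api.github.com", "github.com"}

# ASSUMED allowlists for this example; tune them to your environment.
GITHUB_EXPECTED_IMAGES: Set[str] = {"git.exe", "code.exe", "chrome.exe", "msedge.exe", "firefox.exe"}
SUMATRA_EXPECTED_HOSTS: Set[str] = {"www.sumatrapdfreader.org"}   # assumed update-check host
VSCODE_CLI_IMAGES: Set[str] = {"code-tunnel.exe", "code.exe"}     # code.exe is the standalone CLI (assumption)

# Constructed sample events (not real telemetry). Field names mirror Sysmon EID 1 / EID 3.
SAMPLE_EVENTS: List[Dict] = [
    {"EventID": 1, "ProcessGuid": "p1", "Image": r"C:\Users\u\Downloads\SumatraPDF.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "SumatraPDF.exe invoice.pdf"},
    {"EventID": 1, "ProcessGuid": "p2", "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Users\u\Downloads\SumatraPDF.exe", "CommandLine": "notepad.exe"},
    {"EventID": 3, "ProcessGuid": "p1", "Image": r"C:\Users\u\Downloads\SumatraPDF.exe",
     "DestinationHostname": "stg.lsmartv.com", "DestinationPort": 443},
    {"EventID": 3, "ProcessGuid": "p2", "Image": r"C:\Windows\System32\notepad.exe",
     "DestinationHostname": "raw.githubusercontent.com", "DestinationPort": 443},
    {"EventID": 1, "ProcessGuid": "p3", "Image": r"C:\ProgramData\vs\code-tunnel.exe",
     "ParentImage": r"C:\Windows\System32\services.exe",
     "CommandLine": "code-tunnel.exe tunnel --accept-server-license-terms --name srv01"},
    {"EventID": 1, "ProcessGuid": "p4", "Image": r"C:\Program Files\Microsoft VS Code\Code.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": '"Code.exe" C:\\proj'},
    {"EventID": 3, "ProcessGuid": "p5", "Image": r"C:\Program Files\Git\mingw64\bin\git.exe",
     "DestinationHostname": "raw.githubusercontent.com", "DestinationPort": 443},
]


@dataclass(frozen=True)
class Alert:
    technique: str
    rule: str
    process_guid: str
    detail: str


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path (ntpath handles backslashes on any OS)."""
    return ntpath.basename(path).lower()


def detect_sumatra(ev: Dict) -> List[Alert]:
    """T1566.001: SumatraPDF spawning children or talking to non-update hosts."""
    out = []
    if ev.get("EventID") == 1 and basename(ev.get("ParentImage", "")) == "sumatrapdf.exe":
        out.append(Alert("T1566.001", "sumatrapdf_child_process", ev["ProcessGuid"],
                         f"SumatraPDF spawned {basename(ev['Image'])}: {ev.get('CommandLine', '')}"))
    if ev.get("EventID") == 3 and basename(ev.get("Image", "")) == "sumatrapdf.exe":
        host = ev.get("DestinationHostname", "").lower()
        if host not in SUMATRA_EXPECTED_HOSTS:
            out.append(Alert("T1566.001", "sumatrapdf_network", ev["ProcessGuid"],
                             f"SumatraPDF connected to {host}:{ev.get('DestinationPort')}"))
    return out


def detect_github_dead_drop(ev: Dict) -> List[Alert]:
    """T1102.001: GitHub reached by a process that is not a developer tool or browser."""
    if ev.get("EventID") != 3:
        return []
    host = ev.get("DestinationHostname", "").lower()
    image = basename(ev.get("Image", ""))
    if host in GITHUB_HOSTS and image not in GITHUB_EXPECTED_IMAGES:
        return [Alert("T1102.001", "github_from_unexpected_process", ev["ProcessGuid"], f"{image} -> {host}")]
    return []


def detect_vscode_tunnel(ev: Dict) -> List[Alert]:
    """T1021.007 (as mapped on this page): VS Code CLI started with the tunnel subcommand."""
    if ev.get("EventID") != 1:
        return []
    image = basename(ev.get("Image", ""))
    tokens = ev.get("CommandLine", "").lower().split()
    if image in VSCODE_CLI_IMAGES and "tunnel" in tokens:
        mode = "service-installed" if basename(ev.get("ParentImage", "")) == "services.exe" else "interactive"
        return [Alert("T1021.007", "vscode_tunnel_start", ev["ProcessGuid"], f"{image} {mode}: {ev['CommandLine']}")]
    return []


def detect_ioc_domain(ev: Dict) -> List[Alert]:
    """Plain indicator match against the page's IOC list."""
    if ev.get("EventID") != 3:
        return []
    host = ev.get("DestinationHostname", "").lower()
    if host in IOC_DOMAINS:
        return [Alert("IOC", "known_c2_domain", ev["ProcessGuid"], f"{basename(ev['Image'])} -> {host}")]
    return []


DETECTORS = (detect_sumatra, detect_github_dead_drop, detect_vscode_tunnel, detect_ioc_domain)


def run_detections(events: Iterable[Dict]) -> List[Alert]:
    """Apply every detector to every event; one event may raise several alerts."""
    alerts: List[Alert] = []
    for ev in events:
        for detector in DETECTORS:
            alerts.extend(detector(ev))
    return alerts


if __name__ == "__main__":
    for a in run_detections(SAMPLE_EVENTS):
        print(f"[{a.technique}] {a.rule} ({a.process_guid}): {a.detail}")
```

Against the sample events the script raises five alerts: the notepad.exe child of SumatraPDF, SumatraPDF's connection to stg.lsmartv.com (flagged twice, once by behaviour and once by the IOC match), notepad.exe fetching from raw.githubusercontent.com, and the service-installed code-tunnel.exe. The interactive Code.exe launch and git.exe's GitHub traffic stay silent, which is the point of the allowlists: the same hosts and binaries are benign on a developer workstation.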

Observed Countries (3)

JP (699)
KR (34)
TW (777)