Tropic Trooper Pivots to AdaptixC2 and Custom Beacon Listener

    Date: 04/24/2026

    Severity: High

    Summary

    On March 12, 2026, ThreatLabz identified a malicious ZIP archive that used military-themed documents as bait to target Chinese-speaking users. The operation relied on a tampered SumatraPDF executable to deliver an AdaptixC2 Beacon, which eventually led to the installation of Visual Studio Code on compromised systems. The shellcode loader observed in this campaign closely mirrors the TOSHIS loader, previously linked to Tropic Trooper and documented in the TAOTH campaign. The attackers also set up a tailored AdaptixC2 Beacon listener, using GitHub as their command-and-control infrastructure. Additionally, the staging server used in this intrusion hosted both a Cobalt Strike Beacon and an EntryShell backdoor—tools and configurations that have been historically associated with Tropic Trooper activity.

    Indicators of Compromise (IOC) List

    Domains/URLs:

    https://api.github.com/repos/cvaS23uchsahs/rss/issues

    https://47.76.236.58:4430/Originate/contacts/CX4YJ5JI7RZ

    https://47.76.236.58:4430/Divide/developement/GIZWQVCLF

    https://stg.lsmartv.com:8443/Originate/contacts/CX4YJ5JI7RZ

    https://stg.lsmartv.com:8443/Divide/developement/GIZWQVCLF

    IP Address:

    158.247.193.100

    Hashes:


    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1:

    domainname like "https://stg.lsmartv.com:8443/Originate/contacts/CX4YJ5JI7RZ" or url like "https://stg.lsmartv.com:8443/Originate/contacts/CX4YJ5JI7RZ" or siteurl like "https://stg.lsmartv.com:8443/Originate/contacts/CX4YJ5JI7RZ" or domainname like "https://47.76.236.58:4430/Originate/contacts/CX4YJ5JI7RZ" or url like "https://47.76.236.58:4430/Originate/contacts/CX4YJ5JI7RZ" or siteurl like "https://47.76.236.58:4430/Originate/contacts/CX4YJ5JI7RZ" or domainname like "https://47.76.236.58:4430/Divide/developement/GIZWQVCLF" or url like "https://47.76.236.58:4430/Divide/developement/GIZWQVCLF" or siteurl like "https://47.76.236.58:4430/Divide/developement/GIZWQVCLF" or domainname like "https://api.github.com/repos/cvaS23uchsahs/rss/issues" or url like "https://api.github.com/repos/cvaS23uchsahs/rss/issues" or siteurl like "https://api.github.com/repos/cvaS23uchsahs/rss/issues" or domainname like "https://stg.lsmartv.com:8443/Divide/developement/GIZWQVCLF" or url like "https://stg.lsmartv.com:8443/Divide/developement/GIZWQVCLF" or siteurl like "https://stg.lsmartv.com:8443/Divide/developement/GIZWQVCLF"

    Detection Query 2:

    dstipaddress IN ("158.247.193.100") or srcipaddress IN ("158.247.193.100")

    Detection Query 3:

    md5hash IN ("3238d2f6b9ea9825eb61ae5e80e7365c","67fcf5c21474d314aa0b27b0ce8befb2","89daa54fada8798c5f4e21738c8ea0b4","e2dc48ef24da000b8fc1354fa31ca9ae","2d7cc3646c287d6355def362916c6d26","71fa755b6ba012e1713c9101c7329f8d","c620b4671a5715eec0e9f3b93e6532ba","9a69b717ec4e8a35ae595aa6762d3c27")

    Detection Query 4:

    sha1hash IN ("2c65433696037f4ce0f8c9a1d78bdd6835c1b94d","19e3c4df728e3e657cb9496cd4aaf69648470b63","bd618c9e1e10891fe666839650fa406833d70afd","6c68dc2e33780e07596c3c06aa819ea460b3d125","adb47733c224fc8c0f7edc61becb578e560435ab","c2051635ccfdc0b48c260e7ceeee3f96bf026fea","343be0f2077901ea5b5b9fb97d97892ac1a907e6","401cc16d79d94c32da3f66df21d66ffd71603c14")

    Detection Query 5:

    sha256hash IN ("47c7ce0e3816647b23bb180725c7233e505f61c35e7776d47fd448009e887857","a4f2131eb497afe5f78d8d6e534df2b8d75c5b9b565c3ec17a323afe5355da26","aeec65bac035789073b567753284b64ce0b95bbae62cf79e1479714238af0eb7","7a95ce0b5f201d9880a6844a1db69aac7d1a0bf1c88f85989264caf6c82c6001","3936f522f187f8f67dda3dc88abfd170f6ba873af81fc31bbf1fdbcad1b2a7fb","6eaea92394e115cd6d5bab9ae1c6d088806229aae320e6c519c2d2210dbc94fe","b92a3a1cf5786b6e08643483387b77640cd44f84df1169dd00efde7af46b5714","3c29c72a59133dd9eb23953211129fd8275a11b91a3b8dddb3c6e502b6b63edb")
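    The queries above match the published URLs as exact strings. As an added example (not Gurucul's or Zscaler's code), the Python below matches constructed proxy records against the same network IOCs by host and port, and for api.github.com by the attacker repository path, so a different path on the same staging host or a sub-resource of the same GitHub repo still surfaces while ordinary GitHub API traffic does not. The record schema (url, src_ip, dst_ip) and all sample records are assumptions.

```python
from urllib.parse import urlsplit
# Network IOCs exactly as published in the advisory above.
IOC_URLS = [
    "https://api.github.com/repos/cvaS23uchsahs/rss/issues",
    "https://47.76.236.58:4430/Originate/contacts/CX4YJ5JI7RZ",
    "https://47.76.236.58:4430/Divide/developement/GIZWQVCLF",
    "https://stg.lsmartv.com:8443/Originate/contacts/CX4YJ5JI7RZ",
    "https://stg.lsmartv.com:8443/Divide/developement/GIZWQVCLF",
]
IOC_IPS = {"158.247.193.100"}

def ioc_index(urls):
    """(host, port) pairs for the staging servers, plus (host, /repos/<owner>/<repo>)
    prefixes for the GitHub dead drop, so api.github.com only alerts on that repo."""
    hostports, prefixes = set(), set()
    for u in urls:
        p = urlsplit(u)
        if p.hostname == "api.github.com":
            prefixes.add((p.hostname, "/".join(p.path.split("/")[:4])))
        else:
            hostports.add((p.hostname, p.port or 443))
    return hostports, prefixes

def classify(rec, hostports, prefixes, ips=IOC_IPS):
    """Return the IOC reasons one proxy record {url, src_ip, dst_ip} triggers (assumed schema)."""
    reasons, p = [], urlsplit(rec.get("url", ""))
    port = p.port or 443                          # all published URL IOCs are HTTPS
    if (p.hostname, port) in hostports:           # any path on a known C2 host
        reasons.append(f"c2-host:{p.hostname}:{port}")
    for host, prefix in prefixes:                 # the repo itself or any sub-resource
        if p.hostname == host and (p.path == prefix or p.path.startswith(prefix + "/")):
            reasons.append(f"github-dead-drop:{prefix}")
    reasons += [f"ioc-ip:{rec[k]}" for k in ("src_ip", "dst_ip") if rec.get(k) in ips]
    return reasons

def scan(records, urls=IOC_URLS):
    """Return {record_index: reasons} for every record that matched an IOC."""
    hostports, prefixes = ioc_index(urls)
    hits = {i: classify(r, hostports, prefixes) for i, r in enumerate(records)}
    return {i: rs for i, rs in hits.items() if rs}

# Constructed sample proxy records; 10.0.0.0/8 and 203.0.113.0/24 are placeholders.
SAMPLE_LOGS = [
    {"src_ip": "10.0.0.5", "dst_ip": "47.76.236.58", "url": "https://47.76.236.58:4430/Originate/contacts/CX4YJ5JI7RZ?v=2"},
    {"src_ip": "10.0.0.7", "dst_ip": "203.0.113.10", "url": "https://api.github.com/repos/cvaS23uchsahs/rss/issues/3/comments"},
    {"src_ip": "10.0.0.8", "dst_ip": "203.0.113.10", "url": "https://api.github.com/repos/octocat/Hello-World/issues"},
    {"src_ip": "10.0.0.9", "dst_ip": "203.0.113.20", "url": "https://stg.lsmartv.com:8443/some/other/path"},
    {"src_ip": "10.0.0.11", "dst_ip": "158.247.193.100", "url": ""},
]
```

    Records 0, 1, 3 and 4 fire (host match, repo-path match, host match on an unlisted path, IP match); record 2, a benign GitHub API call, does not.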

    Reference:

    https://www.zscaler.com/blogs/security-research/tropic-trooper-pivots-adaptixc2-and-custom-beacon-listener#introduction
    Tags: Malware, Backdoor, Defense Industrial Base, China, TOSHIS, TAOTH, GitHub, Cobalt Strike
