Malicious Campaign Deploying AdaptixC2 Beacon and VS Code via Trojanized SumatraPDF
On March 12, 2026, a targeted campaign was identified against Chinese-speaking individuals. Military-themed document lures were delivered in a malicious ZIP archive whose initial vector was a trojanized SumatraPDF binary; once run, it deployed an AdaptixC2 Beacon and Visual Studio Code on the victim system. The shellcode loader shows significant similarities to the TOSHIS loader previously linked to TAOTH campaigns. The attackers ran a custom AdaptixC2 Beacon listener that used GitHub as its command-and-control channel. The staging server also hosted a CobaltStrike Beacon and the EntryShell backdoor, both previously associated with this threat group. The campaign infrastructure included multiple compromised domains and IP addresses used for malware distribution and C2 communications.
AI Analysis
Technical Summary
This is a targeted campaign whose initial infection vector is a trojanized SumatraPDF executable. On execution it installs an AdaptixC2 Beacon and Visual Studio Code on the victim system. The shellcode loader shares significant code with the TOSHIS loader previously attributed to TAOTH campaigns. The attackers operate a custom AdaptixC2 Beacon listener that uses GitHub repositories for command-and-control traffic, so the beacon's communications go to a destination most networks already allow. The same staging infrastructure hosts a CobaltStrike Beacon and the EntryShell backdoor, both linked to the Tropic Trooper group. Delivery relies on military-themed document lures in malicious ZIP archives, with multiple compromised domains and IP addresses supporting malware distribution and C2.
Potential Impact
Infection gives the attackers persistent command-and-control access to the victim system through the AdaptixC2 Beacon, and the same staging server also hosts a CobaltStrike Beacon and the EntryShell backdoor. From that foothold they can exfiltrate data, move laterally and compromise further systems. Because the initial payload is carried by a trojanized copy of a legitimate application (SumatraPDF) and the intrusion also installs Visual Studio Code, a signed and widely used developer tool, the activity can pass as ordinary user software and complicate detection and eviction. Execution still requires the victim to open the ZIP archive and run the binary. The targeting of Chinese-speaking individuals with military-themed lures points to a focused, regionally motivated actor.
Mitigation Recommendations
No patch applies: this is a malware distribution campaign, not a software vulnerability. Defenders should:
- Block the trojanized SumatraPDF binaries by the hashes listed below. The list mixes MD5, SHA-1 and SHA-256 values, so load each by digest length into the matching field of your EDR or SIEM. Treat any SumatraPDF installer or executable that lacks a valid Authenticode signature or does not match the vendor's published release hashes as suspect.
- Hunt for the described post-infection behaviour: AdaptixC2 Beacon, CobaltStrike Beacon and EntryShell activity, and unexpected Visual Studio Code installations on hosts that have no development role.
- Block the listed IP addresses and domain at the proxy or firewall, and alert on the two staging URL paths, which were served on the non-standard ports 4430 and 8443.
- Baseline outbound GitHub traffic by host and process rather than blocking GitHub outright; the AdaptixC2 listener uses it for C2 and few organisations can block the service wholesale.
- Restrict execution of unsigned or unapproved binaries from user-writable locations such as Downloads and Temp.
Check vendor advisories for updated detection signatures.
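The following script is added here as a worked example; it is not part of the pulse or of any vendor tooling. It turns the indicator list on this page into a hunt: the mixed-length hashes are classified by digest length, the network indicators are matched against URLs, and both are run over two constructed inputs, a proxy log in a simple space-separated layout and a host hash inventory in `path,digest` form. The log layout, the inventory format and the sample data are assumptions for illustration; the IoC values are the ones published below.

```python
import re
from urllib.parse import urlparse

# IoCs copied from this page. The hash list mixes MD5, SHA-1 and SHA-256;
# the digest type is inferred from hex length when matching.
IOC_HASHES = set("""
2d7cc3646c287d6355def362916c6d26 3238d2f6b9ea9825eb61ae5e80e7365c
67fcf5c21474d314aa0b27b0ce8befb2 71fa755b6ba012e1713c9101c7329f8d
89daa54fada8798c5f4e21738c8ea0b4 9a69b717ec4e8a35ae595aa6762d3c27
c620b4671a5715eec0e9f3b93e6532ba e2dc48ef24da000b8fc1354fa31ca9ae
19e3c4df728e3e657cb9496cd4aaf69648470b63 2c65433696037f4ce0f8c9a1d78bdd6835c1b94d
343be0f2077901ea5b5b9fb97d97892ac1a907e6 401cc16d79d94c32da3f66df21d66ffd71603c14
6c68dc2e33780e07596c3c06aa819ea460b3d125 adb47733c224fc8c0f7edc61becb578e560435ab
bd618c9e1e10891fe666839650fa406833d70afd c2051635ccfdc0b48c260e7ceeee3f96bf026fea
3936f522f187f8f67dda3dc88abfd170f6ba873af81fc31bbf1fdbcad1b2a7fb
3c29c72a59133dd9eb23953211129fd8275a11b91a3b8dddb3c6e502b6b63edb
47c7ce0e3816647b23bb180725c7233e505f61c35e7776d47fd448009e887857
6eaea92394e115cd6d5bab9ae1c6d088806229aae320e6c519c2d2210dbc94fe
7a95ce0b5f201d9880a6844a1db69aac7d1a0bf1c88f85989264caf6c82c6001
a4f2131eb497afe5f78d8d6e534df2b8d75c5b9b565c3ec17a323afe5355da26
aeec65bac035789073b567753284b64ce0b95bbae62cf79e1479714238af0eb7
b92a3a1cf5786b6e08643483387b77640cd44f84df1169dd00efde7af46b5714
""".split())
IOC_IPS = {"158.247.193.100", "47.76.236.58"}
IOC_DOMAINS = {"stg.lsmartv.com"}
# Staging paths as published (the "developement" spelling is the attacker's; keep it).
IOC_PATHS = {"/Divide/developement/GIZWQVCLF", "/Originate/contacts/CX4YJ5JI7RZ"}
IOC_PORTS = {4430, 8443}
HASH_TYPES = {32: "md5", 40: "sha1", 64: "sha256"}


def hash_type(value):
    """Return 'md5', 'sha1' or 'sha256' for a hex digest, else None."""
    v = value.strip().lower()
    return HASH_TYPES.get(len(v)) if re.fullmatch(r"[0-9a-f]+", v) else None


def match_hash(value):
    """True when the digest (any case) is one of the published IoC hashes."""
    return hash_type(value) is not None and value.strip().lower() in IOC_HASHES


def classify_url(url):
    """Strongest reason a URL matches the campaign, or None.

    exact_staging_url: listed host plus listed path (block and investigate)
    ioc_host: any request to a listed IP or domain (block)
    staging_path_on_new_host: listed path and port on an unlisted host
        (hunt lead only; the actor may have moved infrastructure)
    """
    p = urlparse(url)
    host = (p.hostname or "").lower()
    if host in IOC_IPS or host in IOC_DOMAINS:
        return "exact_staging_url" if p.path in IOC_PATHS else "ioc_host"
    if p.path in IOC_PATHS and p.port in IOC_PORTS:
        return "staging_path_on_new_host"
    return None


# Assumed proxy log layout: "<timestamp> <client-ip> <method> <url> <status>".
PROXY_RE = re.compile(r"^(\S+) (\S+) ([A-Z]+) (\S+) (\d{3})$")


def scan_proxy_log(lines):
    """Return [(client_ip, url, reason)] for lines touching campaign infrastructure."""
    hits = []
    for line in lines:
        m = PROXY_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not fit the assumed layout
        reason = classify_url(m.group(4))
        if reason:
            hits.append((m.group(2), m.group(4), reason))
    return hits


def scan_hash_inventory(rows):
    """rows are 'path,digest' strings; return [(path, digest_type)] for IoC matches."""
    hits = []
    for row in rows:
        path, _, digest = row.rpartition(",")  # rpartition tolerates commas in paths
        if match_hash(digest):
            hits.append((path, hash_type(digest)))
    return hits


# Constructed sample telemetry for demonstration; not real victim data.
SAMPLE_PROXY_LOG = [
    "2026-03-13T08:01:12Z 10.0.4.21 GET https://stg.lsmartv.com:8443/Divide/developement/GIZWQVCLF 200",
    "2026-03-13T08:01:15Z 10.0.4.21 GET https://www.example.org/download 200",
    "2026-03-13T08:02:40Z 10.0.4.77 POST https://47.76.236.58:4430/Originate/contacts/CX4YJ5JI7RZ 200",
    "2026-03-13T08:03:02Z 10.0.4.77 GET https://203.0.113.9:4430/Divide/developement/GIZWQVCLF 404",
    "2026-03-13T08:03:05Z 10.0.4.90 GET https://github.com/ 200",
]
SAMPLE_INVENTORY = [
    r"C:\Users\u1\Downloads\SumatraPDF.exe,3936F522F187F8F67DDA3DC88ABFD170F6BA873AF81FC31BBF1FDBCAD1B2A7FB",
    r"C:\Program Files\Git\bin\git.exe,d41d8cd98f00b204e9800998ecf8427e",
    r"C:\Users\u1\AppData\Local\Temp\x.dll,2d7cc3646c287d6355def362916c6d26",
]

if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_PROXY_LOG):
        print("network", *hit)
    for hit in scan_hash_inventory(SAMPLE_INVENTORY):
        print("host", *hit)
```

The third URL class is deliberately weaker than the other two: the published paths are distinctive enough to be worth a hunt query when they appear on a host that is not in the indicator list, but not worth an automatic block, since the actor can reuse the same staging layout on fresh infrastructure. The GitHub request in the sample log produces no hit on purpose; GitHub-borne C2 has to be found by baselining which hosts and processes talk to it, not by indicator matching.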
Affected Countries
China
Indicators of Compromise
- md5: 2d7cc3646c287d6355def362916c6d26
- md5: 3238d2f6b9ea9825eb61ae5e80e7365c
- md5: 67fcf5c21474d314aa0b27b0ce8befb2
- md5: 71fa755b6ba012e1713c9101c7329f8d
- md5: 89daa54fada8798c5f4e21738c8ea0b4
- md5: 9a69b717ec4e8a35ae595aa6762d3c27
- md5: c620b4671a5715eec0e9f3b93e6532ba
- md5: e2dc48ef24da000b8fc1354fa31ca9ae
- sha1: 19e3c4df728e3e657cb9496cd4aaf69648470b63
- sha1: 2c65433696037f4ce0f8c9a1d78bdd6835c1b94d
- sha1: 343be0f2077901ea5b5b9fb97d97892ac1a907e6
- sha1: 401cc16d79d94c32da3f66df21d66ffd71603c14
- sha1: 6c68dc2e33780e07596c3c06aa819ea460b3d125
- sha1: adb47733c224fc8c0f7edc61becb578e560435ab
- sha1: bd618c9e1e10891fe666839650fa406833d70afd
- sha1: c2051635ccfdc0b48c260e7ceeee3f96bf026fea
- sha256: 3936f522f187f8f67dda3dc88abfd170f6ba873af81fc31bbf1fdbcad1b2a7fb
- sha256: 3c29c72a59133dd9eb23953211129fd8275a11b91a3b8dddb3c6e502b6b63edb
- sha256: 47c7ce0e3816647b23bb180725c7233e505f61c35e7776d47fd448009e887857
- sha256: 6eaea92394e115cd6d5bab9ae1c6d088806229aae320e6c519c2d2210dbc94fe
- sha256: 7a95ce0b5f201d9880a6844a1db69aac7d1a0bf1c88f85989264caf6c82c6001
- sha256: a4f2131eb497afe5f78d8d6e534df2b8d75c5b9b565c3ec17a323afe5355da26
- sha256: aeec65bac035789073b567753284b64ce0b95bbae62cf79e1479714238af0eb7
- sha256: b92a3a1cf5786b6e08643483387b77640cd44f84df1169dd00efde7af46b5714
- ip: 158.247.193.100
- ip: 47.76.236.58
- url: https://47.76.236.58:4430/Divide/developement/GIZWQVCLF
- url: https://47.76.236.58:4430/Originate/contacts/CX4YJ5JI7RZ
- url: https://stg.lsmartv.com:8443/Divide/developement/GIZWQVCLF
- url: https://stg.lsmartv.com:8443/Originate/contacts/CX4YJ5JI7RZ
- domain: stg.lsmartv.com
Technical Details
- Author: AlienVault
- TLP: white
- References: none listed
- Adversary: Tropic Trooper
- Pulse Id: 69e9d8ba4c0b0df25b764711
- Threat Score: not set
Threat ID: 69e9e0fb87115cfb68ecdc9b
Added to database: 4/23/2026, 9:06:03 AM
Last enriched: 4/23/2026, 9:21:04 AM
Last updated: 4/24/2026, 7:03:46 AM