Malicious Campaign Deploying AdaptixC2 Beacon and VS Code via Trojanized SumatraPDF
Essential information
- Published
- 23/04/2026 08:30
- Modified
- 27/04/2026 14:31
- Tags
- 2026-04-23 adaptixc2 adaptixc2 beacon chinese-targets cobaltstrike cobaltstrike beacon entryshell github c2 sumatrapdf toshis toshis loader tropic trooper
- Related entities
- 14 observables, 1 intrusion sets (apt), 17 techniques (mitre), 4 malware, 1 others
Description
On March 12, 2026, a sophisticated attack campaign was identified targeting Chinese-speaking individuals using military-themed document lures distributed through a malicious ZIP archive. The operation employed a trojanized SumatraPDF binary as the initial vector to deploy an AdaptixC2 Beacon and Visual Studio Code on victim systems. The shellcode loader demonstrated significant similarities to the TOSHIS loader previously linked to TAOTH campaigns. Attackers established a custom AdaptixC2 Beacon listener utilizing GitHub for command-and-control infrastructure. The staging server infrastructure additionally hosted CobaltStrike Beacon and EntryShell backdoor, both previously associated with this threat group. The campaign infrastructure included multiple compromised domains and IP addresses for malware distribution and C2 communications.