{
  "name": "Malicious Campaign Deploying AdaptixC2 Beacon and VS Code via Trojanized SumatraPDF",
  "slug": "malicious-campaign-deploying-adaptixc2-beacon-and-vs-code-via-trojanized-sumatrapdf",
  "description": "On March 12, 2026, a sophisticated attack campaign was identified targeting Chinese-speaking individuals with military-themed document lures distributed in a malicious ZIP archive. The operation used a trojanized SumatraPDF binary as the initial vector to deploy an AdaptixC2 Beacon and Visual Studio Code on victim systems. The shellcode loader showed significant similarities to the TOSHIS loader previously linked to TAOTH campaigns. The attackers set up a custom AdaptixC2 Beacon listener that used GitHub as its command-and-control infrastructure. The staging server also hosted a CobaltStrike Beacon and the EntryShell backdoor, both previously associated with this threat group. The campaign infrastructure included multiple compromised domains and IP addresses used for malware distribution and C2 communications.",
  "published": "2026-04-23T06:30:50+00:00",
  "created_at": "2026-04-23T06:30:50+00:00",
  "modified_at": "2026-04-27T12:31:02+00:00",
  "created_at_opencti": "2026-04-23T06:30:50+00:00",
  "author": "",
  "confidence": null,
  "report_types": [],
  "labels": [],
  "tags": [
    "2026-04-23",
    "adaptixc2",
    "adaptixc2 beacon",
    "chinese-targets",
    "cobaltstrike",
    "cobaltstrike beacon",
    "entryshell",
    "github c2",
    "sumatrapdf",
    "toshis",
    "toshis loader",
    "tropic trooper"
  ],
  "related_entities": {
    "observables": [
      {
        "id": "",
        "name": "158.247.193.100"
      },
      {
        "id": "",
        "name": "47.76.236.58"
      },
      {
        "id": "",
        "name": "https://stg.lsmartv.com:8443/Divide/developement/GIZWQVCLF"
      },
      {
        "id": "",
        "name": "https://stg.lsmartv.com:8443/Originate/contacts/CX4YJ5JI7RZ"
      },
      {
        "id": "",
        "name": "https://47.76.236.58:4430/Divide/developement/GIZWQVCLF"
      },
      {
        "id": "",
        "name": "https://47.76.236.58:4430/Originate/contacts/CX4YJ5JI7RZ"
      },
      {
        "id": "",
        "name": "aeec65bac035789073b567753284b64ce0b95bbae62cf79e1479714238af0eb7"
      },
      {
        "id": "",
        "name": "47c7ce0e3816647b23bb180725c7233e505f61c35e7776d47fd448009e887857"
      },
      {
        "id": "",
        "name": "b92a3a1cf5786b6e08643483387b77640cd44f84df1169dd00efde7af46b5714"
      },
      {
        "id": "",
        "name": "6eaea92394e115cd6d5bab9ae1c6d088806229aae320e6c519c2d2210dbc94fe"
      },
      {
        "id": "",
        "name": "7a95ce0b5f201d9880a6844a1db69aac7d1a0bf1c88f85989264caf6c82c6001"
      },
      {
        "id": "",
        "name": "a4f2131eb497afe5f78d8d6e534df2b8d75c5b9b565c3ec17a323afe5355da26"
      },
      {
        "id": "",
        "name": "3c29c72a59133dd9eb23953211129fd8275a11b91a3b8dddb3c6e502b6b63edb"
      },
      {
        "id": "",
        "name": "3936f522f187f8f67dda3dc88abfd170f6ba873af81fc31bbf1fdbcad1b2a7fb"
      }
    ],
    "malware": [
      {
        "id": "69b7f98c-f869-41cf-846b-e2727da9f386",
        "name": "EntryShell",
        "slug": "entryshell"
      },
      {
        "id": "0a8849fd-ad6f-4372-8850-f8e0989af09a",
        "name": "CobaltStrike Beacon",
        "slug": "cobaltstrike-beacon"
      },
      {
        "id": "legacy:malware:9f3387373179eb24",
        "name": "AdaptixC2 Beacon",
        "slug": "adaptixc2-beacon"
      },
      {
        "id": "legacy:malware:edfb76e20e3ee1b8",
        "name": "TOSHIS",
        "slug": "toshis"
      }
    ],
    "intrusion_sets": [
      {
        "id": "467c2774-6fda-4f74-835b-faeae8100eee",
        "name": "Tropic Trooper",
        "slug": "tropic-trooper"
      }
    ],
    "attack_patterns": [
      {
        "id": "6ccd4566-e15e-40cf-b7df-4a3f737ce5cd",
        "name": "T1036.005"
      },
      {
        "id": "eaff4611-3c78-4127-8745-726f77ed68ba",
        "name": "T1070.004"
      },
      {
        "id": "c3af9fd7-d307-4df4-9220-cc627938fb85",
        "name": "T1055"
      },
      {
        "id": "a72ebeae-8e62-4039-8135-e9c611011fdc",
        "name": "T1573"
      },
      {
        "id": "c9ee9b30-ba84-4c24-95e9-e8242d42af3f",
        "name": "T1071.001"
      },
      {
        "id": "196f2a64-c55b-47a6-8e38-beb76ba700b6",
        "name": "T1204.002"
      },
      {
        "id": "dc410646-9cdd-427b-92e7-179a54f78f90",
        "name": "T1566.001"
      },
      {
        "id": "0c836307-129e-4ff7-a532-180c633cacba",
        "name": "T1027"
      },
      {
        "id": "cbd87c8c-3bed-461a-acef-56ffc8b87571",
        "name": "T1105"
      },
      {
        "id": "9b6064e6-a05b-4e95-baf5-34d180bc9221",
        "name": "T1059"
      },
      {
        "id": "5999052b-e9ae-49e8-9235-d9bf975c22af",
        "name": "T1547.001"
      },
      {
        "id": "870bd958-53a3-4d25-9f23-00aa8bd6674d",
        "name": "T1102"
      },
      {
        "id": "0156fcda-e385-4662-b388-086c3e16feec",
        "name": "T1140"
      },
      {
        "id": "e1b18ecf-d74e-4fe6-9bd4-ca6a62e7d818",
        "name": "T1027.002"
      },
      {
        "id": "a7262c61-4567-4a00-8cec-aae6264234a9",
        "name": "T1218"
      },
      {
        "id": "45082a8e-9c79-470e-ad1b-decac7188e8f",
        "name": "T1083"
      },
      {
        "id": "70616b2f-4019-4963-b758-5d9f6f20e201",
        "name": "T1082"
      }
    ],
    "others": [
      {
        "id": "",
        "name": "stg.lsmartv.com"
      }
    ]
  },
  "external_refs": [
    "https://otx.alienvault.com/pulse/69e9d8ba4c0b0df25b764711"
  ]
}