Posted in

Tropic Trooper Attack Uses VS Code Tunnels for Stealth Access

by Rakesh0

A newly uncovered Tropic Trooper attack campaign is redefining stealth in cyber espionage by combining open-source tools with trusted developer infrastructure.

This advanced persistent threat (APT) group is now abusing technologies like Visual Studio Code tunnels and GitHub repositories to establish covert command-and-control (C2) channels—making detection significantly harder for traditional security systems.

Discovered in March 2026, this campaign targets individuals across Taiwan, South Korea, and Japan using highly convincing military-themed lures.

In this article, you’ll learn:

  • How the Tropic Trooper attack works
  • Why VS Code tunnels and GitHub are being abused
  • The full multi-stage infection chain
  • Key risks to enterprises and developers
  • Actionable detection and mitigation strategies

Who Is Tropic Trooper?

Tropic Trooper (also known as Earth Centaur or Pirate Panda) is a well-documented APT group known for:

  • Cyber espionage campaigns
  • Targeted attacks in the Asia-Pacific region
  • Long-term persistence in compromised environments

Key Characteristics

  • Nation-state-linked operations
  • Focus on intelligence gathering
  • Continuous evolution of tools and techniques

Attack Overview: What Makes This Campaign Unique?

This campaign stands out for three major reasons:

1. Abuse of Trusted Developer Infrastructure

  • VS Code tunnels for remote access
  • GitHub as a command-and-control platform

2. Use of Open-Source Offensive Tools

Instead of proprietary malware, attackers use:

  • AdaptixC2 framework
  • Custom beacon listeners
  • Modified loaders

3. Highly Convincing Social Engineering

Victims are lured using:

  • Military-themed documents
  • Region-specific language targeting
  • Legitimate-looking PDF content

Infection Chain Breakdown

Step 1: Malicious ZIP Archive

Victims receive a ZIP file containing:

  • Trojanized executable
  • Disguised as a PDF document

Example filename:

“Comparative Analysis of US-UK and US-Australia Nuclear Submarine Cooperation (2025).exe”

Step 2: Trojanized PDF Reader Execution

The file is actually a modified version of:

  • SumatraPDF (open-source reader)

What Happens:

  • A decoy PDF is displayed
  • Malware executes silently in the background
  • User sees legitimate content

Step 3: AdaptixC2 Beacon Deployment

A malicious agent is deployed:

  • Establishes persistence
  • Connects to remote infrastructure
  • Begins system reconnaissance

Persistence and Post-Exploitation

The attackers perform:

  • Scheduled task creation
  • Network reconnaissance (arp, net view)
  • System profiling

Use of VS Code Tunnels

One of the most advanced techniques in this campaign is the abuse of VS Code tunnels.

What This Enables:

  • Remote shell access
  • Interactive control of victim systems
  • Encrypted communication via trusted channels

Key Insight:
VS Code traffic is typically trusted—making this activity difficult to detect.

GitHub as a Command-and-Control Channel

The most innovative aspect of this attack is the use of GitHub as a C2 platform.

How It Works

The malware:

  1. Connects to a fake GitHub repository
  2. Reads commands from GitHub Issues
  3. Executes tasks locally
  4. Uploads results back as files

Technical Details

  • Commands are stored in issue titles
  • Data is encrypted using RC4
  • Responses are Base64-encoded
  • Messages are deleted within 10 seconds

Why This Is Dangerous

  • Traffic blends into normal developer activity
  • GitHub is widely trusted
  • No traditional C2 infrastructure required

Evasion Techniques Used

1. Legitimate Service Abuse

  • GitHub API
  • VS Code tunnels
  • IP lookup services (ipinfo.io)

2. Encrypted Communications

  • RC4 encryption
  • Base64 encoding
  • Rapid data deletion

3. File Masquerading

  • Executables disguised as PDFs
  • Trusted software impersonation

Attribution and Threat Intelligence

Researchers from Zscaler ThreatLabz linked the campaign to Tropic Trooper based on:

  • Code similarities to previous tools
  • Use of known loaders (TOSHIS)
  • Presence of Cobalt Strike with “520” watermark
  • Infrastructure overlap

Why This Attack Matters

1. Developer Tools Are Becoming Attack Vectors

Tools like:

  • VS Code
  • GitHub
  • CI/CD pipelines

are now part of the attack surface.

2. Open-Source Tools Lower the Barrier

Attackers can:

  • Reuse frameworks
  • Customize payloads
  • Scale operations quickly

3. Traditional Detection Is Failing

Because:

  • Traffic is legitimate
  • Domains are trusted
  • Behavior mimics real users

Common Mistakes Organizations Make

  • Trusting all GitHub traffic blindly
  • Allowing unrestricted VS Code tunnel usage
  • Failing to monitor developer endpoints
  • Not inspecting encrypted outbound traffic

Best Practices for Detection and Defense

1. Monitor GitHub API Activity

Flag:

  • Non-developer endpoints accessing GitHub
  • Suspicious repository interactions
  • Automated issue polling behavior

2. Restrict VS Code Tunnels

  • Disable where unnecessary
  • Monitor usage patterns
  • Log remote session activity

3. Enforce Application Allowlisting

Prevent execution of:

  • Unknown binaries
  • Trojanized software
  • Fake document files

4. Detect Persistence Mechanisms

Look for:

  • Suspicious scheduled tasks
  • Services mimicking system processes
  • Unauthorized startup entries

5. Hunt for Beaconing Behavior

Monitor:

  • Frequent IP lookup requests
  • Encrypted outbound traffic patterns
  • Short-lived communication bursts

Expert Insight: The Bigger Trend

1. Living-Off-the-Land Techniques Are Rising

Attackers increasingly rely on:

  • Legitimate tools
  • Trusted platforms
  • Built-in system utilities

2. Cloud and Dev Tools Are the New C2 Channels

We are seeing a shift toward:

  • GitHub-based C2
  • Slack/Discord abuse
  • API-driven malware communication

3. Attribution Is Becoming Harder

Using open-source tools allows attackers to:

  • Blend in with other campaigns
  • Reuse codebases
  • Obfuscate identity

Risk Impact Analysis

Severity: High (Advanced Espionage Threat)

  • Persistent remote access
  • Data exfiltration
  • Long-term surveillance

Affected Targets

  • Government organizations
  • Defense-related entities
  • Developers and researchers

FAQs

1. What is the Tropic Trooper attack?

A cyber espionage campaign using VS Code tunnels and GitHub for stealth remote access.

2. How does the malware spread?

Through malicious ZIP files containing disguised executables.

3. What is AdaptixC2?

An open-source command-and-control framework used by attackers.

4. Why is GitHub used as C2?

Because it is trusted and blends malicious traffic with legitimate activity.

5. What makes VS Code tunnels risky?

They allow remote access over trusted channels, bypassing traditional defenses.

6. How can organizations defend against this?

By monitoring developer tools, restricting access, and detecting abnormal behavior.

Conclusion

The Tropic Trooper campaign highlights a critical evolution in cyber threats: attackers are no longer building infrastructure—they are hijacking trusted ecosystems.

By leveraging GitHub and VS Code tunnels, they have created a stealthy, resilient attack model that challenges traditional security assumptions.

Key Takeaways:

  • Developer tools are now high-risk assets
  • Trusted platforms can be weaponized
  • Behavioral detection is essential
  • Zero trust must extend to developer environments

Final Thought:
In modern cybersecurity, the most dangerous traffic is the one that looks completely legitimate.

Subscribe

Leave a Reply

Your email address will not be published. Required fields are marked *