
Tropic Trooper Weaponizes SumatraPDF and GitHub to Drop AdaptixC2

· via The Hacker News

Original source: "Tropic Trooper Uses Trojanized SumatraPDF and GitHub to Deploy AdaptixC2" (The Hacker News)

The Tropic Trooper APT group is abusing a trojanized build of the open-source SumatraPDF reader as a delivery vehicle for AdaptixC2, a newer command-and-control framework gaining traction as an alternative to Cobalt Strike. The weaponized binary side-loads a malicious DLL that ultimately pulls the C2 agent into memory, giving operators persistent access on compromised hosts.

GitHub is being used as staging infrastructure, with payloads and loaders hosted in repositories that blend into legitimate developer traffic and sidestep egress controls that would flag unknown domains. Reusing a trusted signed utility reduces the chance of endpoint tools flagging execution, and chaining it with GitHub delivery keeps the initial network indicators clean.

The campaign underscores two ongoing shifts: threat actors continuing to pivot away from Cobalt Strike toward less-fingerprinted offensive frameworks, and the steady abuse of public code-hosting platforms as malware CDNs. Defenders should treat outbound GitHub raw-content fetches from user endpoints as worth inspecting, and watch for DLL side-loading patterns in otherwise legitimate PDF readers.
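The two defender checks the summary recommends, a PDF reader loading a DLL from a user-writable directory and outbound GitHub raw-content fetches from user endpoints, can be expressed as simple triage rules over endpoint telemetry. The example below is an added illustration, not code from the article or from any vendor; the event field names (`event`, `host`, `image`, `image_loaded`, `url`) are modelled loosely on Sysmon image-load events and a generic web-proxy log, the sample records are constructed, and the developer-host allowlist is an assumption about the environment.

```python
"""Added example: two triage rules over constructed endpoint telemetry.

Rule 1 flags a PDF reader process that loads a DLL from a user-writable
directory (the side-loading shape described in the article) rather than
from a Windows system directory.
Rule 2 flags fetches of GitHub raw/object content from hosts that are not
on a developer allowlist.
Field names and all sample values are assumptions, not real telemetry.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set
from urllib.parse import urlparse

# Process names treated as PDF readers; SumatraPDF is the one the article names.
PDF_READERS = {"sumatrapdf.exe"}
SYSTEM_DIRS = (
    "c:\\windows\\system32\\",
    "c:\\windows\\syswow64\\",
    "c:\\windows\\winsxs\\",
)
USER_WRITABLE_DIRS = ("c:\\users\\", "c:\\programdata\\", "c:\\temp\\")
# GitHub hosts that serve raw file or release content (not repository pages).
GITHUB_CONTENT_HOSTS = {
    "raw.githubusercontent.com",
    "objects.githubusercontent.com",
    "codeload.github.com",
}


@dataclass(frozen=True)
class Finding:
    rule: str
    host: str
    detail: str


def _norm(path: str) -> str:
    return path.replace("/", "\\").lower()


def _dirname(path: str) -> str:
    p = _norm(path)
    return p.rsplit("\\", 1)[0] + "\\" if "\\" in p else ""


def _basename(path: str) -> str:
    return _norm(path).rsplit("\\", 1)[-1]


def check_image_load(ev: Dict[str, str]) -> Optional[Finding]:
    """Rule 1: PDF reader loads a DLL from a user-writable, non-system path."""
    if ev.get("event") != "image_load":
        return None
    if _basename(ev["image"]) not in PDF_READERS:
        return None
    loaded = _norm(ev["image_loaded"])
    if not loaded.endswith(".dll") or loaded.startswith(SYSTEM_DIRS):
        return None
    if not loaded.startswith(USER_WRITABLE_DIRS):
        return None
    # Classic side-load: the DLL sits in the same directory as the executable.
    same_dir = _dirname(loaded) == _dirname(ev["image"])
    shape = "DLL beside executable" if same_dir else "DLL from user-writable path"
    return Finding("pdf_reader_dll_sideload", ev["host"], f"{shape}: {ev['image_loaded']}")


def check_proxy(ev: Dict[str, str], dev_hosts: Set[str]) -> Optional[Finding]:
    """Rule 2: GitHub raw/object content fetched by a non-developer endpoint."""
    if ev.get("event") != "proxy":
        return None
    host = (urlparse(ev["url"]).hostname or "").lower()
    if host not in GITHUB_CONTENT_HOSTS or ev["host"] in dev_hosts:
        return None
    return Finding("github_raw_fetch_from_user_endpoint", ev["host"], ev["url"])


def run_triage(events: Iterable[Dict[str, str]], dev_hosts: Set[str]) -> List[Finding]:
    findings: List[Finding] = []
    for ev in events:
        for f in (check_image_load(ev), check_proxy(ev, dev_hosts)):
            if f is not None:
                findings.append(f)
    return findings


# Constructed sample telemetry (hostnames, paths and URLs are placeholders).
DEV_HOSTS = {"DEV-BUILD-01"}
SAMPLE_EVENTS = [
    {"event": "image_load", "host": "WS-FIN-07",
     "image": "C:\\Users\\alice\\Downloads\\SumatraPDF\\SumatraPDF.exe",
     "image_loaded": "C:\\Users\\alice\\Downloads\\SumatraPDF\\sample-sideloaded.dll"},
    {"event": "image_load", "host": "WS-FIN-07",
     "image": "C:\\Program Files\\SumatraPDF\\SumatraPDF.exe",
     "image_loaded": "C:\\Windows\\System32\\kernel32.dll"},
    {"event": "proxy", "host": "WS-FIN-07",
     "url": "https://raw.githubusercontent.com/example-org/example-repo/main/payload.bin"},
    {"event": "proxy", "host": "DEV-BUILD-01",
     "url": "https://raw.githubusercontent.com/example-org/example-repo/main/README.md"},
    {"event": "proxy", "host": "WS-FIN-07", "url": "https://www.example.com/"},
]

if __name__ == "__main__":
    for f in run_triage(SAMPLE_EVENTS, DEV_HOSTS):
        print(f"{f.rule:40} {f.host:12} {f.detail}")
```

On the sample data the first and third records fire, one per rule; the Program Files reader loading a System32 DLL and the allowlisted build host's GitHub fetch stay quiet. Both rules are deliberately narrow: the side-load rule ignores DLLs under the Windows system directories, and the GitHub rule keys on content-serving hosts rather than github.com page views, so tuning for a given estate mostly means adjusting `PDF_READERS` and the developer allowlist.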


This is an AI-generated summary. Read the original for the full story.