Pulse name: IOC - Tropic Trooper Pivots to AdaptixC2 and Custom Beacon Listener
WHITE celestre 2026-04-23 Modified: 2026-05-23
29 IOCs
MEDIUM VOLUME
On March 12, 2026, Zscaler ThreatLabz discovered a malicious ZIP archive containing military-themed document lures targeting Chinese-speaking individuals. Our analysis of this sample uncovered a campaign leveraging a multi-stage attack chain where a trojanized SumatraPDF reader deploys an AdaptixC2 Beacon agent, ultimately leading to the download and abuse of Visual Studio (VS) Code tunnels for remote access. During our analysis, we observed that the threat actor likely targeted Chinese-speaking individuals in Taiwan, and individuals in South Korea and Japan. Based on the tactics, techniques, and procedures (TTPs) observed in this attack, ThreatLabz attributes this activity to Tropic Trooper (also known as Earth Centaur and Pirate Panda) with high confidence.
Indicators of Compromise (29)