
APT28 PRISMEX, MuddyWater DinDoor, and Tropic Trooper AdaptixC2: OTX Pulse Analysis — Enterprise Detection Pack

Security Arsenal Team
April 26, 2026

Recent OTX pulses indicate a convergence of state-aligned cyber espionage activity targeting critical government infrastructure and financial sectors. Three distinct threat actors—APT28 (Pawn Storm), MuddyWater, and Tropic Trooper—are actively deploying sophisticated toolsets designed to evade standard defenses.

  • APT28 is leveraging the PRISMEX malware suite, exploiting critical vulnerabilities CVE-2026-21509 and CVE-2026-21513 to target Ukrainian and NATO-aligned defense entities. Their use of steganography and cloud storage C2 infrastructure (specifically filen.io) marks a shift toward "living-off-the-land" cloud abuse.
  • MuddyWater has been observed deploying "DinDoor," a novel backdoor utilizing the Deno JavaScript runtime to bypass traditional process monitoring. This campaign specifically targets finance sectors in the US and Russia using trojanized MSI installers.
  • Tropic Trooper is employing trojanized SumatraPDF installers to drop AdaptixC2 Beacons and Visual Studio Code, utilizing shellcode loaders reminiscent of Cobalt Strike to compromise Chinese-speaking targets.

These campaigns share common objectives: persistence within sensitive networks, data exfiltration via obfuscated channels, and the bypass of application control solutions through the abuse of legitimate tools (Deno, VS Code) and cloud services.

Threat Actor / Malware Profile

APT28 / Pawn Storm (PRISMEX)

  • Malware Families: PRISMEX, PrismexDrop, MiniDoor, NotDoor.
  • Distribution: Exploit kits targeting CVE-2026-21509 and CVE-2026-21513; spear-phishing with malicious documents.
  • Payload Behavior: Utilizes advanced steganography to hide malicious code within image files. Uses COM hijacking for persistence.
  • C2 Communication: Abuses cloud storage providers (e.g., filen.io) for command and control, blending in with legitimate traffic.
  • Anti-Analysis: Heavy use of obfuscation and steganography to hinder static analysis.

MuddyWater (DinDoor)

  • Malware Families: DinDoor, Tsundere Botnet, CastleLoader.
  • Distribution: Malicious MSI files distributed via compromised sites or phishing.
  • Payload Behavior: Exploits the Deno runtime (V8-based JavaScript/TypeScript) to execute obfuscated JavaScript in-memory or written to disk. Performs system fingerprinting.
  • C2 Communication: Uses dynamic DNS (DuckDNS) and newly registered TLDs (.cyou, .site) for C2 infrastructure.

Tropic Trooper (AdaptixC2)

  • Malware Families: AdaptixC2 Beacon, TOSHIS, EntryShell.
  • Distribution: Trojanized SumatraPDF installers within ZIP archives.
  • Payload Behavior: Shellcode loader that installs VS Code and AdaptixC2 Beacon. Uses military-themed lures.
  • C2 Communication: Custom beaconing over HTTP/HTTPS.

IOC Analysis

The provided indicators of compromise (IOCs) reveal a heavy reliance on abused infrastructure and specific file hashes:

  • Network Infrastructure: The pulses identify numerous hostnames and domains associated with C2, including gateway.filen.io (APT28 cloud abuse), agilemast3r.duckdns.org (MuddyWater), and various .cyou domains. SOC teams should immediately block these domains at the proxy and DNS layers.
  • File Hashes: MD5 and SHA256 hashes are provided for the DinDoor MSI installers and the trojanized SumatraPDF binaries. These should be added to endpoint block-listing configurations (EDR blocklists).
  • Operationalization:
    • SIEM: Ingest the domains and hashes into threat intelligence platform (TIP) feeds and correlate against NetworkConnectionEvents and FileCreationEvents.
    • EDR: Hunt for process execution involving deno.exe, SumatraPDF.exe spawning child processes like Code.exe or cmd.exe, and unusual connections to filen.io.
    • Network: SSL inspection is crucial as much of this C2 traffic uses HTTPS.
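As an added illustration that is not part of the original pulse analysis, the following Python sketches the SIEM correlation step above over constructed network and file-creation events. The IOC domains and TLDs are the ones named in this report; the SHA256 value is a labelled placeholder, the log format is invented for the example, and the point is that domain matching must be suffix-aware so that lookalike names do not fire.

```python
import re
# Constructed IOC set modelled on the indicator types in the pulses. The hash
# is a PLACEHOLDER, not a value taken from the pulses.
C2_DOMAINS = {"filen.io", "duckdns.org"}   # APT28 cloud abuse, MuddyWater dynamic DNS
C2_TLDS = {"cyou", "site"}                  # newly registered TLDs used for DinDoor C2
BLOCKED_SHA256 = {"0" * 64}                 # PLACEHOLDER: load the pulse hashes here

# Constructed formats: "<ts> <device> <process> <dest_host>" / "<ts> <device> <path> <sha256>"
NET_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")
FILE_RE = re.compile(r"^(\S+) (\S+) (\S+) ([0-9a-fA-F]{64})$")

def host_matches(host, domain):
    """Exact or subdomain match on a registered name. A substring test
    ('filen.io' in host) would also flag unrelated names like 'myfilen.io'."""
    host = host.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)

def host_on_c2_tld(host):
    return host.lower().rstrip(".").rsplit(".", 1)[-1] in C2_TLDS

def scan_network(lines):
    """Return (device, process, host, reason) for each network event hitting an IOC."""
    hits = []
    for line in lines:
        m = NET_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the sweep
        _, device, proc, host = m.groups()
        reason = next((f"C2 domain {d}" for d in C2_DOMAINS if host_matches(host, d)), None)
        if reason is None and host_on_c2_tld(host):
            reason = "suspicious TLD"
        if reason:
            hits.append((device, proc, host, reason))
    return hits

def scan_files(lines):
    """Return (device, path) for file events whose SHA256 is on the blocklist."""
    return [(m.group(2), m.group(3)) for m in map(FILE_RE.match, lines)
            if m and m.group(4).lower() in BLOCKED_SHA256]

NET_SAMPLE = [  # constructed sample events, not pulse data
    "2026-04-27T09:00:01Z WS01 svchost.exe gateway.filen.io",
    "2026-04-27T09:00:05Z WS02 deno.exe agilemast3r.duckdns.org",
    "2026-04-27T09:00:09Z WS03 powershell.exe update-check.cyou",
    "2026-04-27T09:00:12Z WS04 chrome.exe myfilen.io",          # lookalike, must not fire
    "2026-04-27T09:00:15Z WS05 outlook.exe mail.example.com",
]
FILE_SAMPLE = ["2026-04-27T09:01:00Z WS02 C:\\Users\\a\\Downloads\\setup.msi " + "0" * 64,
               "2026-04-27T09:01:02Z WS03 C:\\Tools\\SumatraPDF.exe " + "f" * 64]
```

Running scan_network over the sample flags the first three events and leaves the lookalike and the mail host alone; scan_files flags only the MSI whose hash is on the blocklist.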

Detection Engineering

Sigma Rules

YAML
---
title: Potential APT28 PRISMEX Cloud C2 Activity
id: 8a7b9c1d-0e3f-4a5b-8c6d-7e8f9a0b1c2d
description: Detects potential PRISMEX malware communication via abused filen.io cloud storage infrastructure.
status: experimental
date: 2026/04/27
author: Security Arsenal
references:
    - https://otx.alienvault.com/
tags:
    - attack.command_and_control
    - attack.t1071.001
logsource:
    category: network_connection
    product: windows
detection:
    selection:
        DestinationHostname|endswith:
            - '.filen.io'
            - '.filen-1.net'
            - '.filen-2.net'
    filter:
        Initiated: 'true'
        Image|endswith:
            - '\chrome.exe'
            - '\firefox.exe'
            - '\edge.exe'
            - '\iexplore.exe'
    condition: selection and not filter
falsepositives:
    - Legitimate use of Filen.io sync client by authorized staff
level: high
---
title: MuddyWater DinDoor Deno Runtime Execution
id: 9b8c0d2e-1f4a-5b6c-9d7e-0f1a2b3c4d5e
description: Detects the execution of Deno runtime which is abused by DinDoor backdoor, often spawned from MSI installers or suspicious scripts.
status: experimental
date: 2026/04/27
author: Security Arsenal
references:
    - https://otx.alienvault.com/
tags:
    - attack.execution
    - attack.t1059.007
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\deno.exe'
        CommandLine|contains: 'run'
    condition: selection
falsepositives:
    - Legitimate development activity using Deno
level: medium
---
title: Tropic Trooper SumatraPDF Trojan Execution
id: 0c1d2e3f-2a5b-4c7d-8e9f-0a1b2c3d4e5f  # placeholder: the published id was not a valid hex UUID; generate a fresh UUIDv4 before use
description: Detects suspicious child processes spawned by SumatraPDF, indicative of the trojanized vector dropping AdaptixC2 or VS Code.
status: experimental
date: 2026/04/27
author: Security Arsenal
references:
    - https://otx.alienvault.com/
tags:
    - attack.initial_access
    - attack.t1204
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\SumatraPDF.exe'
        Image|endswith:
            - '\Code.exe'
            - '\mshta.exe'
            - '\powershell.exe'
            - '\cmd.exe'
    condition: selection
falsepositives:
    - Unknown
level: critical

KQL (Microsoft Sentinel)

// Hunt for APT28 PRISMEX and MuddyWater DinDoor C2 infrastructure
DeviceNetworkEvents
| where Timestamp > ago(7d)
// has_any matches on term boundaries; the KQL operator is endswith, not "ends with"
| where RemoteUrl has_any ("filen.io", "duckdns.org") or RemoteUrl endswith ".cyou"
| project Timestamp, DeviceName, InitiatingProcessFileName, InitiatingProcessAccountName, RemoteUrl, RemoteIP
| extend IOCPulse = "APT28 or MuddyWater C2"

// Hunt for DinDoor and Tropic Trooper process execution
DeviceProcessEvents
| where Timestamp > ago(7d)
// =~ is case-insensitive, so Deno.exe and SUMATRAPDF.EXE are not missed
| where FileName =~ "deno.exe" or InitiatingProcessFileName =~ "SumatraPDF.exe"
| project Timestamp, DeviceName, FileName, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine
| extend IOCPulse = iif(FileName =~ "deno.exe", "MuddyWater DinDoor", "Tropic Trooper Exploit")

PowerShell Hunt Script

PowerShell
# IOC Hunter for OTX Pulses 2026-04-27
# Checks for DinDoor processes and Suspicious Network Connections

Write-Host "[+] Hunting for DinDoor (Deno) Processes..."
$denoProcesses = Get-Process -Name "deno" -ErrorAction SilentlyContinue
if ($denoProcesses) {
    Write-Host "[!] ALERT: Deno runtime found! Possible DinDoor infection." -ForegroundColor Red
    $denoProcesses | Select-Object Id, ProcessName, Path, StartTime
} else {
    Write-Host "[-] No Deno processes found."
}

Write-Host "[+] Checking DNS Cache for Malicious Domains..."
$maliciousDomains = @(
    "filen.io",
    "duckdns.org",
    ".cyou",
    "ineracaspsl.site",
    "serialmenot.com"
)

Get-DnsClientCache | Where-Object {
    # Capture the cache record first: inside the inner pipeline $_ is the domain, not the record
    $entry = $_.Entry
    @($maliciousDomains | Where-Object { $entry -like "*$($_)*" }).Count -gt 0
} | ForEach-Object {
    Write-Host "[!] ALERT: Suspicious DNS entry found: $($_.Entry) - $($_.Data)" -ForegroundColor Yellow
}

Write-Host "[+] Checking for trojanized SumatraPDF spawning children..."
$sumatra = Get-Process -Name "SumatraPDF" -ErrorAction SilentlyContinue
if ($sumatra) {
    Write-Host "[*] SumatraPDF is running. Checking child processes..."
    foreach ($parent in $sumatra) {
        # Win32_Process exposes ParentProcessId, so the tree can be walked without extra modules
        $children = Get-CimInstance Win32_Process -Filter "ParentProcessId = $($parent.Id)"
        if (-not $children) {
            Write-Host "[-] No child processes for SumatraPDF PID $($parent.Id)"
        }
        foreach ($child in $children) {
            Write-Host "[!] ALERT: SumatraPDF PID $($parent.Id) spawned $($child.Name) (PID $($child.ProcessId)): $($child.CommandLine)" -ForegroundColor Red
        }
    }
}

Response Priorities

  • Immediate:
    • Block all identified filen.io, duckdns.org, and .cyou domains at the perimeter and DNS resolvers.
    • Block execution of the provided MD5/SHA256 hashes on endpoints.
    • Isolate any systems exhibiting Deno runtime execution (deno.exe) without approved business justification.
  • 24 Hours:
    • Hunt for the specific CVE-2026-21509 and CVE-2026-21513 exploit attempts in web server logs.
    • Review logs for SumatraPDF.exe spawning Code.exe or other shells.
    • Conduct credential audits for users who may have opened the trojanized PDFs or MSI files.
  • 1 Week:
    • Patch systems against CVE-2026-21509 and CVE-2026-21513 immediately upon vendor release.
    • Review and restrict policy regarding the use of cloud storage sync clients (like Filen) and runtimes (Deno) in the environment.
    • Update application allow-lists to block unverified versions of SumatraPDF.
