
Tropic Trooper AdaptixC2 Beacon, uWarrior RAT, and Hybrid Crypto Drainers: OTX Pulse Analysis

Security Arsenal Team
April 24, 2026

Recent OTX pulses highlight a convergence of sophisticated espionage operations and financially motivated cybercrime. The Tropic Trooper threat actor is actively targeting Chinese-speaking entities with a trojanized SumatraPDF installer designed to deploy AdaptixC2 Beacons and Cobalt Strike. Simultaneously, an unknown Italian-origin actor is weaponizing RTF documents using legacy exploits (CVE-2012-1856, CVE-2015-1770) to distribute the uWarrior RAT. In parallel, a "Drainer-as-a-Service" ecosystem is maturing, utilizing tools like StepDrainer and EtherRAT to automate cryptocurrency theft via malicious RPC endpoints. The attack chains demonstrate a shift towards using legitimate tools (VS Code) and exploiting trust in standard document formats to bypass defenses.

Threat Actor / Malware Profile

Tropic Trooper (AdaptixC2 / TOSHIS)

  • Objective: Espionage and data exfiltration targeting Chinese-speaking military sectors.
  • Distribution: ZIP archives containing military-themed lures and a trojanized SumatraPDF executable.
  • Payload Behavior: The modified PDF reader executes shellcode that drops an AdaptixC2 Beacon and a Cobalt Strike Beacon. Notably, it deploys Visual Studio Code as a LOLBin to facilitate execution or staging.
  • Persistence: Uses shellcode loaders and established C2 frameworks (Adaptix/Cobalt Strike) to maintain access.

Unknown Actor (uWarrior / ctOS)

  • Objective: Remote access and control via Italian-developed malware.
  • Distribution: Weaponized RTF documents sent via phishing.
  • Exploitation: Leverages CVE-2012-1856 and CVE-2015-1770 with a novel ROP chain to bypass ASLR. Uses OLE objects to load non-DYNAMICBASE compiled DLLs.
  • C2 Communication: Uses compressed and optionally encrypted TCP protocols to communicate with C2 servers (e.g., login.loginto.me).

Crypto Drainers (StepDrainer / EtherRAT)

  • Objective: Automated theft of cryptocurrency assets.
  • Ecosystem: "Drainer-as-a-Service" model allowing low-skilled actors to deploy sophisticated smart-contract abuse.
  • Infrastructure: Relies on a network of malicious or compromised RPC endpoints (e.g., eth.merkle.io) to intercept and manipulate blockchain transactions.

IOC Analysis

The provided IOCs span file hashes, network infrastructure, and vulnerability identifiers:

  • File Hashes:
    • MD5: 8 hashes associated with the trojanized SumatraPDF and related payloads (Tropic Trooper).
    • SHA256: 3 hashes for the uWarrior RAT binaries.
    • Action: SOC teams should add these hashes to EDR block lists and scan user download directories and temp folders for matching files.
  • Network Indicators:
    • IPv4: 63.142.245.12 (uWarrior C2).
    • Hostnames: Includes C2 domains (login.loginto.me, login.collegefan.org) and a list of 8 RPC endpoints used for crypto draining (eth.merkle.io, rpc.flashbots.net, etc.).
    • Action: Block these domains and IPs at the firewall and proxy level. Investigate outbound traffic to non-standard RPC endpoints from corporate workstations.
  • CVEs:
    • CVE-2012-1856, CVE-2015-1770: These are critical for legacy Microsoft Office environments. Patching is essential, though application allow-listing is the primary mitigation against the RTF vector.

Detection Engineering

Sigma Rules

YAML
---
title: Tropic Trooper AdaptixC2 Beacon Activity
description: Detects trojanized SumatraPDF spawning Visual Studio Code or a shell (PowerShell, cmd), indicative of AdaptixC2 or TOSHIS deployment.
date: 2026-04-24
status: experimental
references:
    - AlienVault OTX
author: Security Arsenal
tags:
    - attack.execution
    - attack.t1059
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\SumatraPDF.exe'
        Image|endswith:
            - '\Code.exe'
            - '\powershell.exe'
            - '\cmd.exe'
    condition: selection
falsepositives:
    - Low; a PDF reader has no routine reason to launch VS Code or a shell
---
title: Potential uWarrior RAT RTF Exploitation
description: Detects Microsoft Word spawning a shell, potentially exploiting CVE-2012-1856 or CVE-2015-1770 to deploy the uWarrior RAT.
date: 2026-04-24
status: experimental
references:
    - AlienVault OTX
author: Security Arsenal
tags:
    - attack.initial_access
    - attack.t1203
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\WINWORD.EXE'
        Image|endswith:
            - '\cmd.exe'
            - '\powershell.exe'
    filter_legit:
        CommandLine|contains: 'update'
    condition: selection and not filter_legit
falsepositives:
    - Medium; Office updaters and add-ins that launch a shell from Word
---
title: Crypto Drainer RPC Connection
description: Detects outbound connections to RPC endpoints used by crypto drainers and to the uWarrior C2 hostnames from the OTX pulses.
date: 2026-04-24
status: experimental
references:
    - AlienVault OTX
author: Security Arsenal
tags:
    - attack.command_and_control
logsource:
    category: network_connection
    product: windows
detection:
    selection:
        Initiated: 'true'
        DestinationHostname|contains:
            - 'eth.merkle.io'
            - 'login.loginto.me'
            - 'eth.drpc.org'
            - 'rpc.mevblocker.io'
            - 'rpc.flashbots.net'
            - 'eth-mainnet.public.blastapi.io'
            - 'mainnet.gateway.tenderly.co'
            - 'rpc.payload.de'
            - 'ethereum-rpc.publicnode.com'
            - 'login.collegefan.org'
    condition: selection
falsepositives:
    - Low in general; legitimate wallet or blockchain tooling that uses these public Ethereum RPC providers will also match
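The following is an added example, not code from the Security Arsenal write-up: it replays the selection and filter logic of the three Sigma rules above against a handful of constructed Sysmon-style events (field names `category`, `ParentImage`, `Image`, `CommandLine`, `Initiated`, `DestinationHostname` follow the rules; the file paths and the `example.com` hostname are made up, the IOC hostnames come from the page). Sigma string modifiers match case-insensitively, so the comparison normalises to lower case. Running it shows which rule fires on which event, including the event suppressed by the `update` filter and the inbound connection that the `Initiated` field excludes.

```python
"""Replay of the page's three Sigma rules over constructed events (added example)."""

# Hostnames copied from the page's network indicators.
DRAINER_AND_C2_HOSTS = [
    "eth.merkle.io", "login.loginto.me", "eth.drpc.org", "rpc.mevblocker.io",
    "rpc.flashbots.net", "eth-mainnet.public.blastapi.io",
    "mainnet.gateway.tenderly.co", "rpc.payload.de",
    "ethereum-rpc.publicnode.com", "login.collegefan.org",
]


def _field(event, name):
    """Sigma string matching is case-insensitive; normalise once here."""
    return str(event.get(name, "")).lower()


def rule_tropic_trooper(event):
    """Rule 1: SumatraPDF spawning VS Code, PowerShell or cmd."""
    return (event.get("category") == "process_creation"
            and _field(event, "ParentImage").endswith("\\sumatrapdf.exe")
            and _field(event, "Image").endswith(("\\code.exe", "\\powershell.exe", "\\cmd.exe")))


def rule_uwarrior_rtf(event):
    """Rule 2: WINWORD spawning a shell, minus the 'update' filter."""
    selection = (event.get("category") == "process_creation"
                 and _field(event, "ParentImage").endswith("\\winword.exe")
                 and _field(event, "Image").endswith(("\\cmd.exe", "\\powershell.exe")))
    filter_legit = "update" in _field(event, "CommandLine")
    return selection and not filter_legit


def rule_drainer_rpc(event):
    """Rule 3: outbound connection whose destination contains a listed host."""
    host = _field(event, "DestinationHostname")
    return (event.get("category") == "network_connection"
            and _field(event, "Initiated") == "true"
            and any(ioc in host for ioc in DRAINER_AND_C2_HOSTS))


RULES = [
    ("Tropic Trooper AdaptixC2 Beacon Activity", rule_tropic_trooper),
    ("Potential uWarrior RAT RTF Exploitation", rule_uwarrior_rtf),
    ("Crypto Drainer RPC Connection", rule_drainer_rpc),
]


def evaluate(events):
    """Return (event id, rule title) for every rule that fires on each event."""
    return [(ev["id"], title) for ev in events for title, rule in RULES if rule(ev)]


# Constructed sample events; paths and non-IOC hostnames are made up.
SAMPLE_EVENTS = [
    {"id": 1, "category": "process_creation",
     "ParentImage": r"C:\Program Files\SumatraPDF\SumatraPDF.exe",
     "Image": r"C:\Users\alice\AppData\Local\Programs\Microsoft VS Code\Code.exe",
     "CommandLine": "Code.exe"},
    {"id": 2, "category": "process_creation",
     "ParentImage": r"C:\Program Files\SumatraPDF\SumatraPDF.exe",
     "Image": r"C:\Windows\System32\notepad.exe", "CommandLine": "notepad.exe"},
    {"id": 3, "category": "process_creation",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c whoami"},
    {"id": 4, "category": "process_creation",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c OfficeUpdate.exe"},  # suppressed by filter_legit
    {"id": 5, "category": "network_connection", "Initiated": "true",
     "Image": r"C:\Users\alice\AppData\Local\Temp\wallet_helper.exe",
     "DestinationHostname": "rpc.flashbots.net"},
    {"id": 6, "category": "network_connection", "Initiated": "false",
     "Image": r"C:\Windows\System32\svchost.exe",
     "DestinationHostname": "eth.merkle.io"},  # inbound: rule requires Initiated
    {"id": 7, "category": "network_connection", "Initiated": "true",
     "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "DestinationHostname": "www.example.com"},
]

if __name__ == "__main__":
    for event_id, title in evaluate(SAMPLE_EVENTS):
        print(f"event {event_id}: {title}")
```

Events 1, 3 and 5 produce hits; event 4 is silent because the `update` filter suppresses any command line containing that substring, which is worth tightening to the specific updater path before the rule goes live, and event 6 is silent because the network rule only considers connections the host initiated.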

KQL (Microsoft Sentinel)

KQL — Microsoft Sentinel / Defender
// Hunt for uWarrior and Crypto Drainer network indicators
let C2Hosts = dynamic(["login.loginto.me", "login.collegefan.org", "eth.merkle.io", "eth.drpc.org", "rpc.mevblocker.io", "rpc.flashbots.net", "eth-mainnet.public.blastapi.io", "mainnet.gateway.tenderly.co", "rpc.payload.de", "ethereum-rpc.publicnode.com"]);
let NetworkHits = DeviceNetworkEvents
| where Timestamp > ago(7d)
| where RemoteUrl has_any (C2Hosts) or RemoteIP == "63.142.245.12"
| summarize Count=count(), FirstSeen=min(Timestamp), LastSeen=max(Timestamp) by DeviceName, RemoteUrl, RemoteIP, InitiatingProcessFileName
| extend Alert = "Suspicious Network Connection Detected";
// Hunt for Tropic Trooper process behaviour: SumatraPDF spawning VS Code or a shell
let ProcessHits = DeviceProcessEvents
| where Timestamp > ago(7d)
| where InitiatingProcessFileName =~ "SumatraPDF.exe" and FileName in~ ("Code.exe", "powershell.exe", "cmd.exe")
| project Timestamp, DeviceName, InitiatingProcessFileName, FileName, FolderPath, ProcessCommandLine
| extend Alert = "Tropic Trooper Process Behavior Detected";
// Combine both hunts into one result set (union fills missing columns with nulls)
union NetworkHits, ProcessHits

PowerShell Hunt Script

PowerShell
# IOC Hunt Script for Tropic Trooper and uWarrior
# Scans common user directories for known malicious file hashes

$PathsToScan = @("C:\Users\*\Downloads", "C:\ProgramData", "C:\Windows\Temp")
$TargetMD5 = @("2d7cc3646c287d6355def362916c6d26", "3238d2f6b9ea9825eb61ae5e80e7365c", "67fcf5c21474d314aa0b27b0ce8befb2", "71fa755b6ba012e1713c9101c7329f8d", "89daa54fada8798c5f4e21738c8ea0b4", "9a69b717ec4e8a35ae595aa6762d3c27", "c620b4671a5715eec0e9f3b93e6532ba", "e2dc48ef24da000b8fc1354fa31ca9ae")
$TargetSHA256 = @("5dce01ec5e1bc1b4f5012e0b4bf16532206284fc8c64cfb8dcf907f45caf98fc", "57a5d0da72655df9c5ca9137df7210b86845eeabae488537c70e36587274937c", "a6dea088c9e2c9191e4c2fc4ece7b7b7bd3f034f444362d35c8765f6ec4bd279")

Write-Host "Starting IOC Hunt..." -ForegroundColor Cyan

foreach ($Path in $PathsToScan) {
    if (Test-Path $Path) {
        Write-Host "Scanning $Path..."
        Get-ChildItem -Path $Path -File -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
            # Check MD5 (Tropic Trooper)
            $Hash = (Get-FileHash -Path $_.FullName -Algorithm MD5 -ErrorAction SilentlyContinue).Hash
            if ($TargetMD5 -contains $Hash) { 
                Write-Host "[MATCH FOUND] Tropic Trooper IOC: $($_.FullName) | MD5: $Hash" -ForegroundColor Red 
            }
            
            # Check SHA256 (uWarrior)
            $Hash256 = (Get-FileHash -Path $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
            if ($TargetSHA256 -contains $Hash256) { 
                Write-Host "[MATCH FOUND] uWarrior IOC: $($_.FullName) | SHA256: $Hash256" -ForegroundColor Red 
            }
        }
    }
}
Write-Host "Hunt Complete." -ForegroundColor Green

Response Priorities

  • Immediate: Block all network IOCs (IPs and domains) listed in the analysis at the perimeter firewall and proxy servers. Initiate a scan for the 8 MD5 hashes associated with Tropic Trooper across all endpoints.
  • 24h: Investigate logs for evidence of RTF exploitation (winword.exe spawning cmd.exe) and analyze systems that communicated with login.loginto.me or login.collegefan.org for signs of uWarrior RAT infection.
  • 1 Week: Harden the environment by applying patches for CVE-2012-1856 and CVE-2015-1770, restricting the execution of unsigned binaries, and enforcing strict software allow-listing for PDF readers like SumatraPDF.
