Recent OTX pulses indicate a diverse and active threat landscape, ranging from state-aligned espionage to financially motivated hybrid crimeware. The most significant development is the resurgence of Tropic Trooper, which is deploying a trojanized SumatraPDF installer to deliver the AdaptixC2 Beacon and Cobalt Strike. The campaign targets Chinese-speaking individuals with military-themed lures to establish a persistent C2 presence, and it additionally drops Visual Studio Code, apparently to run follow-on code from a signed binary that security tooling is unlikely to flag.
Concurrently, a previously unreported threat actor of Italian origin has emerged deploying the uWarrior RAT via weaponized RTF documents. Although the exploits target old CVEs (CVE-2012-1856, CVE-2015-1770), the actor pairs them with novel ROP chains that bypass ASLR, a reminder that legacy exploits remain highly effective against unpatched Office installations when combined with current evasion techniques.
Finally, the "crypto drainer" ecosystem has matured into a hybrid threat. Actors now blend traditional malware loaders with drainers that abuse smart-contract approvals (e.g., StepDrainer, EtherRAT) under a "Drainer-as-a-Service" model, targeting the finance and technology sectors with automated asset theft.
Threat Actor / Malware Profile
1. Tropic Trooper (AdaptixC2 Beacon)
- Distribution Method: Malicious ZIP archives containing a trojanized SumatraPDF executable. Initial access is achieved via social engineering using military-themed documents.
- Payload Behavior: The SumatraPDF binary drops a shellcode loader (EntryShell/TOSHIS) that injects the AdaptixC2 Beacon. Unusually, the campaign also installs Visual Studio Code, most likely to blend in with developer activity or to use a signed, trusted binary for living-off-the-land execution.
- C2 Communication: Utilizes AdaptixC2 infrastructure, known for configurable communication profiles to evade network detection.
2. uWarrior RAT (Unknown Italian Actor)
- Distribution Method: Weaponized Rich Text Format (RTF) files delivered via phishing.
- Payload Behavior: Exploits CVE-2012-1856 and CVE-2015-1770. The ROP chain bypasses ASLR by loading DLLs that were compiled without DYNAMICBASE via OLE objects, which gives the chain gadgets at fixed, predictable addresses. The payload is a fully featured RAT allowing remote control.
- C2 Communication: Uses compressed and optionally encrypted TCP channels to communicate with C2 servers such as login.loginto.me.
3. Crypto Drainers (StepDrainer, EtherRAT)
- Distribution Method: Wallet phishing sites and malvertising campaigns targeting crypto users.
- Payload Behavior: Browser-based scripts or malicious extensions that automate the approval of malicious transactions. They interact with public RPC nodes such as rpc.flashbots.net or eth.merkle.io to drain assets across multiple blockchains.
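The uWarrior profile above hinges on DLLs linked without DYNAMICBASE: their gadgets never move, so a ROP chain can use hard-coded addresses. The script below is an added example (not code from the OTX pulse, the page or the actor) that audits a directory of DLL/OCX files for that flag by reading the PE headers directly, with no pefile dependency. The default scan root is an assumed Office install location; `build_stub_pe` produces constructed header-only images so the logic can be checked offline.

```python
"""Audit PE modules for the DYNAMICBASE (ASLR opt-in) flag.

Added example, not code from the page or the campaign. Modules reported as
"no-aslr" are the ones a ROP chain like uWarrior's can rely on for fixed
gadget addresses. Only the headers are parsed, so scanning is cheap.
"""
import struct
import sys
from pathlib import Path

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B


def dll_characteristics(data: bytes) -> int:
    """Return the DllCharacteristics field of an in-memory PE image.

    Raises ValueError for anything that is not a well-formed PE header.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                                   # IMAGE_FILE_HEADER (20 bytes)
    size_of_optional = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20                                       # IMAGE_OPTIONAL_HEADER
    if size_of_optional < 72 or len(data) < opt + 72:
        raise ValueError("optional header truncated")
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError(f"unknown optional header magic {magic:#x}")
    # DllCharacteristics sits at offset 70 of the optional header in both PE32 and PE32+.
    return struct.unpack_from("<H", data, opt + 70)[0]


def aslr_opted_out(data: bytes) -> bool:
    """True when the image was linked without /DYNAMICBASE."""
    return not (dll_characteristics(data) & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE)


def audit(items):
    """items: iterable of (label, header bytes). Returns [(label, status)] where status is
    'no-aslr', 'aslr' or 'skip: <reason>' for files that are not PE images."""
    results = []
    for label, data in items:
        try:
            status = "no-aslr" if aslr_opted_out(data) else "aslr"
        except ValueError as exc:
            status = f"skip: {exc}"
        results.append((label, status))
    return results


def audit_directory(root, patterns=("*.dll", "*.ocx")):
    """Walk root and audit every DLL and OCX (OCX files are the OLE controls the RTF exploits load).
    Only the first 4 KiB of each file is read; that covers the headers of any normal image."""
    def headers():
        for pattern in patterns:
            for path in Path(root).rglob(pattern):
                with open(path, "rb") as fh:
                    yield str(path), fh.read(4096)
    return audit(headers())


def build_stub_pe(dll_chars: int, pe32plus: bool = False) -> bytes:
    """Constructed sample: a header-only PE image carrying the given DllCharacteristics."""
    e_lfanew = 0x40
    dos_header = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    opt_size = 112 if pe32plus else 96                    # optional header without data directories
    machine = 0x8664 if pe32plus else 0x14C
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable, NumberOfSymbols,
    # SizeOfOptionalHeader, Characteristics (0x2002 = EXECUTABLE_IMAGE | DLL)
    coff_header = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, opt_size, 0x2002)
    optional = bytearray(opt_size)
    struct.pack_into("<H", optional, 0, PE32PLUS_MAGIC if pe32plus else PE32_MAGIC)
    struct.pack_into("<H", optional, 70, dll_chars)
    return dos_header + b"PE\0\0" + coff_header + bytes(optional)


if __name__ == "__main__":
    # Assumed Office install root; pass another directory as the first argument.
    root = sys.argv[1] if len(sys.argv) > 1 else r"C:\Program Files\Microsoft Office"
    for label, status in audit_directory(root):
        if status == "no-aslr":
            print(f"NO ASLR  {label}")
```

Run it against the Office and Windows\System32 trees of a gold image and compare the "no-aslr" list with what the RTF samples load; a short list is what makes the ROP chain workable, and a patched MSCOMCTL or an opted-in replacement removes that footing.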
IOC Analysis
The provided indicators of compromise (IOCs) span multiple vectors and require distinct operational responses:
- File Hashes (MD5/SHA256): Primarily associated with the trojanized SumatraPDF installers (MD5) and the uWarrior RAT payloads (SHA256). SOC teams should immediately hash-search across endpoints using EDR telemetry or tools like Velociraptor.
- Network Hostnames/IPs: Includes C2 infrastructure for uWarrior (login.loginto.me, 63.142.245.12) and legitimate public RPC nodes used by drainer campaigns (eth.merkle.io, rpc.flashbots.net). Blocking the malicious IPs and hostnames is critical, while the RPC nodes require context-aware blocking (e.g., permitting them only from the endpoints of teams that legitimately use Web3 services) to avoid business impact.
- CVEs: CVE-2012-1856 and CVE-2015-1770 highlight the need for patch management and vulnerability scanning, specifically for legacy Office installations.
Detection Engineering
Sigma rules (process_creation and network_connection log sources) for the three campaigns:

```yaml
title: Suspicious SumatraPDF Child Process - Tropic Trooper Activity
id: 5f8a3b12-9c8d-4e2f-9a6b-1c2d3e4f5a6b
description: Detects potential Tropic Trooper activity involving a trojanized SumatraPDF spawning unusual child processes such as VS Code, PowerShell or cmd.
status: experimental
date: 2026-04-25
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/634567890/
tags:
    - attack.execution
    - attack.t1204
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\SumatraPDF.exe'
        Image|endswith:
            - '\Code.exe'
            - '\powershell.exe'
            - '\cmd.exe'
    condition: selection
falsepositives:
    - Legitimate use of SumatraPDF to open documents triggering scripts (rare)
level: high
---
title: RTF Exploit Suspicious Network Connection - uWarrior RAT
id: 6e7b4c23-0d9e-5f3a-0b7c-2d3e4f5a6b7c
description: Detects network connections from Microsoft Office processes to known uWarrior C2 infrastructure.
status: experimental
date: 2026-04-25
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/634567891/
tags:
    - attack.command_and_control
    - attack.t1071
logsource:
    category: network_connection
    product: windows
detection:
    selection:
        # Sigma's network_connection schema names the originating process Image;
        # InitiatingProcessImage is a Defender column and would not convert for other backends.
        Image|endswith:
            - '\WINWORD.EXE'
            - '\EXCEL.EXE'
        DestinationHostname|contains:
            - 'loginto.me'
            - 'collegefan.org'
    condition: selection
falsepositives:
    - Unknown
level: critical
---
title: Crypto Drainer RPC Node Usage
# Sigma ids must be valid UUIDs; the originally published id contained a non-hex character.
id: 7f8c5d34-1e0f-6a4b-1c8d-3e4f5a6b7c8d
description: Detects processes connecting to RPC nodes often abused by crypto drainers, excluding approved wallet applications.
status: experimental
date: 2026-04-25
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/634567892/
tags:
    - attack.resource_hijacking
    - attack.t1496
logsource:
    category: network_connection
    product: windows
detection:
    selection:
        DestinationHostname|contains:
            - 'mevblocker.io'
            - 'flashbots.net'
            - 'payload.de'
            - 'drpc.org'
    filter:
        # Adjust to the install paths of the wallet and browser builds approved in your environment.
        Image|contains:
            - '\browser\'
            - '\wallet\'
    condition: selection and not filter
falsepositives:
    - Legitimate Web3 usage by developers or finance staff
level: medium
```
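Before converting the rules above with sigma-cli for a production backend, it helps to check that the selection and filter logic does what you expect, particularly the `selection and not filter` exclusion in the drainer rule. The evaluator below is an added example (not code from the page, the OTX pulses or Security Arsenal) that implements only the Sigma features these three rules use: the `endswith` and `contains` modifiers, exact match, and the two condition forms. The rule dictionaries mirror the YAML above with Sigma's standard field names, and every event is constructed for this example.

```python
"""Offline evaluation of the page's three Sigma rules against constructed events.

Added example, not code from the page. Supports only the Sigma subset those rules use;
real conversion and backend-specific field mapping belong to sigma-cli / pySigma.
"""
from typing import Optional

RULES = {
    "tropic_trooper_sumatrapdf_child": {
        "category": "process_creation",
        "detection": {
            "selection": {
                "ParentImage|endswith": "\\SumatraPDF.exe",
                "Image|endswith": ["\\Code.exe", "\\powershell.exe", "\\cmd.exe"],
            },
            "condition": "selection",
        },
    },
    "uwarrior_office_c2": {
        "category": "network_connection",
        "detection": {
            "selection": {
                "Image|endswith": ["\\WINWORD.EXE", "\\EXCEL.EXE"],
                "DestinationHostname|contains": ["loginto.me", "collegefan.org"],
            },
            "condition": "selection",
        },
    },
    "crypto_drainer_rpc": {
        "category": "network_connection",
        "detection": {
            "selection": {
                "DestinationHostname|contains": ["mevblocker.io", "flashbots.net", "payload.de", "drpc.org"],
            },
            "filter": {"Image|contains": ["\\browser\\", "\\wallet\\"]},
            "condition": "selection and not filter",
        },
    },
}

# Constructed events, not real telemetry. 'category' stands in for the log source.
SAMPLE_EVENTS = [
    {"id": 1, "category": "process_creation",
     "ParentImage": r"C:\Users\alice\Downloads\SumatraPDF.exe",
     "Image": r"C:\Users\alice\AppData\Local\Programs\Microsoft VS Code\Code.exe"},
    {"id": 2, "category": "process_creation",
     "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Program Files\SumatraPDF\SumatraPDF.exe"},
    {"id": 3, "category": "network_connection",
     "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "DestinationHostname": "login.loginto.me", "DestinationPort": 443},
    {"id": 4, "category": "network_connection",
     "Image": r"C:\Windows\System32\svchost.exe",
     "DestinationHostname": "rpc.flashbots.net", "DestinationPort": 443},
    {"id": 5, "category": "network_connection",
     "Image": r"C:\Program Files\Wallet\wallet.exe",
     "DestinationHostname": "rpc.flashbots.net", "DestinationPort": 443},
]


def match_value(value, pattern: str, modifier: Optional[str]) -> bool:
    """Sigma string matching is case-insensitive; a field the event lacks never matches."""
    if value is None:
        return False
    value, pattern = str(value).lower(), pattern.lower()
    if modifier is None:
        return value == pattern
    if modifier == "endswith":
        return value.endswith(pattern)
    if modifier == "contains":
        return pattern in value
    raise NotImplementedError(f"modifier {modifier!r} is not supported by this evaluator")


def match_search(event: dict, search: dict) -> bool:
    """A search map matches when every field matches (AND); a list of values for one field is OR."""
    for key, patterns in search.items():
        field, _, modifier = key.partition("|")
        patterns = patterns if isinstance(patterns, list) else [patterns]
        if not any(match_value(event.get(field), p, modifier or None) for p in patterns):
            return False
    return True


def evaluate(rule: dict, event: dict) -> bool:
    """True when the event's log source matches the rule and its condition holds."""
    if event.get("category") != rule["category"]:
        return False
    detection = rule["detection"]
    named = {name: match_search(event, search)
             for name, search in detection.items() if name != "condition"}
    tokens = detection["condition"].split()
    if len(tokens) == 1:                                   # "selection"
        return named[tokens[0]]
    if len(tokens) == 4 and tokens[1:3] == ["and", "not"]: # "selection and not filter"
        return named[tokens[0]] and not named[tokens[3]]
    raise NotImplementedError(f"condition {detection['condition']!r} is not supported")


def run(rules=RULES, events=SAMPLE_EVENTS) -> dict:
    """Return {rule name: [ids of the events it fires on]}."""
    return {name: [e["id"] for e in events if evaluate(rule, e)] for name, rule in rules.items()}


if __name__ == "__main__":
    for name, ids in run().items():
        print(f"{name}: {ids or 'no hits'}")
```

Event 5 shows the filter doing its job (the wallet binary's path contains `\wallet\`, so the flashbots connection is suppressed), while event 4 shows why the rule is worth keeping at medium: svchost.exe talking to an Ethereum RPC node has no benign explanation. Note that the evaluator matches `endswith` and `contains` literally; Sigma also treats `*` and `?` as wildcards, which these rules do not use.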
Microsoft Defender XDR advanced hunting (KQL):

```kql
// Single advanced-hunting query covering the three campaigns. Advanced hunting runs one
// final tabular expression per query, so the per-campaign hunts are defined with let
// statements and unioned rather than separated by semicolons.
// The Tropic Trooper hashes from the pulse are MD5 (32 hex chars), so they are matched
// against the MD5 column, and no file-name filter is applied because the dropper may be renamed.
let TropicTrooperMd5 = dynamic([
    "2d7cc3646c287d6355def362916c6d26", "3238d2f6b9ea9825eb61ae5e80e7365c",
    "67fcf5c21474d314aa0b27b0ce8befb2", "71fa755b6ba012e1713c9101c7329f8d",
    "89daa54fada8798c5f4e21738c8ea0b4", "9a69b717ec4e8a35ae595aa6762d3c27",
    "c620b4671a5715eec0e9f3b93e6532ba", "e2dc48ef24da000b8fc1354fa31ca9ae"]);
let uWarriorHosts = dynamic(["login.loginto.me", "login.collegefan.org"]);
let DrainerRpcHosts = dynamic([
    "eth.merkle.io", "eth.drpc.org", "rpc.mevblocker.io", "rpc.flashbots.net",
    "eth-mainnet.public.blastapi.io", "mainnet.gateway.tenderly.co", "rpc.payload.de",
    "ethereum-rpc.publicnode.com"]);
// Hunt for Tropic Trooper IOCs (trojanized SumatraPDF)
let TropicTrooper = DeviceProcessEvents
    | where Timestamp > ago(7d)
    | where MD5 in~ (TropicTrooperMd5)
    | project Timestamp, DeviceName, AccountName, FileName, FolderPath, MD5, SHA256
    | extend MatchType = "TropicTrooper_Hash";
// Hunt for uWarrior C2 connections
let uWarrior = DeviceNetworkEvents
    | where Timestamp > ago(7d)
    | where RemoteUrl in~ (uWarriorHosts) or RemoteIP == "63.142.245.12"
    | project Timestamp, DeviceName, InitiatingProcessFileName, RemoteUrl, RemoteIP, RemotePort
    | extend MatchType = "uWarrior_C2";
// Hunt for crypto drainer RPC node usage (review the initiating process: wallets and browsers are expected)
let Drainer = DeviceNetworkEvents
    | where Timestamp > ago(7d)
    | where RemoteUrl has_any (DrainerRpcHosts)
    | project Timestamp, DeviceName, InitiatingProcessFileName, RemoteUrl, RemotePort
    | extend MatchType = "CryptoDrainer_RPC";
union TropicTrooper, uWarrior, Drainer
| order by Timestamp desc
```
Endpoint IOC hunt (PowerShell):

```powershell
<#
.SYNOPSIS
    IOC hunt script for the Tropic Trooper (trojanized SumatraPDF) and uWarrior RAT campaigns.
.DESCRIPTION
    Walks the given path once, computes the MD5 and SHA256 of each file and reports matches against
    the OTX hash lists (MD5 for the SumatraPDF droppers, SHA256 for the uWarrior payloads).
    Hashing every file on a volume is slow; scope -Path to user-writable locations first
    (Downloads, Temp, AppData) and widen only if needed.
.PARAMETER Path
    Root directory to scan. Defaults to C:\.
#>
param(
    [string]$Path = 'C:\'
)

$TropicTrooperHashes = @(
    "2d7cc3646c287d6355def362916c6d26",
    "3238d2f6b9ea9825eb61ae5e80e7365c",
    "67fcf5c21474d314aa0b27b0ce8befb2",
    "71fa755b6ba012e1713c9101c7329f8d",
    "89daa54fada8798c5f4e21738c8ea0b4",
    "9a69b717ec4e8a35ae595aa6762d3c27",
    "c620b4671a5715eec0e9f3b93e6532ba",
    "e2dc48ef24da000b8fc1354fa31ca9ae"
)
$uWarriorHashes = @(
    "5dce01ec5e1bc1b4f5012e0b4bf16532206284fc8c64cfb8dcf907f45caf98fc",
    "57a5d0da72655df9c5ca9137df7210b86845eeabae488537c70e36587274937c",
    "a6dea088c9e2c9191e4c2fc4ece7b7b7bd3f034f444362d35c8765f6ec4bd279"
)

$Findings = @()
Write-Host "Starting IOC hunt for Tropic Trooper and uWarrior under $Path ..." -ForegroundColor Cyan

# Single pass over the tree; both hashes are computed per file so the volume is only walked once.
Get-ChildItem -Path $Path -Recurse -File -Force -ErrorAction SilentlyContinue | ForEach-Object {
    $file = $_
    # -contains compares case-insensitively, so Get-FileHash's upper-case output matches the lower-case lists.
    $md5 = (Get-FileHash -LiteralPath $file.FullName -Algorithm MD5 -ErrorAction SilentlyContinue).Hash
    if ($md5 -and $TropicTrooperHashes -contains $md5) {
        Write-Host "[ALERT] Tropic Trooper file found: $($file.FullName)" -ForegroundColor Red
        $Findings += [pscustomobject]@{ Campaign = 'TropicTrooper'; Hash = $md5; Path = $file.FullName }
    }
    $sha256 = (Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
    if ($sha256 -and $uWarriorHashes -contains $sha256) {
        Write-Host "[ALERT] uWarrior file found: $($file.FullName)" -ForegroundColor Red
        $Findings += [pscustomobject]@{ Campaign = 'uWarrior'; Hash = $sha256; Path = $file.FullName }
    }
}

Write-Host "IOC hunt complete. $($Findings.Count) match(es)." -ForegroundColor Green
$Findings
```
# Response Priorities
* **Immediate:** Block the listed C2 IP address (`63.142.245.12`) and hostnames (`login.loginto.me`, `login.collegefan.org`). Initiate a hash hunt across endpoints for the trojanized SumatraPDF MD5s and the uWarrior SHA256s provided in the IOC lists.
* **24h:** If uWarrior or AdaptixC2 is suspected to have executed, reset credentials for privileged accounts on the affected segments. Analyze network logs for lateral movement indicators associated with Cobalt Strike.
* **1 Week:** Verify patch status for CVE-2012-1856 and CVE-2015-1770. Implement application control policies to restrict the execution of unauthorized instances of SumatraPDF and unexpected installations of VS Code. Review web proxy logs for access to drainer-associated RPC nodes from hosts that have no Web3 business need.