{
  "Event": {
    "analysis": "1",
    "date": "2026-04-23",
    "extends_uuid": "",
    "info": "[Threat Intel] Malicious Campaign Deploying AdaptixC2 Beacon and VS Code via Trojanized SumatraPDF",
    "protected": false,
    "publish_timestamp": "1779545415",
    "published": true,
    "threat_level_id": "2",
    "timestamp": "1779545414",
    "uuid": "36c9b38a-5ff3-4b8c-b0b0-5c0b244e338f",
    "Orgc": {
      "name": "Rectifyq",
      "uuid": "cd9bd516-61fa-476b-980f-2f8de03992d4"
    },
    "Tag": [
      {
        "colour": "#ffffff",
        "local": false,
        "name": "tlp:clear",
        "relationship_type": ""
      },
      {
        "colour": "#004646",
        "local": false,
        "name": "type:OSINT",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"from-original-src\"",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"from-OTX\"",
        "relationship_type": ""
      },
      {
        "colour": "#7da4ad",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Match Legitimate Resource Name or Location - T1036.005\"",
        "relationship_type": ""
      },
      {
        "colour": "#47d9d3",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Malicious File - T1204.002\"",
        "relationship_type": ""
      },
      {
        "colour": "#5539fe",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Spearphishing Attachment - T1566.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#7d7034",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"System Information Discovery - T1082\"",
        "relationship_type": ""
      },
      {
        "colour": "#a92e1c",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Deobfuscate/Decode Files or Information - T1140\"",
        "relationship_type": ""
      },
      {
        "colour": "#43c8db",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Process Injection - T1055\"",
        "relationship_type": ""
      },
      {
        "colour": "#c8f8ef",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"System Binary Proxy Execution - T1218\"",
        "relationship_type": ""
      },
      {
        "colour": "#20f80d",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Command and Scripting Interpreter - T1059\"",
        "relationship_type": ""
      },
      {
        "colour": "#0c0051",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"File and Directory Discovery - T1083\"",
        "relationship_type": ""
      },
      {
        "colour": "#9e0269",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Web Service - T1102\"",
        "relationship_type": ""
      },
      {
        "colour": "#b76d96",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Registry Run Keys / Startup Folder - T1547.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#e08bb2",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Obfuscated Files or Information - T1027\"",
        "relationship_type": ""
      },
      {
        "colour": "#356c41",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Encrypted Channel - T1573\"",
        "relationship_type": ""
      },
      {
        "colour": "#30cc3b",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"File Deletion - T1070.004\"",
        "relationship_type": ""
      },
      {
        "colour": "#3c0f50",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Software Packing - T1027.002\"",
        "relationship_type": ""
      },
      {
        "colour": "#92e858",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Web Protocols - T1071.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#4c0fbb",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Ingress Tool Transfer - T1105\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:threat-actor=\"APT23\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:malpedia=\"AdaptixC2\"",
        "relationship_type": ""
      },
      {
        "colour": "#08b028",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Asymmetric Cryptography - T1573.002\"",
        "relationship_type": ""
      },
      {
        "colour": "#57997c",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Bidirectional Communication - T1102.002\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Cloud Accounts - T1585.003\"",
        "relationship_type": ""
      },
      {
        "colour": "#68f2ff",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Data from Local System - T1005\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Dynamic API Resolution - T1027.007\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Encrypted/Encoded File - T1027.013\"",
        "relationship_type": ""
      },
      {
        "colour": "#a9f8b1",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Exfiltration Over C2 Channel - T1041\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"IDE Tunneling - T1219.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#4f539c",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Invalid Code Signature - T1036.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#9edfba",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Malware - T1587.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#5bb38b",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Malware - T1588.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#1b0fe1",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Masquerade Task or Service - T1036.004\"",
        "relationship_type": ""
      },
      {
        "colour": "#f5a258",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Native API - T1106\"",
        "relationship_type": ""
      },
      {
        "colour": "#4494e4",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Protocol or Service Impersonation - T1001.003\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Reflective Code Loading - T1620\"",
        "relationship_type": ""
      },
      {
        "colour": "#705cef",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Scheduled Task - T1053.005\"",
        "relationship_type": ""
      },
      {
        "colour": "#bb2745",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Standard Encoding - T1132.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#56c932",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Symmetric Cryptography - T1573.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#9f6bd9",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"System Network Configuration Discovery - T1016\"",
        "relationship_type": ""
      },
      {
        "colour": "#6fe7f4",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Tool - T1588.002\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Trusted Developer Utilities Proxy Execution - T1127\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Upload Malware - T1608.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Upload Tool - T1608.002\"",
        "relationship_type": ""
      },
      {
        "colour": "#02475d",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Windows Command Shell - T1059.003\"",
        "relationship_type": ""
      },
      {
        "colour": "#49a260",
        "local": false,
        "name": "rectifyq:category=\"threat\"",
        "relationship_type": ""
      },
      {
        "colour": "#130049",
        "local": false,
        "name": "rectifyq:sub-category=\"campaign-analysis\"",
        "relationship_type": ""
      },
      {
        "colour": "#f1dfed",
        "local": false,
        "name": "rectifyq:TA-category=\"APT\"",
        "relationship_type": ""
      },
      {
        "colour": "#ffd12e",
        "local": false,
        "name": "rectifyq:target=\"broad-based\"",
        "relationship_type": ""
      },
      {
        "colour": "#fdcb58",
        "local": false,
        "name": "rectifyq:MY-relevancy=\"somewhat-relevant\"",
        "relationship_type": ""
      },
      {
        "colour": "#5887a6",
        "local": false,
        "name": "misp-galaxy:target-information=\"Japan\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:target-information=\"South Korea\"",
        "relationship_type": ""
      },
      {
        "colour": "#2613b0",
        "local": false,
        "name": "misp-galaxy:target-information=\"Taiwan\"",
        "relationship_type": ""
      },
      {
        "colour": "#626567",
        "local": false,
        "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
        "relationship_type": ""
      },
      {
        "colour": "#230087",
        "local": false,
        "name": "rectifyq:samples-found-in=\"Tria.ge\"",
        "relationship_type": ""
      },
      {
        "colour": "#3800d9",
        "local": false,
        "name": "rectifyq:action-taken=\"VT-comment\"",
        "relationship_type": ""
      },
      {
        "colour": "#3d00e9",
        "local": false,
        "name": "rectifyq:action-taken=\"telegram\"",
        "relationship_type": ""
      }
    ],
    "Attribute": [
      {
        "category": "Other",
        "comment": "Description",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776942038",
        "to_ids": false,
        "type": "text",
        "uuid": "ebf026bd-4b3f-4046-ad27-35e765092083",
        "value": "On March 12, 2026, a sophisticated attack campaign was identified targeting Chinese-speaking individuals using military-themed document lures distributed through a malicious ZIP archive. The operation employed a trojanized SumatraPDF binary as the initial vector to deploy an AdaptixC2 Beacon and Visual Studio Code on victim systems. The shellcode loader demonstrated significant similarities to the TOSHIS loader previously linked to TAOTH campaigns. Attackers established a custom AdaptixC2 Beacon listener utilizing GitHub for command-and-control infrastructure. The staging server infrastructure additionally hosted a CobaltStrike Beacon and the EntryShell backdoor, both previously associated with this threat group. The campaign infrastructure included multiple compromised domains and IP addresses for malware distribution and C2 communications."
      },
      {
        "category": "Other",
        "comment": "Summary",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776942038",
        "to_ids": false,
        "type": "text",
        "uuid": "02b0949f-dba7-40cd-a764-4df08082ffd3",
        "value": "Name: Malicious Campaign Deploying AdaptixC2 Beacon and VS Code via Trojanized SumatraPDF\nAuthor: AlienVault\nAdversary: Tropic Trooper\nTags: [\"sumatrapdf\", \"cobaltstrike\", \"adaptixc2 beacon\", \"entryshell\", \"toshis\", \"tropic trooper\", \"chinese targets\", \"cobaltstrike beacon\", \"toshis loader\", \"adaptixc2\", \"github c2\"]\nTgtd countries: []\nMlwr families: [\"AdaptixC2 Beacon\", \"CobaltStrike Beacon\", \"EntryShell\", \"TOSHIS\"]\nAttack_ids: [\"T1036.005\", \"T1204.002\", \"T1566.001\", \"T1082\", \"T1140\", \"T1055\", \"T1218\", \"T1059\", \"T1083\", \"T1102\", \"T1547.001\", \"T1027\", \"T1573\", \"T1070.004\", \"T1027.002\", \"T1071.001\", \"T1105\"]\nIndustries: []"
      },
      {
        "category": "Attribution",
        "comment": "Adversary",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777603649",
        "to_ids": false,
        "type": "threat-actor",
        "uuid": "cad877f3-ae94-4fac-a87f-e25202f741e6",
        "value": "Tropic Trooper",
        "Tag": [
          {
            "colour": "#0088cc",
            "local": false,
            "name": "misp-galaxy:threat-actor=\"APT23\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "Encrypted Cobalt Strike Beacon loader. No sample in VirusTotal.\r\nLast check: 01/05/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1779545388",
        "to_ids": true,
        "type": "md5",
        "uuid": "fad8c3aa-b517-4698-a4b9-d3b5703ddbf5",
        "value": "2d7cc3646c287d6355def362916c6d26",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "Encrypted Cobalt Strike Beacon loader. No sample in VirusTotal.\r\nLast check: 01/05/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1779545390",
        "to_ids": true,
        "type": "md5",
        "uuid": "406e6d4c-585b-431b-85d4-0a9e6d82abcb",
        "value": "71fa755b6ba012e1713c9101c7329f8d",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "Decrypted Cobalt Strike Beacon loader. No sample in VirusTotal.\r\nLast check: 01/05/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1779545391",
        "to_ids": true,
        "type": "md5",
        "uuid": "cbf91ae4-b762-4b62-88ca-90a620593076",
        "value": "9a69b717ec4e8a35ae595aa6762d3c27",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "Decrypted Cobalt Strike Beacon loader. No sample in VirusTotal.\r\nLast check: 01/05/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1779545393",
        "to_ids": true,
        "type": "md5",
        "uuid": "d123f250-946d-4427-b411-2ab3054bbd1f",
        "value": "c620b4671a5715eec0e9f3b93e6532ba",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "Decrypted AdaptixC2 Beacon agent DLL. No sample in VirusTotal.\r\nLast check: 01/05/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1779545395",
        "to_ids": true,
        "type": "md5",
        "uuid": "6d150d5c-5b0e-4ec8-9fbc-07033eda86d7",
        "value": "e2dc48ef24da000b8fc1354fa31ca9ae",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "Decrypted Cobalt Strike Beacon loader. No sample in VirusTotal.\r\nLast check: 01/05/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1779545397",
        "to_ids": true,
        "type": "sha1",
        "uuid": "e7fd8d1b-c174-4aea-9b1d-c019a438e9e3",
        "value": "343be0f2077901ea5b5b9fb97d97892ac1a907e6",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "Decrypted Cobalt Strike Beacon loader. No sample in VirusTotal.\r\nLast check: 01/05/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1779545399",
        "to_ids": true,
        "type": "sha1",
        "uuid": "97c3fe29-a302-41f8-a1c8-04f5f4c64452",
        "value": "401cc16d79d94c32da3f66df21d66ffd71603c14",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "Decrypted AdaptixC2 Beacon agent DLL. No sample in VirusTotal.\r\nLast check: 01/05/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1779545401",
        "to_ids": true,
        "type": "sha1",
        "uuid": "ef5c14e3-c42c-4c15-8ae0-966aae8cd3b0",
        "value": "6c68dc2e33780e07596c3c06aa819ea460b3d125",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "Encrypted Cobalt Strike Beacon loader. No sample in VirusTotal.\r\nLast check: 01/05/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1779545403",
        "to_ids": true,
        "type": "sha1",
        "uuid": "75ad4a34-3d06-4379-8d50-c3f405d24d1a",
        "value": "adb47733c224fc8c0f7edc61becb578e560435ab",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "Encrypted Cobalt Strike Beacon loader. No sample in VirusTotal.\r\nLast check: 01/05/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1779545405",
        "to_ids": true,
        "type": "sha1",
        "uuid": "fdd29cd6-c499-451e-9a0d-56e7090141dd",
        "value": "c2051635ccfdc0b48c260e7ceeee3f96bf026fea",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "Encrypted Cobalt Strike Beacon loader. No sample in VirusTotal.\r\nLast check: 01/05/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1779545407",
        "to_ids": true,
        "type": "sha256",
        "uuid": "2cf26622-cdb2-441f-99ab-c3d3620c610e",
        "value": "3936f522f187f8f67dda3dc88abfd170f6ba873af81fc31bbf1fdbcad1b2a7fb",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "Decrypted Cobalt Strike Beacon loader. No sample in VirusTotal.\r\nLast check: 01/05/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1779545409",
        "to_ids": true,
        "type": "sha256",
        "uuid": "f92cd484-6b96-490b-b892-70cedb5a71d3",
        "value": "3c29c72a59133dd9eb23953211129fd8275a11b91a3b8dddb3c6e502b6b63edb",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "Encrypted Cobalt Strike Beacon loader. No sample in VirusTotal.\r\nLast check: 01/05/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1779545411",
        "to_ids": true,
        "type": "sha256",
        "uuid": "f6cfc548-0320-44bf-ab4c-4cbd3b022c55",
        "value": "6eaea92394e115cd6d5bab9ae1c6d088806229aae320e6c519c2d2210dbc94fe",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "Decrypted AdaptixC2 Beacon agent DLL. No sample in VirusTotal.\r\nLast check: 01/05/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1779545413",
        "to_ids": true,
        "type": "sha256",
        "uuid": "a929dcda-8197-4153-b212-2b6d4ce57dba",
        "value": "7a95ce0b5f201d9880a6844a1db69aac7d1a0bf1c88f85989264caf6c82c6001",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "Decrypted Cobalt Strike Beacon loader. No sample in VirusTotal.\r\nLast check: 01/05/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1779545414",
        "to_ids": true,
        "type": "sha256",
        "uuid": "54c20658-2b2c-48ba-a99d-be9531c0779f",
        "value": "b92a3a1cf5786b6e08643483387b77640cd44f84df1169dd00efde7af46b5714",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777610312",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "2e8bc823-f442-4dca-a133-afda8b292bd8",
        "value": "158.247.193.100",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777610333",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "f6c51eee-5abc-475b-9463-fbf73e3e5625",
        "value": "47.76.236.58",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777610354",
        "to_ids": true,
        "type": "url",
        "uuid": "2cab2ab0-da2b-406d-9e1d-735bd1d9cddc",
        "value": "https://47.76.236.58:4430/Divide/developement/GIZWQVCLF",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777610376",
        "to_ids": true,
        "type": "url",
        "uuid": "40e4b581-2483-421c-b290-9578f64a259d",
        "value": "https://47.76.236.58:4430/Originate/contacts/CX4YJ5JI7RZ",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777610397",
        "to_ids": true,
        "type": "url",
        "uuid": "726047a0-473e-47ac-9e7c-396263dacdc5",
        "value": "https://stg.lsmartv.com:8443/Divide/developement/GIZWQVCLF",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777610418",
        "to_ids": true,
        "type": "url",
        "uuid": "be1b68eb-012f-4e0a-81c1-3f74a3f33462",
        "value": "https://stg.lsmartv.com:8443/Originate/contacts/CX4YJ5JI7RZ",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777610439",
        "to_ids": true,
        "type": "hostname",
        "uuid": "c8b6a1c4-3820-432c-8247-c0c6d7c3ba51",
        "value": "stg.lsmartv.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777504927",
        "to_ids": false,
        "type": "link",
        "uuid": "b28a1d93-af83-4570-80cc-2e3aa55c1d18",
        "value": "https://www.zscaler.com/blogs/security-research/tropic-trooper-pivots-adaptixc2-and-custom-beacon-listener"
      },
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777504938",
        "to_ids": false,
        "type": "link",
        "uuid": "4b5d316f-96c8-4eb7-8764-f95f0bc23234",
        "value": "https://community.gurucul.com/articles/ThreatResearch/Tropic-Trooper-Pivots-to-AdaptixC2-and-24-4-2026"
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777610460",
        "to_ids": true,
        "type": "url",
        "uuid": "a96f98ec-679b-494f-804f-b94620f7e1d8",
        "value": "https://api.github.com/repos/cvaS23uchsahs/rss/issues",
        "Tag": [
          {
            "colour": "#2c2142",
            "local": false,
            "name": "false-positive:risk=\"high\"",
            "relationship_type": ""
          },
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      }
    ],
    "Object": [
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1779545381",
        "uuid": "b5da142c-253b-4eb5-b674-58bf489389f5",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "ZIP archive containing lures and trojanized SumatraPDF",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1779545380",
            "to_ids": true,
            "type": "md5",
            "uuid": "cf009462-f0e4-4a8e-8d61-5fc4ccce2514",
            "value": "3238d2f6b9ea9825eb61ae5e80e7365c",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "ZIP archive containing lures and trojanized SumatraPDF",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1779545380",
            "to_ids": true,
            "type": "sha1",
            "uuid": "35752853-c08c-4d43-b685-7936a75af628",
            "value": "2c65433696037f4ce0f8c9a1d78bdd6835c1b94d",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "ZIP archive containing lures and trojanized SumatraPDF",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1779545381",
            "to_ids": true,
            "type": "sha256",
            "uuid": "849d721e-3ec5-479b-94c4-99783e9f2418",
            "value": "a4f2131eb497afe5f78d8d6e534df2b8d75c5b9b565c3ec17a323afe5355da26",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1777607572",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "d0ac65cd-be69-43a0-b721-2b86576d90ce",
            "value": "98304:vhPp1qz5qz/sLC8TfymKuPJWCCzQx5IZvmiQ9f/Y6k0/Dnp6jTzMQRMIlNtOVfQD:5KzozkuCiiJVymP9f/Y4pmQQ1lNtOOa6"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1777607572",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "c26e4b4b-346f-49b6-8558-6f04b4942685",
            "value": "5886947"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1777607572",
            "to_ids": true,
            "type": "vhash",
            "uuid": "5ce63af9-25f0-4b25-bf9c-362d095cdbcc",
            "value": "39f3797cedef8e05236cd862363878b5"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1777607572",
            "to_ids": true,
            "type": "filename",
            "uuid": "bf2677c3-e898-4f8d-a0a5-d926676a280c",
            "value": "svvhp.exe"
          },
          {
            "category": "Other",
            "comment": "Checked: 01/05/2026\nLast-scan\t:  27/04/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1777607572",
            "to_ids": false,
            "type": "text",
            "uuid": "b854ef4a-d10f-4899-b53e-323b0b4b4537",
            "value": "ZIP archive containing lures and trojanized SumatraPDF\r\nType Description: 7ZIP\nMicrosoft: None\nVT Total Detection:18/63\nFirst Submission:2026-03-12T11:43:24.000000+00:00\nLast Submission:2026-03-12T11:43:24.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1779545383",
        "uuid": "be57859b-5d98-49f9-bb41-6c98b2075bf2",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "Trojanized SumatraPDF",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1779545383",
            "to_ids": true,
            "type": "md5",
            "uuid": "77388d82-3b64-47e3-8273-e467bf340cc1",
            "value": "67fcf5c21474d314aa0b27b0ce8befb2",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Trojanized SumatraPDF",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1779545383",
            "to_ids": true,
            "type": "sha1",
            "uuid": "48ef8962-9da4-4556-a715-da27f6fd8679",
            "value": "19e3c4df728e3e657cb9496cd4aaf69648470b63",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Trojanized SumatraPDF",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1779545383",
            "to_ids": true,
            "type": "sha256",
            "uuid": "4b9460ee-bd8b-4bbf-be0d-5425f1105f7b",
            "value": "47c7ce0e3816647b23bb180725c7233e505f61c35e7776d47fd448009e887857",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1777607593",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "eba6cca5-78f9-4ece-8cb6-4e24058f6cba",
            "value": "196608:DQmDn+ulg+BKjEi2Z24CRSHEfqC7XBECgEkDm:nD+uVEz2rT+qKXCvEkS"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1777607593",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "474e5901-d22b-407b-a3e2-e4bd020e5fa1",
            "value": "7266960"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1777607593",
            "to_ids": true,
            "type": "vhash",
            "uuid": "9e0d890b-1c14-4672-9f94-f3f2fbfda5bf",
            "value": "0760a666757d15651d151070a04003500b97za065za0b01990309bz"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1777607593",
            "to_ids": true,
            "type": "filename",
            "uuid": "69b4e0bc-faae-432e-b4b1-3d7a70ecdf73",
            "value": "SumatraPDF.exe"
          },
          {
            "category": "Other",
            "comment": "Checked: 01/05/2026\nLast-scan\t:  27/04/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1777607593",
            "to_ids": false,
            "type": "text",
            "uuid": "21050c45-b1c5-4ee0-bc27-f5594429d488",
            "value": "Trojanized SumatraPDF\r\nType Description: Win32 EXE\nMicrosoft: Trojan:Win32/Qwexlafiba!rfn\nVT Total Detection:31/71\nFirst Submission:2026-03-12T12:44:42.000000+00:00\nLast Submission:2026-03-12T12:44:42.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1779545386",
        "uuid": "3f7c2862-0e0b-4607-980f-8b1be997edb8",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "Encrypted reflective loader shellcode and AdaptixC2 Beacon agent",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1779545385",
            "to_ids": true,
            "type": "md5",
            "uuid": "c2809f67-c3ce-4088-9285-e2693b3ca2b1",
            "value": "89daa54fada8798c5f4e21738c8ea0b4",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Encrypted reflective loader shellcode and AdaptixC2 Beacon agent",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1779545386",
            "to_ids": true,
            "type": "sha1",
            "uuid": "b664dc10-2713-4c80-adeb-d88dbadc0f8a",
            "value": "bd618c9e1e10891fe666839650fa406833d70afd",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Encrypted reflective loader shellcode and AdaptixC2 Beacon agent",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1779545386",
            "to_ids": true,
            "type": "sha256",
            "uuid": "141d0ab0-ecd8-4898-9a50-f9af823f52cd",
            "value": "aeec65bac035789073b567753284b64ce0b95bbae62cf79e1479714238af0eb7",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1777607636",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "780d073a-c784-407f-ae45-8c08713fc2d0",
            "value": "24576:X+Ai8YmtezZxF8GalBQYLARW2S6ldoPM2FdZHM2oMPzipD:Xp2VX/alB/AgyoUCUILiN"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1777607636",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "e696d88f-f297-413d-a912-a1f3a36e7b21",
            "value": "1044480"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1777607636",
            "to_ids": true,
            "type": "filename",
            "uuid": "0ceeda90-52cf-405c-8f6b-75124cac3099",
            "value": "4D[1].dat"
          },
          {
            "category": "Other",
            "comment": "Checked: 01/05/2026\nLast-scan\t:  29/04/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1777607636",
            "to_ids": false,
            "type": "text",
            "uuid": "1f3c75e2-c50d-41c7-b299-d223c108b822",
            "value": "Encrypted reflective loader shellcode and AdaptixC2 Beacon agent\r\nType Description: unknown\nMicrosoft: None\nVT Total Detection:7/61\nFirst Submission:2026-03-31T03:04:21.000000+00:00\nLast Submission:2026-03-31T03:04:21.000000+00:00"
          }
        ]
      }
    ]
  }
}