{ "type": "URL", "indicator": "https://47.76.236.58:4430/Divide/developement/GIZWQVCLF", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://47.76.236.58:4430/Divide/developement/GIZWQVCLF", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 4324125687, "indicator": "https://47.76.236.58:4430/Divide/developement/GIZWQVCLF", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 5, "pulses": [ { "id": "69e9d8ba4c0b0df25b764711", "name": "Malicious Campaign Deploying AdaptixC2 Beacon and VS Code via Trojanized SumatraPDF", "description": "On March 12, 2026, a sophisticated attack campaign was identified targeting Chinese-speaking individuals using military-themed document lures distributed through a malicious ZIP archive. The operation employed a trojanized SumatraPDF binary as the initial vector to deploy an AdaptixC2 Beacon and Visual Studio Code on victim systems. The shellcode loader demonstrated significant similarities to the TOSHIS loader previously linked to TAOTH campaigns. Attackers established a custom AdaptixC2 Beacon listener utilizing GitHub for command-and-control infrastructure. The staging server infrastructure additionally hosted CobaltStrike Beacon and EntryShell backdoor, both previously associated with this threat group. The campaign infrastructure included multiple compromised domains and IP addresses for malware distribution and C2 communications.", "modified": "2026-05-23T08:20:01.501000", "created": "2026-04-23T08:30:50.632000", "tags": [ "sumatrapdf", "cobaltstrike", "adaptixc2 beacon", "entryshell", "toshis", "tropic trooper", "chinese targets", "cobaltstrike beacon", "toshis loader", "adaptixc2", "github c2" ], "references": [], "public": 1, "adversary": "Tropic Trooper", "targeted_countries": [], "malware_families": [ { "id": "AdaptixC2 Beacon", "display_name": "AdaptixC2 Beacon", "target": null }, { "id": "CobaltStrike Beacon", "display_name": "CobaltStrike Beacon", "target": null }, { "id": "EntryShell", "display_name": "EntryShell", "target": null }, { "id": "TOSHIS", "display_name": "TOSHIS", "target": null } ], "attack_ids": [ { "id": "T1036.005", "name": "Match Legitimate Name or Location", "display_name": "T1036.005 - Match Legitimate Name or Location" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1566.001", "name": "Spearphishing Attachment", "display_name": "T1566.001 - Spearphishing Attachment" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1218", "name": "Signed Binary Proxy Execution", "display_name": "T1218 - Signed Binary Proxy Execution" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "display_name": "T1547.001 - Registry Run Keys / Startup Folder" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1070.004", "name": "File Deletion", "display_name": "T1070.004 - File Deletion" }, { "id": "T1027.002", "name": "Software Packing", "display_name": "T1027.002 - Software Packing" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 16, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 8, "FileHash-SHA1": 8, "FileHash-SHA256": 8, "URL": 4, "hostname": 1 }, "indicator_count": 29, "is_author": false, "is_subscribing": null, "subscriber_count": 386481, "modified_text": "7 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69f32bff38251e177e78b526", "name": "EbeeApril2026 Pt7", "description": "Multiple APT/threat actors, Malware and Campaigns", "modified": "2026-05-30T10:03:42.474000", "created": "2026-04-30T10:16:31.340000", "tags": [ "filehashsha256", "filehashsha1", "filehashmd5", "cve20243721 cve" ], "references": [ "IOCs.2026.csv" ], "public": 1, "adversary": "GopherWhisper, Seedworm (MuddyWater), Adware Bundles Delivering RAT, Donot", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 63, "CVE": 8, "FileHash-MD5": 216, "FileHash-SHA1": 220, "FileHash-SHA256": 246, "domain": 98, "hostname": 95 }, "indicator_count": 946, "is_author": false, "is_subscribing": null, "subscriber_count": 40, "modified_text": "18 hours ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69ecae6a156da44db667be66", "name": "imvfeoirewIVONVCIDJCJCW", "description": "", "modified": "2026-05-25T12:11:06.214000", "created": "2026-04-25T12:07:06.437000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "MohammedRizwan2001", "id": "361933", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 508, "FileHash-MD5": 100, "FileHash-SHA1": 100, "FileHash-SHA256": 187, "domain": 17, "hostname": 159 }, "indicator_count": 1071, "is_author": false, "is_subscribing": null, "subscriber_count": 21, "modified_text": "5 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69eaf836399e049539fd0e83", "name": "Malicious Campaign Deploying AdaptixC2 Beacon and VS Code via Trojanized SumatraPDF", "description": "", "modified": "2026-05-23T08:20:01.501000", "created": "2026-04-24T04:57:26.712000", "tags": [ "sumatrapdf", "cobaltstrike", "adaptixc2 beacon", "entryshell", "toshis", "tropic trooper", "chinese targets", "cobaltstrike beacon", "toshis loader", "adaptixc2", "github c2" ], "references": [], "public": 1, "adversary": "Tropic Trooper", "targeted_countries": [], "malware_families": [ { "id": "AdaptixC2 Beacon", "display_name": "AdaptixC2 Beacon", "target": null }, { "id": "CobaltStrike Beacon", "display_name": "CobaltStrike Beacon", "target": null }, { "id": "EntryShell", "display_name": "EntryShell", "target": null }, { "id": "TOSHIS", "display_name": "TOSHIS", "target": null } ], "attack_ids": [ { "id": "T1036.005", "name": "Match Legitimate Name or Location", "display_name": "T1036.005 - Match Legitimate Name or Location" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1566.001", "name": "Spearphishing Attachment", "display_name": "T1566.001 - Spearphishing Attachment" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1218", "name": "Signed Binary Proxy Execution", "display_name": "T1218 - Signed Binary Proxy Execution" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "display_name": "T1547.001 - Registry Run Keys / Startup Folder" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1070.004", "name": "File Deletion", "display_name": "T1070.004 - File Deletion" }, { "id": "T1027.002", "name": "Software Packing", "display_name": "T1027.002 - Software Packing" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" } ], "industries": [], "TLP": "white", "cloned_from": "69e9d8ba4c0b0df25b764711", "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 8, "FileHash-SHA1": 8, "FileHash-SHA256": 8, "URL": 4, "hostname": 1 }, "indicator_count": 29, "is_author": false, "is_subscribing": null, "subscriber_count": 278, "modified_text": "7 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69e98d335f48df553878a422", "name": "IOC - Tropic Trooper Pivots to AdaptixC2 and Custom Beacon Listener", "description": "On March 12, 2026, Zscaler ThreatLabz discovered a malicious ZIP archive containing military-themed document lures targeting Chinese-speaking individuals. Our analysis of this sample uncovered a campaign leveraging a multi-stage attack chain where a trojanized SumatraPDF reader deploys an AdaptixC2 Beacon agent, ultimately leading to the download and abuse of Visual Studio (VS) Code tunnels for remote access. During our analysis, we observed that the threat actor likely targeted Chinese-speaking individuals in Taiwan, and individuals in South Korea and Japan. Based on the tactics, techniques, and procedures (TTPs) observed in this attack, ThreatLabz attributes this activity to Tropic Trooper (also known as Earth Centaur and Pirate Panda) with high confidence.", "modified": "2026-05-23T03:09:17.599000", "created": "2026-04-23T03:08:35.441000", "tags": [ "url https", "cobalt strike", "na decrypted", "beacon", "beacon loader", "unknown zip", "sumatrapdf", "encrypted", "network", "type indicator" ], "references": [ "https://www.zscaler.com/blogs/security-research/tropic-trooper-pivots-adaptixc2-and-custom-beacon-listener#indicators-of-compromise--iocs-" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "celestre", "id": "295357", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 8, "FileHash-SHA1": 8, "FileHash-SHA256": 8, "URL": 4, "hostname": 1 }, "indicator_count": 29, "is_author": false, "is_subscribing": null, "subscriber_count": 137, "modified_text": "8 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "IOCs.2026.csv", "https://www.zscaler.com/blogs/security-research/tropic-trooper-pivots-adaptixc2-and-custom-beacon-listener#indicators-of-compromise--iocs-" ], "related": { "alienvault": { "adversary": [ "Tropic Trooper" ], "malware_families": [ "Toshis", "Entryshell", "Cobaltstrike beacon", "Adaptixc2 beacon" ], "industries": [], "unique_indicators": 31 }, "other": { "adversary": [ "GopherWhisper, Seedworm (MuddyWater), Adware Bundles Delivering RAT, Donot", "Tropic Trooper" ], "malware_families": [ "Toshis", "Entryshell", "Cobaltstrike beacon", "Adaptixc2 beacon" ], "industries": [], "unique_indicators": 8775 } } }, "false_positive": [], "alexa": "", "whois": "http://whois.domaintools.com/47.76.236.58", "domain": "Unavailable", "hostname": "Unavailable" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 5, "pulses": [ { "id": "69e9d8ba4c0b0df25b764711", "name": "Malicious Campaign Deploying AdaptixC2 Beacon and VS Code via Trojanized SumatraPDF", "description": "On March 12, 2026, a sophisticated attack campaign was identified targeting Chinese-speaking individuals using military-themed document lures distributed through a malicious ZIP archive. The operation employed a trojanized SumatraPDF binary as the initial vector to deploy an AdaptixC2 Beacon and Visual Studio Code on victim systems. The shellcode loader demonstrated significant similarities to the TOSHIS loader previously linked to TAOTH campaigns. Attackers established a custom AdaptixC2 Beacon listener utilizing GitHub for command-and-control infrastructure. The staging server infrastructure additionally hosted CobaltStrike Beacon and EntryShell backdoor, both previously associated with this threat group. The campaign infrastructure included multiple compromised domains and IP addresses for malware distribution and C2 communications.", "modified": "2026-05-23T08:20:01.501000", "created": "2026-04-23T08:30:50.632000", "tags": [ "sumatrapdf", "cobaltstrike", "adaptixc2 beacon", "entryshell", "toshis", "tropic trooper", "chinese targets", "cobaltstrike beacon", "toshis loader", "adaptixc2", "github c2" ], "references": [], "public": 1, "adversary": "Tropic Trooper", "targeted_countries": [], "malware_families": [ { "id": "AdaptixC2 Beacon", "display_name": "AdaptixC2 Beacon", "target": null }, { "id": "CobaltStrike Beacon", "display_name": "CobaltStrike Beacon", "target": null }, { "id": "EntryShell", "display_name": "EntryShell", "target": null }, { "id": "TOSHIS", "display_name": "TOSHIS", "target": null } ], "attack_ids": [ { "id": "T1036.005", "name": "Match Legitimate Name or Location", "display_name": "T1036.005 - Match Legitimate Name or Location" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1566.001", "name": "Spearphishing Attachment", "display_name": "T1566.001 - Spearphishing Attachment" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1218", "name": "Signed Binary Proxy Execution", "display_name": "T1218 - Signed Binary Proxy Execution" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "display_name": "T1547.001 - Registry Run Keys / Startup Folder" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1070.004", "name": "File Deletion", "display_name": "T1070.004 - File Deletion" }, { "id": "T1027.002", "name": "Software Packing", "display_name": "T1027.002 - Software Packing" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 16, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 8, "FileHash-SHA1": 8, "FileHash-SHA256": 8, "URL": 4, "hostname": 1 }, "indicator_count": 29, "is_author": false, "is_subscribing": null, "subscriber_count": 386481, "modified_text": "7 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69f32bff38251e177e78b526", "name": "EbeeApril2026 Pt7", "description": "Multiple APT/threat actors, Malware and Campaigns", "modified": "2026-05-30T10:03:42.474000", "created": "2026-04-30T10:16:31.340000", "tags": [ "filehashsha256", "filehashsha1", "filehashmd5", "cve20243721 cve" ], "references": [ "IOCs.2026.csv" ], "public": 1, "adversary": "GopherWhisper, Seedworm (MuddyWater), Adware Bundles Delivering RAT, Donot", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 63, "CVE": 8, "FileHash-MD5": 216, "FileHash-SHA1": 220, "FileHash-SHA256": 246, "domain": 98, "hostname": 95 }, "indicator_count": 946, "is_author": false, "is_subscribing": null, "subscriber_count": 40, "modified_text": "18 hours ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69ecae6a156da44db667be66", "name": "imvfeoirewIVONVCIDJCJCW", "description": "", "modified": "2026-05-25T12:11:06.214000", "created": "2026-04-25T12:07:06.437000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "MohammedRizwan2001", "id": "361933", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 508, "FileHash-MD5": 100, "FileHash-SHA1": 100, "FileHash-SHA256": 187, "domain": 17, "hostname": 159 }, "indicator_count": 1071, "is_author": false, "is_subscribing": null, "subscriber_count": 21, "modified_text": "5 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69eaf836399e049539fd0e83", "name": "Malicious Campaign Deploying AdaptixC2 Beacon and VS Code via Trojanized SumatraPDF", "description": "", "modified": "2026-05-23T08:20:01.501000", "created": "2026-04-24T04:57:26.712000", "tags": [ "sumatrapdf", "cobaltstrike", "adaptixc2 beacon", "entryshell", "toshis", "tropic trooper", "chinese targets", "cobaltstrike beacon", "toshis loader", "adaptixc2", "github c2" ], "references": [], "public": 1, "adversary": "Tropic Trooper", "targeted_countries": [], "malware_families": [ { "id": "AdaptixC2 Beacon", "display_name": "AdaptixC2 Beacon", "target": null }, { "id": "CobaltStrike Beacon", "display_name": "CobaltStrike Beacon", "target": null }, { "id": "EntryShell", "display_name": "EntryShell", "target": null }, { "id": "TOSHIS", "display_name": "TOSHIS", "target": null } ], "attack_ids": [ { "id": "T1036.005", "name": "Match Legitimate Name or Location", "display_name": "T1036.005 - Match Legitimate Name or Location" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1566.001", "name": "Spearphishing Attachment", "display_name": "T1566.001 - Spearphishing Attachment" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1218", "name": "Signed Binary Proxy Execution", "display_name": "T1218 - Signed Binary Proxy Execution" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "display_name": "T1547.001 - Registry Run Keys / Startup Folder" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1070.004", "name": "File Deletion", "display_name": "T1070.004 - File Deletion" }, { "id": "T1027.002", "name": "Software Packing", "display_name": "T1027.002 - Software Packing" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" } ], "industries": [], "TLP": "white", "cloned_from": "69e9d8ba4c0b0df25b764711", "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 8, "FileHash-SHA1": 8, "FileHash-SHA256": 8, "URL": 4, "hostname": 1 }, "indicator_count": 29, "is_author": false, "is_subscribing": null, "subscriber_count": 278, "modified_text": "7 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69e98d335f48df553878a422", "name": "IOC - Tropic Trooper Pivots to AdaptixC2 and Custom Beacon Listener", "description": "On March 12, 2026, Zscaler ThreatLabz discovered a malicious ZIP archive containing military-themed document lures targeting Chinese-speaking individuals. Our analysis of this sample uncovered a campaign leveraging a multi-stage attack chain where a trojanized SumatraPDF reader deploys an AdaptixC2 Beacon agent, ultimately leading to the download and abuse of Visual Studio (VS) Code tunnels for remote access. During our analysis, we observed that the threat actor likely targeted Chinese-speaking individuals in Taiwan, and individuals in South Korea and Japan. Based on the tactics, techniques, and procedures (TTPs) observed in this attack, ThreatLabz attributes this activity to Tropic Trooper (also known as Earth Centaur and Pirate Panda) with high confidence.", "modified": "2026-05-23T03:09:17.599000", "created": "2026-04-23T03:08:35.441000", "tags": [ "url https", "cobalt strike", "na decrypted", "beacon", "beacon loader", "unknown zip", "sumatrapdf", "encrypted", "network", "type indicator" ], "references": [ "https://www.zscaler.com/blogs/security-research/tropic-trooper-pivots-adaptixc2-and-custom-beacon-listener#indicators-of-compromise--iocs-" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "celestre", "id": "295357", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 8, "FileHash-SHA1": 8, "FileHash-SHA256": 8, "URL": 4, "hostname": 1 }, "indicator_count": 29, "is_author": false, "is_subscribing": null, "subscriber_count": 137, "modified_text": "8 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://47.76.236.58:4430/Divide/developement/GIZWQVCLF", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://47.76.236.58:4430/Divide/developement/GIZWQVCLF", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1780203671.5862622 }