
RTF Exploit Installs RAT: uWarrior

Published 24/04/2026 10:28 · Modified 27/04/2026 14:53


Essential information

Published
24/04/2026 10:28
Modified
27/04/2026 14:53
Tags
2026-04-24, ctos, rat, rtf, exploitation, uwarrior
Related entities
2 vulnerabilities (cve), 4 observables, 19 techniques (mitre), 2 malware, 2 others

Description

An unknown Italian-origin threat actor has developed uWarrior, a Remote Access Tool delivered through weaponized RTF documents that contain multiple exploits. The attack chain leverages CVE-2012-1856 with a novel ROP chain, and CVE-2015-1770 to bypass ASLR by loading DLLs compiled without DYNAMICBASE through OLE objects. The fully featured RAT uses compressed, optionally encrypted TCP communications with a binary message protocol for command and control. Analysis reveals that the actor borrowed components from off-the-shelf tools, particularly the [tool name missing from the source], sharing similar configuration structures and code functions. uWarrior provides extensive capabilities, including remote command execution, file manipulation, system control, software enumeration and uninstallation, and data exfiltration. The malware establishes persistence and communicates with its C2 servers using AES encryption.

External references