Full Report
Available on GitHub and promoted to professional penetration testers, the tool AdaptixC2 has been used to spread loader malware associated with Russian ransomware groups, researchers said.
Analysis Summary
# Tool/Technique: AdaptixC2
## Overview
AdaptixC2 is an open-source command-and-control (C2) framework designed for, and promoted to, professional penetration testers and red team operators. Researchers have observed Russia-linked cybercriminals abusing it after initial access to deliver loader malware associated with ransomware groups.
## Technical Details
- Type: Attack Tool / Framework
- Platform: Not stated in the source. Like other post-exploitation C2 frameworks it targets compromised endpoints (typically Windows, Linux, or macOS hosts) rather than a particular application.
- Capabilities: Post-exploitation, adversarial emulation, C2 communication for delivering payloads (e.g., malware loaders).
- First Seen: Abuse observed starting August 2025 (based on Silent Push reporting).
## MITRE ATT&CK Mapping
The observed activity maps primarily to the Command and Control and Execution tactics.
- **TA0011 - Command and Control**
- **T1071 - Application Layer Protocol**
- **TA0002 - Execution**
- **T1204 - User Execution** (where the first-stage payload is delivered through a malicious document, such as the PDF lures described under Indicators of Compromise)
## Functionality
### Core Capabilities
- Serving as a Command-and-Control (C2) framework.
- Designed for post-exploitation activities.
- Marketed towards security professionals for adversarial emulation and red teaming exercises.
### Advanced Features
- Because it is openly marketed as a red-team tool, its infrastructure and tooling give criminal operators a plausible "red teaming" cover for intrusion activity.
- Used specifically to deliver malicious payloads, such as the CountLoader malware.
## Indicators of Compromise
- File Hashes: Not provided in the context.
- File Names: Not provided in the context.
- Registry Keys: Not provided in the context.
- Network Indicators: No specific addresses or domains are given in the context; Silent Push and Unit 42 have published research on AdaptixC2 infrastructure and its C2 traffic.
- Behavioral Indicators: Utilization of the framework to deploy secondary malware like **CountLoader**. Campaign included distribution of malicious PDFs impersonating Ukraine’s national police.
## Associated Threat Actors
- Russia-linked cybercriminals.
- Ransomware groups (associated with the CountLoader malware it was observed delivering).
- The tool's developer/promoter uses the handle "RalfHacker" and operates a Russian-language Telegram channel.
## Detection Methods
- **Signature-based detection:** Network and endpoint signatures for known AdaptixC2 beacon traffic and for the payloads it delivers (such as CountLoader). The source does not include the signatures themselves.
- **Behavioral detection:** Periodic outbound connections from a host to a small set of external destinations (beaconing), and outbound sessions initiated by processes that normally have no reason to talk to the internet, both of which are characteristic of post-exploitation frameworks regardless of the specific C2 in use.
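As an added example (not code from the article, Silent Push, Unit 42, or the AdaptixC2 project), the script below applies the beaconing heuristic above to a few constructed proxy log lines. It groups requests by (client, destination), computes the gaps between consecutive requests, and flags pairs whose gaps are unusually regular. The log format (`timestamp client destination`), the hosts, the addresses, and the thresholds are all assumptions for the sake of the example.

```python
"""Beaconing heuristic over proxy log lines (added example, not from the article).

Assumed log format: one request per line, "ISO-timestamp client destination".
All hosts and addresses below are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample: 10.0.0.5 checks in with 203.0.113.7 roughly once a minute
# (beacon-like), 10.0.0.8 browses a CDN in bursts, 10.0.0.9 has too few events.
SAMPLE_LOG = """\
2025-08-12T09:00:00 10.0.0.5 203.0.113.7
2025-08-12T09:00:00 10.0.0.8 cdn.example-vendor.test
2025-08-12T09:00:03 10.0.0.8 cdn.example-vendor.test
2025-08-12T09:00:05 10.0.0.8 cdn.example-vendor.test
2025-08-12T09:01:02 10.0.0.5 203.0.113.7
2025-08-12T09:01:58 10.0.0.5 203.0.113.7
2025-08-12T09:02:40 10.0.0.8 cdn.example-vendor.test
2025-08-12T09:02:41 10.0.0.8 cdn.example-vendor.test
2025-08-12T09:03:01 10.0.0.5 203.0.113.7
2025-08-12T09:03:59 10.0.0.5 203.0.113.7
2025-08-12T09:04:10 10.0.0.9 198.51.100.3
2025-08-12T09:05:00 10.0.0.5 203.0.113.7
2025-08-12T09:06:03 10.0.0.5 203.0.113.7
2025-08-12T09:06:57 10.0.0.5 203.0.113.7
2025-08-12T09:07:10 10.0.0.8 cdn.example-vendor.test
2025-08-12T09:07:11 10.0.0.8 cdn.example-vendor.test
2025-08-12T09:08:10 10.0.0.9 198.51.100.3
2025-08-12T09:12:10 10.0.0.9 198.51.100.3
2025-08-12T09:15:00 10.0.0.8 cdn.example-vendor.test
"""


def parse_log(text):
    """Group request timestamps by (client, destination)."""
    events = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst = line.split()
        events[(src, dst)].append(datetime.fromisoformat(ts))
    return events


def beacon_score(timestamps, min_events=6):
    """Return gap statistics for one (client, destination) pair.

    The coefficient of variation (pstdev / mean) of the inter-request gaps is
    the regularity measure: near 0 means metronome-like check-ins, which is
    what a fixed-sleep beacon looks like. Pairs with too few events are
    skipped because a handful of gaps cannot support the statistic.
    """
    if len(timestamps) < min_events:
        return None
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    avg = mean(gaps)
    if avg <= 0:
        return None
    return {"events": len(ts), "mean_gap": avg, "cv": pstdev(gaps) / avg}


def find_beacons(text, max_cv=0.2, min_events=6):
    """Return (client, destination, stats) for pairs whose gaps are regular enough."""
    hits = []
    for (src, dst), stamps in parse_log(text).items():
        stats = beacon_score(stamps, min_events)
        if stats and stats["cv"] <= max_cv:
            hits.append((src, dst, stats))
    return hits


if __name__ == "__main__":
    for src, dst, stats in find_beacons(SAMPLE_LOG):
        print(f"{src} -> {dst}: {stats['events']} events, "
              f"mean gap {stats['mean_gap']:.1f}s, cv {stats['cv']:.2f}")
```

On the sample data only the 10.0.0.5 to 203.0.113.7 pair is reported. Two caveats for real use: C2 frameworks commonly randomize the sleep interval (jitter), which raises the coefficient of variation and can push a beacon above a tight threshold, so the threshold should be tuned against your own traffic rather than taken from this example; and a regular check-in to a well-known CDN or SaaS domain is not by itself malicious, so the output is a triage lead, not a verdict.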
## Mitigation Strategies
- **Prevention measures:** Vet and restrict the use of dual-use open-source offensive tooling in production environments, and treat unexpected instances of such frameworks as incidents rather than assuming an authorized red team engagement.
- **Hardening recommendations:** Enforce egress filtering (default-deny outbound with an explicit allowlist or an authenticated proxy) so that hosts with no business need for direct internet access cannot reach C2 infrastructure, and log what is blocked so attempted beaconing becomes visible.
## Related Tools/Techniques
- **CountLoader:** Malware family observed being distributed via AdaptixC2.
- Other open-source post-exploitation frameworks that threat actors routinely repurpose; the source names none specifically, but the abuse of dual-use red-team tooling is a well-established pattern.