Cybercriminals have weaponized the framework of a relatively new, free, open-source security penetration tool, AdaptixC2, to deliver malicious payloads. Its rapid adoption by bad actors mirrors the path already taken with similar commercial security toolsets.
Russian-linked threat actors, including ransomware gangs such as Akira and Fog, have adopted the tool for its advanced post-exploitation capabilities and evasion features, according to the preemptive cyber intelligence firm Silent Push. The company released new research on Oct. 30, which triggered an investigation into RalfHacker's GitHub bio, identifying the group as a "MalDev." Silent Push scans and clusters the internet to generate Indicators of Future Attack (IOFA).
Researchers found several email addresses for GitHub accounts linked to the account's owner, as well as a Telegram channel called RalfHackerChannel, with more than 28,000 subscribers. According to Silent Push, the channel re-shared messages posted on a dedicated channel for AdaptixC2.
First made public in August 2024 by developer RalfHacker, AdaptixC2 is intended for red teaming — a process in which ethical hackers simulate a real-world attack to test an organization's security defenses and identify vulnerabilities.
According to Mayuresh Dani, security research manager at Qualys Threat Research Unit, threat actors are constantly looking for new tooling to bypass security mechanisms. AdaptixC2's free cost and enterprise-grade post-exploitation capabilities, available to anyone with an internet connection, make it an attractive option for hackers.
"Due to these reasons and rapid ongoing development allowing simple static detection signatures evasion, AdaptixC2 has become a sought-after dual-use tool to be repurposed by threat actors in their campaigns," he told LinuxInsider.
What It Does
Dani pointed to the free factor as a driver of AdaptixC2's appeal to legitimate users (the "C2" is short for command and control). The framework offers capabilities that rival commercial tools like Cobalt Strike. Its technical features are extensive, including support for encryption of communications, command execution, credential harvesting, and memory-resident execution via Beacon Object Files (BOFs).
"But unlike Cobalt Strike's $3,500 annual license, AdaptixC2 is free," he said.
AdaptixC2 is a modular and flexible framework that provides a range of functions for attackers, including fully encrypted communications, multi-platform support for Windows, Linux, and macOS, and mechanisms for command execution, credential harvesting, data exfiltration, and persistence, such as DLL hijacking and registry run keys.
Researchers report that attackers are using AdaptixC2 to establish long-term persistence inside target networks. Delivery methods for the malicious payloads include CountLoader malware, associated with Russian ransomware gangs, which delivers AdaptixC2 as a secondary payload.
Attackers also rely on social engineering, posing as help desk staff on Microsoft Teams to convince targets to initiate a remote session, which is then used to deploy AdaptixC2.
Attackers are using AI to generate sophisticated PowerShell scripts that download and execute the AdaptixC2 beacon. This tactic also helps attackers exploit the software supply chain: researchers found the AdaptixC2 agent hidden in malicious npm packages.
According to Louis Eichenbaum, federal CTO at breach security firm ColorTokens, AdaptixC2 poses a rising threat that requires updated detection strategies, behavior-based analytics, and proactive threat-hunting.
"Organizations should incorporate AdaptixC2 into adversary-emulation exercises, enhance telemetry to identify covert C2 traffic, and tune security tools for detection of its unique beaconing patterns, multi-protocol communication options, and in-memory payload execution," he told LinuxInsider.
Supporting Evidence
Palo Alto Networks Unit 42 characterized the framework as modular and versatile, capable of comprehensively controlling affected machines. Unit 42 researchers found that it is used as part of a fake help desk operation to support call scams via Microsoft Teams through an artificial intelligence (AI)-generated PowerShell script.
Cyber experts also described the server component as written in Golang, and the GUI client as written in C++ with Qt for cross-platform compatibility. In recent months, AdaptixC2 has been adopted by various hacking groups, including threat actors tied to the Fog and Akira ransomware operations, as well as an initial access broker that has leveraged CountLoader in attacks designed to deliver various post-exploitation tools.
According to Eichenbaum, AdaptixC2 is attracting significant attention for its rapid adoption by threat actors and its growing role in real-world intrusions.
"Its modular architecture, cross-platform agent support, encrypted communications, and flexible command-and-control channels (HTTP/S, SMB, TCP) make it effective for stealthy persistence and lateral movement," he said.
Perfect Attack Vector
Eichenbaum added that security researchers recently observed campaigns leveraging PowerShell loaders, in-memory shellcode execution, DLL hijacking, and registry-based persistence, all of which point to AdaptixC2 infrastructure. Features such as beacon scheduling, kill dates, and support for custom plugins further enhance adversaries' evasion capabilities and operational flexibility.
Jason Soroko, a senior fellow at Sectigo, a comprehensive certificate lifecycle management (CLM) provider, observed that attention is piling up because AdaptixC2 hits three pressure points at once. It is open source and easy to obtain, delivers mature features that rival pricier kits, and is already in the hands of operators tied to active ransomware crews and initial access brokers.
"That mix shortens the time from proof of concept to real intrusions, and the cross-platform design, plus encrypted traffic and built-in managers, make it simple for copycats to plug in and go," he told LinuxInsider.
The number of reports reflects both risk and incentives, he added. Vendors want to warn customers and ship detections, and they also race to lead the narrative with fresh indicators, infrastructure mapping, and attribution clues.
Palo Alto surfaced the technical core and early use. Kaspersky broadened the lens with threat activity context, and Silent Push tied the public developer persona and community channels to a growing distribution pipeline, he offered.
"Tie that to thousands of subscribers and the chance of rapid weaponization rises, so multiple firms pile on to keep visibility high and to shape how defenders prioritize controls," Soroko noted.
Threat Mitigation Challenges
Eichenbaum suggested that organizations defending against AdaptixC2-enabled attacks can implement five key strategies:
- Enhance endpoint security — Use advanced Endpoint Detection and Response (EDR) solutions to identify post-exploitation activities and behavioral anomalies that may indicate AdaptixC2's presence.
- Monitor network traffic — Hunt for encrypted command-and-control (C2) communication patterns used by AdaptixC2 over protocols like HTTP(S), SMB, and TCP.
- Improve email security — Configure gateways to block or quarantine suspicious attachments, especially those involving social engineering lures like fake law enforcement or IT support requests.
- Strengthen access control — Enforce the principle of least privilege to limit lateral movement and deploy multi-factor authentication (MFA) to prevent credential abuse.
- Educate users — Provide regular cybersecurity awareness training to help employees recognize and report social engineering attempts, including those conducted via platforms like Microsoft Teams.
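As an added example of the beaconing hunt the second item above describes (this is not code from the article or from any vendor it quotes), the script below groups constructed proxy-log lines by source host and destination and flags pairs whose check-in intervals are unusually regular, which is how a scheduled beacon stands out from bursty user traffic even when jitter is applied. The host names, addresses, log format and thresholds are assumptions made for the demonstration.

```python
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample proxy log (not real telemetry), "timestamp src dst:port bytes":
# ws-17 contacts one host every ~60 s with jitter, ws-22 browses in bursts,
# ws-31 has too few events to judge.
SAMPLE_LOG = """\
2025-10-30T10:00:00 ws-17 203.0.113.10:443 512
2025-10-30T10:00:10 ws-22 198.51.100.5:443 9132
2025-10-30T10:00:15 ws-22 198.51.100.5:443 40211
2025-10-30T10:01:02 ws-17 203.0.113.10:443 498
2025-10-30T10:01:59 ws-17 203.0.113.10:443 505
2025-10-30T10:02:40 ws-22 198.51.100.5:443 2210
2025-10-30T10:02:41 ws-22 198.51.100.5:443 118
2025-10-30T10:03:01 ws-17 203.0.113.10:443 511
2025-10-30T10:03:58 ws-17 203.0.113.10:443 502
2025-10-30T10:04:30 ws-31 192.0.2.77:443 300
2025-10-30T10:05:00 ws-17 203.0.113.10:443 509
2025-10-30T10:07:00 ws-22 198.51.100.5:443 7751
2025-10-30T10:20:00 ws-31 192.0.2.77:443 300
"""

def parse_log(text):
    """Group event timestamps by (source host, destination)."""
    events = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, _size = line.split()
        events[(src, dst)].append(datetime.fromisoformat(ts))
    return events

def beacon_candidates(text, min_events=5, max_cv=0.2):
    """Flag (src, dst) pairs whose inter-arrival gaps are suspiciously regular.
    A scheduled beacon keeps a low coefficient of variation (stdev/mean) even
    with jitter; bursty human traffic scores high. Sparse pairs are skipped."""
    findings = {}
    for key, stamps in parse_log(text).items():
        if len(stamps) < min_events:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        cv = statistics.stdev(gaps) / mean if mean > 0 else float("inf")
        if cv <= max_cv:
            findings[key] = {"events": len(stamps), "mean_gap_s": round(mean, 1), "cv": round(cv, 3)}
    return findings
```

Tune `min_events` and `max_cv` to your own traffic baseline; a low coefficient of variation is a hunting lead to confirm with endpoint telemetry, not a verdict on its own.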
Taken together, these measures help reduce the window of opportunity for attackers leveraging AdaptixC2. The challenge now is maintaining vigilance as the tool continues to evolve and spread across threat communities.