Threat Actors Leveraging Open-Source AdaptixC2 in Real-World Attacks

In early May 2025, security teams began observing a sudden rise in post-exploitation activity leveraging an open-source command-and-control framework known as AdaptixC2.

Originally developed to assist penetration testers, this framework offers a range of capabilities—file system manipulation, process enumeration, and covert channel tunneling—that have now been adopted by malicious actors.

The framework’s modular design and extensibility through “extenders” make it particularly attractive for adversaries seeking a customizable toolkit that can evade traditional defenses.

Palo Alto Networks researchers noted that AdaptixC2 remained largely under the radar until threat intelligence feeds began reporting infections across multiple sectors.

One early campaign relied on social engineering via fake help desk remote support requests, tricking users into executing Quick Assist sessions that unleashed a multi-stage PowerShell loader.

Within minutes, adversaries achieved in-memory execution of the beacon without dropping any files, sidestepping endpoint detection measures and establishing persistent control over the victim host.

As incidents proliferated, a different cluster of intrusions emerged involving AI-generated scripts designed to deploy AdaptixC2.

Palo Alto Networks analysts identified stylistic markers—numbered comments and verbose output confirmations—that pointed to code produced by large language models.

These scripts not only downloaded and decrypted a Base64-encoded payload, but also used .NET’s GetDelegateForFunctionPointer to execute shellcode directly in memory.

By leveraging built-in Windows APIs such as VirtualProtect and CreateProcess, attackers achieved stealthy deployment and reliable persistence.

Across both scenarios, the impact has been significant. Compromised environments have seen lateral movement facilitated by SOCKS4/5 tunneling and port forwarding, enabling data exfiltration in small chunks to blend with normal traffic patterns.

In one documented case, adversaries combined AdaptixC2 with Fog ransomware in an attack against a financial institution in Asia, demonstrating the framework’s versatility and potential to amplify downstream payloads.

Organizations relying on legacy detection systems found themselves ill-prepared for this modular, evolving threat.

AdaptixC2 server (Source – Palo Alto Networks)

The graphical view of linked agents and sessions, highlighting how attackers map available targets and plan multi-stage operations.

Beacon HTTP builder UI (Source – Palo Alto Networks)

The encrypted configuration parameters, RC4-encrypted payloads stored alongside their keys in the PE header, allow rapid customization of communication profiles.

Infection Mechanism via Fileless PowerShell Loader

One of the most insidious elements of AdaptixC2 deployment is its fileless infection mechanism, executed entirely in memory to evade disk-based defenses.

The initial vector often begins with a seemingly innocuous PowerShell script, delivered through a social engineering email or remote support prompt.

Upon execution, the script invokes Invoke-RestMethod to retrieve a Base64-encoded shellcode payload from a legitimate cloud storage service.

Attack vector of AdaptixC2 installation on victim machine (Source – Palo Alto Networks)

It then decodes this payload and calls VirtualAlloc to allocate a memory region with PAGE_EXECUTE_READWRITE permissions.

Using reflection and dynamic invocation, the loader constructs a delegate pointing to the shellcode entry point (C#, via System.Runtime.InteropServices.Marshal):

// Wrap the RWX buffer holding the shellcode as a callable managed delegate
var ptr = Marshal.GetDelegateForFunctionPointer(shellcodePtr, typeof(Action));
// Invoking the delegate transfers execution into the buffer
((Action)ptr)();

This method sidesteps the need for written executables, leaving minimal forensic artifacts. Following successful execution, the script employs CreateShortcut in the user’s Startup folder or writes a Run key to the registry under a familiar name such as “Updater,” ensuring that the beacon survives reboots.

Detection evasion is further enhanced by configurable KillDate and WorkingTime parameters, which limit beacon activity to pre-defined windows, and by customizable user-agent strings and HTTP headers.

Security teams must therefore enrich telemetry with memory-based detections and network-behavior analytics to intercept these in-flight payloads before they fully establish their C2 channels.

Continuous monitoring for dynamic invocation APIs and anomalous PowerShell child processes remains critical to disrupting this modern, fileless infection chain.
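The following is an added detection example, not code from the Palo Alto Networks write-up or the AdaptixC2 project. It turns the behaviours named above into a per-host scoring rule over three telemetry sources a SOC typically already collects: PowerShell script block logging (Event ID 4104) checked for the download / Base64 decode / VirtualAlloc with PAGE_EXECUTE_READWRITE (0x40) / GetDelegateForFunctionPointer combination, process creation where a remote-support tool such as Quick Assist spawns powershell.exe, and Run-key persistence under a generic name such as "Updater". The event dictionary layout, indicator weights, alert threshold and the sample events are all constructed for this example.

```python
"""
Added example (not from the article's source or the AdaptixC2 project): score
constructed Windows telemetry for the fileless AdaptixC2 loader chain.
All field names, weights and sample events below are this example's own choices.
"""
import re
from dataclasses import dataclass, field

# Script-block indicators taken from the behaviours the article describes.
# Weights are an assumption of this example; the RWX allocation and the
# delegate construction carry the most weight because benign admin scripts
# almost never combine them with a remote download.
SCRIPT_INDICATORS = {
    "download":  (re.compile(r"Invoke-RestMethod|Invoke-WebRequest", re.I), 1),
    "decode":    (re.compile(r"FromBase64String", re.I), 1),
    "alloc_rwx": (re.compile(r"VirtualAlloc\b.*?\b0x40\b|PAGE_EXECUTE_READWRITE", re.I | re.S), 3),
    "delegate":  (re.compile(r"GetDelegateForFunctionPointer", re.I), 3),
    "protect":   (re.compile(r"VirtualProtect", re.I), 1),
}
# Remote-support parents that should not normally launch PowerShell (assumed list)
REMOTE_SUPPORT_PARENTS = {"quickassist.exe", "msra.exe"}
RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.I)
# Generic value names the article's "Updater" example falls into (assumed list)
GENERIC_RUN_NAMES = {"updater", "update", "svchost", "windowsupdate"}


@dataclass
class Alert:
    host: str
    score: int
    reasons: list = field(default_factory=list)


def score_script_block(text):
    """Return (score, matched indicator names) for one 4104 script block."""
    hits = [name for name, (rx, _) in SCRIPT_INDICATORS.items() if rx.search(text)]
    return sum(SCRIPT_INDICATORS[h][1] for h in hits), hits


def analyze(events, threshold=5):
    """Aggregate indicator scores per host; return hosts at or above threshold.

    events: dicts with 'type' in {script_block, process, registry}, a 'host',
    and type-specific fields ('text', 'parent'/'image', 'key')."""
    per_host = {}
    for ev in events:
        alert = per_host.setdefault(ev["host"], Alert(ev["host"], 0))
        if ev["type"] == "script_block":
            score, hits = score_script_block(ev["text"])
            if score:
                alert.score += score
                alert.reasons.append("script:" + "+".join(hits))
        elif ev["type"] == "process":
            parent = ev["parent"].rsplit("\\", 1)[-1].lower()
            child = ev["image"].rsplit("\\", 1)[-1].lower()
            if parent in REMOTE_SUPPORT_PARENTS and child in ("powershell.exe", "pwsh.exe"):
                alert.score += 3
                alert.reasons.append(f"proc:{parent}->{child}")
        elif ev["type"] == "registry" and RUN_KEY.search(ev["key"]):
            name = ev["key"].rsplit("\\", 1)[-1].lower()
            alert.score += 2 if name in GENERIC_RUN_NAMES else 1
            alert.reasons.append(f"runkey:{name}")
    return [a for a in per_host.values() if a.score >= threshold]


# Constructed sample telemetry: WS-17 shows the full chain, WS-42 is benign noise.
SAMPLE_EVENTS = [
    {"type": "process", "host": "WS-17",
     "parent": r"C:\Windows\System32\QuickAssist.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"type": "script_block", "host": "WS-17", "text":
     "$b = Invoke-RestMethod -Uri $u\n"
     "$sc = [Convert]::FromBase64String($b)\n"
     "$p = $VirtualAlloc.Invoke([IntPtr]::Zero, $sc.Length, 0x3000, 0x40)\n"
     "$d = [Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($p, [Action])\n"},
    {"type": "registry", "host": "WS-17",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater"},
    {"type": "script_block", "host": "WS-42",
     "text": "Invoke-RestMethod -Uri https://example.invalid/status | ConvertFrom-Json"},
    {"type": "registry", "host": "WS-42",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive"},
]

if __name__ == "__main__":
    for alert in analyze(SAMPLE_EVENTS):
        print(f"{alert.host}: score={alert.score} reasons={alert.reasons}")
```

On the constructed events only WS-17 crosses the threshold (Quick Assist parent, the full script-block combination and the "Updater" Run key), while WS-42's lone Invoke-RestMethod and a branded Run key stay below it. The point of weighting and aggregating rather than alerting on any single API name is that each indicator on its own is common in legitimate automation; the chain the article describes is what is rare.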


About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.