Hackers Exploit AdaptixC2, an Emerging Open-Source C2 Tool

In early May 2025, Unit 42 researchers observed that AdaptixC2 was used to infect several systems.

While many C2 frameworks garner public attention, AdaptixC2 has remained largely under the radar—until Unit 42 documented its deployment by real-world threat actors.

This article examines AdaptixC2’s capabilities, recent infection scenarios, and guidance for defenders to anticipate and block its activity.

AdaptixC2 is a newly identified, open-source post-exploitation and adversary-emulation framework originally built for penetration testers.

It offers a broad suite of post-exploitation actions designed for comprehensive control of compromised endpoints.

Operators can manipulate the file system to create, modify, delete, or enumerate files and directories, list and terminate processes, and launch new programs.

Its modular “extenders” function like plugins for listeners and agents, enabling attackers to craft bespoke payloads and communication protocols tailored to each target.

AdaptixC2 also supports Beacon Object Files (BOFs): small compiled C object files that the agent loads and runs inside its own process, so no new process or on-disk executable is created for security tools to inspect.

Communication options include HTTP-based beacons, named-pipe (SMB) listeners, and direct TCP connections—each configurable with custom servers, ports, SSL settings, URIs, headers, and user-agent strings.

Advanced tunneling features such as SOCKS4/5 proxying and port forwarding help bypass network restrictions. Beacon agents support both x86 and x64 architectures and can be compiled as standalone executables, DLLs, service binaries, or raw shellcode.

Data transfer commands optimize exfiltration by segmenting files into configurable chunk sizes, reducing detection risk.

Graphical view – AdaptixC2 server, showing linked agents and sessions.

AdaptixC2 implements operational-security controls via parameters like KillDate (automatically disable the beacon after a specified date) and WorkingTime (restrict beaconing to specific hours), and it permits custom obfuscation and anti-analysis routines.

Its configuration (the agent profile) is stored as an RC4-encrypted blob inside the PE file. Once the key is recovered from the sample, defenders can decrypt it to extract server lists, HTTP parameters, timing settings, and more, enabling rapid triage of malicious samples.
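The following is an added example of the profile-extraction idea described above; it is not Unit 42's extractor and not AdaptixC2 code. The article does not state the real profile layout, so the block assumes a hypothetical one (a 4-byte length prefix, the RC4 ciphertext, then a 16-byte key appended) with a JSON plaintext and made-up field names such as `servers`, `uri` and `user_agent`. The sample "file" is constructed in the script by encrypting a made-up profile, so everything runs offline.

```python
"""Decrypt an RC4-encrypted C2 profile embedded in a sample.

Added example for this article; it is not Unit 42's extractor and not
AdaptixC2 code. The article does not state the real profile layout, so this
block ASSUMES a hypothetical one for demonstration:

    [4-byte little-endian plaintext length][RC4 ciphertext][16-byte RC4 key]

with a JSON document as plaintext and hypothetical field names. The sample
blob is constructed here by encrypting a made-up profile, so it runs offline.
"""
import json
import struct

KEY_LEN = 16  # assumed key length in the hypothetical layout


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (KSA + PRGA); encryption and decryption are the same op."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def build_sample_blob(profile: dict, key: bytes) -> bytes:
    """Construct a blob in the hypothetical layout (test input only)."""
    plaintext = json.dumps(profile, sort_keys=True).encode()
    return struct.pack("<I", len(plaintext)) + rc4(key, plaintext) + key


def extract_profile(data: bytes, offset: int = 0) -> dict:
    """Decrypt the profile found at `offset` in raw file bytes.

    In a real PE the analyst finds the offset by cross-referencing the RC4
    routine in a disassembler; the bounds checks keep a wrong offset from
    raising obscure errors or silently returning garbage.
    """
    blob = data[offset:]
    if len(blob) < 4 + KEY_LEN:
        raise ValueError("not enough data for length prefix and key")
    (length,) = struct.unpack_from("<I", blob, 0)
    if 4 + length + KEY_LEN > len(blob):
        raise ValueError("length prefix exceeds available data")
    ciphertext = blob[4:4 + length]
    key = blob[4 + length:4 + length + KEY_LEN]
    plaintext = rc4(key, ciphertext)
    try:
        return json.loads(plaintext)
    except ValueError as exc:  # UnicodeDecodeError is a ValueError too
        raise ValueError("decrypted bytes are not a JSON profile; wrong offset or layout") from exc


def network_iocs(profile: dict) -> list[str]:
    """Flatten the hypothetical profile fields into hunting indicators."""
    iocs = []
    for host in profile.get("servers", []):
        for port in profile.get("ports", []):
            iocs.append(f"{host}:{port}")
    if "uri" in profile:
        iocs.append("uri=" + profile["uri"])
    if "user_agent" in profile:
        iocs.append("ua=" + profile["user_agent"])
    return iocs


# Constructed sample: RFC 5737 address and a reserved .invalid name, not real IOCs.
SAMPLE_PROFILE = {
    "agent_type": "beacon_http",
    "servers": ["203.0.113.10", "c2.example.invalid"],
    "ports": [443],
    "use_ssl": True,
    "http_method": "POST",
    "uri": "/uri.php",
    "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Example/1.0",
    "sleep_delay": 60,
    "jitter_delay": 20,
    "kill_date": "2025-12-31",
    "working_time": "09:00-17:00",
}
SAMPLE_KEY = bytes(range(0x10, 0x20))
# Junk bytes on both sides so the offset parameter is actually exercised.
SAMPLE_FILE = b"\x90" * 32 + build_sample_blob(SAMPLE_PROFILE, SAMPLE_KEY) + b"\x00" * 8

if __name__ == "__main__":
    profile = extract_profile(SAMPLE_FILE, offset=32)
    print(json.dumps(profile, indent=2))
    print(network_iocs(profile))
```

The useful output is not the decrypted JSON itself but the flattened indicators: server:port pairs, the URI and the user-agent string are exactly what the network recommendations later in the article tell you to hunt for, and feeding them straight from the extractor into blocklists keeps the turnaround short.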

Real-World Infection Scenarios

Unit 42 documented two distinct AdaptixC2 campaigns in May 2025. In the first, threat actors leveraged social engineering and phishing to impersonate HelpDesk support via Microsoft Teams.

Attack vector of AdaptixC2 installation on victim machine.

Victims were convinced to start Quick Assist remote-assistance sessions, during which a PowerShell loader fetched an XOR-encoded payload, decoded it, injected the resulting shellcode in memory, and started an HTTP beacon that talked to its C2 server over TLS.

Persistence was achieved by creating a startup-folder shortcut to relaunch the loader after reboot.

The second incident exhibited sophisticated AI-generated code. Attackers used AI tools to script a multi-stage PowerShell installer that downloaded Base64-encoded shellcode via Invoke-RestMethod, allocated memory, adjusted protections via VirtualProtect, and executed the shellcode through .NET’s GetDelegateForFunctionPointer.

Persistence combined DLL hijacking in the Templates directory with a registry Run key. Stylistic hallmarks, such as verbose numbered comments and check-mark status messages, suggest AI assistance in crafting the dynamic loader.

Both scenarios share hallmarks of modern post-exploitation: fileless execution, dynamic invocation of shellcode, abuse of legitimate services, modular beaconing, and robust persistence mechanisms.

The second case's DLL-hijack technique and registry-based persistence underscore the evolving threat posed by AdaptixC2 deployments.

Defense Recommendations

Security teams should treat AdaptixC2 as a rising danger. Monitoring for in-memory decryption routines (RC4 for the embedded profile, XOR or Base64 for the staged payloads), unusual dynamic-invocation calls, and key-extraction logic in .NET and PowerShell processes can signal beacon deployments.

Hunting for PowerShell scripts using dynamic memory allocation, VirtualProtect, and GetDelegateForFunctionPointer provides early warnings.

Network defenses should inspect HTTP POST requests to atypical URIs with custom headers or user-agents and monitor named-pipe SMB traffic patterns.
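The added example below shows one way to act on that network guidance over proxy logs; it is not a Palo Alto Networks or Unit 42 detection. Rather than matching a specific URI or user-agent string (both are operator-configurable, as the article notes), it groups HTTP POSTs by source, host, URI and user-agent and flags groups whose request timing is both frequent and regular, which is what a sleep-plus-jitter beacon looks like from the proxy. The log format (one whitespace-delimited line with a quoted user-agent) and the log contents are constructed for the demo: one host beacons roughly every 60 seconds with jitter to an RFC 5737 address, a second host browses, and a third runs a chatty but irregular application.

```python
"""Flag periodic HTTP POST beaconing in proxy logs.

Added example for this article; not a Palo Alto Networks or Unit 42
detection. It assumes a simple whitespace-delimited proxy log format with
the user-agent quoted:

    <ISO-8601 time> <src ip> <method> <host> <uri> "<user-agent>" <status>

The log below is constructed for the demo: 10.1.2.3 beacons about every
60 s with jitter to an RFC 5737 address; 10.1.2.4 browses; 10.1.2.5 runs a
chatty application with irregular timing.
"""
import shlex
import statistics
from collections import defaultdict
from datetime import datetime

SAMPLE_PROXY_LOG = """\
2025-05-06T10:00:00Z 10.1.2.3 POST 203.0.113.10 /uri.php "Mozilla/5.0 (Windows NT 10.0) Example/1.0" 200
2025-05-06T10:00:05Z 10.1.2.5 POST chat.example.invalid /messages "ChatClient/4.2" 200
2025-05-06T10:00:09Z 10.1.2.5 POST chat.example.invalid /messages "ChatClient/4.2" 200
2025-05-06T10:00:10Z 10.1.2.4 GET www.example.invalid / "Mozilla/5.0 (Windows NT 10.0) Chrome/124.0" 200
2025-05-06T10:00:40Z 10.1.2.5 POST chat.example.invalid /messages "ChatClient/4.2" 200
2025-05-06T10:01:00Z 10.1.2.3 POST 203.0.113.10 /uri.php "Mozilla/5.0 (Windows NT 10.0) Example/1.0" 200
2025-05-06T10:01:55Z 10.1.2.3 POST 203.0.113.10 /uri.php "Mozilla/5.0 (Windows NT 10.0) Example/1.0" 200
2025-05-06T10:02:15Z 10.1.2.5 POST chat.example.invalid /messages "ChatClient/4.2" 200
2025-05-06T10:02:17Z 10.1.2.5 POST chat.example.invalid /messages "ChatClient/4.2" 200
2025-05-06T10:03:01Z 10.1.2.3 POST 203.0.113.10 /uri.php "Mozilla/5.0 (Windows NT 10.0) Example/1.0" 200
2025-05-06T10:03:59Z 10.1.2.3 POST 203.0.113.10 /uri.php "Mozilla/5.0 (Windows NT 10.0) Example/1.0" 200
2025-05-06T10:04:37Z 10.1.2.4 GET www.example.invalid /news "Mozilla/5.0 (Windows NT 10.0) Chrome/124.0" 200
2025-05-06T10:05:02Z 10.1.2.3 POST 203.0.113.10 /uri.php "Mozilla/5.0 (Windows NT 10.0) Example/1.0" 200
2025-05-06T10:05:50Z 10.1.2.5 POST chat.example.invalid /messages "ChatClient/4.2" 200
2025-05-06T10:05:59Z 10.1.2.3 POST 203.0.113.10 /uri.php "Mozilla/5.0 (Windows NT 10.0) Example/1.0" 200
2025-05-06T10:06:02Z 10.1.2.5 POST chat.example.invalid /messages "ChatClient/4.2" 200
2025-05-06T10:07:00Z 10.1.2.3 POST 203.0.113.10 /uri.php "Mozilla/5.0 (Windows NT 10.0) Example/1.0" 200
2025-05-06T10:07:12Z 10.1.2.4 POST www.example.invalid /login "Mozilla/5.0 (Windows NT 10.0) Chrome/124.0" 302
2025-05-06T10:08:04Z 10.1.2.3 POST 203.0.113.10 /uri.php "Mozilla/5.0 (Windows NT 10.0) Example/1.0" 200
2025-05-06T10:09:03Z 10.1.2.3 POST 203.0.113.10 /uri.php "Mozilla/5.0 (Windows NT 10.0) Example/1.0" 200
2025-05-06T10:09:30Z 10.1.2.5 POST chat.example.invalid /messages "ChatClient/4.2" 200
"""


def parse_line(line: str) -> dict:
    """Split one log line; shlex keeps the quoted user-agent as a single field."""
    ts, src, method, host, uri, ua, status = shlex.split(line)
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "src": src,
            "method": method, "host": host, "uri": uri, "ua": ua, "status": int(status)}


def detect_beacons(log_text: str, min_requests: int = 8, max_cv: float = 0.3) -> list[dict]:
    """Group POSTs by (src, host, uri, ua) and flag groups whose inter-request
    gaps are numerous and regular. The coefficient of variation (stdev/mean)
    tolerates jitter but stays far below what human or app-driven traffic shows."""
    groups = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec["method"] != "POST":
            continue
        groups[(rec["src"], rec["host"], rec["uri"], rec["ua"])].append(rec["ts"])
    findings = []
    for (src, host, uri, ua), times in groups.items():
        if len(times) < min_requests:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean else float("inf")
        if cv <= max_cv:
            findings.append({"src": src, "host": host, "uri": uri, "ua": ua,
                             "count": len(times), "mean_interval_s": round(mean, 1),
                             "cv": round(cv, 3)})
    return findings


if __name__ == "__main__":
    for f in detect_beacons(SAMPLE_PROXY_LOG):
        print(f"{f['src']} -> {f['host']}{f['uri']} every ~{f['mean_interval_s']}s "
              f"(n={f['count']}, cv={f['cv']}, ua={f['ua']!r})")
```

The thresholds are starting points, not truths: a long sleep with heavy jitter or a WorkingTime window that stops beaconing overnight will push the coefficient of variation up, so in production the gaps should be computed per active window and the minimum request count tuned to the retention period. The flagged user-agent and URI then become the indicators the next paragraph says to feed back into signatures.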

Palo Alto Networks customers benefit from layered protections: Advanced DNS Security and Advanced URL Filtering block known malicious domains and URLs; Advanced Threat Prevention and WildFire detect exploit behaviors and novel samples; Cortex XDR and XSIAM combine endpoint prevention engines and telemetry analytics to identify anomalous in-memory injection and beaconing activities.

Regularly updating detection signatures with emerging AdaptixC2 indicators—server domains, unique URIs, and customized user-agent strings—will fortify defenses.

AdaptixC2’s open-source nature enables rapid customization by both red teams and threat actors. As defenders refine extraction tools for encrypted configurations, sharing extracted profiles and indicators across the community remains vital.

Organizations should periodically review and harden remote-assistance policies, enforce least-privilege remote-access controls, and maintain robust PowerShell logging to disrupt stealthy post-exploitation frameworks like AdaptixC2.

If you suspect a compromise, contact Unit 42 Incident Response. Stay vigilant against adaptable C2 tools and collaborate through the Cyber Threat Alliance to deploy timely protections.


About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.