Threat Actors Actively Using Open-Source C2 Framework to Deliver Malicious Payloads

A new wave of cyber threats is emerging as criminals increasingly weaponize AdaptixC2, a free and open-source Command and Control framework originally designed for legitimate penetration testing and red team operations.

Security researchers have uncovered a disturbing trend where advanced threat actors deploy this extensible post-exploitation tool across global ransomware campaigns, transforming a utility meant for ethical hacking into a dangerous weapon for criminal enterprises.

The framework's server component is written in Go, and its C++ and Qt-based GUI client runs on Linux, Windows, and macOS, giving attackers the flexibility and multi-platform compatibility that makes it particularly attractive for coordinated operations.

The abuse of AdaptixC2 was first discovered during extensive research into CountLoader, a sophisticated malware loader that served malicious AdaptixC2 payloads from attacker-controlled infrastructure.

AdaptixC2 Framework interface (Source – Silent Push)

Silent Push analysts identified and tracked these malicious deployments, subsequently creating dedicated detection signatures to identify both threats.

Following the implementation of these protective measures, multiple public reports highlighted a surge in AdaptixC2 usage among ransomware affiliates, particularly those connected to operations like Akira, which has compromised over 250 organizations since March 2023 and allegedly claimed $42 million in ransom proceeds.

Silent Push researchers noted that the escalating abuse of AdaptixC2 reveals sophisticated threat actors leveraging legitimate development tools to mask their malicious intentions.

The framework's post-exploitation capabilities allow attackers to establish persistent command channels, execute arbitrary commands on compromised systems, and move laterally within target networks.

The technical architecture supports multiple listener types including mTLS, HTTP, SMB, and BTCP protocols, providing operators with diverse communication channels that complicate detection and network-based monitoring.

Russian Underground Ties and Developer Attribution

Investigation into the framework’s origins revealed significant connections to the Russian criminal underworld.

AdaptixC2 Framework repository (Source – Silent Push)

An individual operating under the handle “RalfHacker” appears to be the primary developer behind AdaptixC2, managing the project through active GitHub commits and maintaining a Russian-language Telegram sales channel for the framework.

RalfHacker (Source – Silent Push)

OSINT research uncovered email addresses associated with RalfHacker’s accounts, including references in leaked databases belonging to established hacking forums such as RaidForums, establishing credible ties to organized cybercriminal communities.

The developer’s Telegram channel predominantly communicates in Russian, advertising framework updates with hashtags referencing Active Directory, APT tactics, and ATM-related materials, further solidifying connections to Russian threat actor networks actively exploiting the platform for ransomware operations.
