Threat intelligence researchers have uncovered a growing campaign where cybercriminals are weaponizing AdaptixC2, a legitimate open-source Command and Control framework designed for authorized penetration testers.
The discovery reveals how threat actors are exploiting ethical hacking tools to conduct sophisticated cyberattacks, with significant ties linking the framework’s development to Russian criminal networks.
Silent Push threat analysts initially observed AdaptixC2 abuse while investigating the CountLoader malware loader in August 2025.
The malicious payloads were being served through attacker infrastructure utilizing CountLoader, indicating a deliberate preference for combining these tools in coordinated attacks.
Shortly after the research team deployed detection signatures for AdaptixC2, public reports confirmed a surge in the framework’s use across global ransomware campaigns, particularly by Akira ransomware affiliates.
AdaptixC2 is an extensible post-exploitation framework originally designed for red teams and penetration testers.
Its architecture includes a flexible Golang-based server and a C++ GUI client compatible with Linux, Windows, and macOS systems.
The framework’s legitimate availability on GitHub made it an attractive option for cybersecurity professionals, but threat actors quickly recognized its potential for malicious purposes.
The DFIR Report documented AdaptixC2’s use by Akira ransomware affiliates, demonstrating how quickly the tool transitioned from ethical use to criminal exploitation.
From information obtained through an Open-Source Intelligence (OSINT) site, intelx.io, we confirmed this email address was also found listed in a leaked database belonging to a known hacking forum.

Akira ransomware alone has impacted over 250 organizations globally since March 2023, affecting businesses and critical infrastructure providers across North America, Europe, and Australia, with estimated ransomware proceeds exceeding $42 million USD.
Threat researchers traced AdaptixC2’s primary development back to an individual using the handle “RalfHacker,” who presents themselves as a penetration tester, red team operator, and malware developer on their GitHub profile.
This combination of roles raised immediate red flags for security analysts investigating the framework’s criminal exploitation.
Further research revealed that email addresses associated with the developer appeared in leaked databases from known hacking forums, suggesting deeper ties to the criminal underground than legitimate developers typically maintain.
The investigation led researchers to a large Telegram channel named after RalfHacker, where the developer announced AdaptixC2 updates exclusively in Russian with hashtags related to Active Directory, APT, and ATM materials.
This communication pattern aligns with intelligence gathered during parallel CountLoader research, pointing toward connections within Russia’s cybercriminal ecosystem.
The weaponization of AdaptixC2 highlights a critical challenge for defenders: distinguishing authorized penetration testing from criminal activity when both rely on the same legitimate tools. Other red team frameworks, such as evilginx2, similarly suffer from widespread criminal adoption while retaining legitimate use cases.
Threat actors frequently mask their activities under the guise of ethical hacking when communicating with fellow criminals, allowing developers to maintain plausible deniability. RalfHacker’s profile, which brazenly advertises “maldev” credentials alongside red team qualifications, demonstrates this obfuscation tactic.
Ongoing Threat Assessment
While direct evidence linking RalfHacker personally to specific criminal operations remains insufficient for definitive conclusions, the circumstantial evidence warrants serious concern.
The framework’s active use by confirmed ransomware operators, RalfHacker’s apparent connections to Russian criminal networks through Telegram marketing, and the tool’s regular maintenance and updates all suggest non-trivial ties between the developer and malicious actors.
Security teams are advised to monitor AdaptixC2 infrastructure vigilantly, as the framework continues facilitating sophisticated attacks against organizations worldwide.