In early May 2025, Unit 42 researchers observed multiple instances of AdaptixC2 being deployed to infect enterprise systems.
Unlike many high-profile command-and-control (C2) platforms, AdaptixC2 has flown under the radar, with scant public documentation demonstrating its use in live adversary operations.
Our research dissects AdaptixC2’s capabilities, deployment techniques, and evasion mechanisms to equip security teams with the knowledge needed to defend against this evolving threat.
AdaptixC2 is a newly identified, open-source post-exploitation and adversarial emulation framework originally created for penetration testers.
Palo Alto Networks customers benefit from protection via Advanced DNS Security, Advanced Threat Prevention, Advanced URL Filtering, Advanced WildFire, Cortex XDR, and XSIAM. For incident response assistance, contact the Unit 42 Incident Response team.
AdaptixC2 Overview and Capabilities
AdaptixC2 is a modular, open-source adversarial framework designed for red team operations.
The AdaptixC2 interface shows linked agents and sessions in a graphical view.
Its functionality spans command execution, file transfer, data exfiltration, and session management.
Agents support both x86 and x64 architectures and can be generated as standalone executables, DLLs, service binaries, or raw shellcode.
Core features include filesystem manipulation (directory listings, file creation, modification, deletion), process enumeration and control, and execution of arbitrary binaries.
For covert communications, AdaptixC2 supports SOCKS4/5 proxying, port forwarding, and configurable chunk sizes to blend exfiltration traffic into legitimate network flows.
Extenders—plugin-style modules—enable custom payloads and detection-evasion strategies, while Beacon Object Files (BOFs) allow C payloads to run within the agent’s process.
Configuration is encrypted with RC4, embedding a size field, encrypted data block, and 16-byte key multiple incidents where threat actors installed AdaptixC2 beacons.
Three beacon profiles—HTTP, SMB, and TCP—offer flexibility under varied network restrictions. The HTTP profile, most prevalent in the observed campaigns, configures servers, ports, SSL settings, HTTP methods, URIs, headers, and user-agent strings.
Real-World Attack Scenarios
Two distinct AdaptixC2 infections were investigated. The first relied on social engineering via counterfeit Microsoft Teams messages impersonating IT support, luring victims into Quick Assist sessions.
A multi-stage PowerShell loader downloaded an XOR-encoded shellcode payload from a legitimate hosting service, decrypted it in memory, and launched it using .NET’s dynamic invocation to avoid writing to disk.
Persistence was achieved by dropping a startup shortcut. Post-infection reconnaissance invoked nltest.exe, whoami.exe, and ipconfig.exe before establishing C2 connectivity.
The second incident involved a PowerShell script assessed to be AI-generated. It downloaded a Base64-encoded AdaptixC2 beacon, allocated unmanaged memory, copied and executed shellcode via VirtualProtect, and implemented dual persistence: DLL hijacking in the Templates folder and a Run-key registry entry.
Stylistic cues—verbose numbered comments and check-mark output messages—alongside AI detector flags, indicated the use of generative tools. This case underscores how AI assistance accelerates the development of sophisticated, fileless loaders.
The emergence of AdaptixC2 in live attacks signals a shift toward adversaries customizing red-team frameworks for illicit operations.
Monitor for anomalous memory-only execution behaviors indicative of dynamic invocation.
Extract and analyze RC4-encrypted configurations from suspect binaries to uncover C2 infrastructure.
Leverage endpoint protections to detect proxying and port-forwarding tunnels.
Indicators of Compromise
Here is the data in a structured table format:
| Value | Type | Description |
|---|---|---|
| bdb1b9e37f6467b5f98d151a43f280f319bacf18198b22f55722292a832933ab | SHA256 | PowerShell script that installs an AdaptixC2 beacon |
| 83AC38FB389A56A6BD5EB39ABF2AD81FAB84A7382DA296A855F62F3CDD9D629D | SHA256 | PowerShell script that installs an AdaptixC2 beacon |
| 19c174f74b9de744502cdf47512ff10bba58248aa79a872ad64c23398e19580b | SHA256 | PowerShell script that installs an AdaptixC2 beacon |
| 750b29ca6d52a55d0ba8f13e297244ee8d1b96066a9944f4aac88598ae000f41 | SHA256 | PowerShell script that installs an AdaptixC2 beacon |
| b81aa37867f0ec772951ac30a5616db4d23ea49f7fd1a07bb1f1f45e304fc625 | SHA256 | AdaptixC2 beacon as DLL |
| df0d4ba2e0799f337daac2b0ad7a64d80b7bcd68b7b57d2a26e47b2f520cc260 | SHA256 | AdaptixC2 beacon as EXE |
| AD96A3DAB7F201DD7C9938DCF70D6921849F92C1A20A84A28B28D11F40F0FB06 | SHA256 | Shellcode that installs AdaptixC2 beacon |
| tech-system[.]online | Domain | AdaptixC2 domain |
| protoflint[.]com | Domain | AdaptixC2 domain |
| novelumbsasa[.]art | Domain | AdaptixC2 domain |
| picasosoftai[.]shop | Domain | AdaptixC2 domain |
| dtt.alux[.]cc | Domain | AdaptixC2 domain |
| moldostonesupplies[.]pro | Domain | AdaptixC2 domain |
| x6iye[.]site | Domain | AdaptixC2 domain |
| buenohuy[.]live | Domain | AdaptixC2 domain |
| firetrue[.]live | Domain | AdaptixC2 domain |
| lokipoki[.]live | Domain | AdaptixC2 domain |
| veryspec[.]live | Domain | AdaptixC2 domain |
| mautau[.]live | Domain | AdaptixC2 domain |
| muatay[.]live | Domain | AdaptixC2 domain |
| nicepliced[.]live | Domain | AdaptixC2 domain |
| nissi[.]bg | Domain | AdaptixC2 domain |
| express1solutions[.]com | Domain | AdaptixC2 domain |
| iorestore[.]com | Domain | AdaptixC2 domain |
| doamin[.]cc | Domain | AdaptixC2 domain |
| regonalone[.]com | Domain | AdaptixC2 domain |
Find this Story Interesting! Follow us on LinkedIn and X to Get More Instant Updates.
Source link
