

AdaptixC2 Under Fire: Russian Ransomware Gangs Weaponize Open-Source C2 Framework for Advanced Attacks

  • Rescana
  • Oct 30
  • 4 min read


Executive Summary

Russian ransomware gangs have recently escalated their operational sophistication by weaponizing the open-source AdaptixC2 command-and-control (C2) framework. Originally developed for legitimate red teaming and adversarial simulation, AdaptixC2 is now being actively abused to orchestrate advanced ransomware campaigns, facilitate initial access, maintain persistence, and deploy secondary payloads such as CountLoader. This development marks a significant evolution in the threat landscape, as the accessibility and modularity of AdaptixC2 lower the barrier for cybercriminals to conduct high-impact, multi-stage attacks. The framework’s cross-platform support, encrypted communications, and rapid adoption within Russian-language cybercriminal communities have enabled threat actors to evade traditional detection mechanisms and target organizations across Europe, North America, and Australia. This advisory provides a comprehensive technical analysis of the threat, observed tactics, techniques, and procedures (TTPs), victimology, and actionable mitigation strategies.

Threat Actor Profile

The primary threat actors leveraging AdaptixC2 are Russian-speaking ransomware gangs, most notably affiliates of the Akira and Fog ransomware operations. These groups are characterized by their agility in adopting new offensive tooling, their presence on Russian-language Telegram channels and underground forums, and their focus on high-value targets in critical infrastructure, finance, and enterprise sectors. The developer of AdaptixC2, known as “RalfHacker,” maintains a visible presence on GitHub and Russian cybercrime communities, where the tool is promoted and distributed. The Akira ransomware group, in particular, has been linked to over 250 breaches and $42 million in ransom payments since 2023, with confirmed use of AdaptixC2 in recent incidents. These actors demonstrate advanced operational security, leveraging dual-use tools to blend malicious activity with legitimate red team operations, complicating attribution and response.

Technical Analysis of Malware/TTPs

AdaptixC2 is a modular, open-source post-exploitation and C2 framework made up of three parts: a Golang-based team server, a C++/Qt cross-platform GUI client used by the operator, and native agents (the default agent is named "beacon") that run on the target. Its legitimate use cases include penetration testing and adversarial emulation, but its architecture is highly conducive to abuse. The framework supports encrypted communications, remote command execution, credential harvesting, screenshot capture, and the deployment of custom agents and listeners via "extenders," its plugin mechanism. Agents are built for x86 and x64 and can be delivered as EXE, DLL, service executable, or raw shellcode.

Threat actors typically gain initial access through spearphishing campaigns, distributing malicious PDFs that impersonate law enforcement agencies such as Ukraine's national police. These documents deliver CountLoader, a loader that subsequently deploys the AdaptixC2 agent. Once established, the agent checks in with attacker-controlled C2 infrastructure over HTTP(S); SMB and TCP listeners are also available for chaining agents through an already compromised host that has outbound connectivity. Operators frequently use custom listener profiles, and the agent's embedded configuration is RC4-encrypted, so static signatures on the configuration itself are unreliable. Persistence is achieved through startup folder shortcuts, registry Run keys, and DLL hijacking, while lateral movement and privilege escalation are facilitated by in-memory execution of Beacon Object Files (BOFs) and PowerShell-based loaders.

The following MITRE ATT&CK techniques have been observed in these campaigns: T1566.001 (Phishing: Spearphishing Attachment), T1105 (Ingress Tool Transfer), T1219 (Remote Access Software), T1071.001 (Application Layer Protocol: Web Protocols), T1059 (Command and Scripting Interpreter), and T1547.001 (Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder).
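The HTTP(S) check-in described above (T1071.001) leaves a network signature that survives custom profiles and encrypted configurations: the agent sleeps for a configured interval, with optional jitter, between requests. The following is an added example of how to hunt for that regularity in proxy logs; it is not code from Rescana or from the AdaptixC2 project, and the log format, hostnames (c2.example.net, www.example.com), addresses and thresholds are constructed for illustration.

```python
"""Flag periodic HTTP(S) beaconing in proxy logs (ATT&CK T1071.001).

Added example for this advisory; it is not code from Rescana or from the
AdaptixC2 project. The log format, hostnames and thresholds below are
constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

# Constructed log format: "<ISO timestamp> <src_ip> <dst_host> <method> <uri> <status> <bytes>"
def parse_line(line):
    ts, src, dst, method, uri, status, nbytes = line.split()
    return datetime.fromisoformat(ts), src, dst, method, uri, int(status), int(nbytes)

def find_beacons(lines, min_requests=8, max_cv=0.35):
    """Return {(src, dst): (mean_gap_s, cv, n_requests)} for channels whose
    inter-request gaps are regular enough to look like a sleep+jitter beacon.

    cv is stddev/mean of the gaps. A 60 s sleep with 20% jitter yields a cv
    below 0.1; interactive browsing mixes sub-second bursts with long idle
    periods and lands well above 1.
    """
    by_channel = defaultdict(list)
    for line in lines:
        ts, src, dst, *_ = parse_line(line)
        by_channel[(src, dst)].append(ts)

    hits = {}
    for key, stamps in by_channel.items():
        if len(stamps) < min_requests:      # too few samples to judge regularity
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        m = mean(gaps)
        if m <= 0:
            continue
        cv = pstdev(gaps) / m
        if cv <= max_cv:
            hits[key] = (round(m, 1), round(cv, 3), len(stamps))
    return hits

def _make_lines(src, dst, base, offsets, uri="/api/v1/sync"):
    """Build constructed log lines at the given second offsets from base."""
    return [f"{(base + timedelta(seconds=o)).isoformat()} {src} {dst} GET {uri} 200 312"
            for o in offsets]

BASE = datetime(2025, 10, 1, 9, 0, 0)
# Constructed sample: c2.example.net and www.example.com are placeholders, not real IOCs.
SAMPLE_LOG = (
    # implant checking in about every 60 s with jitter
    _make_lines("10.0.0.5", "c2.example.net", BASE, [0, 58, 121, 178, 244, 301, 366, 420, 484, 545])
    # a user browsing: bursts of requests separated by long idle gaps
    + _make_lines("10.0.0.7", "www.example.com", BASE, [0, 1, 2, 4, 300, 301, 1500, 1501, 1503, 3600], uri="/news")
    # too few requests to judge
    + _make_lines("10.0.0.7", "c2.example.net", BASE, [5, 9, 700])
)

if __name__ == "__main__":
    for (src, dst), (gap, cv, n) in find_beacons(SAMPLE_LOG).items():
        print(f"possible beacon: {src} -> {dst} every ~{gap}s (cv={cv}, n={n})")
```

Legitimate software (update checkers, telemetry, monitoring agents) also checks in on a schedule, so a low cv is a lead, not a verdict: suppress known-good destinations and combine the hit with destination age and reputation, the requesting process, and whether the response sizes are as uniform as the timing.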

Exploitation in the Wild

Multiple security research teams, including Silent Push, Unit 42 (Palo Alto Networks), and Recorded Future, have documented the exploitation of AdaptixC2 in active ransomware campaigns. In August 2025, Silent Push observed the first abuse of AdaptixC2 to deliver CountLoader via phishing emails containing malicious PDFs. Subsequent incidents have confirmed the use of AdaptixC2 by Akira ransomware affiliates in breaches across Europe, North America, and Australia. Digital forensics and incident response (DFIR) teams have recovered AdaptixC2 artifacts in compromised environments, often alongside evidence of fileless in-memory execution, PowerShell-based loaders, and DLL hijacking.

The tool’s cross-platform capabilities have enabled attackers to target Windows, Linux, and macOS endpoints, with payloads tailored to each environment. In some cases, AdaptixC2 has been deployed in conjunction with Fog ransomware, particularly in attacks on financial institutions in Asia. The rapid adoption and customization of AdaptixC2 within Russian cybercriminal circles underscore its effectiveness and the growing threat it poses to organizations worldwide.

Victimology and Targeting

The primary victims of AdaptixC2-enabled attacks are organizations in critical infrastructure, finance, healthcare, and enterprise sectors. Geographically, the campaigns have targeted entities in Europe, North America, and Australia, with a notable concentration in countries with advanced digital economies and high-value data assets. Attackers employ highly targeted spearphishing techniques, often leveraging current events or impersonating trusted authorities to increase the likelihood of successful compromise. The use of AdaptixC2 allows threat actors to rapidly pivot within victim environments, deploy ransomware payloads, exfiltrate sensitive data, and maintain long-term persistence for follow-on operations.

Mitigation and Countermeasures

Organizations should implement a multi-layered defense strategy to detect and mitigate AdaptixC2-related threats. Key recommendations include monitoring outbound traffic for connections to known AdaptixC2 C2 domains and IP addresses and for regular, low-volume HTTP(S) check-ins to destinations with no business justification; hunting endpoints for AdaptixC2 agent artifacts (the agent ships as an EXE, DLL, service executable or raw shellcode and is what lands on a victim, whereas the C++/Qt component is the operator's GUI client and is not expected on an endpoint); and hunting for artifacts associated with CountLoader and PowerShell-based loaders. Email gateways should be configured to block or quarantine suspicious attachments, particularly PDFs purporting to originate from law enforcement or government agencies.

Endpoint detection and response (EDR) solutions should be updated with YARA rules and indicators of compromise (IOCs) specific to AdaptixC2 and its associated payloads. Security teams should conduct regular threat hunts for persistence mechanisms such as startup folder shortcuts, registry run keys, and evidence of DLL hijacking. In the event of detection, affected systems must be isolated immediately, and a comprehensive incident response plan should be executed to contain and remediate the intrusion.
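The persistence mechanisms named in the TTP section (startup folder shortcuts, registry Run keys, DLL hijacking through a signed host process) and the hunt recommended here share one problem: the same locations are full of legitimate entries, so a hunt needs to score entries rather than list them. The following is an added example of such a triage pass over an autorun inventory; it is not code from Rescana or from the AdaptixC2 project, and the inventory schema, the rules, their weights and all paths and names are constructed for illustration rather than taken from any published IOC set.

```python
"""Triage autorun persistence entries (Run keys, Startup folder shortcuts,
service executables) for loader-style implants (ATT&CK T1547.001).

Added example for this advisory; it is not code from Rescana or from the
AdaptixC2 project. The inventory schema, the rules and their weights are
constructed for illustration, not a published standard.
"""
import re
from pathlib import PureWindowsPath

# Directories an ordinary user can write to; legitimate software does live here
# (OneDrive, Teams), so this alone is never enough to flag an entry.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\", "\\downloads\\")
# Signed system binaries commonly used to launch a DLL or script payload
LOLBINS = {"rundll32.exe", "regsvr32.exe", "mshta.exe", "wscript.exe", "cscript.exe"}
# Hidden-window / encoded-command / download-and-run PowerShell switches
PS_SUSPICIOUS = re.compile(r"(?i)(\s-(e|ec|enc|encodedcommand)\s|-w(indowstyle)?\s+hidden|downloadstring|\biex\b|invoke-expression)")

def split_command(cmd):
    """Return (image_path, args). A quoted image path is honoured; an unquoted
    path is cut at the first space, which is good enough for this inventory."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end], cmd[end + 1:].strip()
    head, _, tail = cmd.partition(" ")
    return head, tail

def score_entry(entry):
    """Return (score, [reason, ...]) for one autorun entry."""
    image, args = split_command(entry["command"])
    name = PureWindowsPath(image.lower()).name
    reasons = []
    # check image AND arguments: "rundll32 C:\Users\...\x.dll,Start" hides the payload in args
    if any(marker in entry["command"].lower() for marker in USER_WRITABLE):
        reasons.append(("payload in user-writable directory", 2))
    if name in LOLBINS:
        reasons.append(("LOLBin launcher", 2))
    if name in ("powershell.exe", "pwsh.exe") and PS_SUSPICIOUS.search(" " + args + " "):
        reasons.append(("hidden/encoded PowerShell", 3))
    if entry.get("signer", "").strip().lower() in ("", "unsigned", "not verified"):
        reasons.append(("unsigned image", 1))
    return sum(w for _, w in reasons), [r for r, _ in reasons]

def triage(entries, threshold=3):
    """Return {entry name: (score, reasons)} for entries at or above threshold."""
    out = {}
    for e in entries:
        score, reasons = score_entry(e)
        if score >= threshold:
            out[e["name"]] = (score, reasons)
    return out

# Constructed inventory (paths and names are placeholders, not real IOCs);
# 'signer' is the Authenticode signer of the launched image as a sweep would report it.
SAMPLE_ENTRIES = [
    {"location": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", "name": "OneDrive",
     "command": '"C:\\Users\\bob\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe" /background',
     "signer": "Microsoft Corporation (Verified)"},
    {"location": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", "name": "Updater",
     "command": "C:\\Windows\\System32\\rundll32.exe C:\\Users\\bob\\AppData\\Roaming\\svc\\update.dll,Start",
     "signer": "Microsoft Windows (Verified)"},
    {"location": "Startup folder", "name": "report.lnk",
     "command": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -w hidden -enc QQBBAEEA",
     "signer": "Microsoft Windows (Verified)"},
    {"location": "Startup folder", "name": "installer.lnk",
     "command": "C:\\Users\\Public\\Libraries\\installer.exe", "signer": ""},
    {"location": "HKLM\\SYSTEM\\CurrentControlSet\\Services\\wuauclt2", "name": "wuauclt2",
     "command": '"C:\\ProgramData\\Updates\\wuauclt2.exe" -svc', "signer": "Unsigned"},
    {"location": "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", "name": "SecurityHealth",
     "command": "C:\\Windows\\System32\\SecurityHealthSystray.exe",
     "signer": "Microsoft Windows (Verified)"},
]

if __name__ == "__main__":
    for name, (score, reasons) in triage(SAMPLE_ENTRIES).items():
        print(f"{name}: score {score} - {', '.join(reasons)}")
```

The OneDrive entry shows why the signer matters: it lives under AppData like many implants, but a verified Microsoft signature keeps it below the threshold, while the rundll32 entry is caught only because the DLL path in its arguments is inspected, not just the signed host binary. Entries that score should be pulled for full analysis (hash, signature chain, creation time, parent process from EDR telemetry), not auto-remediated.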

Continuous user awareness training is essential to reduce the risk of successful phishing attacks. Organizations leveraging AdaptixC2 for legitimate red teaming should ensure strict access controls, monitor for unauthorized use, and segregate testing environments from production networks; any AdaptixC2 agent detected that cannot be tied to an authorized engagement should be treated as an intrusion rather than assumed to be testing.

References

Open-source AdaptixC2 hacking tool has fans in Russian cybercrime underground – The Record (Recorded Future): https://therecord.media/open-source-adaptixc2-red-teaming-tool-russian-cybercrime

Threat Actors Utilize AdaptixC2 for Malicious Payload Delivery – Infosecurity Magazine: https://www.infosecurity-magazine.com/news/adaptixc2-malicious-payload/

AdaptixC2: A New Open-Source Framework Leveraged in Real Attacks – Unit 42, Palo Alto Networks: https://unit42.paloaltonetworks.com/adaptixc2-post-exploitation-framework/

Silent Push research on AdaptixC2 and Russian cybercrime: https://malware.news/t/silent-push-unearths-adaptixc2s-ties-to-russian-criminal-underworld-tracks-threat-actors-harnessing-open-source-tool-for-malicious-payloads/100754

MITRE ATT&CK Techniques: https://attack.mitre.org/

AdaptixC2 GitHub: https://github.com/Adaptix-Framework/AdaptixC2

About Rescana

Rescana is a leader in third-party risk management (TPRM), providing organizations with a comprehensive platform to assess, monitor, and mitigate cyber risks across their supply chain. Our advanced threat intelligence and automation capabilities empower security teams to proactively identify emerging threats, streamline vendor assessments, and enhance overall cyber resilience. For more information about our solutions or to discuss your organization’s unique risk profile, we are happy to answer questions at ops@rescana.com.
