
AdaptixC2: The New Tool for Malicious Payload Delivery

Summary

– Cybercriminals are increasingly using AdaptixC2, a free penetration testing tool, in ransomware operations worldwide.
– The tool’s malicious use accelerated after detection signatures were released, linking it to the CountLoader malware.
– An Akira ransomware affiliate was found using AdaptixC2, having breached over 250 organizations and generated $42 million since 2023.
– Researchers identified developer “RalfHacker” with ties to Russian-language channels and assess with moderate confidence that there is a connection to criminal activity.
– Key indicators of this threat include network traffic to AdaptixC2 servers, CountLoader activity, and unusual Golang or C++ QT applications.

A notable escalation in cybercrime has emerged with the widespread misuse of AdaptixC2, a freely available adversarial emulation framework originally designed for legitimate penetration testing. Security researchers are now observing this tool being leveraged in active ransomware campaigns across the globe, marking a significant shift in attacker methodologies.

The adoption of AdaptixC2 by malicious actors accelerated soon after new detection signatures became public, connecting its use to CountLoader, a malware loader first identified in August 2025. According to a recent analysis from Silent Push researchers, this development highlights a coordinated effort by cybercriminals to integrate the tool into their attack chains.

Ransomware operators are increasingly turning to legitimate security tools to bypass defenses and maintain stealth. AdaptixC2 functions as an extensible post-exploitation platform, built with a Golang-based server and a graphical user interface developed in C++ and QT for compatibility across different operating systems. While security professionals legitimately use it to simulate advanced intrusions and test organizational resilience, it is now being distributed via the CountLoader malware. This indicates a deliberate strategy by threat actors to blend in with normal administrative or security software.

Following the publication of detection rules, multiple incident reports confirmed a sharp rise in AdaptixC2 deployments within ransomware incidents. One digital forensics and incident response (DFIR) investigation identified an affiliate of the Akira ransomware group actively using the framework. The Akira group itself has compromised over 250 organizations since 2023, resulting in approximately $42 million in damages, with victims spanning businesses and critical infrastructure sectors throughout Europe, North America, and Australia. This mirrors a larger industry trend where adversaries repurpose open-source offensive security tools for harmful purposes.

Developer associations have come under scrutiny as researchers attempt to trace the origins of this misuse. The alias “RalfHacker” has been identified as the most prolific contributor to the AdaptixC2 project. This individual’s GitHub profile lists their occupation as a penetration tester, red team operator, and “MalDev,” short for malware development. Investigators linked this alias to Russian-language Telegram channels that promoted the framework, as well as to email addresses discovered within leaked data from hacking forums. Although a direct role in attacks remains unconfirmed, this pattern of behavior has prompted ongoing surveillance by security firms.

Attributing malicious activity is notoriously challenging, as threat actors frequently disguise their operations as legitimate security research. However, the framework’s promotion in Russian-language circles, combined with its rapid adoption by ransomware groups with suspected ties to Russian-aligned actors, led analysts to assess with moderate confidence that the developer’s connections to cybercriminal ecosystems are substantive.

To help organizations defend against this emerging threat, Silent Push has released a set of critical indicators of compromise. Security teams should monitor for network traffic communicating with known AdaptixC2 server infrastructure and any signs of CountLoader activity, which often serves as a precursor to its deployment. Additional red flags include unexpected Golang-based command-and-control communications and the execution of unfamiliar C++ QT applications on Windows, macOS, or Linux systems.

In their final assessment, Silent Push stated that given the ongoing development and maintenance of AdaptixC2 by RalfHacker, and its continued use by cybercriminals, the relationship between the developer and malicious activity is considered non-trivial, warranting continued inclusion in threat intelligence monitoring.

(Source: Info Security)
