Silent Push Unearths AdaptixC2’s Ties to Russian Criminal Underworld, Tracks Threat Actors Harnessing Open-Source Tool for Malicious Payloads

Silent Push analysts discovered threat actors abusing the open-source AdaptixC2 post-exploitation framework to deliver malicious payloads, including via the CountLoader loader, and observed a surge in its use within global ransomware campaigns. The report highlights a likely developer/maintainer using the handle “RalfHacker” with Russian-language channels and ties to the Russian criminal underground. #AdaptixC2 #CountLoader

Key points

  • AdaptixC2, an open-source post-exploitation and adversarial emulation framework, is being abused by threat actors to deliver malicious payloads.
  • Initial abuse was discovered during research into the CountLoader malware loader, which dropped malicious AdaptixC2 payloads.
  • Silent Push developed detections for both CountLoader and AdaptixC2 after identifying their malicious use and tracking associated infrastructure.
  • Multiple public reports corroborated a surge in AdaptixC2 usage across global ransomware campaigns, including an Akira affiliate.
  • Evidence links a primary contributor/maintainer using the handle “RalfHacker” to Russian-language Telegram channels and possible ties to the Russian criminal ecosystem.
  • IOC collection began with a C2 IP 64[.]137[.]9[.]118 and a technical fingerprinting effort using the Silent Push Web Scanner.
  • Silent Push recommends continued tracking of AdaptixC2 infrastructure and offers enterprise customers exclusive technical details and IOFA feeds.

MITRE Techniques

  • [T1071] Application Layer Protocol – AdaptixC2 provides C2 communication channels to deliver payloads and control compromised hosts (“malicious AdaptixC2 payloads being served from attacker infrastructure”).
  • [T1105] Ingress Tool Transfer – CountLoader dropped malicious AdaptixC2 payloads onto victim systems (“a new malware loader was dropping malicious AdaptixC2 payloads”).
  • [T1584] Compromise Infrastructure – Threat actors hosted AdaptixC2 servers and attacker infrastructure, including the observed C2 IP 64[.]137[.]9[.]118 (“our CountLoader research initially provided us with a C2 IP address, 64[.]137[.]9[.]118”).
  • [T1190] Exploit Public-Facing Application – Publicly available frameworks and GitHub-hosted code (AdaptixC2) were reused by attackers to build malicious C2 capabilities (“AdaptixC2 is an extensible … framework … available on GitHub”).
  • [T1592] Gather Victim Identity Information – Threat actors and operators used Telegram channels and leaked forum data to advertise and coordinate, revealing account emails and handles (“Telegram group… advertising the v0.6 update”, “recovered email addresses… cybersecurityaaron@protonmail[.]com”).

Indicators of Compromise

  • [IP Address] Initial C2 – 64[.]137[.]9[.]118
  • [Domain/URL] Telegram channels promoting AdaptixC2 – t[.]me/AdaptixFramework and a Russian-language channel for “Ralf Hacker”
  • [Email Address] Accounts linked to the repository contributor – cybersecurityaaron@protonmail[.]com, hackerralf8@gmail[.]com
  • [Repository] GitHub project and author pages – https[:]//github[.]com/Adaptix-Framework/AdaptixC2, https[:]//github[.]com/RalfHacker

Read more: https://www.silentpush.com/blog/adaptix-c2/?utm_source=rss&utm_medium=rss&utm_campaign=adaptix-c2