The PolySwarm Blog

Analyze suspicious files and URLs, at scale, millions of times per day. Get real-time threat intel from a crowdsourced network of security experts and antivirus companies competing to protect you.

AdaptixC2

Oct 20, 2025 4:00:36 PM / by The Hivemind

Verticals Targeted: Financial
Regions Targeted: Asia
Related Families: Fog Ransomware

Executive Summary

AdaptixC2, an open-source command-and-control framework, has emerged as a potent tool for threat actors, enabling file manipulation, data exfiltration, and covert network communication in attacks. Its modular design and AI-assisted deployment methods underscore the need for robust defenses to counter its evolving tactics.

Key Takeaways

  • AdaptixC2 facilitates advanced post-exploitation activities, including file system manipulation, process enumeration, and data exfiltration, with support for SOCKS4/5 proxies and port forwarding for covert communication.  
  • Attackers deploy AdaptixC2 via social engineering and AI-generated PowerShell scripts, using fileless execution and persistence mechanisms like DLL hijacking and registry run keys.  
  • The framework’s configuration is stored RC4-encrypted in the PE file’s .rdata section as a size field, the ciphertext, and the 16-byte key; because the key travels with the data, defenders can locate the blob and decrypt it offline for analysis.  
  • Recent incidents show AdaptixC2 paired with Fog ransomware targeting financial institutions in Asia, indicating its role in multifaceted attack campaigns.

What is AdaptixC2?

Palo Alto Networks’ Unit 42 researchers identified AdaptixC2, an open-source post-exploitation framework originally built for penetration testing, being abused by threat actors in targeted attacks. Its low profile, combined with a modular architecture and customizable features, makes it a significant challenge for security teams.

AdaptixC2 enables a wide range of malicious activities, including file system manipulation, process enumeration, and data exfiltration with configurable chunk sizes to stay under network-volume thresholds. Its modular design incorporates “extenders,” allowing attackers to tailor payloads and evasion techniques to specific environments. The framework supports Beacon Object Files (BOFs) written in C, which run inside the agent’s own process so that no new process is created for defenders to observe, and generates payloads as executables, DLLs, service executables, or raw shellcode for both x86 and x64. For covert communication, AdaptixC2 tunnels traffic through SOCKS4/5 proxies and port forwarding, maintaining connectivity in restricted networks. Operational-security settings such as KillDate and WorkingTime restrict beacon activity to specified periods, so check-ins blend with legitimate business-hours traffic.

Two infection scenarios illustrate AdaptixC2’s deployment tactics. In the first, attackers used social engineering, impersonating IT support through Microsoft Teams phishing with subject lines like “Help Desk (External) | Microsoft Teams.” Victims were lured into initiating a remote-assistance session via Quick Assist, granting attackers interactive access through a legitimate Microsoft tool rather than through anything perimeter defenses would flag. A PowerShell loader then retrieved an encrypted payload from a legitimate hosting service, decrypted it with an XOR key, and executed it in memory via .NET’s Marshal.GetDelegateForFunctionPointer, so the decrypted payload never touched disk. Persistence was achieved through a shortcut in the user’s Startup folder. Post-exploitation reconnaissance used nltest.exe, whoami.exe, and ipconfig.exe before the agent began communicating with its C2 server.

The second scenario involved an AI-generated PowerShell script, recognizable by its verbose comments and checkmark icons in output messages. The script downloaded Base64-encoded shellcode, allocated memory, and executed it using dynamic invocation. Persistence was established two ways: DLL hijacking, by placing a malicious msimg32.dll in %APPDATA%\Microsoft\Windows\Templates, and a Run key value named “Updater.” Both scenarios show the attackers’ focus on stealth and persistence over novel tooling.
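The artifacts named across the two scenarios above (the XOR-decrypt-and-invoke PowerShell stage, the Startup folder shortcut, the msimg32.dll drop under Templates, the “Updater” Run key, and the nltest/whoami/ipconfig reconnaissance) are concrete enough to hunt for in endpoint telemetry. The following is an added example written for this post, not PolySwarm’s or Unit 42’s code: it runs simple hunting logic over a handful of constructed event records. The event schema (a flat dict with type, host, target, image, parent_pid and script fields, roughly what a flattened Sysmon or PowerShell 4104 export looks like) is an assumption; map the field names onto whatever your SIEM actually emits.

```python
import re
from collections import defaultdict
from typing import Dict, Iterable, List

# Artifacts named in the two scenarios. Paths assume %APPDATA% expands to
# AppData\Roaming; the Run-key pattern is anchored on the tail so it matches
# both HKCU\... and HKU\<SID>\... spellings.
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run\\Updater$", re.I)
HIJACK_DLL_RE = re.compile(
    r"\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\msimg32\.dll$", re.I)
STARTUP_LNK_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\[^\\]+\.lnk$", re.I)
RECON_TOOLS = {"nltest.exe", "whoami.exe", "ipconfig.exe"}
# Substrings a decrypt-and-run loader leaves in script-block logs. One alone is
# common in admin scripts; two or more in the same block is the signal.
LOADER_MARKERS = ("getdelegateforfunctionpointer", "-bxor", "frombase64string")


def classify_event(ev: Dict[str, str]) -> List[str]:
    """Return the findings a single event supports (empty list if benign)."""
    hits: List[str] = []
    kind = ev.get("type")
    target = ev.get("target", "")
    if kind == "registry_set" and RUN_KEY_RE.search(target):
        hits.append("persistence: Run key value 'Updater'")
    elif kind == "file_create" and HIJACK_DLL_RE.search(target):
        hits.append("persistence: msimg32.dll dropped under Templates (DLL hijack)")
    elif kind == "file_create" and STARTUP_LNK_RE.search(target):
        hits.append("persistence: shortcut written to Startup folder")
    elif kind == "script_block":
        text = ev.get("script", "").lower()
        found = [m for m in LOADER_MARKERS if m in text]
        if len(found) >= 2:
            hits.append("loader: in-memory PowerShell stage (" + ", ".join(found) + ")")
    return hits


def hunt(events: Iterable[Dict[str, str]]) -> Dict[str, List[str]]:
    """Aggregate per-event findings by host and add the recon-triad correlation."""
    findings: Dict[str, List[str]] = defaultdict(list)
    recon = defaultdict(set)  # (host, parent pid) -> recon binaries seen
    for ev in events:
        host = ev["host"]
        hits = classify_event(ev)
        if hits:
            findings[host].extend(hits)
        if ev.get("type") == "process_create":
            image = ev.get("image", "").rsplit("\\", 1)[-1].lower()
            if image in RECON_TOOLS:
                recon[(host, ev.get("parent_pid"))].add(image)
    # A single ipconfig is everyday noise; several recon tools from one parent is not.
    for (host, ppid), tools in recon.items():
        if len(tools) >= 2:
            findings[host].append(
                "recon: %s spawned by pid %s" % (", ".join(sorted(tools)), ppid))
    return dict(findings)


# Constructed sample telemetry (not real logs): WS01 matches scenario one,
# WS02 matches scenario two, WS03 is benign admin activity.
SAMPLE_EVENTS = [
    {"host": "WS01", "type": "script_block",
     "script": "$buf = [Convert]::FromBase64String($d); for($i=0;$i -lt $buf.Length;$i++)"
               "{$buf[$i] = $buf[$i] -bxor $k[$i % $k.Length]}; "
               "$f = [Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($ptr, [Action]); $f.Invoke()"},
    {"host": "WS01", "type": "file_create",
     "target": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneDriveUpdate.lnk"},
    {"host": "WS01", "type": "process_create", "image": r"C:\Windows\System32\nltest.exe", "parent_pid": 4120},
    {"host": "WS01", "type": "process_create", "image": r"C:\Windows\System32\whoami.exe", "parent_pid": 4120},
    {"host": "WS01", "type": "process_create", "image": r"C:\Windows\System32\ipconfig.exe", "parent_pid": 4120},
    {"host": "WS02", "type": "registry_set",
     "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater"},
    {"host": "WS02", "type": "file_create",
     "target": r"C:\Users\bob\AppData\Roaming\Microsoft\Windows\Templates\msimg32.dll"},
    {"host": "WS03", "type": "process_create", "image": r"C:\Windows\System32\ipconfig.exe", "parent_pid": 880},
    {"host": "WS03", "type": "file_create", "target": r"C:\Users\carol\Documents\report.docx"},
    {"host": "WS03", "type": "script_block", "script": "Get-ChildItem C:\\logs | ConvertTo-Json"},
]

if __name__ == "__main__":
    for host, items in hunt(SAMPLE_EVENTS).items():
        print(host)
        for item in items:
            print("  -", item)
```

The correlation step is the part worth carrying into a real detection: each artifact on its own has benign explanations (Startup shortcuts, Run keys, a lone ipconfig), so the rule only escalates when a host shows two or more of them or when the recon binaries share a parent process.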

AdaptixC2’s configuration is stored RC4-encrypted in the PE file’s .rdata section as three consecutive parts: a 4-byte size field, the encrypted data, and the 16-byte RC4 key. Because the key ships alongside the ciphertext, a defender who locates the blob can decrypt it offline and read fields such as agent type, SSL settings, and HTTP parameters; the default HTTP profile points at 172.16.196[.]1:4443 over HTTPS. The framework’s growing use is evident in its pairing with Fog ransomware in a recent attack on a financial institution in Asia, signaling its integration into broader campaigns. Telemetry shows increasing AdaptixC2 server activity, indicating wider adoption among threat actors. PolySwarm analysts consider AdaptixC2 to be an emerging threat.  
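The blob layout described above (size, ciphertext, key) is enough to write a small extractor. The following is an added example, not Unit 42’s extractor or anything from the AdaptixC2 project: it implements RC4, packs and unpacks a blob in that layout, and scans a buffer for a plausible blob the way one would scan a dumped .rdata section. Two things are assumptions: the size field is taken as little-endian and counting only the ciphertext, and the decrypted field layout (agent type, SSL flag, port, host, URI) is a constructed stand-in for the real configuration schema, which the post does not document. The sample section bytes and key are constructed for the example.

```python
import struct
from typing import Dict, Optional, Tuple


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Encryption and decryption are the same operation."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


# --- Constructed plaintext layout: an assumption, NOT AdaptixC2's real schema ---
def encode_fields(agent_type: int, ssl: bool, host: str, port: int, uri: str) -> bytes:
    h, u = host.encode("ascii"), uri.encode("ascii")
    return struct.pack("<IBH", agent_type, int(ssl), port) + bytes([len(h)]) + h + bytes([len(u)]) + u


def decode_fields(plain: bytes) -> Dict[str, object]:
    """Parse the constructed layout; raises if the bytes do not look like it."""
    agent_type, ssl, port = struct.unpack_from("<IBH", plain, 0)
    off = 7
    hlen = plain[off]
    host = plain[off + 1:off + 1 + hlen]
    off += 1 + hlen
    ulen = plain[off]
    uri = plain[off + 1:off + 1 + ulen]
    if len(host) != hlen or len(uri) != ulen:
        raise ValueError("truncated fields")
    host_s, uri_s = host.decode("ascii"), uri.decode("ascii")
    if not host_s or not host_s.isprintable() or not uri_s.startswith("/"):
        raise ValueError("implausible fields")
    return {"agent_type": agent_type, "ssl": bool(ssl), "host": host_s, "port": port, "uri": uri_s}


# --- Blob layout from the text: 4-byte size | RC4 ciphertext | 16-byte key ---
def build_blob(plaintext: bytes, key: bytes) -> bytes:
    if len(key) != 16:
        raise ValueError("key must be 16 bytes")
    ct = rc4(key, plaintext)
    return struct.pack("<I", len(ct)) + ct + key  # little-endian size is an assumption


def parse_blob(blob: bytes) -> Tuple[bytes, bytes]:
    """Return (plaintext, key); refuse blobs whose size field overruns the buffer."""
    if len(blob) < 4 + 16:
        raise ValueError("blob too short")
    (size,) = struct.unpack_from("<I", blob, 0)
    if 4 + size + 16 > len(blob):
        raise ValueError("size field exceeds blob")
    ct, key = blob[4:4 + size], blob[4 + size:4 + size + 16]
    return rc4(key, ct), key


def scan_section(section: bytes, min_size: int = 16, max_size: int = 4096) -> Optional[Tuple[int, Dict[str, object]]]:
    """Walk a dumped section, trying every offset whose size field is plausible
    and whose decrypted bytes parse as configuration. Returns (offset, fields)."""
    for off in range(0, len(section) - 20 + 1):
        (size,) = struct.unpack_from("<I", section, off)
        if not (min_size <= size <= max_size) or off + 4 + size + 16 > len(section):
            continue
        plain, _ = parse_blob(section[off:off + 4 + size + 16])
        try:
            return off, decode_fields(plain)
        except (ValueError, struct.error, IndexError, UnicodeDecodeError):
            continue
    return None


# Constructed fixture standing in for a dumped .rdata: some import-table-looking
# strings, then the blob, then trailing zeros. Key and values are made up.
SAMPLE_KEY = bytes(range(0x10, 0x20))
SAMPLE_PLAINTEXT = encode_fields(agent_type=1, ssl=True, host="172.16.196.1", port=4443, uri="/api/v1")
PADDING_BEFORE = b"\x00" * 32 + b"kernel32.dll\x00LoadLibraryA\x00" + b"\x00" * 16
SAMPLE_SECTION = PADDING_BEFORE + build_blob(SAMPLE_PLAINTEXT, SAMPLE_KEY) + b"\x00" * 16

if __name__ == "__main__":
    print(scan_section(SAMPLE_SECTION))
```

Against a real sample you would feed `scan_section` the raw bytes of the .rdata section (for example `pefile.PE(path)` and the matching entry in `pe.sections`, read with `get_data()`), replace `decode_fields` with a parser for the framework’s actual field layout, and treat the bounds check in `parse_blob` as essential: a corrupted or deliberately oversized size field must not be allowed to drive a slice past the buffer.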

IOCs

PolySwarm has multiple samples of AdaptixC2.


df0d4ba2e0799f337daac2b0ad7a64d80b7bcd68b7b57d2a26e47b2f520cc260

f316118ff8c2c209027923c38e09ef43ebeeca403086895122837b6ff0a1379d

e163dfcf86b9f835597fc39343ca47f30f66d054391532e6289254bd48c25ceb

38b05cad40c6957d7cd2516b615ab72b5cb43e65c84c50c3e831e8796f8237e6

54231b824ff662daa6df4cb66b1e1c3b9274623b255882fa7fadfd19fff1d151

b40a25f012c7afeff152dc55a141b19c4b9c6e7dc2a87114120029b1237bcfde


You can use the following CLI command to search for all AdaptixC2 samples in our portal:

$ polyswarm link list -f AdaptixC2


Don’t have a PolySwarm account? Go here to sign up for a free Community plan or subscribe.

Contact us at hivemind@polyswarm.io | Check out our blog | Subscribe to our reports.


Topics: Threat Bulletin, Emerging Threat, PowerShell malware, AdaptixC2, post-exploitation framework, C2 framework, AI-generated malware
