- The open-source command-and-control (C2) framework AdaptixC2 is increasingly used by threat actors, including Russian Ransomware groups.
- AdaptixC2 supports encrypted communications and various post-exploitation features for controlling infected devices.
- The framework was publicly released in August 2024 by a GitHub user called RalfHacker.
- Groups linked to Fog and Akira ransomware and an initial access broker use AdaptixC2 and related tools in attacks.
- Concerns arise over potential criminal ties due to the framework’s growth in underground activity and its promotion on Telegram channels.
The open-source command-and-control framework called AdaptixC2 is seeing expanded use by cybercriminals, including groups associated with Russian ransomware gangs. The framework, designed for penetration testing, provides a variety of features to control compromised systems.
AdaptixC2 supports fully encrypted communications, remote command execution, credential and screenshot management, and a remote terminal. The server component is written in Golang, while its graphical user interface (GUI) client uses C++ QT for cross-platform compatibility.
The framework was initially released in August 2024 by a GitHub user known as RalfHacker, who describes himself as a penetration tester and Malware developer. The release is publicly available on GitHub.
Security researchers at Palo Alto Networks Unit 42 recently analyzed AdaptixC2, describing it as a modular tool that offers comprehensive control over infected devices. They noted its usage in fake Microsoft Teams help desk support scams and AI-generated PowerShell scripts. The framework is also employed by groups tied to the Fog and Akira ransomware operations and an initial access broker that uses CountLoader for delivering post-exploitation payloads.
Cybersecurity firm Silent Push investigated RalfHacker following a GitHub profile claiming “MalDev” (malware developer) status. They uncovered multiple associated email addresses and a Telegram channel, RalfHackerChannel, which has over 28,000 subscribers. This channel shares posts from the official AdaptixFramework channel.
In August 2024, a message on the AdaptixFramework channel mentioned plans to develop a “public C2” tool similar to the well-known Empire framework. While direct involvement of RalfHacker in criminal acts is not confirmed, Silent Push highlighted potential links to Russia’s cybercrime underground due to Telegram marketing and increased use by Russian threat actors.
The Hacker News reached out to RalfHacker for comment and will provide updates if a response is received.
✅ Follow BITNEWSBOT on Telegram, Facebook, LinkedIn, X.com, and Google News for instant updates.
