AdaptixC2: When Open-Source Tools Become Weapons

Cybercriminals are turning AdaptixC2, an open-source security tool, into a weapon for ransomware attacks.

Written By Ken Underhill
Oct 31, 2025

Threat actors are weaponizing AdaptixC2, an open-source Command and Control (C2) framework originally designed for red team activities.

Recent research by Silent Push reveals that cybercriminals have transformed this framework into a weapon for global ransomware operations.

A Legitimate Framework Turned Malicious

AdaptixC2 was created as a flexible, extensible post-exploitation and adversarial emulation framework intended for penetration testers. 

Its server component is written in Go and its client in C++ with a Qt-based graphical interface, and the tool runs on Linux, Windows, and macOS.

Its legitimate purpose is to simulate cyberattacks in controlled environments, helping organizations identify vulnerabilities and strengthen defenses. 

However, the same versatility that makes AdaptixC2 useful for defenders has also made it attractive to cybercriminals seeking stealth, adaptability, and multi-platform functionality.

The first evidence of AdaptixC2 abuse surfaced during Silent Push’s investigation into CountLoader, a malware loader that delivered malicious AdaptixC2 payloads from attacker-controlled infrastructure. 

Once researchers had detection signatures for both CountLoader and AdaptixC2, they observed a notable volume of use across ransomware campaigns, particularly those linked to the Akira ransomware group.

The Features Making AdaptixC2 a Hacker’s Dream

AdaptixC2’s architecture offers features that make it ideal for both ethical testing and malicious exploitation.

It supports multiple listener types, including mTLS, HTTP, SMB, and BTCP, enabling diverse and resilient communication channels between compromised systems and attacker command servers. 

Having several transports complicates detection by signature- and port-based network controls and gives operators a fallback channel if one is blocked; in frameworks of this kind, SMB and TCP listeners are typically used to chain agents inside a network, so only one compromised host needs direct internet egress.

The framework facilitates a range of post-exploitation functions, including remote command execution, privilege escalation, and lateral movement across networked systems. 

These features enable attackers to establish long-term footholds, exfiltrate sensitive data, and deploy ransomware with precision. 

Because AdaptixC2 is freely available on GitHub, malicious actors can easily download, modify, and redistribute it without oversight, accelerating its spread across the cybercriminal ecosystem.

Following the Trail to RalfHacker 

Silent Push’s open-source intelligence (OSINT) research traced AdaptixC2’s origins to a developer known as RalfHacker. 

GitHub activity logs show that this individual has made the most significant commits to the framework’s repository. 

Although RalfHacker’s GitHub profile presents them as a penetration tester and MalDev (malware developer), further investigation revealed connections to the Russian criminal underworld.

Analysts discovered multiple email addresses linked to RalfHacker — some appearing in leaked databases from prominent hacking forums such as RaidForums — and identified a Russian-language Telegram channel where the developer markets AdaptixC2 updates. 

Posts on this channel frequently include hashtags referencing Active Directory, APT tactics, and ATM-related exploits, indicating a potential association with cybercriminal communities. 

While Silent Push has not conclusively proven RalfHacker’s direct involvement in malicious campaigns, the convergence of technical activity, online presence, and language use points toward a strong connection with Russian threat actor networks.

When Security Tools Become Weapons

The AdaptixC2 case exemplifies a growing dual-use technology dilemma in cybersecurity — tools created for legitimate security research and defensive testing are increasingly weaponized by adversaries. 

Other well-known offensive tools have faced similar issues: cracked or leaked builds of the commercial Cobalt Strike circulate in underground forums, and the freely available Metasploit has long been used by attackers as well as testers.

However, AdaptixC2's open-source nature amplifies the problem: anyone can read and modify the codebase, and its continuous development means signature-based detections can be outpaced by each new version.

Defending Against AdaptixC2 Abuse

To defend against the malicious use of open-source C2 frameworks like AdaptixC2, organizations need a mix of proactive monitoring, strong access controls, and continuous validation.

  • Use behavioral and telemetry-based detection: Combine EDR or XDR and network analytics to identify abnormal protocol use, periodic outbound connections (beaconing), unexpected SMB named-pipe or workstation-to-workstation TCP connections, and unauthorized command execution.
  • Apply zero-trust and strong access controls: Enforce least privilege, multifactor authentication (MFA), and continuous verification for users and devices.
  • Keep systems and software patched: Regularly update operating systems, frameworks, and open-source dependencies to reduce the weaknesses an initial loader such as CountLoader can exploit.
  • Segment and monitor network traffic: Isolate critical assets, inspect outbound traffic for anomalies, and restrict lateral movement opportunities.
  • Strengthen threat intelligence and testing: Participate in intel-sharing communities and run red/purple-team exercises to validate defenses against open-source C2 abuse.
  • Train and equip security teams: Educate analysts and developers to recognize signs of open-source tool misuse and apply secure deployment practices.
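The listener section above notes that HTTP, mTLS and other transports blunt signature-based network detection, and the first bullet above recommends hunting for beaconing instead. The script below is an added example, written for this article rather than taken from AdaptixC2, Silent Push or the author: it scores each (source, destination) pair in a set of constructed proxy-log lines by how regular its connection intervals are, which is the traffic shape a sleeping C2 agent produces regardless of the protocol it speaks. The log format, the 60-second sample beacon and the thresholds (minimum six events, coefficient of variation at most 0.20) are all assumptions chosen for the demonstration.

```python
"""Beacon-interval detector over constructed proxy log lines.

Added example (not AdaptixC2 code and not from Silent Push's research).
Flags hosts whose outbound connections to one destination recur at a
near-constant interval, even when the transport is ordinary HTTP or mTLS.
"""
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample log (not real traffic): "<ISO time> <src> <dst> <bytes>".
# 10.0.4.21 calls home roughly every 60 s with a few seconds of jitter;
# 10.0.4.22 shows bursty, human-looking browsing; 10.0.4.23 has too few events.
SAMPLE_LOG = """\
2025-10-30T09:00:00Z 10.0.4.21 203.0.113.50 742
2025-10-30T09:01:02Z 10.0.4.21 203.0.113.50 740
2025-10-30T09:01:58Z 10.0.4.21 203.0.113.50 741
2025-10-30T09:03:03Z 10.0.4.21 203.0.113.50 742
2025-10-30T09:04:01Z 10.0.4.21 203.0.113.50 740
2025-10-30T09:04:59Z 10.0.4.21 203.0.113.50 742
2025-10-30T09:06:04Z 10.0.4.21 203.0.113.50 741
2025-10-30T09:07:00Z 10.0.4.21 203.0.113.50 740
2025-10-30T09:00:00Z 10.0.4.22 198.51.100.10 15320
2025-10-30T09:00:05Z 10.0.4.22 198.51.100.10 2210
2025-10-30T09:00:07Z 10.0.4.22 198.51.100.10 88410
2025-10-30T09:03:40Z 10.0.4.22 198.51.100.10 1200
2025-10-30T09:03:41Z 10.0.4.22 198.51.100.10 45100
2025-10-30T09:12:15Z 10.0.4.22 198.51.100.10 3300
2025-10-30T09:12:16Z 10.0.4.22 198.51.100.10 120004
2025-10-30T09:30:02Z 10.0.4.22 198.51.100.10 900
2025-10-30T09:00:00Z 10.0.4.23 192.0.2.9 500
2025-10-30T09:01:00Z 10.0.4.23 192.0.2.9 500
"""


def parse_log(text):
    """Yield (src, dst, datetime, bytes) tuples; malformed lines are skipped."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, src, dst, size = parts
        try:
            when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
            yield src, dst, when, int(size)
        except ValueError:
            continue


def beacon_score(timestamps):
    """Return (mean_interval_s, coefficient_of_variation) for a sorted series."""
    deltas = [(b - a).total_seconds() for a, b in zip(timestamps, timestamps[1:])]
    mean = statistics.mean(deltas)
    cv = statistics.stdev(deltas) / mean if mean > 0 else float("inf")
    return mean, cv


def detect_beacons(log_text, min_events=6, max_cv=0.20):
    """Flag (src, dst) pairs whose inter-connection gaps are near-constant.

    max_cv bounds the jitter tolerated: 0.20 still catches a 60 s sleep with
    roughly +/-20 % randomisation. Both thresholds are demo assumptions and
    should be tuned against a baseline of the real environment.
    """
    series = defaultdict(list)
    sizes = defaultdict(list)
    for src, dst, when, size in parse_log(log_text):
        series[(src, dst)].append(when)
        sizes[(src, dst)].append(size)

    hits = []
    for key, times in series.items():
        if len(times) < min_events:
            continue  # too few samples to call the pattern periodic
        times.sort()
        mean, cv = beacon_score(times)
        if cv <= max_cv:
            hits.append({
                "src": key[0], "dst": key[1], "events": len(times),
                "interval_s": round(mean, 1), "cv": round(cv, 3),
                "median_bytes": statistics.median(sizes[key]),
            })
    return hits


if __name__ == "__main__":
    for hit in detect_beacons(SAMPLE_LOG):
        print(f"{hit['src']} -> {hit['dst']}: {hit['events']} connections, "
              f"~{hit['interval_s']}s apart (cv={hit['cv']}), "
              f"median {hit['median_bytes']} bytes")
```

On the constructed data only the 10.0.4.21 pair is flagged (eight connections about 60 s apart, cv roughly 0.07); the browsing host has a coefficient of variation above 1 and the two-event pair never reaches the minimum sample count. In production the same statistic is computed per pair over a rolling window from proxy, firewall or Zeek conn logs, and the near-identical request sizes in the flagged pair are a second signal worth keeping alongside the interval score, since check-ins with no tasking tend to be the same size every time.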

By adopting these measures, organizations can detect and disrupt malicious activity early while strengthening overall cyber resilience.

The evolution of AdaptixC2 from a security testing tool to a ransomware tool highlights the growing sophistication of today’s threat landscape. 

Open-source accessibility, cross-platform design, and the anonymity of underground networks have made it easier for attackers to weaponize legitimate technologies.


Ken Underhill is an award-winning cybersecurity professional, bestselling author, and seasoned IT professional. He holds a graduate degree in cybersecurity and information assurance from Western Governors University and brings years of hands-on experience to the field.
