Last seven days
- First activity
- Jul 12, 2026
- Last activity
- Jul 18, 2026
- Feed role
- C2
- Host form
- 63 IP / 1 hostnames
AdaptixC2 is an open-source post-exploitation command-and-control framework used both for legitimate red-team/adversarial emulation and in real-world intrusions.
Profile source: Mallory opens in a new tabAdaptixC2
AdaptixC2 is an open-source post-exploitation command-and-control framework used both for legitimate red-team/adversarial emulation and in real-world intrusions. The content describes it as a Go-based teamserver with Beacon and Gopher agents for Windows, Linux, and macOS, supporting command execution, file transfer and exfiltration, process control, SOCKS4/5 proxying, port forwarding, Beacon Object Files, and multiple transports including HTTP/S, DNS/DoH, SMB named pipes, and raw TCP. Beacon payloads can be generated as EXEs, DLLs, service executables, and raw shellcode, and configurations are RC4-encrypted. Default unauthenticated HTTP responses expose distinctive headers such as "Server: AdaptixC2" and "Adaptix-Version: v1.2," and default 404 content includes "AdaptixC2 404," making some deployments identifiable via passive scanning. Reported default or observed network artifacts include URIs such as /updates/check.php, /api/v1/status, /content.html, and in one documented default configuration /uri.php.
The framework has been observed in multiple malicious campaigns. In July 2025 Akira ransomware intrusions, BumbleBee delivered an AdaptixC2 beacon by injecting shellcode into AdgNsy.exe, a renamed WAB.exe, establishing persistent C2 to 172.96.137[.]160:443. In those intrusions, AdaptixC2 supported follow-on reconnaissance, credential theft from NTDS.dit, Veeam, and LSASS, RDP and SSH-based lateral movement, persistence alongside RustDesk, and data exfiltration via FileZilla/SFTP before Akira deployment. In a May 2026 phishing intrusion, payloads were staged from cloudpre-005[.]online using payload.zip and stub.zip; binaries including ms-op.exe, stub1.exe, and payload.exe beaconed to 23[.]20[.]229[.]225:443 and 98[.]81[.]111[.]167:443 and used the static user agent "Mozilla/5.0 (Windows NT 6.2; rv:20.0) Gecko/20121202 Firefox/20.0." Unit 42 also documented early May 2025 cases where AdaptixC2 was deployed via Microsoft Teams/Quick Assist social engineering and PowerShell-based loaders using in-memory shellcode execution, DLL hijacking with msimg32.dll, startup-folder persistence, and a Run key named "Updater." One observed C2 in that reporting was tech-system[.]online over HTTPS on port 443 using POST requests to /endpoint/api and the X-App-Id parameter.
The content further links AdaptixC2 to diverse threat activity: Operation Dragon Weave used an AdaptixC2 agent named AZUREVEIL with Microsoft Azure Blob Storage dead-drop C2 against targets in the Czech Republic and Taiwan across government, research, academic, technology, and financial sectors; pro-Ukrainian hacktivist-linked campaigns associated with 4BID/Hakerskii Kit/C.A.S./Goffee deployed AdaptixC2 alongside Sliver, Havoc, Mythic Apollo, BlackSalt, and ransomware after ProxyShell exploitation of Exchange; GOLD ENCOUNTER/PayoutsKing used AdaptixC2 or OpenSSH to establish SSH backdoors; Cisco Talos observed AdaptixC2 deployed post-compromise on exploited Cisco SD-WAN infrastructure; Sophos reported a March 2026 fake Claude-themed malware sample culminating in AdaptixC2-related shellcode; and Ctrl-Alt-Intel reported AdaptixC2 use after exploitation of CVE-2026-41940 against Southeast Asian government, military, MSP, and hosting targets. Additional infrastructure and indicators directly mentioned in the content include 194[.]163[.]175[.]135:4445 and :31337 in Talos cluster activity, 2.26.229[.]254 serving AdaptixC2 payloads and listeners on ports 4433, 4455, and 7000, and default agent watermarks be4c0149 for Beacon and 904e5493 for Gopher.
C2 tracking
Derp observations, rolling seven-day window
Samples
935603332954acd156b166f9bd8dc39d846acc562ca41153ace245e0a503914d 5561b6fc21a87b9fe542b2677b5c9d7a854f2d7d3b5f08a26735cc460fcb8d99 3d4c101372d5894caaf2c01223fd951c475c13f7083e55db4d67a5f51ab87e67 469f714c6abd33a7fc0e2ad2f0d7a253b6bfc7a5bc7a8ea206413829950d167e 48cff0294bd2f6afdbe03fa95b92749b48cf3f0fde5adb57c1bae37ac5c5dbd3 a3abe76ccb6b6d2aa718b789ff27d8347ecae1eac79902dd6b21cb975a916930 Reported operators
A new cyber espionage campaign codenamed Operation Dragon Weave has been observed targeting officials and citizens in the Czech Republic and Taiwan to deliver an AdaptixC2 agent... The loader then decrypts and runs the main payload, an AdaptixC2 agent codenamed AZUREVEIL owing to the use of Microsoft Azure Blob Storage for command-and-control (C2).
The group has also used a DLL sideloading technique to launch the Havoc C2 post-exploitation framework, and establishes an SSH backdoor via AdaptixC2 or OpenSSH.
83.142.209[.]11 is shown below, confirming ASN membership, TeamPCP attribution, and the AdaptixC2 malware classification.
The March sample is markedly different... the decryption of a .log file culminating in the execution of AdaptixC2-related shellcode. (AdaptixC2 is an open-source red-teaming framework that we’ve seen used in ransomware attacks...)
...DUPERUNNER ... finally executes the Adaptix C2 Beacon...
Exploited software
MITRE ATT&CK
Reporting
AdgNsy.exe (instance renommée de WAB.exe) est déployé et injecté avec le shellcode AdaptixC2 , établissant un canal C2 persistant
About five hours after infection, BumbleBee dropped AdgNsy.exe, a renamed copy of the legitimate Windows Address Book utility, which was injected with AdaptixC2 shellcode. This established a persistent command-and-control channel to 172.96.137[.]160.
The intrusion progressed with AdaptixC2, credential theft from the domain controller, SSH-based lateral movement, and data exfiltration via FileZilla and SFTP.
Following initial access, BumbleBee dropped an AdaptixC2 beacon to facilitate further intrusion activities, allowing the threat actor to pivot to a domain controller and dump the NTDS.dit.
AdaptixC2 is an open-source post-exploitation C2 framework whose default configuration ships branded HTTP headers ( Server: AdaptixC2, Adaptix-Version: v1.2 ) on every unauthenticated request, making deployed servers trivially identifiable from passive scanning.
Primary C2 was AdaptixC2, an increasingly common open-source post-exploitation framework. The operator staged it through cloudpre-005[.]online (/wop/payload.zip, /wop/stub.zip) and ran multiple variants — dropped binaries (ms-op.exe, stub1.exe), a temp-directory variant, and the unpacked payload.exe.
AdaptixC2 is another post-exploitation framework in the attackers’ arsenal.
Еще один постэксплуатационный фреймворк в арсенале злоумышленников — AdaptixC2.
Derp wouldn't exist without the work these projects do for the security community. We rely on their data sources to improve the quality and depth of what we publish. Thank you, we're genuinely grateful.