Skip to content
Malware family

AdaptixC2

AdaptixC2 is an open-source post-exploitation command-and-control framework used both for legitimate red-team/adversarial emulation and in real-world intrusions.

Profile source: Mallory opens in a new tab

AdaptixC2

Family profile

AdaptixC2 is an open-source post-exploitation command-and-control framework used both for legitimate red-team/adversarial emulation and in real-world intrusions. The content describes it as a Go-based teamserver with Beacon and Gopher agents for Windows, Linux, and macOS, supporting command execution, file transfer and exfiltration, process control, SOCKS4/5 proxying, port forwarding, Beacon Object Files, and multiple transports including HTTP/S, DNS/DoH, SMB named pipes, and raw TCP. Beacon payloads can be generated as EXEs, DLLs, service executables, and raw shellcode, and configurations are RC4-encrypted. Default unauthenticated HTTP responses expose distinctive headers such as "Server: AdaptixC2" and "Adaptix-Version: v1.2," and default 404 content includes "AdaptixC2 404," making some deployments identifiable via passive scanning. Reported default or observed network artifacts include URIs such as /updates/check.php, /api/v1/status, /content.html, and in one documented default configuration /uri.php.

The framework has been observed in multiple malicious campaigns. In July 2025 Akira ransomware intrusions, BumbleBee delivered an AdaptixC2 beacon by injecting shellcode into AdgNsy.exe, a renamed WAB.exe, establishing persistent C2 to 172.96.137[.]160:443. In those intrusions, AdaptixC2 supported follow-on reconnaissance, credential theft from NTDS.dit, Veeam, and LSASS, RDP and SSH-based lateral movement, persistence alongside RustDesk, and data exfiltration via FileZilla/SFTP before Akira deployment. In a May 2026 phishing intrusion, payloads were staged from cloudpre-005[.]online using payload.zip and stub.zip; binaries including ms-op.exe, stub1.exe, and payload.exe beaconed to 23[.]20[.]229[.]225:443 and 98[.]81[.]111[.]167:443 and used the static user agent "Mozilla/5.0 (Windows NT 6.2; rv:20.0) Gecko/20121202 Firefox/20.0." Unit 42 also documented early May 2025 cases where AdaptixC2 was deployed via Microsoft Teams/Quick Assist social engineering and PowerShell-based loaders using in-memory shellcode execution, DLL hijacking with msimg32.dll, startup-folder persistence, and a Run key named "Updater." One observed C2 in that reporting was tech-system[.]online over HTTPS on port 443 using POST requests to /endpoint/api and the X-App-Id parameter.

The content further links AdaptixC2 to diverse threat activity: Operation Dragon Weave used an AdaptixC2 agent named AZUREVEIL with Microsoft Azure Blob Storage dead-drop C2 against targets in the Czech Republic and Taiwan across government, research, academic, technology, and financial sectors; pro-Ukrainian hacktivist-linked campaigns associated with 4BID/Hakerskii Kit/C.A.S./Goffee deployed AdaptixC2 alongside Sliver, Havoc, Mythic Apollo, BlackSalt, and ransomware after ProxyShell exploitation of Exchange; GOLD ENCOUNTER/PayoutsKing used AdaptixC2 or OpenSSH to establish SSH backdoors; Cisco Talos observed AdaptixC2 deployed post-compromise on exploited Cisco SD-WAN infrastructure; Sophos reported a March 2026 fake Claude-themed malware sample culminating in AdaptixC2-related shellcode; and Ctrl-Alt-Intel reported AdaptixC2 use after exploitation of CVE-2026-41940 against Southeast Asian government, military, MSP, and hosting targets. Additional infrastructure and indicators directly mentioned in the content include 194[.]163[.]175[.]135:4445 and :31337 in Talos cluster activity, 2.26.229[.]254 serving AdaptixC2 payloads and listeners on ports 4433, 4455, and 7000, and default agent watermarks be4c0149 for Beacon and 904e5493 for Gopher.

C2 tracking

Seven-day C2 activity

Derp observations, rolling seven-day window

Observed infrastructure

Last seven days

First activity
Jul 12, 2026
Last activity
Jul 18, 2026
Feed role
C2
Host form
63 IP / 1 hostnames

Leading locations

  • US26
  • HK7
  • NL5
  • CN4
  • JP3
  • SG3
  • BR2
  • GB2
  • PL2
  • AE1
  • AT1
  • DE1

Leading providers

  • HIVELOCITY, Inc.9
  • M247 Europe SRL7
  • cognetcloud INC3
  • FASTNET DATA INC3
  • Shenzhen Tencent Computer Systems Company Limited3
  • The Constant Company, LLC3

Infrastructure traits

  • Hosting 60
  • Proxy 1

Samples

Recent associated samples

Reported operators

Threat actors

5 named in public reporting
NegativeGlimmer

A new cyber espionage campaign codenamed Operation Dragon Weave has been observed targeting officials and citizens in the Czech Republic and Taiwan to deliver an AdaptixC2 agent... The loader then decrypts and runs the main payload, an AdaptixC2 agent codenamed AZUREVEIL owing to the use of Microsoft Azure Blob Storage for command-and-control (C2).

GOLD ENCOUNTER

The group has also used a DLL sideloading technique to launch the Havoc C2 post-exploitation framework, and establishes an SSH backdoor via AdaptixC2 or OpenSSH.

TeamPCP

83.142.209[.]11 is shown below, confirming ASN membership, TeamPCP attribution, and the AdaptixC2 malware classification.

STAC4713

The March sample is markedly different... the decryption of a .log file culminating in the execution of AdaptixC2-related shellcode. (AdaptixC2 is an open-source red-teaming framework that we’ve seen used in ransomware attacks...)

UNG0902

...DUPERUNNER ... finally executes the Adaptix C2 Beacon...

Exploited software

Vulnerabilities linked to AdaptixC2

6 CVEs

MITRE ATT&CK

AdaptixC2 in ATT&CK

62 distinct techniques

Techniques

62 techniques
T1055 Process Injection T1071.001 Web Protocols T1036 Masquerading T1204.002 Malicious File T1140 Deobfuscate/Decode Files or Information T1567 Exfiltration Over Web Service T1105 Ingress Tool Transfer T1566.002 Spearphishing Link T1547.001 Registry Run Keys / Startup Folder T1059.001 PowerShell T1090 Proxy T1190 Exploit Public-Facing Application T1071 Application Layer Protocol T1041 Exfiltration Over C2 Channel T1033 System Owner/User Discovery T1082 System Information Discovery T1047 Windows Management Instrumentation T1059.003 Windows Command Shell T1482 Domain Trust Discovery T1018 Remote System Discovery T1059 Command and Scripting Interpreter T1046 Network Service Discovery T1090.001 Internal Proxy T1113 Screen Capture T1555 Credentials from Password Stores T1021.002 SMB/Windows Admin Shares T1027.011 Fileless Storage T1027 Obfuscated Files or Information T1620 Reflective Code Loading T1003.001 LSASS Memory T1016 System Network Configuration Discovery T1569.002 Service Execution T1071.004 DNS T1021.006 Windows Remote Management T1555.003 Credentials from Web Browsers T1566 Phishing T1572 Protocol Tunneling T1558.004 AS-REP Roasting T1574.001 DLL T1021 Remote Services T1558 Steal or Forge Kerberos Tickets T1090.003 Multi-hop Proxy T1106 Native API T1090.002 External Proxy T1053.003 Cron T1497 Virtualization/Sandbox Evasion T1021.004 SSH T1059.004 Unix Shell T1566.001 Spearphishing Attachment T1133 External Remote Services T1219 Remote Access Tools T1210 Exploitation of Remote Services T1583.003 Virtual Private Server T1027.001 Binary Padding T1553.001 Gatekeeper Bypass T1102 Web Service T1027.003 Steganography T1195 Supply Chain Compromise T1583 Acquire Infrastructure T1053 Scheduled Task/Job T1568 Dynamic Resolution T1570 Lateral Tool Transfer

Reporting

Research mentioning AdaptixC2

Jul 1
Cyberveille

BumbleBee et AdaptixC2 utilisés pour déployer le ransomware Akira via SEO poisoning | CyberVeille

AdgNsy.exe (instance renommée de WAB.exe) est déployé et injecté avec le shellcode AdaptixC2 , établissant un canal C2 persistant

Jun 30
Cyber Security News

Bing Search for 'ManageEngine OpManager' Delivers Akira Ransomware - Cyber Security News

About five hours after infection, BumbleBee dropped AdgNsy.exe, a renamed copy of the legitimate Windows Address Book utility, which was injected with AdaptixC2 shellcode. This established a persistent command-and-control channel to 172.96.137[.]160.

Jun 30
Gurucul Threat Research

From Bing Search to Ransomware: Bumblebee and AdaptixC2 Deliver Akira | Community Portal | Gurucul

The intrusion progressed with AdaptixC2, credential theft from the domain controller, SSH-based lateral movement, and data exfiltration via FileZilla and SFTP.

Jun 29
Dfir Report

From Bing Search to Ransomware: Bumblebee and AdaptixC2 Deliver Akira - The DFIR Report

Following initial access, BumbleBee dropped an AdaptixC2 beacon to facilitate further intrusion activities, allowing the threat actor to pivot to a domain controller and dump the NTDS.dit.

Jun 17
Censys

AdaptixC2: Fingerprinting an Open-Source C2 Framework at Scale - Censys

AdaptixC2 is an open-source post-exploitation C2 framework whose default configuration ships branded HTTP headers ( Server: AdaptixC2, Adaptix-Version: v1.2 ) on every unauthenticated request, making deployed servers trivially identifiable from passive scanning.

Jun 10
Malbeacon

[Op Report] From SSA Phish to AdaptixC2: A Multi-RAT Intrusion - Deception.Pro Blog

Primary C2 was AdaptixC2, an increasingly common open-source post-exploitation framework. The operator staged it through cloudpre-005[.]online (/wop/payload.zip, /wop/stub.zip) and ran multiple variants — dropped binaries (ms-op.exe, stub1.exe), a temp-directory variant, and the unpacked payload.exe.

Jun 8
Securelist

Hacktivists are broadening their scope beyond political motivation | Securelist

AdaptixC2 is another post-exploitation framework in the attackers’ arsenal.

Jun 8
Securelist Ru

Хактивисты выходят за рамки политически мотивированных атак | Securelist

Еще один постэксплуатационный фреймворк в арсенале злоумышленников — AdaptixC2.

We appreciate you

Derp wouldn't exist without the work these projects do for the security community. We rely on their data sources to improve the quality and depth of what we publish. Thank you, we're genuinely grateful.