Threat Actors Weaponizing Open Source AdaptixC2 Tied to Russian Underworld
<p>Threat researchers with cybersecurity firm Silent Push are linking <a href="https://www.silentpush.com/blog/adaptix-c2/" target="_blank" rel="noopener">bad actors with heavy ties to the Russian underworld</a> to the abuse of AdaptixC2, a free open source tool commonly used by red teams to assess the security of organizations.</p>
<p>AdaptixC2, which is <a href="https://github.com/Adaptix-Framework/AdaptixC2" target="_blank" rel="noopener">available on GitHub</a>, is the latest in a growing list of open and ethical security-testing tools used by security teams to simulate attacks that threat groups have also <a href="https://securityboulevard.com/2025/09/chinese-made-villager-ai-pentest-tool-raises-cobalt-strike-like-concerns/" target="_blank" rel="noopener">adopted for their malicious operations</a>. Researchers from Silent Push and other cybersecurity companies have been tracking the growing abuse of the tool in ransomware and other campaigns this year.</p>
<p>Silent Push last month reported detecting a new <a href="https://www.silentpush.com/blog/countloader/" target="_blank" rel="noopener">malware loader called CountLoader</a> that is associated with Russian ransomware gangs and was observed dropping several malware agents, including AdaptixC2 and <a href="https://securityboulevard.com/2020/09/cobalt-strike-the-new-favorite-among-thieves/" target="_blank" rel="noopener">Cobalt Strike</a>, another legitimate red-teaming tool that for years has been used by bad actors in campaigns.</p>
<p>At the time, the researchers said CountLoader was being used by either an initial access broker or a ransomware affiliate that has ties with high-profile <a href="https://securityboulevard.com/2025/10/surprised-not-surprised-ransomware-attacks-have-ticked-up/" target="_blank" rel="noopener">ransomware groups</a> <a href="https://securityboulevard.com/2025/02/ransom-payments-fell-35-in-2024-after-lockbit-blackcat-takedowns/" target="_blank" rel="noopener">LockBit</a>, <a href="https://securityboulevard.com/2023/06/unmasking-black-basta-a-closer-look-at-the-notorious-ransomware-group/" target="_blank" rel="noopener">BlackBasta</a>, and <a href="https://securityboulevard.com/2025/10/emulating-the-versatile-qilin-ransomware/" target="_blank" rel="noopener">Qilin</a>. The AdaptixC2 server is written in Golang, which is popular among bad actors for its flexibility.
The GUI client is written in C++ and Qt, enabling it to be used on Linux, Windows, and macOS systems.</p>
<h3>Signatures Led to ‘RalfHacker’</h3>
<p>In the wake of the CountLoader investigation, Silent Push created signatures to detect AdaptixC2. Researchers have since found that a person who goes by the handle “RalfHacker” has made the most changes to the AdaptixC2 Framework repository in GitHub. Following that lead, they found that RalfHacker describes himself as a penetration tester, red team operator, and malware developer.</p>
<p>Email addresses link RalfHacker to a known hacking forum.</p>
<p>“A Telegram account then led us to a large Telegram group, named after ‘<a href="https://t.me/RalfHackerChannel" target="_blank" rel="noopener">Ralf Hacker</a>,’ advertising the v0.6 update to AdaptixC2 with a pinned message in Russian containing hashtags related to Active Directory and (roughly machine-translated) APT &amp; ATM materials/resources,” the researchers wrote.</p>
<p>They noted that most of RalfHacker’s announcements are written in Russian, which aligns with the strong Russian ties the researchers found while investigating CountLoader, though they cautioned that by itself is not a definitive link.</p>
<p>“Based on the information we have available, there is insufficient evidence for us to conclusively determine the extent of RalfHacker’s involvement in malicious activity tied to AdaptixC2 or CountLoader at this time,” they wrote. “However, threat actors often mask their cyber criminal activities under the guise of ‘red teaming’ or ‘ethical hacking’ when communicating publicly with other threat actors. RalfHacker’s own page aligns with this practice, featuring the brazen ‘maldev’ advertisement.”</p>
<h3>Keeping an Eye on AdaptixC2</h3>
<p>Other threat intelligence teams have also been tracking the abuse of AdaptixC2.
A <a href="https://www.silentpush.com/blog/adaptix-c2/" target="_blank" rel="noopener">DFIR report</a> in August found that AdaptixC2 was being used by an affiliate of the <a href="https://securityboulevard.com/2025/03/new-akira-ransomware-decryptor-leans-on-nvidia-gpu-power/" target="_blank" rel="noopener">Akira</a> ransomware group, and researchers with Palo Alto Networks’ Unit 42 team, a month later, wrote that they’d observed the <a href="https://unit42.paloaltonetworks.com/adaptixc2-post-exploitation-framework/" target="_blank" rel="noopener">red-teaming tool being used in May</a> to infect systems through such scenarios as fake help desk calls and an AI-generated PowerShell script.</p><p>“Our telemetry and threat intelligence show that AdaptixC2 is becoming more common,” they wrote. “We continue to identify new AdaptixC2 servers, suggesting that more threat actors are adopting this framework as part of their attack toolkit.”</p><p>Earlier this month, Kaspersky’s Securelist team found that AdaptixC2 was also becoming <a href="https://securelist.com/adaptixc2-agent-found-in-an-npm-package/117784/" target="_blank" rel="noopener">available through the NPM software registry</a>. They wrote that “threat actors are increasingly exploiting the trusted open-source supply chain to distribute post-exploitation framework agents and other forms of malware. 
Users and organizations involved in development or using open-source software from ecosystems like npm in their products are susceptible to this threat type.”</p><h3>Bad Actors and Legitimate Tools</h3><p>Trend Micro researchers last year <a href="https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/from-defense-to-offense-the-misuse-of-red-teaming-tools-by-cybercriminals" target="_blank" rel="noopener">outlined the growing trend</a> of bad actors abusing legitimate ethical security tools in their operations.</p><p>“The integration of red teaming techniques into the cybersecurity strategy playbook has been an important step for organizations to enhance their defenses by allowing them to identify potential security gaps via simulated adversarial attacks,” they wrote. “However, the dual-use nature of these tools also poses risks, as they can be repurposed by malicious actors for nefarious purposes.”</p><p>The researchers noted that AI and machine learning can be used to better detect and respond to threats posed by the abuse of open tools in repositories, adding that they can reduce analysis time and help prioritize projects, which leads to faster and more effective responses.</p><p>“It is essential for red teaming methodologies to continuously evolve in tandem with proactive detection and ethical considerations,” they wrote. 
“Shifting from a reactive approach – where tools are addressed as they become popular among cybercriminals – to a proactive stance that involves constant monitoring for emerging and high-risk tools will allow organizations to protect themselves better from the risks posed by cyber threats.”</p>
<p>In the <a href="https://documents.trendmicro.com/images/TEx/articles/Research_Paper-Red-Team-Tools.pdf" target="_blank" rel="noopener">report</a>, Trend Micro researchers took a deeper dive into cybercriminals’ use of such technologies and methodologies for managing the threat.</p>