Threat Actors Utilize AdaptixC2 for Malicious Payload Delivery – Against Invaders – CyberSecurity News for humans.


A surge in cybercriminal abuse of AdaptixC2, a free adversarial emulation framework created initially for penetration testers, has been detected in active ransomware operations.

The tool, widely used for ethical security testing, is now appearing in malicious campaigns worldwide.

Its deployment accelerated shortly after new detection signatures were released, linking it to CountLoader, a malware loader first highlighted in August 2025. This development was detailed in a new analysis published today by Silent Push researchers.

Ransomware Groups Turn to Legitimate Tools

AdaptixC2 operates as an extensible post-exploitation platform, with a Golang-based server and a GUI built in C++ and Qt for cross-platform use.

Security teams employ it to simulate intrusions and test defenses. However, analysts observed the tool being delivered by CountLoader, indicating coordinated use by criminal actors.

Soon after detection rules were introduced, public incident reports documented an uptick in AdaptixC2 deployments across ransomware intrusions.

A DFIR investigation found an Akira affiliate using the tool. Akira has breached more than 250 organizations and generated about $42m since 2023, targeting businesses and critical infrastructure in Europe, North America and Australia.

This pattern mirrors a broader trend in which threat actors co-opt open-source offensive frameworks.

Developer Links Draw Scrutiny

Silent Push identified the alias “RalfHacker” as the most active developer contributing to AdaptixC2. The individual’s GitHub profile describes them as a penetration tester, red team operator and “MalDev.”

Analysts linked the alias to Russian-language Telegram channels that advertised the framework, as well as to email addresses found in leaked hacking-forum data. Although researchers have not confirmed direct involvement in attacks, the behavior prompted continued monitoring.


Attribution remains difficult because criminal actors often frame their activity as legitimate research.

Russian-language promotion, Telegram activity and the framework’s sudden adoption among Russian-aligned operators raised concerns within the research team, which assessed with moderate confidence that the developer’s ties to criminal activity are meaningful.

Key Indicators to Watch

In their latest advisory, Silent Push shared a series of key indicators to watch to protect against this threat:

  • Network traffic contacting infrastructure associated with AdaptixC2 servers

  • Signs of CountLoader activity, which may precede AdaptixC2 deployment

  • Unusual Golang-based command-and-control communications

  • Unknown C++ Qt applications executing within Windows, macOS or Linux environments

“Given that AdaptixC2, which RalfHacker regularly develops and maintains, remains in active use by cyber-criminals, our team assesses with moderate confidence that ties between the two are non-trivial and worthy of inclusion and continued observation,” Silent Push concluded.
