{
	"id": "7be75d4f-1264-426a-987a-bbdd5cf32305",
	"created_at": "2026-04-06T00:22:10.061276Z",
	"updated_at": "2026-04-10T13:12:18.738779Z",
	"deleted_at": null,
	"sha1_hash": "cb4c3c7bcbad260922b370fa6d1f1555f3420f5f",
	"title": "AdaptixC2: A New Open-Source Framework Leveraged in Real-World Attacks",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1277651,
	"plain_text": "AdaptixC2: A New Open-Source Framework Leveraged in Real-World\r\nAttacks\r\nBy Ofek Lahiani, Itay Cohen\r\nPublished: 2025-09-10 · Archived: 2026-04-05 14:38:12 UTC\r\nExecutive Summary\r\nIn early May 2025, Unit 42 researchers observed that AdaptixC2 was used to infect several systems.\r\nAdaptixC2 is a recently identified, open-source post-exploitation and adversarial emulation framework made for\r\npenetration testers that threat actors are using in campaigns. Unlike many well-known C2 frameworks, AdaptixC2 has\r\nremained largely under the radar. There is limited public documentation available demonstrating its use in real-world\r\nattacks. Our research looks at what AdaptixC2 can do, helping security teams to defend against it.\r\nAdaptixC2 is a versatile post-exploitation framework. Threat actors use it to execute commands, transfer files and\r\nperform data exfiltration on compromised systems. Because it’s open-source, threat actors can easily customize and\r\nadapt it for their specific objectives. This makes it a highly flexible and dangerous tool.\r\nThe emergence of AdaptixC2 as a tool used in the wild by threat actors highlights a growing trend of attackers using\r\ncustomizable frameworks to evade detection.\r\nPalo Alto Networks customers are better protected from the threats described in this article through the following\r\nproducts:\r\nAdvanced DNS Security\r\nAdvanced Threat Prevention\r\nAdvanced URL Filtering\r\nAdvanced WildFire\r\nCortex XDR and XSIAM\r\nIf you think you might have been compromised or have an urgent matter, contact the Unit 42 Incident Response team.\r\nTechnical Analysis of the AdaptixC2 Adversarial Framework\r\nAdaptixC2 is an open-source C2 framework that we recently saw being used in several real-world attacks.\r\nWe identified two AdaptixC2 infections. One case leveraged social engineering techniques. 
We assess with high\r\nconfidence that the other used AI-based code generation tools.\r\nAdaptixC2 Functionality\r\nAdaptixC2 is a red teaming tool that can be used to perform adversarial actions, which can be expanded for\r\ncustomization. If this were used by a threat actor, they could comprehensively control impacted machines, to execute a\r\nwide range of actions. These include:\r\nhttps://unit42.paloaltonetworks.com/adaptixc2-post-exploitation-framework/\r\nPage 1 of 31\n\nManipulating the file system\r\nListing directories\r\nCreating, modifying and deleting files and folders\r\nEnumerating running processes\r\nTerminating specific applications\r\nInitiating new program executions\r\nThreat actors use these capabilities to establish and maintain a foothold in an environment, further explore the\r\ncompromised system and move laterally within the network.\r\nTo facilitate covert communication and bypass network restrictions, the framework supports sophisticated tunneling\r\ncapabilities, including SOCKS4/5 proxy functionality and port forwarding. This enables attackers to maintain\r\ncommunication channels even if the network is heavily protected.\r\nAdaptixC2 is designed to be modular, using “extenders” that act like plugins for both listeners and agents. This lets\r\nhackers create custom payloads and ways to avoid detection that are specific to the system they're attacking. AdaptixC2\r\nalso supports Beacon Object Files (BOFs), which let attackers run small, custom programs written in C directly within\r\nthe agent's process to evade detection.\r\nAdaptixC2’s beacon agents are equipped with dedicated commands for transferring data quickly and secretly. These\r\nagents support both x86 and x64 architectures, and can be generated in various formats, including:\r\nStandalone executables (EXEs)\r\nDynamic-link libraries (DLLs)\r\nService executables\r\nRaw shellcode\r\nAttackers can use the AdaptixC2 framework to steal data from the compromised network. 
This data exfiltration\r\nfunctionality allows configurable chunk sizes for file downloads and uploads, as network-based detection is likely to see\r\nsmaller segments as less suspicious.\r\nThe AdaptixC2 interface shows linked agents and sessions in a graphical view. Figure 1 shows an attacker’s view of how\r\nmulti-stage attacks are progressing and what paths are available for moving around a targeted network.\r\nFigure 1. Graphical view – AdaptixC2 server. Source: AdaptixC2 GitHub.\r\nAdaptixC2 also has features to help the attacker maintain operational security (OpSec). These include parameters that\r\nhelp them blend in with normal network traffic:\r\nKillDate – This sets a date to make the beacon stop working\r\nWorkingTime – This sets the beacon to only be active during certain hours\r\nAdditionally, threat actors can modify and enhance the agent using custom obfuscation, anti-analysis and evasion\r\ntechniques, making it a continuously evolving threat.\r\nConfiguration\r\nAdaptixC2’s configuration is encrypted, and supports three primary beacon types through specialized profile structures:\r\nBEACON_HTTP for web-based communication\r\nBEACON_SMB for named pipe communication\r\nBEACON_TCP for direct TCP connections\r\nThe HTTP profile is the most common beacon variant and contains typical web communication parameters such as:\r\nServers\r\nPorts\r\nSSL settings\r\nHTTP methods\r\nURIs\r\nHeaders\r\nUser-agent strings\r\nThe SMB profile uses Windows named pipes when HTTP might be blocked or monitored. The TCP profile is used to\r\ncreate direct socket connections with the option to prepend data for basic protocol obfuscation.\r\nAdaptixC2 includes a built-in default configuration that demonstrates typical deployment parameters. 
The default HTTP\r\nprofile targets 172.16.196.1:4443 using HTTPS communication, with a POST method to the /uri.php endpoint and the X-Beacon-Id parameter for beacon identification.\r\nFigure 2 shows how to configure the beacon.\r\nFigure 2. Beacon HTTP builder UI. Source: AdaptixC2 documentation.\r\nAfter clicking “Create,” the beacon builder encrypts the configuration with RC4 and then embeds it in the compiled\r\nbeacon. The encrypted configuration is stored as follows:\r\n4 bytes: Configuration size (32-bit integer)\r\nN bytes: RC4-encrypted configuration data\r\n16 bytes: RC4 encryption key\r\nThe following code is the key extraction logic, taken from AgentConfig.cpp:\r\nULONG profileSize = packer-\u003eUnpack32();\r\nthis-\u003eencrypt_key = (PBYTE) MemAllocLocal(16);\r\nmemcpy(this-\u003eencrypt_key, packer-\u003edata() + 4 + profileSize, 16);\r\nDecryptRC4(packer-\u003edata()+4, profileSize, this-\u003eencrypt_key, 16);\r\nExtracting Configuration From Malicious Samples\r\nBecause the encryption is simple and predictable, defenders can develop an extractor that will extract configurations\r\nfrom samples automatically. This extraction tool should work in the same way that the beacon loads its own\r\nconfigurations.\r\nThe extractor locates the configuration in the PE file’s .rdata section. It then extracts the size (first four bytes), encrypted\r\ndata block and RC4 key (last 16 bytes). After using the embedded RC4 key to decrypt the data, it parses the plaintext\r\nconfiguration by unpacking the following fields:\r\nAgent type\r\nSSL flag\r\nServer count\r\nServers/ports\r\nHTTP parameters\r\nTiming settings\r\nUsing this method, we created a tool that can process AdaptixC2 samples and get their embedded configurations. The\r\ncomplete extractor code supports the BEACON_HTTP variant. This tool is provided in the Configuration Extractor\r\nExample section. 
Researchers can use this extractor to analyze AdaptixC2 samples or adapt the code for other variants.\r\nFollowing is the built-in default configuration of the beacon.\r\n{\r\n  \"agent_type\": 3192652105,\r\n  \"use_ssl\": true,\r\n  \"servers_count\": 1,\r\n  \"servers\": [\"172.16.196.1\"],\r\n  \"ports\": [4443],\r\n  \"http_method\": \"POST\",\r\n  \"uri\": \"/uri.php\",\r\n  \"parameter\": \"X-Beacon-Id\",\r\n  \"user_agent\": \"Mozilla/5.0 (Windows NT 6.2; rv:20.0) Gecko/20121202 Firefox/20.0\",\r\n  \"http_headers\": \"\\r\\n\",\r\n  \"ans_pre_size\": 26,\r\n  \"ans_size\": 47,\r\n  \"kill_date\": 0,\r\n  \"working_time\": 0,\r\n  \"sleep_delay\": 2,\r\n  \"jitter_delay\": 0,\r\n  \"listener_type\": 0,\r\n  \"download_chunk_size\": 102400\r\n}\r\nAdaptixC2 Scenarios\r\nScenario 1: Fake HelpDesk Support Leads to AdaptixC2 Infection\r\nIn May 2025, we investigated multiple incidents where threat actors installed AdaptixC2 beacons. In some cases, we\r\nobserved threat actors using the same attack vector, shown in Figure 3.\r\nFigure 3. Attack vector of AdaptixC2 installation on victim machine. Source: Unit 42 X post.\r\nInitial Compromise\r\nThe threat actors leveraged trust in Microsoft Teams to trick people into giving them access to company systems. In one\r\ncase, attackers used phishing attacks to impersonate IT support personnel (using subject lines like “Help Desk (External)\r\n| Microsoft Teams”). 
This convinced employees to initiate legitimate remote assistance sessions using tools like the\r\nQuick Assist Remote Monitoring and Management (RMM) tool.\r\nThreat actors often misuse legitimate products for malicious purposes. This does not necessarily imply a flaw or\r\nmalicious quality to the legitimate product being misused.\r\nThe 2025 Unit 42 Global Incident Response Report: Social Engineering Edition noted that social engineering techniques\r\nlike this are the most prevalent initial access vector for compromises we observe. This initial access provides the\r\nattackers with a foothold within the targeted system, without having to bypass perimeter defenses such as firewalls and\r\nintrusion detection systems.\r\nAdaptixC2 Deployment and Persistence via Shellcode Execution\r\nThe attackers deployed the AdaptixC2 beacon using a multi-stage PowerShell loader that downloads an encoded and\r\nencrypted payload from a link to a legitimate service.\r\nOnce downloaded, the PowerShell script decrypts the payload using a simple XOR key. Instead of writing the decrypted\r\npayload to disk, which would make it easier to detect, the script leverages .NET capabilities to allocate memory within\r\nthe PowerShell process itself. The script then copies the decrypted payload, which is actually shellcode, into this\r\nallocated memory region. This fileless approach significantly reduces the attacker’s footprint on the system.\r\nFigure 4. PowerShell script to download and execute shellcode.\r\nThe script uses a technique called “dynamic invocation” to execute the shellcode directly from memory. It does this\r\nusing the GetDelegateForFunctionPointer method, which dynamically creates a delegate (a type-safe function pointer)\r\nthat points to the beginning of the shellcode in memory. 
The script then calls this delegate as if it were a normal function,\r\neffectively executing the shellcode without writing an executable file to disk. To guarantee the malicious process\r\nautomatically starts after reboot, the script creates a shortcut in the startup folder. Figure 4 shows the PowerShell script.\r\nFigure 5. PowerShell script to install AdaptixC2 beacon.\r\nThe beacon variant loaded in this attack had the following configuration:\r\n{\r\n  \"agent_type\": 3192652105,\r\n  \"use_ssl\": true,\r\n  \"servers_count\": 1,\r\n  \"servers\": [\r\n    \"tech-system[.]online\"\r\n  ],\r\n  \"ports\": [\r\n    443\r\n  ],\r\n  \"http_method\": \"POST\",\r\n  \"uri\": \"/endpoint/api\",\r\n  \"parameter\": \"X-App-Id\",\r\n  \"user_agent\": \"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.6167.160 Safari/537.36\",\r\n  \"http_headers\": \"\\r\\n\",\r\n  \"ans_pre_size\": 26,\r\n  \"ans_size\": 47,\r\n  \"kill_date\": 0,\r\n  \"working_time\": 0,\r\n  \"sleep_delay\": 4,\r\n  \"jitter_delay\": 0,\r\n  \"listener_type\": 0,\r\n  \"download_chunk_size\": 102400\r\n}\r\nPost-Exploitation Activity and Containment\r\nFollowing the successful deployment of AdaptixC2, the attackers initiated reconnaissance activities, using command-line\r\ntools to gather information about the compromised systems and network. 
This included discovery commands such as\r\nnltest.exe, whoami.exe and ipconfig.exe.\r\nThe beacon then established communication with a remote server, enabling the threat actors to obtain C2 on the infected\r\nmachine.\r\nScenario 2: Infection Involving AI-Generated Script\r\nIn another case, threat actors deployed a PowerShell script that was designed to deploy AdaptixC2 beacons. We assess\r\nwith high confidence that this script was AI-generated. This deployment was done both through in-memory shellcode\r\ninjection and using a file-based DLL hijacking persistence mechanism. The script, shown in Figure 5, focuses on staying\r\nhidden on the impacted system to give the hackers a strong foothold.\r\nFigure 6. AI-generated PowerShell installer for AdaptixC2.\r\nDetailed Analysis of the AI-Generated PowerShell\r\nDownloading and decoding shellcode: The script downloads a Base64-encoded shellcode payload from a\r\nremote server using Invoke-RestMethod. The downloaded content is then decoded.\r\nAllocating memory, copying shellcode and changing memory protection: The script allocates a block of\r\nunmanaged memory. It then copies the AdaptixC2 shellcode into the allocated memory and changes the memory\r\nprotection attributes of that region via VirtualProtect to 0x40\r\n(PAGE_EXECUTE_READWRITE). This enables the execution of the shellcode.\r\nExecuting shellcode via dynamic invocation: As in the previous case, the attacker used\r\nGetDelegateForFunctionPointer to create a delegate instance that points to the beginning of the shellcode in\r\nmemory. The attacker then used the Invoke() method to execute the shellcode, launching the in-memory beacon.\r\nDLL hijacking persistence: The script targets the APPDATA\\Microsoft\\Windows\\Templates directory for DLL\r\nhijacking, using msimg32.dll. 
This DLL is also a beacon version.\r\nPersistence via registry run key: The script creates a registry entry in the run key named “Updater,” with a\r\nPowerShell command that executes the loader.ps1 script. This ensures that the loader.ps1 script runs every time\r\nthe user logs in, to execute the beacon.\r\nAI Script Generation\r\nThe structure and composition of this PowerShell script strongly suggest that the attacker used AI-assisted generation.\r\nThe following stylistic elements are commonly observed in code generated by AI tools:\r\nVerbose, numbered comments:\r\n\"# === [1] Download and decode shellcode ===\"\r\nCheck mark icons in the output message:\r\nWrite-Output \"[✔] Persistence set via Run key and DLL hijack DLL dropped to $templatesPath\"\r\nWe assess with high confidence that the code was generated with the assistance of AI. This is based on the factors above,\r\nas well as evidence gathered from the attacker’s server and results extracted from two separate AI detectors.\r\nAI tools without sufficient guardrails can let attackers rapidly develop malicious code, making it easier to execute\r\noperations in infected networks.\r\nSimilarities Between the Cases\r\nA consistent pattern emerged across both of these incidents:\r\nPowerShell-based loaders\r\nThreat actors used these loaders to deploy the AdaptixC2 beacon, prioritizing stealth and persistent access.\r\nDownloading a payload from a remote server and executing it in memory\r\nUsing a legitimate resource helped the attackers to stay under the radar, by minimizing detectable traces on\r\ndisk.\r\nRelying on .NET capabilities for memory allocation and dynamic invocation\r\nThreat actors leveraged built-in system functionalities like the GetDelegateForFunctionPointer method to\r\nexecute shellcode, for efficiency and stealth.\r\nPreventing beacon removal with persistence mechanisms\r\nWhile the first 
script relied solely on a shortcut in the startup folder for persistence, the second added DLL\r\nhijacking.\r\nThis gives attackers more ways to stay on the compromised system.\r\nUsing similar naming conventions for scripts and run keys\r\nIn one case, the attackers named the malicious script update.ps1. In another case, the run key for\r\npersistence was called Updater.\r\nThis naming helps scripts and keys to blend in with legitimate system processes.\r\nIncreasing Prevalence of AdaptixC2 Framework\r\nOur telemetry and threat intelligence show that AdaptixC2 is becoming more common. We continue to identify new\r\nAdaptixC2 servers, suggesting that more threat actors are adopting this framework as part of their attack toolkit.\r\nThis trend extends beyond typical post-exploitation scenarios. For example, attackers deployed Fog ransomware\r\nalongside AdaptixC2 in a recent attack on a financial institution in Asia. This shows that AdaptixC2 is versatile and can\r\nbe used with other malicious tools, like ransomware, to achieve broader objectives.\r\nConclusion\r\nAdaptixC2 is an adaptable threat, which is shown by its increasing popularity with threat actors and the complexity of its\r\ndeployment techniques. The framework’s modularity, combined with the potential for AI-assisted code generation, could\r\nallow threat actors to rapidly evolve their tactics. 
Security teams must remain aware of AdaptixC2’s capabilities and\r\nproactively adapt their defenses to counter this threat.\r\nPalo Alto Networks customers are better protected from the threats discussed above through the following products and\r\nservices:\r\nAdvanced URL Filtering and Advanced DNS Security identify known domains and URLs associated with this\r\nactivity as malicious.\r\nAdvanced Threat Prevention has an inbuilt machine learning-based detection that can detect exploits in real time.\r\nThe Advanced WildFire machine-learning models and analysis techniques have been reviewed and updated in\r\nlight of the indicators shared in this research.\r\nCortex XDR and XSIAM help prevent malware by employing the Malware Prevention Engine. This approach\r\ncombines several layers of protection designed to prevent both known and unknown malware from causing harm\r\nto your endpoints. The mitigation techniques that the Malware Prevention Engine employs vary by endpoint type.\r\nIf you think you may have been compromised or have an urgent matter, get in touch with the Unit 42 Incident Response\r\nteam or call:\r\nNorth America: Toll Free: +1 (866) 486-4842 (866.4.UNIT42)\r\nUK: +44.20.3743.3660\r\nEurope and Middle East: +31.20.299.3130\r\nAsia: +65.6983.8730\r\nJapan: +81.50.1790.0200\r\nAustralia: +61.2.4062.7950\r\nIndia: 00080005045107\r\nPalo Alto Networks has shared these findings with our fellow Cyber Threat Alliance (CTA) members. 
CTA members use\r\nthis intelligence to rapidly deploy protections to their customers and to systematically disrupt malicious cyber actors.\r\nLearn more about the Cyber Threat Alliance.\r\nIndicators of Compromise\r\nYara Rules\r\nDefenders can use these Yara rules to check for the presence of AdaptixC2 beacons on machines.\r\nAdaptixC2 HTTP/SMB/TCP Beacon\r\nrule u42_hacktool_beacon_adaptixC2\r\n{\r\n    meta:\r\n        description = \"Detects AdaptixC2 beacon via basic functions\"\r\n        reference = \"https://github.com/Adaptix-Framework/AdaptixC2\"\r\n    strings:\r\n        $FileTimeToUnixTimestamp = {D1 65 F8 83 7D F4 1F 7E 17 8B 55 E4}\r\n        $Proxyfire_RecvProxy = {B9 FC FF 0F 00 E8 6A 04 00 00}\r\n        $timeCalc1 = {8D 82 A0 05 00 00 89 44 24 3C EB 07}\r\n        $timeCalc2 = {FF D2 0F B7 44 24 28 66 3B}\r\n        $b64_encoded_size = {83 C0 01 39 45 18 7E 22 8B 45 E4 C1 E0 08 89 C1}\r\n        $manage = {C6 44 24 5F 00 48 8B 45 10 48 8B 00}\r\n    condition:\r\n        any of them\r\n}\r\nAdaptixC2 Go Beacon\r\nrule u42_hacktool_beaconGo_adaptixC2\r\n{\r\n    meta:\r\n        description = \"Detects AdaptixC2 beacon in GO via basic functions\"\r\n        reference = \"https://github.com/Adaptix-Framework/AdaptixC2/tree/a7401fa3fdbc7ae6b632c40570292f844e40ff40/Extenders/agent_gopher\"\r\n    strings:\r\n        $GetProcesses = {E8 96 4D E1 FF E8 96 4D E1 FF E8 96 4D E1 FF}\r\n        $ConnRead = {0F 8E BD 00 00 00 4C 89 44 24 30 4C 89 54 24 40}\r\n        $normalizedPath = {48 85 C9 74 0A 31 C0 31 DB 48 83 C4 38 5D C3 90 0F 1F 40 00}\r\n        $Linux_GetOsVersion = {48 8D 05 51 D6 10 00 BB 0F 00 00 00}\r\n        $Mac_GetOsVersion = {48 8D 05 AE 5A 0A 00 BB 30 00 00 00}\r\n    condition:\r\n        any of them\r\n}\r\nAdaptixC2 Loader\r\nrule u42_hacktool_adaptixC2_loader\r\n{\r\n    meta:\r\n        description = \"Detects AdaptixC2 shellcode loader via API Hashing\"\r\n        reference = \"https://github.com/Adaptix-Framework/AdaptixC2/blob/main/Extenders/agent_beacon/src_beacon/beacon/ApiDefines.h\"\r\n    strings:\r\n        $hash_NtFlushInstructionCache = { 9E 65 A1 91 }\r\n        $hash_VirtualAlloc = { 76 63 CE 63 }\r\n        $hash_GetProcAddress = { DE 2A 4F 18 }\r\n        $hash_LoadLibraryA = { FA D0 59 11}\r\n        $Calc_Func_resolve_ApiFuncs = {06 00 00 0F B6 11 48 FF C1 85 D2 74 14 44 8D 42}\r\n    condition:\r\n        (\r\n            $hash_NtFlushInstructionCache and\r\n            $hash_VirtualAlloc and\r\n            $hash_GetProcAddress and\r\n            $hash_LoadLibraryA\r\n        ) or\r\n        (\r\n            $Calc_Func_resolve_ApiFuncs\r\n        )\r\n}\r\nHunting Rules\r\nQuery description: The following XQL query hunts for phishing activity conducted via the Teams application\r\nthat leads to RMM execution. These attributes are commonly targeted by attackers to deploy AdaptixC2 beacons.\r\nInvestigation notes: Start by checking the User Session Title. Look for RMM tool execution and child process or\r\nfile creation using the RMM tool. 
Look for alerts or suspicious executions such as cmd or PowerShell by the\r\ncompromised user (actor_effective_username).\r\n1\r\n2\r\n3\r\n4\r\n5\r\n6\r\n7\r\n8\r\nconfig case_sensitive = false\r\n| dataset=xdr_data\r\n| fields _time as TeamsTime ,event_type,agent_hostname,actor_effective_username,event_sub_type, title,\r\nactor_process_image_name as teams_image_name, actor_process_image_sha256 ,\r\nactor_process_image_command_line, agent_hostname, _time, action_process_image_name, agent_os_type,\r\nagent_id\r\n| filter agent_os_type = ENUM.AGENT_OS_WINDOWS and event_type = ENUM.USER_SESSION and\r\nteams_image_name in (\"ms-teams.exe\",\"updater.exe\") and ((title contains \"(external)\" and title not contains\r\n\"Chat |\" ) and (title contains \"help\" ))\r\n| join type = inner (\r\nhttps://unit42.paloaltonetworks.com/adaptixc2-post-exploitation-framework/\r\nPage 19 of 31\n\n9\r\n10\r\n11\r\n12\r\n13\r\n14\r\n15\r\n16\r\n17\r\n18\r\n19\r\n20\r\n21\r\ndataset=xdr_data\r\n| fields _time as RmmStartTime ,agent_os_type , action_file_extension ,\r\nevent_type,agent_hostname,actor_effective_username,event_sub_type, actor_process_image_name ,\r\naction_process_image_path, agent_hostname, action_process_image_name, agent_id, event_id\r\n| filter agent_os_type = ENUM.AGENT_OS_WINDOWS and (event_type=ENUM.PROCESS and\r\nevent_sub_type = ENUM.PROCESS_START and action_process_image_name in\r\n(\"*quickassist.exe\",\"*anydesk.exe\",\"*screenconnect.*.exe\",\"*logmein.exe\"))\r\n) as rmm rmm.agent_id = agent_id and rmm.actor_effective_username = actor_effective_username and\r\n(timestamp_diff(rmm.RmmStartTime,TeamsTime , \"MINUTE\") \u003c 10 and\r\ntimestamp_diff(rmm.RmmStartTime,TeamsTime , \"MINUTE\") \u003e= 0)\r\n| comp values(TeamsTime) as _time ,values(RmmStartTime) as RmmStartTime, values(teams_image_name)\r\nas teams_image_name, values(action_process_image_path) as action_process_image_name,\r\nvalues(actor_process_image_name) as ActorProcess, count(Title) as 
CountOfTitle by\r\ntitle,actor_effective_username,agent_hostname , agent_id, event_id\r\n| filter (array_length(action_process_image_name)\u003e0)\r\nConfiguration Extractor Example\r\nThe following code is an example of a configuration extractor that extracts configurations from HTTP beacon files.\r\n1\r\n2\r\n3\r\n4\r\n5\r\n6\r\n7\r\n8\r\n9\r\n10\r\n11\r\nimport struct\r\nimport json\r\nimport sys\r\nfrom typing import Dict, Any\r\nfrom malduck import procmempe, rc4, int32, enhex\r\nclass ConfigParser:\r\ndef __init__(self, data: bytes):\r\nself.data = data\r\nself.offset = 0\r\ndef unpack32(self) -\u003e int:\r\nvalue = struct.unpack('\u003cI', self.data[self.offset:self.offset + 4])[0]\r\nhttps://unit42.paloaltonetworks.com/adaptixc2-post-exploitation-framework/\r\nPage 20 of 31\n\n12\r\n13\r\n14\r\n15\r\n16\r\n17\r\n18\r\n19\r\n20\r\n21\r\n22\r\n23\r\n24\r\n25\r\n26\r\n27\r\n28\r\n29\r\n30\r\n31\r\n32\r\n33\r\n34\r\n35\r\n36\r\n37\r\n38\r\n39\r\nself.offset += 4\r\nreturn value\r\ndef unpack16(self) -\u003e int:\r\n\"\"\"Unpack a 16-bit unsigned integer (little-endian)\"\"\"\r\nvalue = struct.unpack('\u003cH', self.data[self.offset:self.offset + 2])[0]\r\nself.offset += 2\r\nreturn value\r\ndef unpack8(self) -\u003e int:\r\n\"\"\"Unpack an 8-bit unsigned integer\"\"\"\r\nvalue = self.data[self.offset]\r\nself.offset += 1\r\nreturn value\r\ndef unpack_string(self) -\u003e str:\r\n\"\"\"Unpack a length-prefixed string\"\"\"\r\nlength = self.unpack32()\r\nstring_data = self.data[self.offset:self.offset + length]\r\nself.offset += length\r\nif string_data and string_data[-1] == 0:\r\nstring_data = string_data[:-1]\r\nreturn string_data.decode('utf-8', errors='replace')\r\ndef unpack_bytes(self, length: int) -\u003e bytes:\r\n\"\"\"Unpack a fixed number of bytes\"\"\"\r\ndata = self.data[self.offset:self.offset + length]\r\nself.offset += length\r\nreturn data\r\ndef parse_beacon_http_config(data: bytes) -\u003e Dict[str, Any]:\r\n\"\"\"Parse BEACON_HTTP 
configuration from raw bytes\"\"\"\r\nparser = ConfigParser(data)\r\nhttps://unit42.paloaltonetworks.com/adaptixc2-post-exploitation-framework/\r\nPage 21 of 31\n\n40\r\n41\r\n42\r\n43\r\n44\r\n45\r\n46\r\n47\r\n48\r\n49\r\n50\r\n51\r\n52\r\n53\r\n54\r\n55\r\n56\r\n57\r\n58\r\n59\r\n60\r\n61\r\n62\r\n63\r\n64\r\n65\r\n66\r\n67\r\nconfig = {}\r\ntry:\r\n# Parse agent type\r\nconfig['agent_type'] = parser.unpack32()\r\n# Parse HTTP profile\r\nconfig['use_ssl'] = bool(parser.unpack8())\r\nconfig['servers_count'] = parser.unpack32()\r\n# Parse servers and ports\r\nconfig['servers'] = []\r\nconfig['ports'] = []\r\nfor i in range(config['servers_count']):\r\nserver = parser.unpack_string()\r\nport = parser.unpack32()\r\nconfig['servers'].append(server)\r\nconfig['ports'].append(port)\r\n# Parse HTTP settings\r\nconfig['http_method'] = parser.unpack_string()\r\nconfig['uri'] = parser.unpack_string()\r\nconfig['parameter'] = parser.unpack_string()\r\nconfig['user_agent'] = parser.unpack_string()\r\nconfig['http_headers'] = parser.unpack_string()\r\n# Parse answer sizes\r\nconfig['ans_pre_size'] = parser.unpack32()\r\nans_size_raw = parser.unpack32()\r\nconfig['ans_size'] = ans_size_raw + config['ans_pre_size']\r\n# Parse timing settings\r\nconfig['kill_date'] = parser.unpack32()\r\nconfig['working_time'] = parser.unpack32()\r\nhttps://unit42.paloaltonetworks.com/adaptixc2-post-exploitation-framework/\r\nPage 22 of 31\n\n68\r\n69\r\n70\r\n71\r\n72\r\n73\r\n74\r\n75\r\n76\r\n77\r\n78\r\n79\r\n80\r\n81\r\n82\r\n83\r\n84\r\n85\r\n86\r\n87\r\n88\r\n89\r\n90\r\n91\r\n92\r\n93\r\n94\r\n95\r\nconfig['sleep_delay'] = parser.unpack32()\r\nconfig['jitter_delay'] = parser.unpack32()\r\n# Default values from constructor\r\nconfig['listener_type'] = 0\r\nconfig['download_chunk_size'] = 0x19000\r\nreturn config\r\nexcept Exception as e:\r\nprint(f\"Failed to parse configuration: {e}\")\r\nraise\r\ndef parse_config(data: bytes, beacon_type: str = \"BEACON_HTTP\") -\u003e Dict[str, 
Any]:\r\n    \"\"\"Main entry point for parsing beacon configurations\"\"\"\r\n    if beacon_type == \"BEACON_HTTP\":\r\n        return parse_beacon_http_config(data)\r\n    else:\r\n        raise NotImplementedError(f\"Parser for {beacon_type} not implemented\")\r\nif __name__ == \"__main__\":\r\n    if len(sys.argv) \u003c 2:\r\n        print(\"Usage: python extractor.py \u003cpath_to_config_file\u003e\")\r\n        sys.exit(1)\r\n    passed_arg = sys.argv[1]\r\n    try:\r\n        sample = procmempe.from_file(passed_arg)\r\n        rdata_section = sample.pe.section(\".rdata\")\r\n        config_structure = sample.readp(rdata_section.PointerToRawData, rdata_section.SizeOfRawData)\r\n        config_size = int32(config_structure)\r\n        encrypted_config = config_structure[4:config_size+4]\r\n        rc4_key = config_structure[config_size + 4 : config_size + 4 + 16]\r\n    except Exception as e:\r\n        print(f\"Error reading file or extracting configuration: {e}\")\r\n        print(\"Using provided encrypted configuration bytes directly.\")\r\n        try:\r\n            config_structure = bytes.fromhex(passed_arg)\r\n            config_size = int32(config_structure)\r\n            encrypted_config = config_structure[4:config_size+4]\r\n            rc4_key = config_structure[config_size + 4 : config_size + 4 + 16]\r\n        except Exception as e:\r\n            print(f\"Failed to process provided argument as configuration bytes: {e}\")\r\n            sys.exit(1)\r\n    try:\r\n        decrypted_config = rc4(rc4_key, encrypted_config)\r\n        print(f\"Decrypted configuration size: {len(decrypted_config)} bytes\")\r\n        print(f\"Decrypted configuration content: {decrypted_config}\")\r\n        print(f\"Decrypted configuration (hex): {enhex(decrypted_config)}\")\r\n        config = parse_config(decrypted_config)\r\n        print(\"Parsed configuration:\")\r\n        print(json.dumps(config, indent=2))\r\n    except Exception as 
e:\r\n        print(f\"Error parsing configuration: {e}\")\r\nAdditional Resources\r\nAdaptixC2 – GitHub\r\nFog Ransomware: Unusual Toolset Used in Recent Attack – Symantec\r\n2025 Unit 42 Global Incident Response Report: Social Engineering Edition – Unit 42\r\nWhat is Phishing – Palo Alto Networks\r\nWhat is RMM – ManageEngine\r\nWhat Are Fileless Malware Attacks – Palo Alto 
Networks\r\nDLL Hijacking Techniques – Unit 42\r\nUnit 42 Develops Agentic AI Attack Framework – Palo Alto Networks\r\nMarshal.GetDelegateForFunctionPointer Method – Microsoft Docs\r\nInvoke-RestMethod (PowerShell) – Microsoft Docs\r\nVirtualProtect function – Microsoft Docs\r\nMemory Protection Constants – Microsoft Docs\r\nMITRE ATT\u0026CK T1547.001 – MITRE\r\nSource: https://unit42.paloaltonetworks.com/adaptixc2-post-exploitation-framework/\n\n5 reference 6 strings: = \"https://github.com/Adaptix-Framework/AdaptixC2\"    \n7 $FileTimeToUnixTimestamp = {D1 65 F8 83 7D F4 1F 7E 17 8B 55 E4}",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://unit42.paloaltonetworks.com/adaptixc2-post-exploitation-framework/"
	],
	"report_names": [
		"adaptixc2-post-exploitation-framework"
	],
	"threat_actors": [
		{
			"id": "2ed8d590-defa-4873-b2de-b75c9b30931e",
			"created_at": "2023-01-06T13:46:38.730137Z",
			"updated_at": "2026-04-10T02:00:03.08136Z",
			"deleted_at": null,
			"main_name": "MuddyWater",
			"aliases": [
				"TEMP.Zagros",
				"Seedworm",
				"COBALT ULSTER",
				"G0069",
				"ATK51",
				"Mango Sandstorm",
				"TA450",
				"Static Kitten",
				"Boggy Serpens",
				"Earth Vetala"
			],
			"source_name": "MISPGALAXY:MuddyWater",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "156b3bc5-14b7-48e1-b19d-23aa17492621",
			"created_at": "2025-08-07T02:03:24.793494Z",
			"updated_at": "2026-04-10T02:00:03.634641Z",
			"deleted_at": null,
			"main_name": "COBALT ULSTER",
			"aliases": [
				"Boggy Serpens ",
				"ENT-11 ",
				"Earth Vetala ",
				"ITG17 ",
				"MERCURY ",
				"Mango Sandstorm ",
				"MuddyWater ",
				"STAC 1171 ",
				"Seedworm ",
				"Static Kitten ",
				"TA450 ",
				"TEMP.Zagros ",
				"UNC3313 ",
				"Yellow Nix "
			],
			"source_name": "Secureworks:COBALT ULSTER",
			"tools": [
				"CrackMapExec",
				"Empire",
				"FORELORD",
				"Koadic",
				"LaZagne",
				"Metasploit",
				"Mimikatz",
				"Plink",
				"PowerStats"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "3c430d71-ab2b-4588-820a-42dd6cfc39fb",
			"created_at": "2022-10-25T16:07:23.880522Z",
			"updated_at": "2026-04-10T02:00:04.775749Z",
			"deleted_at": null,
			"main_name": "MuddyWater",
			"aliases": [
				"ATK 51",
				"Boggy Serpens",
				"Cobalt Ulster",
				"G0069",
				"ITG17",
				"Mango Sandstorm",
				"MuddyWater",
				"Operation BlackWater",
				"Operation Earth Vetala",
				"Operation Quicksand",
				"Seedworm",
				"Static Kitten",
				"T-APT-14",
				"TA450",
				"TEMP.Zagros",
				"Yellow Nix"
			],
			"source_name": "ETDA:MuddyWater",
			"tools": [
				"Agentemis",
				"BugSleep",
				"CLOUDSTATS",
				"ChromeCookiesView",
				"Cobalt Strike",
				"CobaltStrike",
				"CrackMapExec",
				"DCHSpy",
				"DELPHSTATS",
				"EmPyre",
				"EmpireProject",
				"FruityC2",
				"Koadic",
				"LOLBAS",
				"LOLBins",
				"LaZagne",
				"Living off the Land",
				"MZCookiesView",
				"Meterpreter",
				"Mimikatz",
				"MuddyC2Go",
				"MuddyRot",
				"Mudwater",
				"POWERSTATS",
				"PRB-Backdoor",
				"PhonyC2",
				"PowGoop",
				"PowerShell Empire",
				"PowerSploit",
				"Powermud",
				"QUADAGENT",
				"SHARPSTATS",
				"SSF",
				"Secure Socket Funneling",
				"Shootback",
				"Smbmap",
				"Valyria",
				"chrome-passwords",
				"cobeacon",
				"prb_backdoor"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434930,
	"ts_updated_at": 1775826738,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/cb4c3c7bcbad260922b370fa6d1f1555f3420f5f.pdf",
		"text": "https://archive.orkl.eu/cb4c3c7bcbad260922b370fa6d1f1555f3420f5f.txt",
		"img": "https://archive.orkl.eu/cb4c3c7bcbad260922b370fa6d1f1555f3420f5f.jpg"
	}
}