{
	"id": "11c73c0e-234c-45f7-9406-81b09cb72f88",
	"created_at": "2026-04-06T00:19:04.881211Z",
	"updated_at": "2026-04-10T03:22:13.025504Z",
	"deleted_at": null,
	"sha1_hash": "f0d6ba837edee8146dee896d1e7e119e4d1aab31",
	"title": "AdaptixC2 Uncovered: Capabilities, Tactics \u0026 Hunting Strategies",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2621708,
	"plain_text": "AdaptixC2 Uncovered: Capabilities, Tactics \u0026 Hunting Strategies\r\nPublished: 2025-10-09 · Archived: 2026-04-05 15:02:41 UTC\r\nAdaptixC2 is a command-and-control (C2) framework designed to be simple, flexible, and easily customizable.\r\nUnlike larger C2 platforms that can be complex and heavy, its lightweight design makes it easier for attackers to\r\ndeploy and adapt across different environments.\r\nThe framework is modular, meaning its features can be extended or modified without requiring a complete rewrite\r\nof the system. It supports the basic functions you'd expect in a C2 tool, such as running commands on a\r\ncompromised machine, transferring files, injecting into processes, setting up persistence, and gathering system\r\ninformation. Communication usually happens through HTTP or HTTPS, which helps it blend in with normal web\r\ntraffic.\r\nBecause it's open-source, AdaptixC2 can be studied and modified by anyone, from researchers and defenders to\r\nred teamers and attackers. For defenders, it's a good example of how custom or lesser-known C2 frameworks are\r\nbeing used to avoid detection.\r\nFig 1. AdaptixC2 GUI client showing operator controls and session overview.\r\nKey Takeaways\r\nFramework: AdaptixC2 demonstrates that lightweight, open-source C2 frameworks can deliver full-featured capabilities, including multi-protocol communication, advanced evasion techniques, and modular\r\nhttps://hunt.io/blog/adaptixc2-uncovered-capabilities-tactics-hunting\r\nPage 1 of 18\n\nextensibility through BOF execution systems.\r\nReal-World Deployment Scale: The discovery of 102 active servers across multiple countries and hosting\r\nproviders indicates widespread operational use, not just research or testing activities, with attackers\r\nleveraging legitimate cloud infrastructure to blend malicious operations.\r\nMulti-Protocol Threat Model: The beacon's support for HTTP, SMB, and TCP protocols creates multiple\r\nattack vectors that require comprehensive network monitoring, as attackers can adapt communication\r\nmethods based on target environment restrictions.\r\nDetection Challenges: Dynamic API resolution, custom hash-based lookups, and RC4 encryption make\r\ntraditional signature-based detection ineffective, requiring behavioral analysis and network pattern\r\nrecognition for reliable identification.\r\nOperational Security Features: Built-in capabilities like kill dates, working hours restrictions, and\r\nconfigurable sleep intervals demonstrate that even lightweight frameworks incorporate sophisticated\r\noperational security measures for long-term persistence.\r\nLateral Movement Capabilities: SMB named pipe communication and multi-hop pivoting functionality\r\ntransform each infected system into a potential stepping stone for deeper network penetration, requiring\r\nnetwork segmentation as a critical defense.\r\nOpen Source Intelligence Impact: Exposed directories with deployment scripts, configuration files, and\r\ncompiled agents offer useful insight into attacker operations and support better countermeasures.\r\nInitial Discovery via AttackCapture™\r\nAttackCapture™ is Hunt.io's system for spotting and indexing open directories left exposed online by attackers. It\r\ncollects these directories, extracts the files inside, and tags them by malware family, tool name, or known\r\nbehavior. This helps analysts connect exposed files with active infrastructure and see how different frameworks,\r\nlike AdaptixC2, are being used in real operations.\r\nFor our research on AdaptixC2, the first step was filtering results by the AdaptixC2 tag. This quickly revealed\r\nservers linked to the framework. We then focused on hosts with open directories, since these often hold payloads,\r\nconfiguration files, or C2 web panels.\r\nReviewing these directories gave us a clearer view of how AdaptixC2 functions and where it's being deployed.\r\nFindings pointed to servers across multiple providers and countries, including Kazakhstan, Ireland, and\r\nSwitzerland, with ports such as 80, 8000, and 14531 frequently observed.\r\nhttps://hunt.io/blog/adaptixc2-uncovered-capabilities-tactics-hunting\r\nPage 2 of 18\n\nFigure 2: Hunting AdaptixC2 with Hunt.io using tags and open-directory pivots\r\nSome exposed open directories held files from a few megabytes up to more than 70 MB. These often include\r\npayloads, configuration files, or control pages that reveal how the server is set up.\r\nWhile analyzing one of the AdaptixC2 servers (85.202.193[.]88), we found .ssh/authorized_keys (possible\r\naccess keys), shell histories ( .bash_history , .history , nohup.out ), and profile files that show past\r\ncommands and environment details.\r\nWe also saw deployment traces such as Dockerfile, dist/, server.log, and install scripts (\r\npre_install_linux_all.sh , pre_install_macos_client.sh ) that show how the framework was built and run.\r\nhttps://hunt.io/blog/adaptixc2-uncovered-capabilities-tactics-hunting\r\nPage 3 of 18\n\nFigure 3: Investigating AdaptixC2 results with indexed files and metadata.\r\nThe exposed directory also contained compiled agents and traces of day-to-day use. User and system files like\r\n.bash_history , .bashrc , .profile , .wget-hsts , and .sudo_as_admin_successful reveal environment\r\nsetup and past activity on the host. We also found multiple compiled payloads ( agent.x64.bin ,\r\nagent.x86.dll/.exe , agent.smb.exe/.dll , agent_noheader.exe , svc_agent.* ) and encoded forms (\r\nagent.base64 , agent.hex ).\r\nhttps://hunt.io/blog/adaptixc2-uncovered-capabilities-tactics-hunting\r\nPage 4 of 18\n\nFigure 4: AdaptixC2 payloads including compiled agents and encoded variants.\r\nInvestigation and Analysis\r\nOur review of the collected AdaptixC2 files and code revealed several agent components that shed light on the\r\nframework’s client-side behavior. The analysis centered on the beacon, the malware responsible for establishing\r\ncommand and control on infected systems, where we identified seven key capability areas that define how\r\nAdaptixC2 operates in the wild.\r\nMulti-Protocol Communication\r\nThe beacon implements three different communication methods to establish command and control channels with\r\nremote operators. The HTTP method uses standard web traffic with custom headers and URIs to blend in with\r\nnormal browsing activity, while supporting multiple backup servers for redundancy.\r\nFor internal network operations, it creates SMB named pipes between infected machines, allowing commands to\r\npass through compromised systems without generating external traffic. The TCP option provides direct socket\r\nconnections when HTTP traffic is blocked, listening on configurable ports with a custom protocol implementation.\r\nAdvanced Evasion Techniques\r\nhttps://hunt.io/blog/adaptixc2-uncovered-capabilities-tactics-hunting\r\nPage 5 of 18\n\nThe malware avoids static API imports by resolving Windows function addresses at runtime using custom hash-based lookups, making signature detection significantly harder. It supports multiple deployment methods,\r\nincluding standalone executables, Windows services, DLL injection, and shellcode execution, providing flexibility\r\nto bypass different security controls and persistence mechanisms.\r\nFigure 5: API hashing technique with runtime function resolution by hash.\r\nSystem Administration Capabilities\r\nThe beacon provides comprehensive remote administration through an extensive command set that includes\r\ncomplete file system operations like directory listing, file reading, copying, and deletion. It also offers process\r\nmanagement capabilities, allowing attackers to list running applications, terminate processes, and execute new\r\nprograms with full output capture for interactive system control.\r\nhttps://hunt.io/blog/adaptixc2-uncovered-capabilities-tactics-hunting\r\nPage 6 of 18\n\nFigure 6: Commands executed by the attacker with captured task output.\r\nFile Transfer Functionality\r\nThe malware implements robust file transfer capabilities supporting both uploads and downloads through\r\nencrypted channels. Downloads use a chunked transfer system that breaks large files into smaller pieces with\r\nresume capability, helping avoid network monitoring alerts while ensuring reliable transfer completion even over\r\nunstable connections.\r\nhttps://hunt.io/blog/adaptixc2-uncovered-capabilities-tactics-hunting\r\nPage 7 of 18\n\nFigure 7: File transfer code used for uploads and downloads with chunking.\r\nNetworking and Lateral Movement\r\nThe beacon includes sophisticated tunneling and pivoting functionality that transforms infected systems into proxy\r\nservers for deeper network penetration. It implements TCP and UDP port forwarding to route traffic through\r\ncompromised machines and supports multi-hop connections where commands pass through multiple infected\r\nsystems to reach targets that cannot directly communicate with external C2 servers.\r\nBOF Execution System\r\nThe malware features a Beacon Object File system that allows loading and executing additional modules without\r\nrecompilation. This modular architecture provides loaded modules with a complete API for system interaction,\r\nmemory management, and output handling, essentially creating a platform for arbitrary code execution and\r\nfunctionality extension.\r\nhttps://hunt.io/blog/adaptixc2-uncovered-capabilities-tactics-hunting\r\nPage 8 of 18\n\nFigure 8: Executing additional modules through the BOF extension system.\r\nConfiguration Management\r\nThe beacon includes several operational security features designed for long-term persistence and stealth\r\noperations. It supports kill dates for automatic termination, working hours restrictions to blend with normal\r\nbusiness operations, and configurable sleep intervals with random jitter to evade network monitoring. All\r\ncommunications use RC4 encryption with session-specific keys to protect command and control traffic from\r\nanalysis.\r\nhttps://hunt.io/blog/adaptixc2-uncovered-capabilities-tactics-hunting\r\nPage 9 of 18\n\nFigure 9: Features for long-term persistence, sleep jitter, and kill dates.\r\nInfrastructure Discovery and Hunting\r\nAfter understanding the beacon's internal functions, we shifted focus to the infrastructure that supports it. Using\r\nconfiguration profiles and live telemetry from Hunt.io, we mapped active AdaptixC2 servers and analyzed how\r\nthey operate across hosting providers.\r\nConfiguration Profile Discovery\r\nDuring our investigation, we found a configuration profile for an AdaptixC2 teamserver that gave us several\r\nuseful leads. The profile shows the server listening on 0.0.0.0:4321 with an /endpoint path, default credentials,\r\ncertificate names (server.rsa.crt and server.rsa.key), and a list of enabled extenders (HTTP, SMB, TCP, Gopher). It\r\nalso includes token lifetimes, a custom server header, version string (v0.8), and templates for callbacks such as\r\nnew agent registration or file downloads.\r\nhttps://hunt.io/blog/adaptixc2-uncovered-capabilities-tactics-hunting\r\nPage 10 of 18\n\nFigure 10: JSON profile used by the AdaptixC2 server showing ports and headers.\r\nInfrastructure Fingerprinting\r\nThese details are valuable for tracking infrastructure. The ports and endpoints guide network searches, certificate\r\nnames reveal file locations in exposed webroots, and headers or version strings provide a fingerprint to link\r\nmultiple hosts. We exported these indicators into Hunt.io's index and used them to map related AdaptixC2 servers\r\nacross the internet.\r\nHuntSQL™ Query for AdaptixC2 Detection\r\nWe noticed the HTTP response header Server: AdaptixC2, which is a very useful fingerprint. Because that header\r\nis returned by the server, we can pivot from any host that shows it: search web server headers, proxy/WAF logs,\r\npassive DNS, or service scans for matches, and pull associated files and connection logs.\r\nIn this case, we crafted a HuntSQL™ query searching for HTTP headers containing the string %AdaptixC2%,\r\nallowing us to identify servers returning that value in their responses.\r\nSELECT\r\n ip\r\nFROM\r\n httpv2\r\nWHERE\r\nhttps://hunt.io/blog/adaptixc2-uncovered-capabilities-tactics-hunting\r\nPage 11 of 18\n\nhttp.headers.bytes.content LIKE '%AdaptixC2%'\r\n AND timestamp gt '2025-09-20'\r\n \r\nCopy\r\nThe results revealed 56 active hosts returning the Server: AdaptixC2 header, confirming live infrastructure tied to\r\nthe framework. Several of these servers were hosted on well-known providers, suggesting attackers rely on\r\ncommercial cloud environments to run their C2 operations.\r\nFigure 11: Results of SQL rule returning hosts with the AdaptixC2 header.\r\nThis query returns hosts matching the AdaptixC2 pattern and can be extended for certificate or JARM correlation,\r\nhelping uncover additional servers with shared infrastructure traits. Building on these results, we expanded the\r\nsearch across Hunt.io’s dataset to identify broader AdaptixC2 activity and confirm patterns observed in earlier\r\nfindings.\r\nAutomated Hunting\r\nhttps://hunt.io/blog/adaptixc2-uncovered-capabilities-tactics-hunting\r\nPage 12 of 18\n\nFiltering Hunt.io's C2 telemetry for the AdaptixC2 tag surfaced 102 active servers across several hosting\r\nproviders. Most were hosted on Hivelocity, OVHcloud, and Constant Company, showing that attackers rely on\r\nlegitimate cloud infrastructure to hide their activity among regular business traffic. Counts reflect\r\nAttackCapture™ and HuntSQL™ results collected between August and September 2025.\r\nPort analysis confirmed that 4321 is the default listening port for AdaptixC2 teamservers, with 6869 and 53362\r\nseen in custom setups or parallel listeners. These findings reinforce the configuration data seen earlier and provide\r\nreliable starting points for detection and blocking.\r\nFigure 12: Automated hunting of AdaptixC2 servers via Hunt.io C2 listing.\r\nWith this infrastructure mapped, the next step was to explore how analysts can pivot within Hunt.io to uncover\r\nrelated servers, shared certificates, and broader connections across the same attacker ecosystem.\r\nPivoting and Correlation in Hunt.io\r\nOnce analysts obtain this AdaptixC2 infrastructure listing in Hunt.io, they can pivot directly from the displayed\r\nfields to expand the investigation and uncover related infrastructure controlled by the same threat actor. For\r\nexample, by pivoting from one of the identified IPs - 23.227.203[.]190 - analysts can explore provider details, risk\r\nscores, and open ports to understand how this C2 node fits within the broader AdaptixC2 network.\r\nhttps://hunt.io/blog/adaptixc2-uncovered-capabilities-tactics-hunting\r\nPage 13 of 18\n\nFigure 13: IP pivoting reveals ASN, risk score, open ports, and software info.\r\nThe Info tab shows provider details, risk level, and open ports. Analysts can confirm if the host is active, review\r\nservices like TLS or SSH, and check non-standard ports such as 4321 that often appear in AdaptixC2\r\ndeployments.\r\nThe Domains tab lists hostnames tied to the IP. This helps reveal automatically generated subdomains or control\r\npanels that attackers might use for redirection or management.\r\nIn the Associations tab, Hunt.io displays all linked SSL certificates, keys, and configuration files. Matching\r\ncertificates across several IPs is one of the quickest ways to connect multiple C2 servers operated by the same\r\ngroup. In this example, identical certificate fingerprints were found across several Hivelocity IPs, confirming\r\nshared infrastructure within the same AdaptixC2 cluster.\r\nhttps://hunt.io/blog/adaptixc2-uncovered-capabilities-tactics-hunting\r\nPage 14 of 18\n\nFigure 14: Associations tab showing linked SSL certificates, keys, and configs.\r\nThe Pivots view brings these findings together. It lists hashes, headers, and TLS fingerprints that can be queried or\r\nexpanded through HuntSQL™. Analysts can search by SSL fingerprint, header hash, or JARM signature to\r\nuncover other hosts with the same traits. This pivoting ability helps build a clear map of how attackers distribute\r\nand reuse their C2 nodes.\r\nFigure 15: Pivots tab listing files, hashes, headers, and TLS fingerprints.\r\nTimeline and IOC Correlation\r\nhttps://hunt.io/blog/adaptixc2-uncovered-capabilities-tactics-hunting\r\nPage 15 of 18\n\nThe Timeline / IOCs view helps analysts understand how the AdaptixC2 infrastructure evolves. Each bar\r\nrepresents a port observed in activity, along with correlated JARM or SSL fingerprints. By hovering or zooming,\r\nanalysts can track when a C2 server first appeared, when it was last active, and which encrypted fingerprints were\r\nlinked to it during specific months.\r\nFigure 16: Timeline / IOCs showing evolution of ports, services, and fingerprints.\r\nIn this example, ports 443, 6579, and 43211 show consistent activity, with the AdaptixC2 signature clearly visible\r\non 43211. Seeing this progression allows threat hunters to confirm persistence, reuse of configurations, and the\r\nrollout of new servers that share identical TLS or SSH fingerprints.\r\nUsing these pivoting capabilities, Hunt.io enables analysts to move from a single AdaptixC2 indicator to a full\r\npicture of the surrounding infrastructure, revealing the scale and connections behind active campaigns. With this\r\nvisibility established, the next step is translating these findings into practical detection and defense measures.\r\nMitigation Strategies\r\nNetwork-Level Defenses: Since AdaptixC2 relies on RC4-encrypted C2 traffic and often listens on custom\r\nports like 4321, deep packet inspection can help identify unusual encryption patterns and HTTP headers\r\nlinked to its command structure. Monitor for connections to non-standard ports and recurring certificate\r\nnames such as server.rsa.crt. Apply network segmentation to contain SMB-based lateral movement and\r\nblock outbound communication from non-essential systems.\r\nHost-Based Protection: AdaptixC2’s runtime API resolution and process injection techniques can evade\r\nstatic detection, so focus on endpoint monitoring for suspicious memory activity and unsigned binary\r\nexecution. Whitelist critical applications, track BOF module loads, and monitor for unexpected service\r\ninstallations or registry modifications linked to persistence.\r\nhttps://hunt.io/blog/adaptixc2-uncovered-capabilities-tactics-hunting\r\nPage 16 of 18\n\nDetection and Response: AdaptixC2 operators reuse distinct HTTP headers, port combinations, and\r\ncertificates across their infrastructure. Build SIEM correlation rules around these indicators and integrate\r\nbehavioral detection for tunneling or multi-hop C2 communication. When detected, trigger automated\r\nresponse actions, isolate the host and capture forensic data for post-incident analysis.\r\nWrapping Up\r\nThis analysis of AdaptixC2 reveals a sophisticated yet lightweight command and control framework designed for\r\npersistent access and stealthy operations. The beacon's multi-protocol communication capabilities, advanced\r\nevasion techniques, and comprehensive system administration features make it a significant threat to\r\norganizational security. The framework's modular architecture and BOF execution system provide attackers with\r\nthe flexibility to adapt their operations to specific environments and objectives.\r\nThe discovery of active infrastructure across multiple countries and hosting providers demonstrates the\r\nframework's real-world adoption and operational deployment. The identified configuration patterns and network\r\nsignatures provide valuable intelligence for proactive defense and threat hunting activities. Organizations should\r\nprioritize implementing the recommended mitigation strategies and monitoring for the provided indicators to\r\ndetect and respond to AdaptixC2 activities effectively.\r\nAdaptixC2 IOCs\r\nBelow is a sample of verified servers observed during our HuntSQL™ searches, all confirmed through\r\nAttackCapture™ and host-level correlation.\r\nIP\r\nAttackCapture™\r\nData\r\nASN Company Notes\r\n20.234.49[.]186 AdaptixC2 AS8075\r\nMicrosoft\r\nCorporation\r\nExposed open directory\r\n85.202.193[.]88 AdaptixC2 AS39318\r\nPS Internet Company\r\nLLP\r\nExposed open directory\r\n144.91.103[.]204 AdaptixC2 AS51167 Contabo GmbH Exposed open directory\r\n185.196.10[.]96 AdaptixC2 AS42624\r\nGlobal-Data System\r\nIT Corporation\r\nExposed open directory\r\n166.1.160[.]69 AdaptixC2 AS41745\r\nAce Data Centers,\r\nInc.\r\nExposed open directory\r\n23.227.203[.]190 - AS29802 HIVELOCITY, Inc. C2 server\r\nOther 56 IPs - Multiple Multiple\r\nHTTP headers containing\r\nthe string %AdaptixC2%\r\nhttps://hunt.io/blog/adaptixc2-uncovered-capabilities-tactics-hunting\r\nPage 17 of 18\n\nThe table above includes a sample of confirmed AdaptixC2 servers. To access the rest of the 102+ servers detected\r\nthrough Hunt.io’s automated C2 detection, contact our team for details.\r\nSource: https://hunt.io/blog/adaptixc2-uncovered-capabilities-tactics-hunting\r\nhttps://hunt.io/blog/adaptixc2-uncovered-capabilities-tactics-hunting\r\nPage 18 of 18",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://hunt.io/blog/adaptixc2-uncovered-capabilities-tactics-hunting"
	],
	"report_names": [
		"adaptixc2-uncovered-capabilities-tactics-hunting"
	],
	"threat_actors": [],
	"ts_created_at": 1775434744,
	"ts_updated_at": 1775791333,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f0d6ba837edee8146dee896d1e7e119e4d1aab31.pdf",
		"text": "https://archive.orkl.eu/f0d6ba837edee8146dee896d1e7e119e4d1aab31.txt",
		"img": "https://archive.orkl.eu/f0d6ba837edee8146dee896d1e7e119e4d1aab31.jpg"
	}
}