AdaptixC2
AdaptixC2 is an open-source post-exploitation and adversarial emulation command-and-control framework used by penetration testers and increasingly abused by threat actors in real-world intrusions. The provided content describes it as a Go-based C2/teamserver with Beacon and Gopher agent families, supporting Windows, Linux, and macOS, multiple transports including HTTP/S, DNS/DoH, SMB named pipes, and raw TCP, and capabilities such as remote shell/command execution, file transfer, data exfiltration, port forwarding, SOCKS proxying, process management, screenshot capture, and in-memory execution of Beacon Object Files. Beacon payloads can be generated as EXE, DLL, service executables, and raw shellcode for x86 and x64 architectures. AdaptixC2 configurations are RC4-encrypted and can be extracted from samples; default agent watermarks noted in the content are be4c0149 for Beacon and 904e5493 for Gopher.
The framework is readily fingerprintable when deployed with default or near-default settings. Version 1.2 ships branded unauthenticated HTTP headers including "Server: AdaptixC2" and "Adaptix-Version: v1.2", and a default 404 page containing "AdaptixC2 404" and "You need to enter the correct connection details." The content also notes JARM/TLS fingerprinting and a commonly observed default OpenSSL self-signed certificate with subject "C=AU, ST=Some-State, O=Internet Widgits Pty Ltd." Common observed ports include teamserver port 4321 and beacon listener port 43211.
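The default fingerprints listed above can be turned into a simple check on an HTTP response and its TLS certificate subject. This is an added example written for this page, not code from the AdaptixC2 project or from any of the cited reports; the sample responses are constructed inline, and the nginx version string in the benign sample is an arbitrary placeholder.

```python
from dataclasses import dataclass

# Default markers reported for AdaptixC2 v1.2 listeners (see text above).
HEADER_MARKERS = {"server": "AdaptixC2", "adaptix-version": "v1.2"}
BODY_MARKERS = ("AdaptixC2 404", "You need to enter the correct connection details.")
# Default OpenSSL self-signed subject; weak on its own, since any OpenSSL default cert has it.
DEFAULT_CERT_SUBJECT = "C=AU, ST=Some-State, O=Internet Widgits Pty Ltd"


@dataclass
class HttpResponse:
    status: int
    headers: dict
    body: str
    cert_subject: str = ""


def fingerprint(resp: HttpResponse) -> list:
    """Return the AdaptixC2 default fingerprints present in one HTTP response."""
    hits = []
    # Header names are case-insensitive; values are compared exactly after trimming.
    lowered = {k.lower(): v.strip() for k, v in resp.headers.items()}
    for name, expected in HEADER_MARKERS.items():
        if lowered.get(name) == expected:
            hits.append(f"header:{name}")
    if resp.status == 404:
        for marker in BODY_MARKERS:
            if marker in resp.body:
                hits.append(f"body:{marker}")
    if resp.cert_subject.rstrip(".") == DEFAULT_CERT_SUBJECT:
        hits.append("tls:default-openssl-subject")
    return hits


def is_likely_adaptix(resp: HttpResponse) -> bool:
    """True only when a branded header or 404 body marker is present; the
    default certificate subject alone is not treated as sufficient."""
    return any(not h.startswith("tls:") for h in fingerprint(resp))


# Constructed sample: a default v1.2 listener answering an unauthenticated GET.
SAMPLE_DEFAULT = HttpResponse(
    404,
    {"Server": "AdaptixC2", "Adaptix-Version": "v1.2", "Content-Type": "text/html"},
    "<html><body>AdaptixC2 404<br>You need to enter the correct connection details.</body></html>",
    DEFAULT_CERT_SUBJECT,
)
# Constructed sample: an unrelated server that happens to use the same default certificate.
SAMPLE_BENIGN = HttpResponse(404, {"Server": "nginx/1.24.0"}, "<h1>404 Not Found</h1>",
                             DEFAULT_CERT_SUBJECT)
```

Operators who rebrand the headers or 404 page will not trip this check, so treat a miss as inconclusive and a TLS-only hit as corroboration, not evidence.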
Across the cited reporting, AdaptixC2 was used in multiple intrusion types. Unit 42 observed infections in early May 2025, including Microsoft Teams social-engineering and Quick Assist-based access followed by multi-stage PowerShell loaders, in-memory shellcode execution, DLL hijacking with msimg32.dll, and persistence via startup-folder shortcuts or a Run key named "Updater." In those cases, operators used AdaptixC2 for reconnaissance and post-compromise control; one beacon communicated with tech-system[.]online over HTTPS on port 443 using POST /endpoint/api and header X-App-Id. Seqrite reported Operation Dragon Weave, a China-aligned espionage campaign targeting officials and citizens in the Czech Republic and Taiwan across government, research, academic, technology, and financial sectors, where spear-phishing ZIP archives led through LNK/PowerShell or Rust dropper chains, DLL sideloading, and a Rust loader named RUSTCLOAK to an AdaptixC2 agent called AZUREVEIL that used Microsoft Azure Blob Storage as a dead-drop C2 channel and supported 36 commands.
The content also ties AdaptixC2 to ransomware and financially motivated activity. GOLD ENCOUNTER/PayoutsKing used AdaptixC2 or OpenSSH to establish SSH backdoors after initial access via Cisco or SonicWall SSL VPNs, a SolarWinds Web Help Desk vulnerability, or Teams vishing. Sophos reported a fake Claude AI campaign using DLL sideloading and DonutLoader, with a March 2026 sample deploying AdaptixC2-related shellcode and noting the framework had been seen in ransomware attacks. Cisco Talos observed malware agents compiled from the public AdaptixC2 framework during exploitation of Cisco SD-WAN vulnerabilities, alongside webshells, Sliver, XMRig, credential stealers, and other tooling. Ctrl-Alt-Intel reported an unknown actor exploiting CVE-2026-41940 in cPanel/WHM and a custom Indonesian defense-portal exploit chain, deploying an ELF AdaptixC2 payload named "1" configured to beacon to delicate-dew.serveftp[.]com:4455, with telemetry linking the C2 to 95.111.250[.]175. Sophos also documented QEMU-based hidden-VM tradecraft in STAC4713/PayoutsKing intrusions where the guest image used AdaptixC2 or OpenSSH to establish reverse SSH tunnels.
Additional high-confidence indicators and artifacts mentioned in the content include exposed AdaptixC2 infrastructure at 2.26.229[.]254 serving BeaconHTTP on port 4433, GopherTCP on port 4455, and payloads on port 7000; exposed files install.sh, timesync.bin, svhost.exe, svc_timesync.x64.exe, and agent.x86.exe; install.sh SHA256 479b7abd5df2f6ab3de8c32a36478c15012dbc8217f9fa825fd4b9cb7e9b8d13; a hardcoded SSH public key for user timesync-manager; Windows Beacon callbacks to hxxp://2.26.229[.]254:4433 using URIs /api/v1/status, /updates/check.php, and /content.html with header X-ISS and RC4 key 1baccab4cbd2b84f6bc54bf8e6551f93; Cluster 5 Talos activity using filename systemd-resolved with C2 194[.]163[.]175[.]135:4445; and the Indonesian campaign ELF payload hash 1CFEADF01D24182362887B7C5F683E8BDB0E84CDDCE03E3B7564B2D9AB5D15CF. The content repeatedly emphasizes that AdaptixC2 is dual-use tooling, so presence alone does not establish malicious intent, but it is clearly being operationalized by espionage, ransomware, and opportunistic intrusion actors.
Vulnerabilities exploited
6 CVEs correlated with this family across public research and vendor advisories.
An AdaptixC2 malware payload was also identified, indicating active command-and-control operations. Analysis of exposed payloads shows the attacker used AdaptixC2 for command and control, along with a PowerShell reverse shell.
On Windows systems, the hack of the Telnyx Python SDK resulted in the deployment of an executable named "msbuild.exe" that employs several obfuscation techniques to evade detection and extracts DonutLoader, a shellcode loader, from a PNG image present within the binary to load a full-featured trojan and a beacon associated with AdaptixC2, an open-source command-and-control (C2) framework.
The tools deployed by these clusters range from webshells (Godzilla, Behinder, XenShell) and red team frameworks (AdaptixC2, Sliver) to cryptocurrency miners (XMRig) and credential stealers targeting admin hashes, JWT tokens and AWS credentials.
CVE-2026-20182 carries a CVSSv3.1 score of 10.0 (Critical) and is classified under CWE-287: Improper Authentication. The flaw affects the Cisco Catalyst SD-WAN Controller (formerly vSmart)... The peering authentication mechanism is not functioning correctly, allowing an unauthenticated, remote attacker to bypass authentication and obtain administrative privileges on the affected system.
Groups observed using it
5 distinct threat actors attributed by public researchers.
A new cyber espionage campaign codenamed Operation Dragon Weave has been observed targeting officials and citizens in the Czech Republic and Taiwan to deliver an AdaptixC2 agent... The loader then decrypts and runs the main payload, an AdaptixC2 agent codenamed AZUREVEIL owing to the use of Microsoft Azure Blob Storage for command-and-control (C2).
The group has also used a DLL sideloading technique to launch the Havoc C2 post-exploitation framework, and establishes an SSH backdoor via AdaptixC2 or OpenSSH.
83.142.209[.]11 is shown below, confirming ASN membership, TeamPCP attribution, and the AdaptixC2 malware classification.
The March sample is markedly different... the decryption of a .log file culminating in the execution of AdaptixC2-related shellcode. (AdaptixC2 is an open-source red-teaming framework that we’ve seen used in ransomware attacks...)
Techniques & procedures
40 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access (2 techniques)
attackers used phishing attacks to impersonate IT support personnel (using subject lines like “Help Desk (External) | Microsoft Teams”). This convinced employees to initiate legitimate remote assistance sessions using tools like the Quick Assist Remote Monitoring and Management (RMM) tool.
Execution (8 techniques)
In another case, threat actors deployed a PowerShell script that was designed to deploy AdaptixC2 beacons.
The attackers deployed the AdaptixC2 beacon using a multi-stage PowerShell loader that downloads an encoded and encrypted payload from a link to a legitimate service.
Inside the VM, persistence and a command and control channel were established through the root crontab that launched two scripts at boot...
    @reboot /bin/sh /sbin/syslogda.sh>/dev/null 2>&1
    @reboot /bin/sh /sbin/syslogdb.sh>/dev/null 2>&1
The executable decrypts the embedded shellcode, then allocates memory and launches the malicious payload using the CreateThread WinAPI function.
Persistence (2 techniques)
Inside the VM, persistence and a command and control channel were established through the root crontab that launched two scripts at boot
The script creates a registry entry in the run key named “Updater,” with a PowerShell command that executes the loader.ps1 script.
To guarantee the malicious process automatically starts after reboot, the script creates a shortcut in the startup folder.
Privilege Escalation (3 techniques)
Inside the VM, persistence and a command and control channel were established through the root crontab that launched two scripts at boot
A common technique for achieving this is injecting malicious code into the address space of a legitimate process. Consequently, the payload executes under the identity of a trusted system or user process...
The script creates a registry entry in the run key named “Updater,” with a PowerShell command that executes the loader.ps1 script.
To guarantee the malicious process automatically starts after reboot, the script creates a shortcut in the startup folder.
Stealth (7 techniques)
Additionally, threat actors can modify and enhance the agent using custom obfuscation, anti-analysis and evasion techniques, making it a continuously evolving threat.
This fileless approach significantly reduces the attacker’s footprint on the system.
A common technique for achieving this is injecting malicious code into the address space of a legitimate process. Consequently, the payload executes under the identity of a trusted system or user process...
Once downloaded, the PowerShell script decrypts the payload using a simple XOR key.
adversaries leveraging QEMU, an open-source machine emulator and virtualizer typically used for development and testing, to deploy virtual machines that contained and executed malicious payloads. This approach enabled them to maintain covert access and bypass host-based detection from AV and EDR solutions.
Credential Access (5 techniques)
In addition, to gain access to credentials, an attacker may attempt to extract sensitive information directly from the memory of the lsass.exe process.
The teamserver exposes a full REST and WebSocket API for operator control — credential management...
    /creds/list  GET  List harvested credentials
KEDR Expert detects this activity using the credentials_from_web_browsers rule.
Discovery (4 techniques)
This included discovery commands such as nltest.exe, whoami.exe and ipconfig.exe.
adversaries leveraging QEMU, an open-source machine emulator and virtualizer typically used for development and testing, to deploy virtual machines that contained and executed malicious payloads. This approach enabled them to maintain covert access and bypass host-based detection from AV and EDR solutions.
Lateral Movement (4 techniques)
This convinced employees to initiate legitimate remote assistance sessions using tools like the Quick Assist Remote Monitoring and Management (RMM) tool.
To establish communication between agents via the SMB protocol, the framework utilizes named pipes.
Collection (1 technique)
Command and Control (9 techniques)
AdaptixC2 is an open-source post-exploitation framework... The framework ships two agent families... listeners as loadable plugins (“extenders”) covering HTTP/S, DNS/DoH, SMB named pipes, and raw TCP transports.
    BeaconHTTP: HTTP/S callback with configurable URIs, headers, and User-Agent rotation...
    BeaconDNS: DNS-based callback channel...
    BeaconTCP: Bind-style TCP channel for internal pivots
BEACON_HTTP for web-based communication... The beacon then established communication with a remote server, enabling the threat actors to obtain C2 on the infected machine.
AdaptixC2 supports the transmission of data and commands from C2 via both traditional DNS over UDP and DNS over HTTPS (DoH). This communication method enables the masking of the communication channel between the agent and the server.
the framework supports sophisticated tunneling capabilities, including SOCKS4/5 proxy functionality and port forwarding.
    /tunnel/start/lportfwd  POST  Start a local port forward
    /tunnel/start/socks5    POST  Start a SOCKS5 proxy tunnel
the beacon’s local traffic was carried over the encrypted SSH channel to remote infrastructure, enabling command-and-control communication while blending into normal outbound traffic.
Internal (P2P): agents communicate with adjacent agents, establishing a chain back to a host that interfaces directly with the C2 server. This approach leverages TCP and SMB.
IOCs tracked for this family
108 indicators attributed across vendor reports, sandbox runs, and researcher write-ups.
Recent activity
37 sources tracked across advisories, community write-ups, and news.
Open-source post-exploitation command-and-control framework written in Go and C++/Qt, used after initial compromise for maintaining access, tasking agents, lateral movement, data collection, screenshot capture, tunneling, and multi-operator collaboration. It supports multiple listener transports including HTTP/S, DNS/DoH, SMB named pipes, and raw TCP.
Open-source post-exploitation framework whose observed agents were packed beacons delivered through a custom x64 loader. The beacon decrypts shellcode, launches a DLL agent with RC4-encrypted configuration, and supports command execution, file operations, process control, program launch, SOCKS port forwarding, and BOF modules.
A post-compromise espionage implant that uses Azure Blob Storage as a dead-drop C2 channel. It supports 36 commands for file operations, uploads/downloads, shell execution, process control, port forwarding, SOCKS proxy control, C2 management, and in-memory BOF execution, giving attackers broad remote control and data exfiltration capability.
A red team command-and-control framework deployed by threat clusters exploiting Cisco SD-WAN devices.