Current Cyber Threats

AdaptixC2: A New Open-Source Framework Leveraged in Real-World Attacks

Summary:
In May 2025, Unit 42 researchers observed threat actors deploying AdaptixC2, an open-source post-exploitation and adversarial emulation framework built for penetration testers and red teams. AdaptixC2 has attracted less attention than more established C2 frameworks, but its flexibility and modularity make it a potent tool in the wrong hands: operators can execute commands, manipulate files, exfiltrate data, and maintain covert communications through HTTP, SMB, and TCP beacons. Two infection scenarios were documented: (1) social engineering via fake help desk calls that led to Quick Assist misuse and a fileless PowerShell loader, and (2) AI-generated scripts that deployed AdaptixC2 through in-memory injection and DLL hijacking. In both cases the attackers prioritized stealth, persistence, and adaptability, using obfuscation, built-in evasion features, and operational security parameters to avoid detection. Telemetry also showed AdaptixC2 being used alongside ransomware, placing it within broader attack chains.

Security Officer Comments:
AdaptixC2 illustrates the continuing trend of weaponizing open-source red teaming tools in malicious campaigns. The AI-generated loader scripts seen in one of the intrusions point to a concerning shift toward automated, low-effort but effective malware development. Organizations should expect increased adoption of frameworks like AdaptixC2, since they give adversaries customizable capabilities that are hard to detect.

Suggested Corrections:
  • Detection & Monitoring: Monitor for abnormal PowerShell usage, particularly script blocks that decode and execute payloads in memory (PowerShell script block logging, Event ID 4104, is the primary source for this), and for unusual Quick Assist or RMM activity that follows a help desk call. Analyze outbound traffic for beacon-like patterns such as unexpected, regularly timed HTTP POST requests and non-browser user agents.
  • Endpoint & Network Controls: Enable advanced endpoint logging to capture script activity. Restrict or tightly control remote assistance and RMM tools such as Quick Assist, and use DNS/URL filtering to block known AdaptixC2 C2 infrastructure and malicious payload hosting services.
  • Hardening & Response: Enforce multi-factor authentication to limit the value of credentials obtained through social engineering. Hunt for persistence mechanisms such as Startup folder shortcuts, DLL hijacking, and malicious Run keys, and use beacon configuration extractors and intel feeds to accelerate incident response.
Link(s):
https://unit42.paloaltonetworks.com/adaptixc2-post-exploitation-framework/