September 11, 2025
Researchers at Palo Alto Networks’ Unit 42 have published a report detailing the rise of AdaptixC2, an open-source post-exploitation and adversarial emulation framework that is increasingly being abused by threat actors. Originally designed for penetration testers, AdaptixC2 has quickly become a tool of choice for attackers seeking stealth, flexibility, and persistence in compromised environments.
According to the researchers, “AdaptixC2 is a recently identified, open-source post-exploitation and adversarial emulation framework made for penetration testers that threat actors are using in campaigns.” Unlike more widely known frameworks such as Cobalt Strike or Sliver, AdaptixC2 has largely flown under the radar, with limited public documentation of its real-world usage.
Its functionality includes executing commands, transferring files, and exfiltrating data. Because it is open-source, “threat actors can easily customize and adapt it for their specific objectives. This makes it a highly flexible and dangerous tool.”
AdaptixC2 offers extensive features that make it attractive to attackers:
- File and process manipulation – creating, deleting, and modifying files, and enumerating running processes.
- Network tunneling – SOCKS4/5 proxying and port forwarding through the beacon let the operator pivot from a compromised host into internal networks that are not directly reachable.
- Modular design – “extenders” act like plugins, while Beacon Object Files (BOFs) let attackers load and run small compiled C routines inside the beacon’s own process without dropping a new binary.
- Stealth features – configurable parameters such as KillDate (a date after which the beacon stops running) and WorkingTime (the hours during which it is allowed to communicate) let attackers confine beaconing to normal business hours and limit how long an implant remains active, so its traffic is easier to mistake for legitimate activity.
The beacons themselves support x86/x64 and can be deployed as executables, DLLs, service executables, or raw shellcode. The framework also includes encrypted configuration and multiple communication profiles (HTTP, SMB, TCP), allowing attackers to adapt to different environments.
Unit 42 tracked multiple AdaptixC2 infections in May 2025, with two distinct deployment scenarios:
- Scenario 1: Social Engineering via Fake Help Desk
Attackers impersonated IT support staff on Microsoft Teams, luring employees into granting remote access. “This convinced employees to initiate legitimate remote assistance sessions using tools like the Quick Assist Remote Monitoring and Management (RMM) tool,” the report explains.
The attackers then delivered an AdaptixC2 beacon through a multi-stage PowerShell loader. The payload was decrypted in memory and executed directly via dynamic invocation, avoiding disk artifacts and making detection harder.
- Scenario 2: AI-Generated PowerShell Loader
In another case, researchers assessed with high confidence that the attackers used AI-assisted code generation to create a PowerShell script. The script downloaded Base64-encoded shellcode, decoded it into unmanaged memory, and executed it by obtaining a callable delegate for that memory through the .NET Marshal.GetDelegateForFunctionPointer method. Persistence was achieved through DLL hijacking and registry Run keys.
Unit 42 notes that “the structure and composition of this PowerShell script strongly suggests that the attacker used AI-assisted generation.” This raises alarms about how generative AI can accelerate malicious code development.
The report highlights that AdaptixC2 is increasingly used alongside other malware families, such as Fog ransomware, in coordinated campaigns against financial institutions. As Unit 42 warns, “The emergence of AdaptixC2 as a tool used in the wild by threat actors highlights a growing trend of attackers using customizable frameworks to evade detection.”