Researchers and security firms report that the open-source command-and-control framework AdaptixC2 is being used by a growing number of threat actors, including groups tied to Russian ransomware operations. The framework’s server component is written in Go and the GUI client in C++ Qt. Its code and documentation are publicly available on GitHub, and the project’s documentation describes it as an extensible post-exploitation and adversarial emulation framework.
An early iteration of the project was publicly released in August 2024 by a GitHub user identifying as RalfHacker. The account and related posts include a GitHub profile at RalfHacker, a social post on X, and an initial release link on Telegram at t.me/AdaptixFramework/4.
In recent months the tool has been adopted by multiple groups and has been observed in operations that include delivery of post-exploitation tooling. Palo Alto Networks Unit 42 produced a technical breakdown that characterized the framework as modular and capable of extensive control over impacted machines; that analysis also noted use cases such as fake help-desk calls over Microsoft Teams and an AI-generated PowerShell script. In their write-up, the Unit 42 researchers compared the framework to other post-exploitation frameworks such as Empire.
Security vendor Silent Push said its investigation into the project’s author found email addresses tied to GitHub accounts and active marketing on Telegram, including a prominent channel. In its published findings, Silent Push researchers identified the Telegram channels RalfHackerChannel and a dedicated channel for AdaptixC2 activity.
While the framework is presented as a red team tool for ethical testing, its uptake by criminal operators has raised concerns. It is not publicly known whether the project’s maintainer has direct involvement in criminal activity.

