New Hacking Framework AdaptixC2 Gains Traction Among Cybercriminals

AdaptixC2 Open-Source Tool Misused by Russian-Linked Ransomware Gangs

The420 Correspondent

A sophisticated open-source command-and-control (C2) framework named AdaptixC2, once promoted as a legitimate tool for cybersecurity professionals, is increasingly being co-opted by criminal hackers — including groups linked to Russian ransomware operations.

Developed as an extensible post-exploitation and adversarial emulation platform, AdaptixC2 was designed to help penetration testers and red teams simulate real-world cyberattacks. Its server component, written in Go, and a cross-platform C++/Qt client make it adaptable across systems, allowing users to manage compromised machines with high precision.

However, researchers at Palo Alto Networks’ Unit 42 and Silent Push now warn that AdaptixC2 has been adopted by actors behind the Fog and Akira ransomware campaigns, as well as by an initial access broker leveraging the CountLoader malware to distribute it. The tool’s rise illustrates a familiar pattern: frameworks meant for defense and training being turned into offensive weapons in the hands of criminals.


From GitHub to the Dark Web

The framework was first released in August 2024 by a developer using the pseudonym “RalfHacker” — who describes themselves as a penetration tester, red team operator, and “MalDev” (malware developer). Their GitHub profile, which hosted the initial AdaptixC2 repository, drew attention for openly embracing the malware-development label, prompting cybersecurity analysts to dig deeper into their identity and affiliations.

Investigators from Silent Push uncovered several linked GitHub accounts, associated email addresses, and a Telegram presence — including a channel called RalfHackerChannel, boasting over 28,000 subscribers. The channel regularly cross-posts updates and discussions from a dedicated AdaptixFramework community, where the developer had once expressed a desire to build a “public C2” framework “like Empire,” a well-known post-exploitation tool used in both ethical and criminal operations.

While there is no confirmed evidence that RalfHacker is directly involved in malicious campaigns, the rapid adoption of AdaptixC2 by Russian-speaking cybercriminals has raised alarms. Analysts note that the framework’s dissemination through Telegram mirrors earlier patterns seen in the spread of cracked versions of Cobalt Strike and Brute Ratel C4, both of which became staples of ransomware and phishing attacks worldwide.

The Growing Appeal of AdaptixC2

AdaptixC2’s technical design offers a range of advanced capabilities: encrypted communications, credential and screenshot management, command execution, remote terminal control, and modular plugin support. These features make it an effective instrument for both legitimate penetration testing and illicit post-exploitation activity.

According to Unit 42, attackers have used AdaptixC2 in fake help desk scams conducted via Microsoft Teams, as well as in AI-generated PowerShell attacks, allowing them to “comprehensively control impacted machines.”

The accessibility of AdaptixC2’s codebase — paired with its active online community — has made it a low-cost, high-utility option for both security researchers and cybercriminals. Its open-source nature means anyone can download, modify, and deploy the framework without oversight or licensing restrictions.

For ransomware groups seeking to mask their operations behind legitimate tools, this presents a valuable advantage: attacks that appear, at first glance, to originate from penetration-testing activity rather than criminal intent.

The Ethics and Risks of Open-Source Security Tools

The rise of AdaptixC2 revives a long-standing debate within the cybersecurity community: the ethical boundaries of open-source red-teaming frameworks. Tools such as Havoc, Mythic, and Sliver were developed for defensive training, yet all have been misused by threat actors to compromise systems.

Silent Push analysts noted that the “Russian underground” connection surrounding AdaptixC2 — fueled by its promotion through Telegram channels — “raises significant red flags.” They warn that the project’s ongoing visibility in hacker forums could lead to broader abuse, particularly as smaller cybercriminal groups mimic ransomware affiliates’ tactics.

Attempts to contact AdaptixC2’s developer for comment were unsuccessful.

Experts say the case underscores an enduring paradox of cybersecurity: the very openness that fosters innovation and collaboration can also become the pathway for exploitation. As open-source red-teaming tools proliferate, the line between ethical research and operational threat continues to blur — leaving defenders to face adversaries armed with the same instruments they once built to protect against them.
