Silent Push Unearths AdaptixC2's Ties to Russian Criminal Underworld, Tracks Threat Actors Harnessing Open-Source Tool for Malicious Payloads

Key Findings
- Silent Push Threat Analysts have uncovered threat actors using AdaptixC2, a free and open-source Command and Control (C2) framework commonly used by penetration testers, to deliver malicious payloads.
- Our team has observed heavy ties linking AdaptixC2 to Russia and the Russian criminal underworld.
- Abuse of AdaptixC2 was first discovered during our research on the new CountLoader malware loader, which we reported on back in August 2025.
- Soon after signatures were added to our detection methods, several public reports highlighted the surge in threat actors using AdaptixC2 in global ransomware campaigns.
- We identified a potential threat actor with significant ties to Russia who goes by the handle “RalfHacker,” appears to be a developer behind AdaptixC2, and manages a Russian-language sales Telegram channel for the framework.
Executive Summary
AdaptixC2 is an emerging, extensible post-exploitation and adversarial emulation framework designed for penetration testers. Security researchers and red teams (groups of security experts authorized to act as adversaries, performing simulated attacks against an organization to identify vulnerabilities and test defensive capabilities) frequently use this open-source tool, which can be downloaded for free from GitHub.
Our threat team first observed AdaptixC2 being abused during our research into the CountLoader threat, which is covered in our August 2025 TLP: Amber report, exclusive to Enterprise clients, and in the September 2025 blog that followed. We found malicious AdaptixC2 payloads being served from attacker infrastructure and dropped by the CountLoader malware, indicating that these operators favor both tools.
Beyond creating detection signatures for CountLoader infrastructure, our team has also developed signatures to detect AdaptixC2, ensuring comprehensive coverage for our customers. Coincidentally, shortly after we added those signatures to our detection methods, several public reports highlighted a surge in the use of AdaptixC2 across global ransomware campaigns.
Background
AdaptixC2 is an extensible post-exploitation and adversarial emulation framework created for penetration testers. For flexibility, the AdaptixC2 server is written in Go. The GUI client is written in C++ with Qt so that it runs on Linux, Windows, and macOS. The project's GitHub repository provides the latest information on the AdaptixC2 framework (source: https://github.com/Adaptix-Framework/AdaptixC2).

In our recent client report on CountLoader, we detailed how a new malware loader was dropping malicious AdaptixC2 payloads. This prompted us to create a few dedicated Indicators Of Future Attack™ (IOFA™) feeds to cover both threats.
Our CountLoader research provided clear evidence that, beyond its use as an ethical pen-test tool, AdaptixC2 is being used by cyber criminals. This finding was also underscored in a recent DFIR Report, which observed AdaptixC2 use by an Akira ransomware affiliate.
According to a CISA bulletin, Akira ransomware has been used in attacks since March 2023 against a wide range of businesses and critical infrastructure providers in North America, Europe, and Australia. Akira has affected over 250 organizations and claimed an estimated $42 million (USD) in ransomware proceeds.
Initial Intelligence
Our CountLoader research initially provided us with a C2 IP address, 64[.]137[.]9[.]118, which was the starting point for our research into AdaptixC2’s use by threat actors. Using the Silent Push Web Scanner, our team created a technical fingerprint to track AdaptixC2 servers.
Unfortunately, for operational security (OPSEC) purposes, we are unable to share any technical details on the fingerprints outside of our client base. If you are interested in proactive protection against these threats, please reach out to our sales team.
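The fingerprint itself is not disclosed above, so the following is not it. As an added example (not Silent Push code), it shows the minimum a defender can do with what the post does publish: refang the defanged notation used throughout this post (`[.]`, `hxxp`, `[:]//` and similar), build an indicator set from it, and scan log lines for exact matches. The only real indicator used is the C2 IP 64[.]137[.]9[.]118 from this post; the proxy and DNS log lines are constructed for illustration and the non-matching addresses are documentation-range placeholders.

```python
"""Refang defanged indicators and match them against log lines.

Added example, not Silent Push code. The one real indicator below is the
C2 IP published in the post; the log lines are constructed. This is plain
indicator matching, not the undisclosed Silent Push fingerprint.
"""
import re
from typing import Iterable

# Defanging conventions commonly seen in threat reports.
_REFANG_RULES = [
    (re.compile(r"\[\.\]|\(\.\)|\{\.\}|\[dot\]", re.I), "."),
    # hxxp / hXXps -> http / https (case preserved as lowercase)
    (re.compile(r"hxxps?", re.I), lambda m: m.group(0).lower().replace("xx", "tt")),
    (re.compile(r"\[:\]//|\[://\]"), "://"),
    (re.compile(r"\[@\]|\(at\)", re.I), "@"),
]


def refang(indicator: str) -> str:
    """Turn a defanged indicator back into its live form."""
    out = indicator.strip()
    for pattern, repl in _REFANG_RULES:
        out = pattern.sub(repl, out)
    return out


def build_ioc_set(defanged: Iterable[str]) -> set[str]:
    """Refang and lowercase every indicator so matching is exact and case-free."""
    return {refang(i).lower() for i in defanged}


# Tokens worth comparing against an IOC set: IPv4 literals and hostnames.
_IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
_HOST = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)


def find_hits(log_lines: Iterable[str], iocs: set[str]) -> list[tuple[int, str]]:
    """Return (line_number, indicator) for every IOC seen in the logs."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        tokens = set(_IPV4.findall(line)) | {h.lower() for h in _HOST.findall(line)}
        for tok in sorted(tokens):
            if tok in iocs:
                hits.append((n, tok))
    return hits


# The C2 IP from this post, in the post's own defanged notation.
IOCS_DEFANGED = ["64[.]137[.]9[.]118"]

# Constructed sample log lines; 198.51.100.x and 203.0.113.x are documentation ranges.
SAMPLE_LOGS = [
    "2025-09-12T10:01:44Z proxy src=10.0.5.21 dst=64.137.9.118 dport=443 method=POST uri=/",
    "2025-09-12T10:01:45Z proxy src=10.0.5.22 dst=198.51.100.7 dport=443 method=GET uri=/",
    "2025-09-12T10:02:01Z dns client=10.0.5.21 query=example.org answer=203.0.113.9",
]


if __name__ == "__main__":
    for line_no, ioc in find_hits(SAMPLE_LOGS, build_ioc_set(IOCS_DEFANGED)):
        print(f"line {line_no}: hit on {ioc}")
```

Exact token matching is deliberate: substring matching would let an IOC such as a short hostname fire inside unrelated strings, and version numbers that look like IPv4 literals only match if they are themselves in the IOC set.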
Who’s Behind the AdaptixC2 Framework?
The account with the most commits (changes) to the AdaptixC2 Framework repository belongs to a user who goes by the handle “RalfHacker.”

In the image below, taken from their GitHub biography, RalfHacker presents themselves as a penetration tester, red team operator, and—most importantly from our perspective—as a “MalDev,” or a malware developer. This, understandably, sparked further investigation.
![Screenshot of github[.]com/RalfHacker](https://www.silentpush.com/wp-content/uploads/adaptix-image-3-ralf-hacker.png)
Our team recovered several email addresses from GitHub accounts linked to “RalfHacker.” The first address recovered was cybersecurityaaron@protonmail[.]com; an older address used by RalfHacker was hackerralf8@gmail[.]com.
Using the Open-Source Intelligence (OSINT) site intelx.io, we confirmed that this email address also appears in a leaked database belonging to a known hacking forum.

A Telegram account then led us to a large Telegram group, named after “Ralf Hacker,” advertising the v0.6 update to AdaptixC2 with a pinned message in Russian containing hashtags related to Active Directory and (roughly machine-translated) APT & ATM materials/resources.

It is interesting to note that RalfHacker makes their announcements primarily in Russian. This aligns with the strong ties to Russia our team discovered during our CountLoader research, though it is not a definitive link by itself. Our team has compiled additional details on this individual’s activity, which, for OPSEC purposes, are only available to our enterprise customers.

We also identified a related second Telegram channel that promotes just the AdaptixC2 framework: t[.]me/AdaptixFramework.
Complex Mitigation Methods for Legit Tools
Based on the information we have available, there is insufficient evidence for us to conclusively determine the extent of RalfHacker’s involvement in malicious activity tied to AdaptixC2 or CountLoader at this time. However, threat actors often mask their cyber criminal activities under the guise of “red teaming,” or ethical hacking, when communicating publicly with other threat actors. RalfHacker’s own page aligns with this practice, featuring the brazen “maldev” advertisement.
Other legitimate red team tools maintained by professional developers, such as “evilginx2,” are also heavily used by threat actors. Separating malicious from ethical use requires significantly more evidence from defenders, which gives cyber criminals another layer of cover.
RalfHacker’s ties to Russia’s criminal underground, evidenced by the use of Telegram to market the tool and the tool’s subsequent uptick in use by Russian threat actors, raise significant red flags for our team.
Given that AdaptixC2, which RalfHacker regularly develops and maintains, remains in active use by cyber criminals, our team assesses with moderate confidence that ties between the two are non-trivial and worthy of inclusion and continued observation.
Learn More About Cyber Criminal Abuse of Ethical Tools
Our enterprise customers have access to the exclusive report we created for this campaign. If you would like to learn more about our capabilities for tracking adversarial frameworks, or how you can hunt for them on our platform, we encourage you or your organization to reach out to our team for a demonstration of Silent Push cyber defense technology.
Connect with our platform experts for an overview of the Silent Push Enterprise Edition platform. We are happy to provide you with a tailored walkthrough for your specific use case, along with insights into integrations and API capabilities.
Continuing to Track AdaptixC2 Infrastructure
Our threat team will continue to track and examine AdaptixC2’s infrastructure, as well as that of other post-exploitation frameworks, for malicious behavior and report new findings as our research progresses.
If you or your organization has any information to share on this topic or any related ones, we would love to hear from you.

