Ethical Hacking News
AdaptixC2, an open-source command-and-control (C2) framework built for penetration testing, is being adopted by a growing number of threat actors, including groups tied to Russian ransomware operations. Its author, RalfHacker, describes himself on GitHub as a penetration tester and "MalDev" (malware developer), a label that prompted Silent Push to investigate the account; the framework's promotion over Telegram and its rising use by Russian threat actors have raised concerns about how a legitimate red-team tool is being repurposed.
The framework itself is a capable post-exploitation platform: it ships with fully encrypted agent communications, command execution, credential and screenshot managers, and a remote terminal, and it has drawn considerable attention from both defenders and attackers in recent months.
Developed by RalfHacker (@HackerRalf on X), who describes himself as a penetration tester, red team operator, and "MalDev" (short for malware developer), AdaptixC2 was first made publicly available in August 2024. Although intended as a tool for red-team engagements, it has since been adopted by several intrusion groups, including those behind the Fog and Akira ransomware operations.
The "MalDev" label in RalfHacker's GitHub bio is what prompted cybersecurity company Silent Push to investigate the account. That investigation surfaced several email addresses linked to the account's owner and a Telegram channel, RalfHackerChannel, with more than 28,000 subscribers.
Silent Push stopped short of tying RalfHacker directly to any intrusion. While it is currently unclear whether RalfHacker has any direct involvement in malicious activity tied to AdaptixC2 or CountLoader, the company stated that "the use of Telegram for marketing and the tool's subsequent uptick in utilization by Russian threat actors all raise significant red flags," and characterized its findings as "ties to Russia's criminal underground." RalfHacker's stated interest, in August 2024, in starting a "public C2" project adds to those concerns.
Palo Alto Networks Unit 42 characterized AdaptixC2 as a modular and versatile framework that gives an operator comprehensive control over a compromised machine. Unit 42 has seen it deployed through fake help-desk support calls conducted over Microsoft Teams and through an artificial intelligence (AI)-generated PowerShell script.
For defenders, the lesson is the usual one for open-source offensive tooling: the author's intent matters less than the fact that the framework's agents are now part of the ransomware toolchain. Detection and response should treat AdaptixC2 beacons, and the delivery vectors reported so far (Teams-based help-desk lures and scripted PowerShell droppers), the same way as any other C2, rather than waiting for attribution to settle. AdaptixC2 is a clear example of how a freely available red-team framework can be repurposed for criminal use, and the groups using it will keep adapting.
Related Information:
https://www.ethicalhackingnews.com/articles/Russian-Ransomware-Gangs-Leverage-Open-Source-AdaptixC2-Framework-for-Highly-Advanced-Cyber-Attacks-ehn.shtml
https://thehackernews.com/2025/10/russian-ransomware-gangs-weaponize-open.html
https://unit42.paloaltonetworks.com/adaptixc2-post-exploitation-framework/
https://7orvs.github.io/threat+actor+profiling/Akira-APT-Group-Profiling/
https://dailysecurityreview.com/resources/threat-actors-resources/akira-ransomware-the-extortion-ghost-in-a-shell/
https://www.silentpush.com/blog/adaptix-c2/
https://github.com/RalfHacker
https://greydynamics.com/the-five-bears-russias-offensive-cyber-capabilities/
https://www.redhotcyber.com/en/post/russian-domestic-hackers-cozy-bear-apt29-analysis-of-the-main-attacks-and-their-ttps/
Published: Thu Oct 30 12:49:13 2025 by llama3.2 3B Q4_K_M