AdaptixC2 Framework: A Growing Threat in Ransomware Operations

The open-source command-and-control (C2) framework AdaptixC2 has become a tool for an increasing number of threat actors, including those associated with Russian ransomware operations. This development highlights how publicly available penetration testing tools can be repurposed for malicious campaigns, posing an evolving challenge for cybersecurity defenses.

AdaptixC2, publicly released in August 2024 by GitHub user ‘RalfHacker’, is an extensible post-exploitation and adversarial emulation framework designed for penetration testing, according to its official documentation. Its server component is written in Go, and its GUI client is built with C++ and Qt for cross-platform compatibility, as documented on GitBook. The framework’s adoption by hacking groups linked to the Fog and Akira ransomware operations, along with an initial access broker deploying it via CountLoader, underscores its growing presence in the threat landscape, The Hacker News reported.

The framework offers a suite of functionalities that matter for post-exploitation activity, including fully encrypted communications, command execution, and dedicated credential and screenshot managers, The Hacker News stated. In a September 2025 analysis, Palo Alto Networks Unit 42 described AdaptixC2 as a modular and versatile framework that can be used to “comprehensively control impacted machines”. These features enable threat actors to maintain persistent access and escalate privileges within compromised networks.

AdaptixC2 has been observed across a range of attack vectors, including fake help desk support call scams conducted through Microsoft Teams and deployments carried out with artificial intelligence (AI)-generated PowerShell scripts, Palo Alto Networks Unit 42 detailed. These diverse delivery methods indicate a flexible and adaptable tool being integrated into sophisticated attack chains. The ability to gain extensive control over compromised systems represents a significant impact for targeted organizations.

The developer, RalfHacker, identifies as a penetration tester, red team operator, and ‘MalDev’ on their GitHub profile. In an October 2025 blog post, cybersecurity company Silent Push said it opened an investigation into RalfHacker, citing the “MalDev” designation as the trigger. The investigation uncovered linked email addresses and identified RalfHacker’s Telegram channel, ‘RalfHackerChannel’, which has over 28,000 subscribers and re-shares messages from a dedicated AdaptixC2 channel, Silent Push reported.

In August 2024, via the AdaptixFramework Telegram channel, RalfHacker expressed interest in developing a “public C2” project akin to ‘Empire’, another well-known post-exploitation framework. In its analysis, Silent Push noted that RalfHacker’s “ties to Russia’s criminal underground, via the use of Telegram for marketing and the tool’s subsequent uptick in utilization by Russian threat actors, all raise significant red flags”. The increasing adoption of AdaptixC2 by threat actors underscores the ongoing challenge of open-source tools being leveraged for malicious purposes.