2025-09-12

The open-source penetration testing tool AdaptixC2 is being increasingly used in real-world attacks for post-exploitation activity, Palo Alto Networks Unit 42 revealed in an analysis Wednesday.

AdaptixC2 is designed for legitimate adversary emulation for penetration testers, red teams and security researchers, but has been adopted by cybercriminals to assist in attacks in recent months, according to Unit 42.

The open-source framework enables a wide range of post-exploitation command-and-control (C2) functions, including beaconing, command execution, file management and data exfiltration.

It has a modular architecture with the ability to add “extenders” (i.e. plugins) to support additional capabilities such as credential harvesting, lateral movement and use of custom payloads.

AdaptixC2 enables stealth with fileless in-memory execution, encrypted configuration files, operational scheduling to avoid anomalous off-hours activity and support for Beacon Object Files (BOFs), which can run directly within the agent’s process.

Three different beacon types for web-based, pipe-based and TCP-based communications provide attackers with a flexible, reliable remote connection to the infected machine.

Teams phishing, AI-assisted code used in real-world attacks

The framework uses a relatively simple RC4-based encryption scheme to obfuscate its beacon configuration files, enabling Palo Alto to create a configuration extractor tool for defenders to use to analyze adversarial AdaptixC2 activity.
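The RC4 scheme described above is simple enough that a defender can write an extractor in a few dozen lines. What follows is an added example, not Unit 42's tool or AdaptixC2's own code; because the article does not describe the real config layout or key handling, the blob layout (length header, ciphertext, trailing key), the key placement and the config values are all constructed assumptions.

```python
# Added example (not Unit 42's extractor): RC4 decryption of a beacon config.
# The real AdaptixC2 config layout and key derivation are not given in the
# article, so the blob layout here is a CONSTRUCTED assumption:
#   [4-byte little-endian ciphertext length][ciphertext][16-byte RC4 key]
import json
import struct


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Encryption and decryption are the same operation."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def build_sample_blob(config: dict, key: bytes) -> bytes:
    """Constructed sample: encrypt a JSON config under the assumed layout."""
    ct = rc4(key, json.dumps(config).encode())
    return struct.pack("<I", len(ct)) + ct + key


def extract_config(blob: bytes) -> dict:
    """Recover the plaintext config from a blob in the assumed layout."""
    if len(blob) < 4:
        raise ValueError("blob too short for length header")
    (ct_len,) = struct.unpack("<I", blob[:4])
    ct = blob[4:4 + ct_len]
    key = blob[4 + ct_len:]
    if len(ct) != ct_len or not key:
        raise ValueError("truncated blob or missing key")
    return json.loads(rc4(key, ct))


# Constructed config values; not real infrastructure.
SAMPLE_CONFIG = {"beacon": "http", "hosts": ["c2.example.invalid:443"], "sleep": 30}
SAMPLE_KEY = bytes(range(16))
SAMPLE_BLOB = build_sample_blob(SAMPLE_CONFIG, SAMPLE_KEY)

if __name__ == "__main__":
    print(extract_config(SAMPLE_BLOB))
```

A real extractor would replace the assumed layout with offsets recovered from the sample under analysis; the RC4 routine itself stays the same.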

Unit 42 researchers say AdaptixC2 use by cybercriminals is becoming more common, and noted multiple real-world attacks observed by the researchers in early May 2025.

In one of the attacks, the threat actor managed to gain initial access via social engineering, contacting the victim via Microsoft Teams and identifying themselves as help desk staff.

The attacker then initiated a remote session using Quick Assist, allowing them to deploy a PowerShell loader that retrieved shellcode from Google Drive and executed it in memory via dynamic invocation, leading to deployment of the AdaptixC2 beacon.

In another attack, the PowerShell script used to deploy the AdaptixC2 beacon was suspected to be AI-generated due to hallmarks including “verbose, numbered comments” and check mark icons in output messages.

This suspected AI-assisted code downloaded and decoded Base64-encoded shellcode from a remote server, allocated memory and changed memory protection, executed the shellcode via dynamic invocation and achieved persistence via DLL hijacking and a registry run key.

AdaptixC2 has previously been reported to have been used alongside Akira ransomware and Fog ransomware, demonstrating its versatility in enabling a range of malware and ransomware attacks.

“The framework’s modularity, combined with the potential for AI-assisted code generation, could allow threat actors to rapidly evolve their tactics. Security teams must remain aware of AdaptixC2’s capabilities and proactively adapt their defenses to counter this threat,” the Unit 42 researchers concluded.