‘RalfHacker’ identified as AdaptixC2 developer with ties to Russia

New information on AdaptixC2 continued on Oct. 30 as researchers at Silent Push identified a potential threat actor with ties to Russia who appears to be one of the developers of AdaptixC2.

In the blog post, the researchers said the threat actor goes by “RalfHacker” and also manages a Russian-language sales Telegram channel for the AdaptixC2 framework.

SC Media described AdaptixC2 on Oct. 21 as an open-source post-exploitation framework that’s growing in popularity among malicious actors. Kaspersky researchers reported on Oct. 17 that they found AdaptixC2 hidden in an npm package posing as an HTTPS proxy utility.

This was a little more than one month after Palo Alto Networks Unit 42 researchers first reported that threat actors had been observed spreading AdaptixC2 through social engineering on Microsoft Teams, where attackers posed as help desk staff and convinced victims to initiate a remote session via Quick Assist. Unit 42 also reported that AdaptixC2 has been seen in attacks involving Akira and Fog ransomware.

“The number of reports reflects both risk and incentives,” explained Jason Soroko, senior fellow at Sectigo. “Vendors want to warn customers and ship detections, and they also race to lead the narrative with fresh indicators, infrastructure mapping, and attribution clues.

Soroko pointed out that Palo Alto surfaced the technical core and early use, Kaspersky broadened the lens with threat activity context, and Silent Push recently tied the public developer persona and community channels to a growing distribution pipeline.

“Tie that to thousands of subscribers and the chance of rapid weaponization rises, so multiple firms pile on to keep visibility high and to shape how defenders prioritize controls,” said Soroko.

Louis Eichenbaum, Federal CTO at ColorTokens, added that AdaptixC2 has gained significant attention because of its rapid adoption by threat actors and its growing role in real-world intrusions. Originally designed as an open-source post-exploitation and red-team framework, Eichenbaum said it’s now being actively weaponized, like previous transitions seen with Cobalt Strike and Sliver.

“Its modular architecture, cross-platform agent support, encrypted communications, and flexible command-and-control channels  sucha s HTTP/S, SMB and TCP make it effective for stealthy persistence and lateral movement,” said Eichenbaum.

Eichenbaum said security researchers recently observed campaigns leveraging PowerShell loaders, in-memory shellcode execution, DLL hijacking, and registry-based persistence, all pointing to AdaptixC2 infrastructure. Features like beacon scheduling, kill dates, and support for custom plugins further increase its evasion capability and operational flexibility for adversaries, noted Eichenbaum.

Mayuresh Dani, security research manager at the Qualys Threat Research Unit, added that another reason threat actors have flocked to AdaptixC2 is cost:

AdaptixC2 is open-source, fully-featured, and actively maintained. The framework offers capabilities that rival commercial tools like Cobalt Strike. But unlike Cobalt Strike's $3,500 annual license, Dani said AdaptixC2 is free.

“The technical features are extensive, allowing encryption for communications, command execution, credential harvesting, and support for 'beacon object files' for memory-resident execution,” said Dani. “In short, these are enterprise-grade post-exploitation capabilities available to anyone with an internet connection.”