
    Threat Actors Utilize AdaptixC2 for Malicious Payload Delivery

    A surge in cybercriminal abuse of AdaptixC2, a free adversary emulation framework originally created for penetration testers, has been detected in active ransomware operations.

    The tool, widely used for ethical security testing, is now appearing in malicious campaigns worldwide. 

    Its deployment accelerated shortly after new detection signatures were released, linking it to CountLoader, a malware loader first highlighted in August 2025. This development was detailed in a new analysis published today by Silent Push researchers.

    Ransomware Groups Turn to Legitimate Tools

    AdaptixC2 operates as an extensible post-exploitation platform, with a Golang-based server and a GUI built in C++ and Qt for cross-platform use.

    Security teams employ it to simulate intrusions and test defenses. However, analysts observed the tool being delivered by CountLoader, indicating coordinated use by criminal actors.

    Soon after detection rules were introduced, public incident reports documented an uptick in AdaptixC2 deployments across ransomware intrusions.

    A DFIR investigation found an Akira affiliate using the tool. Akira has breached more than 250 organizations and generated about $42m since 2023, targeting businesses and critical infrastructure in Europe, North America and Australia.

    This pattern mirrors a broader trend in which threat actors co-opt open-source offensive frameworks.

    Developer Links Draw Scrutiny

    Silent Push identified the alias “RalfHacker” as the most active developer contributing to AdaptixC2. The individual’s GitHub profile describes them as a penetration tester, red team operator and “MalDev.”

    Analysts linked the alias to Russian-language Telegram channels that advertised the framework, as well as to email addresses found in leaked hacking-forum data. Although researchers have not confirmed direct involvement in attacks, the behavior prompted continued monitoring.


    Attribution remains difficult because criminal actors often frame their activity as legitimate research. 

    Russian-language promotion, Telegram activity and the framework’s sudden adoption among Russian-aligned operators raised concerns within the research team, which assessed with moderate confidence that the developer’s ties to criminal activity are meaningful.

    Key Indicators to Watch

    In their latest advisory, Silent Push shared a series of key indicators to watch to protect against this threat:

    • Network traffic contacting infrastructure associated with AdaptixC2 servers

    • Signs of CountLoader activity, which may precede AdaptixC2 deployment

    • Unusual Golang-based command-and-control communications

    • Unknown C++ Qt applications executing within Windows, macOS or Linux environments
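The four indicators above are easier to act on when they are expressed as checks over endpoint telemetry. The script below is an added illustration, not code from Silent Push or the AdaptixC2 project: it takes per-process records (image path, loaded modules, outbound destinations, a slice of the image's bytes) and reports which indicator each process trips. Every hostname, path and telemetry record is constructed, the C2 and CountLoader lists are placeholders standing in for the advisory's real feed (the 203.0.113.0/24 addresses are a reserved documentation range), and the allowlist of trusted install paths is an assumption to be tuned per environment. The Go check relies on the build-info markers the Go toolchain embeds in its binaries; the Qt check relies on the Qt core library names shipped on Windows and Linux.

```python
"""Triage endpoint telemetry against the AdaptixC2 indicators listed above.

Added example; not Silent Push's or the AdaptixC2 project's code. All records,
hosts, paths and indicator values here are constructed for illustration.
"""
from dataclasses import dataclass, field

# Placeholder indicator feeds (constructed): replace with the advisory's values.
C2_HOSTS = {"203.0.113.10", "c2-placeholder.example"}
COUNTLOADER_MODULES = {"countloader-placeholder.dll"}

# Qt runtime core libraries as named on Windows and Linux.
QT_MODULES = {"qt5core.dll", "qt6core.dll", "libqt5core.so.5", "libqt6core.so.6"}

# Locations where Qt or Go binaries are expected on managed hosts (assumed allowlist).
TRUSTED_PREFIXES = (
    "c:\\program files\\", "c:\\program files (x86)\\",
    "/usr/bin/", "/usr/lib/", "/opt/", "/applications/",
)

# Markers the Go toolchain embeds in the binaries it produces (Go 1.13+).
GO_MARKERS = (b"\xff Go buildinf:", b"Go build ID:")


@dataclass
class ProcessEvent:
    host: str
    pid: int
    image_path: str
    modules: list = field(default_factory=list)       # basenames of loaded modules
    remote_hosts: list = field(default_factory=list)  # outbound destinations seen
    image_bytes: bytes = b""                          # bytes read from the image on disk


def is_trusted_path(path: str) -> bool:
    """Case-insensitive prefix match against the install-path allowlist."""
    return path.lower().startswith(TRUSTED_PREFIXES)


def looks_go_compiled(data: bytes) -> bool:
    """True when the Go build-info marker appears in the sampled image bytes."""
    return any(marker in data for marker in GO_MARKERS)


def triage(event: ProcessEvent) -> list:
    """Return (severity, rule) findings for one process, in a stable order."""
    findings = []
    modules = {m.lower() for m in event.modules}

    # Indicator 1: traffic to infrastructure associated with AdaptixC2 servers.
    if C2_HOSTS.intersection(event.remote_hosts):
        findings.append(("high", "contact-with-adaptixc2-infrastructure"))
    # Indicator 2: CountLoader activity, which may precede AdaptixC2 deployment.
    if modules & COUNTLOADER_MODULES:
        findings.append(("high", "countloader-module-loaded"))
    # Indicator 3: Go-compiled binary talking outbound from an unexpected location.
    if (looks_go_compiled(event.image_bytes) and event.remote_hosts
            and not is_trusted_path(event.image_path)):
        findings.append(("medium", "go-binary-outbound-from-untrusted-path"))
    # Indicator 4: Qt application running from outside the trusted install paths.
    if modules & QT_MODULES and not is_trusted_path(event.image_path):
        findings.append(("medium", "qt-application-from-untrusted-path"))
    return findings


def triage_all(events) -> dict:
    """Map 'host:pid' to its findings, omitting processes with none."""
    result = {}
    for ev in events:
        hits = triage(ev)
        if hits:
            result[f"{ev.host}:{ev.pid}"] = hits
    return result


# Constructed telemetry: one clean process and three that trip an indicator each.
SAMPLE_EVENTS = [
    ProcessEvent("ws01", 4120, "C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe",
                 ["Qt5Core.dll", "Qt5Gui.dll"], ["203.0.113.10"], b"MZ\x90\x00"),
    ProcessEvent("ws01", 512, "C:\\Program Files\\Acme\\acme.exe",
                 ["Qt6Core.dll"], [], b"MZ\x90\x00"),
    ProcessEvent("srv02", 9001, "/tmp/.x/agent",
                 [], ["203.0.113.55"], b"\x7fELF\x02\x01\x01" + b"\xff Go buildinf:\x08\x02"),
    ProcessEvent("ws03", 77, "C:\\Users\\bob\\Downloads\\invoice.exe",
                 ["countloader-placeholder.dll"], [], b"MZ\x90\x00"),
]

if __name__ == "__main__":
    for key, hits in triage_all(SAMPLE_EVENTS).items():
        print(key, hits)
```

The second record shows why the allowlist matters: a Qt application under Program Files is normal and produces no finding, while the same modules loaded from a user's Temp directory do. In practice the `image_bytes` field would be fed from a strings scan or the `.go.buildinfo` section of the on-disk image, and the placeholder feeds would be replaced by the indicator values from the advisory.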

    “Given that AdaptixC2, which RalfHacker regularly develops and maintains, remains in active use by cyber-criminals, our team assesses with moderate confidence that ties between the two are non-trivial and worthy of inclusion and continued observation,” Silent Push concluded.
