Silent Push Threat Analysts have uncovered growing evidence that AdaptixC2, a legitimate open-source post-exploitation framework designed for penetration testers, is being repurposed by cybercriminals — particularly by threat actors linked to Russia.
Originally marketed as a post-exploitation and adversarial emulation tool, AdaptixC2 was created for legitimate red team operations. Written in Golang with a C++/Qt graphical interface, the framework was designed for cross-platform use on Linux, Windows, and macOS.
However, as Silent Push explains, this legitimate testing framework has increasingly become a weapon of choice among cybercriminals.
“Our threat team first observed AdaptixC2 being abused during our research into the CountLoader threat,” the analysts wrote. “We found malicious AdaptixC2 payloads being served from attacker infrastructure utilizing the CountLoader malware, indicating a preference for both tools.”
This discovery followed Silent Push’s August 2025 TLP:Amber report on CountLoader, a stealthy malware loader that distributes second-stage payloads. Within weeks, the team identified a growing pattern of AdaptixC2 servers being deployed in global ransomware campaigns, including operations associated with Akira ransomware.
The Akira ransomware group, which has targeted over 250 organizations worldwide, generating an estimated $42 million USD in illicit revenue, has also adopted AdaptixC2 as part of its toolkit. Silent Push cited a corroborating DFIR Report, which found AdaptixC2 used by an Akira affiliate to maintain access and exfiltrate data before encryption.
The analysts noted: “Beyond its use as an ethical pen-test tool, AdaptixC2 is being used by cyber criminals.”
Through extensive open-source intelligence (OSINT) research, Silent Push identified a key individual linked to AdaptixC2 development: a GitHub user and Telegram channel operator known as “RalfHacker.”
The report states, “The individual making the most commits (changes) to the AdaptixC2 Framework repository is an individual who goes by the handle ‘RalfHacker.’”
According to the analysts, this user describes themselves as a “penetration tester, red team operator, and ‘MalDev’ — a malware developer.” Silent Push traced two email addresses associated with the account — cybersecurityaaron@protonmail[.]com and hackerralf8@gmail[.]com — both of which appeared in a leaked RaidForums database.
The investigation also revealed that RalfHacker runs a Russian-language Telegram channel advertising updates to AdaptixC2, including version “v0.6.” Posts are tagged with references to Active Directory and “APT materials,” and are primarily written in Russian — further linking the developer to the Russian cybercriminal ecosystem.
Silent Push commented: “It is interesting to note that RalfHacker makes its announcements primarily in Russian. This aligns with the strong ties to Russia our team discovered during the course of our CountLoader research.”
Silent Push emphasizes that AdaptixC2 represents a growing challenge in cybersecurity — the misuse of legitimate red-team frameworks by threat actors.
Similar tools, such as Evilginx2, have been abused in the same way, with adversaries turning open-source pen-testing software to criminal use.
“Threat actors often mask their cyber criminal activities under the guise of ‘red teaming,’” the analysts wrote. “RalfHacker’s own page aligns with this practice, featuring the brazen ‘maldev’ advertisement.”
While Silent Push could not conclusively determine whether RalfHacker is directly involved in ransomware operations, their assessment concluded with “moderate confidence” that there are non-trivial ties between the developer and Russian cybercrime networks.
“RalfHacker’s ties to Russia’s criminal underground, via the use of Telegram for marketing and the tool’s subsequent uptick in utilization by Russian threat actors, all raise significant red flags for our team,” the report states.