AdaptixC2
AdaptixC2 is an open-source command-and-control and red-team framework (also described in reporting as an open-source Go C2 toolkit) that has been observed in multiple real-world intrusions as post-compromise malware rather than only as legitimate tooling. The public reporting summarized on this page shows it used for remote command and control, remote shell access, process management, screenshot capture, SSH backdoor establishment, reverse SSH tunneling, and broader post-exploitation operations. In one campaign, Seqrite described an AdaptixC2 agent named AZUREVEIL delivered in Operation Dragon Weave, a cyber-espionage campaign targeting officials and citizens in the Czech Republic and Taiwan across the government, research, academic, technology, and financial sectors. That intrusion chain used spear-phishing ZIP attachments, execution of a malicious LNK file or a Rust-based dropper, DLL sideloading via UnityPlayer.dll, and a Rust loader called RUSTCLOAK that decrypted and launched the AdaptixC2 payload. AZUREVEIL used Microsoft Azure Blob Storage as a dead-drop C2 channel and reportedly supported 36 commands, including file operations, uploads/downloads, shell execution, process enumeration and termination, port forwarding, SOCKS proxy control, C2 management, and in-memory execution of Beacon Object Files (BOFs).
Reporting also places AdaptixC2 in financially motivated and opportunistic intrusion sets. CTU and Sophos reporting tied its use to GOLD ENCOUNTER / PayoutsKing ransomware activity, in which operators established SSH backdoors via AdaptixC2 or OpenSSH and, in deployments of hidden QEMU virtual machines, launched AdaptixC2 or OpenSSH at VM boot to create reverse SSH tunnels that bypassed host-based AV and EDR detection. Those Alpine Linux VMs contained attacker tooling such as AdaptixC2, Chisel, BusyBox, Rclone, and wg-obfuscator. Sophos also documented AI-themed malware delivery via the fake Claude site claude-pro[.]com, where related March 2026 samples used DLL sideloading and AdaptixC2-related shellcode; separate reporting on the TeamPCP-linked Telnyx package compromise states that a trojanized Windows package deployed DonutLoader and an AdaptixC2 beacon.
AdaptixC2 was further observed in exploitation of internet-facing infrastructure. Cisco Talos reported multiple post-exploitation clusters exploiting Cisco Catalyst SD-WAN vulnerabilities in 2026 that deployed AdaptixC2 alongside Godzilla, Behinder, XenShell, Sliver, XMRig, KScan/QScan, Nim-based implants, gsocket, and credential stealers targeting admin hashes, JWT key chunks and tokens, and AWS credentials. One Talos cluster deployed an AdaptixC2-derived agent named systemd-resolved, mimicking the legitimate systemd DNS resolver service, with C2 at 194.163.175[.]135:4445; Talos also noted that the same server hosted another AdaptixC2 service on port 31337 and SSH on port 22. Separate reporting on cPanel/WHM CVE-2026-41940 exploitation and an Indonesian defense-sector portal compromise identified an ELF AdaptixC2 payload named "1" configured to beacon to delicate-dew.serveftp[.]com:4455, with corroborating infrastructure at 95.111.250[.]175. The same broader operation also used a PowerShell reverse shell, OpenVPN, Ligolo, and systemd persistence while targeting government and military entities in Southeast Asia.
Across the reporting summarized here, AdaptixC2 is associated with both espionage and cybercriminal activity, including China-aligned operations, ransomware-linked intrusions, supply-chain compromises, and exploitation of edge and network infrastructure. High-confidence indicators directly mentioned include delicate-dew.serveftp[.]com:4455, 95.111.250[.]175, 194.163.175[.]135:4445, and 194.163.175[.]135:31337, as well as Talos-observed JARM/TLS characteristics consistent with the framework. Because 194.163.175[.]135 also served SSH on port 22, hunts should match the bare IP rather than only the listed ports.
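The indicators above are only useful once they are matched against your own telemetry. The following is an added example, not code from the original page, from Mallory, or from any vendor report: it refangs the page's indicators and runs them over constructed JSON records shaped like Zeek conn.log and dns.log entries (the field names id.resp_h, id.resp_p and query are an assumption; map them to your own schema). It pins ports where the page pins them and matches parent domains so that a subdomain of a listed domain is still caught.

```python
"""Offline hunt for the AdaptixC2 network indicators quoted on this page.

Added example, not code from the original page, from Mallory, or from any
vendor report. SAMPLE_LOGS are constructed JSON records shaped like Zeek
conn.log / dns.log entries (field names are an assumption; map them to your
own schema). Indicators are copied from the page in defanged form.
"""
import ipaddress
import json

# (indicator as printed on the page, required destination port or None for any, context)
INDICATORS = [
    ("delicate-dew.serveftp[.]com", 4455, "ELF payload '1' beacon, cPanel/WHM cluster"),
    ("95.111.250[.]175", None, "VPS: OpenVPN, staging, reverse shell, pivot tooling"),
    ("194.163.175[.]135", 4445, "Talos SD-WAN cluster, agent named systemd-resolved"),
    ("194.163.175[.]135", 31337, "Talos SD-WAN cluster, second AdaptixC2 service"),
    ("83.142.209[.]11", None, "TeamPCP C&C node (checkmarx[.]zone)"),
    ("46.151.182[.]203", None, "TeamPCP C&C node (LiteLLM[.]cloud)"),
    ("checkmarx[.]zone", None, "TeamPCP C&C domain"),
]

def refang(value):
    """Turn a defanged indicator ('1.2.3[.]4', 'hxxp') back into a matchable value."""
    return value.replace("[.]", ".").replace("hxxp", "http").strip().lower()

def is_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False

def build_index(indicators):
    """Split indicators into IP and domain lookup tables keyed by refanged value."""
    ips, domains = {}, {}
    for raw, port, note in indicators:
        val = refang(raw)
        (ips if is_ip(val) else domains).setdefault(val, []).append((port, note))
    return ips, domains

def hunt(log_lines, indicators=INDICATORS):
    """Return (ts, uid, matched_value, dst_port_or_None, note) for each matching record."""
    ips, domains = build_index(indicators)
    hits = []
    for line in log_lines:
        rec = json.loads(line)
        # conn.log-style record: match the responder IP, honouring a pinned port
        dst, dport = rec.get("id.resp_h"), rec.get("id.resp_p")
        for port, note in ips.get(dst, []):
            if port is None or port == dport:
                hits.append((rec["ts"], rec["uid"], dst, dport, note))
        # dns.log-style record: match the queried name or any parent domain,
        # so api.checkmarx.zone is caught by the checkmarx[.]zone indicator
        q = rec.get("query", "").lower().rstrip(".")
        labels = q.split(".") if q else []
        for i in range(len(labels)):
            cand = ".".join(labels[i:])
            for port, note in domains.get(cand, []):
                hits.append((rec["ts"], rec["uid"], cand, None, note))
    return hits

# Constructed telemetry: one true beacon, a miss on the same host's SSH port,
# an OpenVPN connection to the staging VPS, and one DNS lookup of the DDNS name.
SAMPLE_LOGS = [
    '{"ts": 1.0, "uid": "C1", "id.orig_h": "10.1.2.3", "id.resp_h": "194.163.175.135", "id.resp_p": 4445, "proto": "tcp"}',
    '{"ts": 2.0, "uid": "C2", "id.orig_h": "10.1.2.3", "id.resp_h": "194.163.175.135", "id.resp_p": 22, "proto": "tcp"}',
    '{"ts": 3.0, "uid": "C3", "id.orig_h": "10.1.2.4", "id.resp_h": "95.111.250.175", "id.resp_p": 1194, "proto": "udp"}',
    '{"ts": 4.0, "uid": "D1", "id.orig_h": "10.1.2.4", "id.resp_h": "10.0.0.53", "id.resp_p": 53, "query": "delicate-dew.serveftp.com"}',
    '{"ts": 5.0, "uid": "D2", "id.orig_h": "10.1.2.5", "id.resp_h": "10.0.0.53", "id.resp_p": 53, "query": "www.example.com"}',
    '{"ts": 6.0, "uid": "C4", "id.orig_h": "10.1.2.5", "id.resp_h": "93.184.216.34", "id.resp_p": 443, "proto": "tcp"}',
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_LOGS):
        print(hit)
```

On the constructed input this reports C1, C3 and D1. Record C2 (port 22 to 194.163.175.135) is deliberately not flagged because the port is pinned; since the page notes that the same server also ran SSH on port 22, setting the pinned ports to None is the safer choice when you want every connection to that host surfaced.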
Vulnerabilities exploited
6 CVEs correlated with this family across public research and vendor advisories.
An AdaptixC2 malware payload was also identified, indicating active command-and-control operations. Analysis of exposed payloads shows the attacker used AdaptixC2 for command and control, along with a PowerShell reverse shell.
On Windows systems, the hack of the Telnyx Python SDK resulted in the deployment of an executable named "msbuild.exe" that employs several obfuscation techniques to evade detection and extracts DonutLoader, a shellcode loader, from a PNG image present within the binary to load a full-featured trojan and a beacon associated with AdaptixC2, an open-source command-and-control (C2) framework.
The tools deployed by these clusters range from webshells (Godzilla, Behinder, XenShell) and red team frameworks (AdaptixC2, Sliver) to cryptocurrency miners (XMRig) and credential stealers targeting admin hashes, JWT tokens and AWS credentials.
CVE-2026-20182 carries a CVSSv3.1 score of 10.0 (Critical) and is classified under CWE-287: Improper Authentication. The flaw affects the Cisco Catalyst SD-WAN Controller (formerly vSmart)... The peering authentication mechanism is not functioning correctly, allowing an unauthenticated, remote attacker to bypass authentication and obtain administrative privileges on the affected system.
Groups observed using it
5 distinct threat actors attributed by public researchers.
A new cyber espionage campaign codenamed Operation Dragon Weave has been observed targeting officials and citizens in the Czech Republic and Taiwan to deliver an AdaptixC2 agent... The loader then decrypts and runs the main payload, an AdaptixC2 agent codenamed AZUREVEIL owing to the use of Microsoft Azure Blob Storage for command-and-control (C2).
The group has also used a DLL sideloading technique to launch the Havoc C2 post-exploitation framework, and establishes an SSH backdoor via AdaptixC2 or OpenSSH.
83.142.209[.]11 is shown below, confirming ASN membership, TeamPCP attribution, and the AdaptixC2 malware classification.
The March sample is markedly different... the decryption of a .log file culminating in the execution of AdaptixC2-related shellcode. (AdaptixC2 is an open-source red-teaming framework that we’ve seen used in ransomware attacks...)
Techniques & procedures
27 distinct techniques documented for this family, organized by ATT&CK tactic.
Resource Development
2 techniques
Both C&C nodes, 83.142.209.11 (checkmarx[.]zone) and 46.151.182.203 (LiteLLM[.]cloud), were hosted on AS205759... JARM TLS fingerprinting revealed identical server configurations across both nodes...
VPS at 95.111.250[.]175 used to host OpenVPN, payload staging, reverse shell infrastructure, and pivot tooling
Initial Access
4 techniques
These clusters have been exploiting the CVE-2026-20133, CVE-2026-20128, and CVE-2026-20122 chain since early March 2026, following the publication of proof-of-concept code by ZeroZenX Labs.
What emerged was not a single-package compromise but a coordinated, multi-ecosystem supply chain campaign we track as TeamPCP.
The activity entails distributing spear-phishing emails containing ZIP attachments to trigger an infection chain that uses a Rust loader to drop the final payload for data exfiltration and remote control.
Execution
6 techniques
Both supply chain tracks installed a persistence daemon that polled the C&C server every 50 minutes.
and establishes an SSH backdoor via AdaptixC2 or OpenSSH.
Analysis of exposed payloads shows the attacker used AdaptixC2 for command and control, along with a PowerShell reverse shell.
Inside the VM, persistence and a command and control channel were established through the root crontab that launched two scripts at boot...
@reboot /bin/sh /sbin/syslogda.sh>/dev/null 2>&1
@reboot /bin/sh /sbin/syslogdb.sh>/dev/null 2>&1
One infection sequence begins when the recipient of the ZIP archive opens a malicious Windows Shortcut (LNK) file that masquerades as a PDF document.
Persistence
3 techniques
Both supply chain tracks installed a persistence daemon that polled the C&C server every 50 minutes.
Inside the VM, persistence and a command and control channel were established through the root crontab that launched two scripts at boot
Privilege Escalation
2 techniques
Stealth
4 techniques
On Windows systems, the hack of the Telnyx Python SDK resulted in the deployment of an executable named "msbuild.exe" that employs several obfuscation techniques to evade detection and extracts DonutLoader, a shellcode loader, from a PNG image present within the binary to load a full-featured trojan and a beacon associated with AdaptixC2...
adversaries leveraging QEMU, an open-source machine emulator and virtualizer typically used for development and testing, to deploy virtual machines that contained and executed malicious payloads. This approach enabled them to maintain covert access and bypass host-based detection from AV and EDR solutions.
Defense Impairment
1 technique
The starting point of the attack is a ZIP archive containing military-themed document lures to launch the rogue version of SumatraPDF, which is then used to display a decoy PDF document, while simultaneously retrieving encrypted shellcode from a staging server to launch AdaptixC2 Beacon.
Discovery
1 technique
adversaries leveraging QEMU, an open-source machine emulator and virtualizer typically used for development and testing, to deploy virtual machines that contained and executed malicious payloads. This approach enabled them to maintain covert access and bypass host-based detection from AV and EDR solutions.
Lateral Movement
3 techniques
The script syslogdb.sh maintained an SSH connection to the C2 server over TCP 443 and forwarded local port 33443 to the C2 server through this tunnel.
Talos is also aware of the widespread in-the-wild active exploitation of three vulnerabilities in unpatched Cisco Catalyst SD-WAN Manager infrastructure (CVE-2026-20133, CVE-2026-20128, and CVE-2026-20122) that, when chained together, can allow a remote unauthenticated attacker to gain access to the device.
The pod's startup command writes the persistent backdoor directly to the host through a chroot, then enables the systemd service.
Command and Control
7 techniques
As a result, the beacon’s local traffic was carried over the encrypted SSH channel to remote infrastructure, enabling command-and-control communication while blending into normal outbound traffic.
The worm used an Internet Computer Protocol (ICP) canister as its command-and-control dead-drop — the first documented use of ICP for C&C... Both supply chain tracks installed a persistence daemon that polled the C&C server every 50 minutes.
the adversaries proceeded to establish a command and control channel for persistence by deploying and launching a QEMU virtual machine from a Linux disk image named vault.db
Multiple post-exploitation tooling clusters have been identified, including deployments of ... AdaptixC2, Sliver C2
The payload used a new C&C domain ( checkmarx[.]zone) but contained the same RSA-4096 public key and tpcp.tar.gz exfiltration naming as the Trivy payload, confirming shared infrastructure.
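The hidden-VM tradecraft quoted in the Execution, Lateral Movement and Command and Control sections above (root crontab @reboot entries running silenced shell scripts, a QEMU guest booted from a disk image named vault.db, and an ssh client holding a port-forwarding session to the C2 over TCP 443) is visible from the host with nothing more than a crontab dump and a process list. The following is an added example, not code from the original page or from the CTU/Sophos reports: heuristic checks over constructed input. The crontab text and the ps-style lines are constructed, the set of "normal" disk-image extensions is an assumption, and the 203.0.113.10 address is a documentation placeholder.

```python
"""Heuristic host checks for the hidden-VM / reverse-SSH pattern described above.

Added example, not code from the original page or from any vendor report.
Input is constructed: a root crontab dump and `ps -eo pid,user,args` style
lines. The extension list and the flag patterns are assumptions; tune them.
"""
import re
import shlex

# Extensions a legitimately configured QEMU guest would normally boot from (assumption).
NORMAL_IMAGE_EXT = {"qcow2", "qcow", "img", "raw", "iso", "vmdk", "vdi", "vhd", "vhdx"}

def check_crontab(text):
    """Flag @reboot jobs that run a shell script with all output discarded."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("@reboot"):
            continue
        cmd = line[len("@reboot"):].strip()
        silenced = "/dev/null" in cmd and "2>&1" in cmd
        scripts = re.findall(r"(/\S+\.sh)\b", cmd)
        if silenced and scripts:
            findings.append(("crontab_reboot_silent_script", scripts[0], cmd))
    return findings

def check_processes(lines):
    """Flag QEMU guests booted from oddly named images and ssh tunnels to port 443."""
    findings = []
    for line in lines:
        parts = line.split(None, 2)          # pid, user, full command line
        if len(parts) < 3:
            continue
        pid, _user, args = parts
        try:
            argv = shlex.split(args)
        except ValueError:
            continue
        if not argv:
            continue
        exe = argv[0].rsplit("/", 1)[-1]
        if exe.startswith("qemu-system"):
            for i, a in enumerate(argv):
                nxt = argv[i + 1] if i + 1 < len(argv) else ""
                if a == "-drive":
                    m = re.search(r"(?:^|,)file=([^,]+)", nxt)
                    path = m.group(1) if m else None
                elif a in ("-hda", "-hdb", "-cdrom"):
                    path = nxt
                else:
                    continue
                # vault.db-style naming: a "database" that is really a bootable image
                if path and path.rsplit(".", 1)[-1].lower() not in NORMAL_IMAGE_EXT:
                    findings.append(("qemu_odd_disk_image", pid, path))
        elif exe == "ssh":
            port, forward = None, False
            for i, a in enumerate(argv[1:], 1):
                if a == "-p" and i + 1 < len(argv):
                    port = argv[i + 1]
                elif a.startswith("-p") and a[2:].isdigit():
                    port = a[2:]
                if a in ("-L", "-R", "-D") or re.match(r"-[LRD]\d", a):
                    forward = True
            # ssh to 443 alone is common (git hosting); ssh to 443 plus forwarding is the pattern
            if port == "443" and forward:
                findings.append(("ssh_tunnel_over_443", pid, args))
    return findings

# Constructed root crontab: two silenced @reboot scripts plus benign entries.
CRONTAB = """# constructed root crontab
SHELL=/bin/sh
0 3 * * * /usr/bin/certbot renew --quiet
@reboot /bin/sh /sbin/syslogda.sh>/dev/null 2>&1
@reboot /bin/sh /sbin/syslogdb.sh>/dev/null 2>&1
@reboot /usr/local/bin/node_exporter
"""

# Constructed `ps -eo pid,user,args` output: one hidden guest, one tunnel, two benign lines.
PS_LINES = [
    "  412 root     /usr/bin/qemu-system-x86_64 -m 512 -nographic -hda /var/lib/.cache/vault.db -netdev user,id=n0 -device e1000,netdev=n0",
    "  520 root     ssh -o StrictHostKeyChecking=no -N -p 443 -L 33443:127.0.0.1:33443 sys@203.0.113.10",
    "  601 alice    ssh -p 443 git@github.com",
    "  702 bob      /usr/bin/qemu-system-x86_64 -m 2048 -drive file=/home/bob/vm/debian.qcow2,format=qcow2",
]

if __name__ == "__main__":
    for f in check_crontab(CRONTAB) + check_processes(PS_LINES):
        print(f)
```

The two checks are deliberately independent: a silenced @reboot script is suspicious on its own, and an ssh client forwarding ports over 443 is suspicious on its own, but a host showing both together with a QEMU guest is the full pattern the reports describe. The git-over-443 line is included so the ssh check does not fire on the most common benign use of port 443 SSH.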
IOCs tracked for this family
38 indicators attributed across vendor reports, sandbox runs, and researcher write-ups.
IPs, domains, and DNS infrastructure linked to this family.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Other indicator types observed in public reporting.
Recent activity
34 sources tracked across advisories, community write-ups, and news.
A post-compromise espionage implant that uses Azure Blob Storage as a dead-drop C2 channel. It supports 36 commands for file operations, uploads/downloads, shell execution, process control, port forwarding, SOCKS proxy control, C2 management, and in-memory BOF execution, giving attackers broad remote control and data exfiltration capability.
A red team command-and-control framework deployed by threat clusters exploiting Cisco SD-WAN devices.
Command-and-control tooling observed in post-exploitation activity against Cisco Catalyst SD-WAN environments.
A malware/C2 designation associated in the report with TeamPCP infrastructure, specifically observed on 83.142.209[.]11 on a non-standard port.