Originally built for red teams, the AdaptixC2 framework has shifted from helping defenders to empowering attackers (The Hacker News, 2025).
In cyberdefense circles, frameworks that simulate adversaries are increasingly common. But AdaptixC2 now plays a pivotal role in ransomware operations tied to Russian-speaking cybercriminals. The transformation poses existential questions for defenders about tool ownership, oversight, and emerging threat ecosystems.
AdaptixC2 was released publicly in August 2024 and marketed to penetration testers and adversary emulation teams. Its architecture is deliberately cross-platform: a server component written in Go and a C++/Qt GUI client that runs on Windows, Linux, and macOS. S
The first public signs of abuse were flagged by Silent Push during its investigation into another malware loader, CountLoader (Silent Push, 2025). Silent Push found AdaptixC2 payloads being delivered through CountLoader infrastructure in campaigns impersonating the Ukrainian police. The framework's design is what makes it so versatile, and therefore so useful to threat actors: it supports multiple listener types (mTLS, HTTP/S, SMB, TCP) and delivers modular payloads for reconnaissance, credential collection, and remote execution, offering features that rival commercial attack frameworks without the price tag.
Defenders celebrated its flexibility; adversaries exploited that same flexibility instead. AdaptixC2 supports a rich set of functions that attackers are leveraging:
Much of the story leads back to a figure operating under the alias “RalfHacker,” who maintains the project’s GitHub repository. OSINT researchers found linked email addresses (such as “hackerralf8@gmail.com”), appearances in leaked hacking-forum databases, and a Russian-language Telegram channel called “RalfHackerChannel” with more than 28,000 subscribers, where updates about AdaptixC2 were posted (The Record Media, 2025). While it is unclear whether RalfHacker is directly tied to the malware campaigns, the promotional efforts on hacking forums and the absence of any ethical-use barriers make AdaptixC2 an easy pick for attackers who want the cloak of a legitimate tool.
Unlike earlier frameworks such as Empire or Brute Ratel, which became popular after cracked versions leaked, AdaptixC2 was developed in an era where open-source tooling is already part of both offense and defense. That dual-use tension creates a minefield for security teams.
For defenders, the challenge is threefold:
The security community has long prized openness, collaboration, and the free exchange of tools and ideas. But the case of AdaptixC2 reveals the growing cost of that openness. When threat actors gain access to the same advanced toolkits as defenders, the arms race becomes asymmetric, not in capability, but in intent.