
carlospolop
Collaborator

🤖 Automated Content Update

This PR was automatically generated by the HackTricks News Bot based on a technical blog post.

📝 Source Information

🎯 Content Summary

What this post covers (published Sep 10, 2025; activity observed early May 2025)
Unit 42 details AdaptixC2, a modular open‑source post‑exploitation/C2 framework seen in real intrusions. The post explains agent types, configuration packing/crypto, concrete beacon configs, and two step‑by‑step infection chains featuring fileless PowerShell shellcode execution, persistence, and operational use.


Framework overview
• Agents: Windows x86/x64 beacons generated as EXE...

🔧 Technical Details

Fileless PowerShell shellcode via .NET dynamic invocation: Fetch an encoded (e.g., Base64/XOR) payload, decode/decrypt in memory, allocate RWX, copy shellcode, then execute with Marshal.GetDelegateForFunctionPointer and delegate.Invoke() to avoid writing binaries to disk and run the beacon in-process.

RC4-packed config extraction from PE .rdata: Read [uint32 size][ciphertext][16-byte RC4 key], decrypt the N-byte blob with the embedded key, then parse fields (servers/ports, HTTP method/URI/headers/UA/parameter, timing/opsec, listener type, chunk size). This enables automated clustering and IOC generation for AdaptixC2 samples.

DLL search-order hijacking for persistence: Place a malicious msimg32.dll (beacon) in a user-writable directory likely to be searched (e.g., %APPDATA%\Microsoft\Windows\Templates). When a susceptible process loads the DLL by name, the beacon runs under...

🤖 Agent Actions

I analyzed the Unit 42 post and the HackTricks repo, then added a new malware analysis page dedicated to AdaptixC2 with configuration extraction details and observed TTPs. I also cross-linked it from the main Malware Analysis page and referenced the Windows persistence and in-memory execution pages.

What I added/modified:

  1. New page (full technical content with code):
  • File: src/generic-methodologies-and-resources/basic-forensic-methodology/adaptixc2-config-extraction-and-ttps.md
  • Content highlights:
    • Beacon types (HTTP/SMB/TCP), fields, opsec parameters (KillDate/WorkingTime), chunked transfers.
    • Exact configuration packing format: [uint32 size][RC4 ciphertext][16-byte RC4 key], with the loader’s logic snippet.
    • A practical, minimal Python PoC for RC4 decryption and HTTP profile parsing (length-prefixed strings, integers).
    • Default and in-the-wild HTTP profile examples from the blog.
    • Network hunting notes (URIs, params, user-agents, polling cadence) and SMB/TCP notes.
    • Loader TTPs: dynamic invocation via Marshal.GetDelegateForFunctionPointer, VirtualProtect to PAGE_EXECUTE_READWRITE; cross-linked to in-memory execution/AMSI/ETW guidance:
      • {{#ref}}../../windows-hardening/av-bypass.md{{#endref}}
    • Persistence TTPs: Startup .lnk, Run keys (“Updater”), DLL hijack (msimg32.dll under %APPDATA%\Microsoft\Windows\Templates); cross-linked to:
      • {{#ref}}../../windows-hardening/windows-local-privilege-escalation/privilege-escalation-with-autorun-binaries.md{{#endref}}
      • {{#ref}}../../windows-hardening/windows-local-privilege-escalation/dll-hijacking/README.md{{#endref}}
    • References section with the blog URL, AdaptixC2 GitHub/docs, Microsoft API docs, and MITRE T1547.001.
  2. Cross-link from Malware Analysis page and updated references:
  • File modified: src/generic-methodologies-and-resources/basic-forensic-methodology/malware-analysis.md
  • Changes:
    • Added a short section “AdaptixC2: Configuration Extraction and TTPs” pointing to the new page using:
      • {{#ref}}adaptixc2-config-extraction-and-ttps.md{{#endref}}
    • Appended the blog URL to the References section.

Why this placement:

  • This is defender-focused malware analysis content (config extraction, hunting, and TTPs), so it belongs under Basic Forensic Methodology → Malware Analysis.
  • Cross-links to Windows persistence (Startup, Run keys, DLL hijacking) and in-memory execution (AMSI/ETW, VirtualProtect, dynamic invocation) help readers pivot to detailed technique pages.

No duplicate content was found in HackTricks about AdaptixC2; Cobalt Strike/Mythic pages are offensive/operator-focused, while this addition targets forensic/config extraction and detection content for AdaptixC2.


This PR was automatically created by the HackTricks Feed Bot. Please review the changes carefully before merging.

📚 Repository Maintenance

  • MD files processed: 877
  • MD files fixed: 1

All .md files have been checked for proper formatting (headers, includes, etc.).

🗑️ File Cleanup

  • searchindex.js removed: This auto-generated file has been removed to prevent conflicts.
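The configuration packing format summarized above under Technical Details ([uint32 size][RC4 ciphertext][16-byte RC4 key], then length-prefixed strings and integers) can be exercised end to end with the following extractor. This is an added example, not code from this PR, from the HackTricks page it introduces, or from the Unit 42 post: the RC4 routine and the outer container layout follow the description on this page, but the field order inside the decrypted blob, the little-endian `[uint32 len][bytes]` string encoding, the sample key and every config value are assumptions constructed for illustration. The sample blob is built by `pack_config` so the whole thing runs offline, and the parser fails loudly on an implausible size word or on trailing bytes, which is the check that tells an analyst the carve offset or the assumed layout is wrong.

```python
import struct
from typing import Any, Dict, List, Tuple

KEY_LEN = 16  # the 16-byte RC4 key that trails the ciphertext


def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 keystream XOR (KSA + PRGA). The same call encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for b in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(b ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def unpack_config(blob: bytes) -> bytes:
    """Split [uint32 size][ciphertext][16-byte key] and return the plaintext.
    The size word is checked against the blob so a wrong carve offset raises
    instead of silently yielding garbage."""
    if len(blob) < 4 + KEY_LEN:
        raise ValueError("blob too short for size prefix and key")
    (size,) = struct.unpack_from("<I", blob, 0)
    end = 4 + size
    if end + KEY_LEN > len(blob):
        raise ValueError(f"declared size {size} exceeds blob of {len(blob)} bytes")
    ciphertext = blob[4:end]
    key = blob[end:end + KEY_LEN]
    return rc4(key, ciphertext)


class Reader:
    """Cursor over the decrypted blob: uint32 LE integers and [uint32 len][bytes] strings (assumed encoding)."""

    def __init__(self, data: bytes) -> None:
        self.data, self.pos = data, 0

    def u32(self) -> int:
        if self.pos + 4 > len(self.data):
            raise ValueError(f"truncated uint32 at offset {self.pos}")
        (v,) = struct.unpack_from("<I", self.data, self.pos)
        self.pos += 4
        return v

    def string(self) -> str:
        n = self.u32()
        if self.pos + n > len(self.data):
            raise ValueError(f"string length {n} at offset {self.pos - 4} overruns blob")
        s = self.data[self.pos:self.pos + n].decode("utf-8", errors="replace")
        self.pos += n
        return s

    def remaining(self) -> int:
        return len(self.data) - self.pos


# Field order here is an ASSUMED layout for illustration, not the real AdaptixC2 one.
def parse_http_profile(plain: bytes) -> Dict[str, Any]:
    r = Reader(plain)
    cfg: Dict[str, Any] = {"listener_type": r.u32()}
    servers: List[Tuple[str, int]] = []
    for _ in range(r.u32()):          # server count, then (host, port) pairs
        servers.append((r.string(), r.u32()))
    cfg["servers"] = servers
    for name in ("method", "uri", "headers", "user_agent", "parameter"):
        cfg[name] = r.string()
    for name in ("sleep", "jitter", "chunk_size"):
        cfg[name] = r.u32()
    cfg["kill_date"] = r.string()
    cfg["working_time"] = r.string()
    if r.remaining():                 # leftover bytes mean layout or key mismatch
        raise ValueError(f"{r.remaining()} trailing bytes: layout or key mismatch")
    return cfg


def pack_config(cfg: Dict[str, Any], key: bytes) -> bytes:
    """Inverse of unpack+parse; only used to build the constructed sample below."""
    def s(x: str) -> bytes:
        b = x.encode()
        return struct.pack("<I", len(b)) + b

    def u(x: int) -> bytes:
        return struct.pack("<I", x)

    plain = u(cfg["listener_type"]) + u(len(cfg["servers"]))
    for host, port in cfg["servers"]:
        plain += s(host) + u(port)
    plain += b"".join(s(cfg[n]) for n in ("method", "uri", "headers", "user_agent", "parameter"))
    plain += b"".join(u(cfg[n]) for n in ("sleep", "jitter", "chunk_size"))
    plain += s(cfg["kill_date"]) + s(cfg["working_time"])
    ct = rc4(key, plain)
    return struct.pack("<I", len(ct)) + ct + key


# Constructed sample, not a real-world config: every value is a placeholder.
SAMPLE_CFG: Dict[str, Any] = {
    "listener_type": 1,
    "servers": [("c2.example.invalid", 443), ("10.0.0.5", 8443)],
    "method": "POST", "uri": "/api/v1/update", "headers": "Accept: */*\r\n",
    "user_agent": "Mozilla/5.0 (constructed sample)", "parameter": "session",
    "sleep": 5, "jitter": 20, "chunk_size": 0x19000,
    "kill_date": "2025-12-31", "working_time": "08:00-18:00",
}
SAMPLE_KEY = bytes(range(0x10, 0x20))  # 16-byte placeholder key
SAMPLE_BLOB = pack_config(SAMPLE_CFG, SAMPLE_KEY)


def extract(blob: bytes = SAMPLE_BLOB) -> Dict[str, Any]:
    """Full pipeline: carve container, RC4-decrypt, parse the profile."""
    return parse_http_profile(unpack_config(blob))


if __name__ == "__main__":
    for k, v in extract().items():
        print(f"{k:14} {v}")
```

In practice `SAMPLE_BLOB` would be replaced by the bytes carved from a sample's `.rdata` at the offset the loader reads from; if that offset is off by even a few bytes the size check or the trailing-bytes check fires, which is far more useful than a parser that returns plausible-looking strings from the wrong place.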

… Real-Wor...

- Remove searchindex.js (auto-generated file)
@carlospolop
Collaborator Author

🔗 Additional Context

Original Blog Post: https://unit42.paloaltonetworks.com/adaptixc2-post-exploitation-framework/

Content Categories: Based on the analysis, this content was categorized under "Basic Forensic Methodology -> Malware Analysis (add a page for AdaptixC2 config extraction and TTPs; cross-link to Windows persistence and in-memory execution)".

Repository Maintenance:

  • MD Files Formatting: 877 files processed (1 file fixed)

Review Notes:

  • This content was automatically processed and may require human review for accuracy
  • Check that the placement within the repository structure is appropriate
  • Verify that all technical details are correct and up-to-date
  • All .md files have been checked for proper formatting (headers, includes, etc.)

Bot Version: HackTricks News Bot v1.0
