Date: 09/11/2025
Severity: High
Summary
AdaptixC2 is an open-source post-exploitation framework recently spotted in real-world threat campaigns. It enables command execution, file transfers, and data exfiltration on compromised systems. Its low profile and high customizability make it a flexible and dangerous tool for attackers.
Our research explores its capabilities to help defenders detect and mitigate its use.
Indicators of Compromise (IOC) List
Domains\URLs:
tech-system.online
protoflint.com
novelumbsasa.art
picasosoftai.shop
dtt.alux.cc
moldostonesupplies.pro
x6iye.site
buenohuy.live
firetrue.live
lokipoki.live
veryspec.live
mautau.live
muatay.live
nicepliced.live
nissi.bg
express1solutions.com
iorestore.com
doamin.cc
regonalone.com

Hashes (SHA-256):
bdb1b9e37f6467b5f98d151a43f280f319bacf18198b22f55722292a832933ab
83AC38FB389A56A6BD5EB39ABF2AD81FAB84A7382DA296A855F62F3CDD9D629D
19c174f74b9de744502cdf47512ff10bba58248aa79a872ad64c23398e19580b
750b29ca6d52a55d0ba8f13e297244ee8d1b96066a9944f4aac88598ae000f41
b81aa37867f0ec772951ac30a5616db4d23ea49f7fd1a07bb1f1f45e304fc625
df0d4ba2e0799f337daac2b0ad7a64d80b7bcd68b7b57d2a26e47b2f520cc260
AD96A3DAB7F201DD7C9938DCF70D6921849F92C1A20A84A28B28D11F40F0FB06
Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection
Domains\URLs:
domainname like "tech-system.online" or url like "tech-system.online" or siteurl like "tech-system.online" or domainname like "muatay.live" or url like "muatay.live" or siteurl like "muatay.live" or domainname like "doamin.cc" or url like "doamin.cc" or siteurl like "doamin.cc" or domainname like "regonalone.com" or url like "regonalone.com" or siteurl like "regonalone.com" or domainname like "dtt.alux.cc" or url like "dtt.alux.cc" or siteurl like "dtt.alux.cc" or domainname like "protoflint.com" or url like "protoflint.com" or siteurl like "protoflint.com" or domainname like "moldostonesupplies.pro" or url like "moldostonesupplies.pro" or siteurl like "moldostonesupplies.pro" or domainname like "lokipoki.live" or url like "lokipoki.live" or siteurl like "lokipoki.live" or domainname like "mautau.live" or url like "mautau.live" or siteurl like "mautau.live" or domainname like "iorestore.com" or url like "iorestore.com" or siteurl like "iorestore.com" or domainname like "buenohuy.live" or url like "buenohuy.live" or siteurl like "buenohuy.live" or domainname like "veryspec.live" or url like "veryspec.live" or siteurl like "veryspec.live" or domainname like "express1solutions.com" or url like "express1solutions.com" or siteurl like "express1solutions.com" or domainname like "x6iye.site" or url like "x6iye.site" or siteurl like "x6iye.site" or domainname like "novelumbsasa.art" or url like "novelumbsasa.art" or siteurl like "novelumbsasa.art" or domainname like "picasosoftai.shop" or url like "picasosoftai.shop" or siteurl like "picasosoftai.shop" or domainname like "firetrue.live" or url like "firetrue.live" or siteurl like "firetrue.live" or domainname like "nicepliced.live" or url like "nicepliced.live" or siteurl like "nicepliced.live" or domainname like "nissi.bg" or url like "nissi.bg" or siteurl like "nissi.bg"

Hash:
sha256hash IN ("df0d4ba2e0799f337daac2b0ad7a64d80b7bcd68b7b57d2a26e47b2f520cc260","bdb1b9e37f6467b5f98d151a43f280f319bacf18198b22f55722292a832933ab","83AC38FB389A56A6BD5EB39ABF2AD81FAB84A7382DA296A855F62F3CDD9D629D","19c174f74b9de744502cdf47512ff10bba58248aa79a872ad64c23398e19580b","750b29ca6d52a55d0ba8f13e297244ee8d1b96066a9944f4aac88598ae000f41","b81aa37867f0ec772951ac30a5616db4d23ea49f7fd1a07bb1f1f45e304fc625","AD96A3DAB7F201DD7C9938DCF70D6921849F92C1A20A84A28B28D11F40F0FB06")
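The two queries above express plain string matching: a domain indicator against the domainname, url and siteurl fields, and a SHA-256 indicator against sha256hash. The script below is an added example, not part of this advisory and not Gurucul TDIR code, that applies the same IOC list to a handful of constructed key=value log records so the matching can be checked offline. It goes slightly beyond the queries in two ways a practitioner usually wants: a hostname is treated as a hit when it is an IOC domain or a subdomain of one (but a parent zone such as alux.cc is not, since only dtt.alux.cc is listed), and digests are compared case-insensitively because the IOC list mixes upper- and lowercase hex. The log format and host names are assumptions made for the example.

```python
"""Match the AdaptixC2 IOCs from this advisory against sample log records.

Added example; not part of the original advisory or of Gurucul's TDIR
product. The log lines below are constructed for illustration.
"""
import re

# Domain IOCs copied from the advisory's IOC list.
IOC_DOMAINS = {
    "tech-system.online", "protoflint.com", "novelumbsasa.art",
    "picasosoftai.shop", "dtt.alux.cc", "moldostonesupplies.pro",
    "x6iye.site", "buenohuy.live", "firetrue.live", "lokipoki.live",
    "veryspec.live", "mautau.live", "muatay.live", "nicepliced.live",
    "nissi.bg", "express1solutions.com", "iorestore.com", "doamin.cc",
    "regonalone.com",
}

# SHA-256 IOCs from the advisory, lowercased so that a match does not
# depend on how a particular sensor prints the digest.
IOC_SHA256 = {h.lower() for h in (
    "bdb1b9e37f6467b5f98d151a43f280f319bacf18198b22f55722292a832933ab",
    "83AC38FB389A56A6BD5EB39ABF2AD81FAB84A7382DA296A855F62F3CDD9D629D",
    "19c174f74b9de744502cdf47512ff10bba58248aa79a872ad64c23398e19580b",
    "750b29ca6d52a55d0ba8f13e297244ee8d1b96066a9944f4aac88598ae000f41",
    "b81aa37867f0ec772951ac30a5616db4d23ea49f7fd1a07bb1f1f45e304fc625",
    "df0d4ba2e0799f337daac2b0ad7a64d80b7bcd68b7b57d2a26e47b2f520cc260",
    "AD96A3DAB7F201DD7C9938DCF70D6921849F92C1A20A84A28B28D11F40F0FB06",
)}

# Constructed sample records (hosts, timestamps and paths are invented).
SAMPLE_LOGS = [
    "ts=2025-11-09T10:01:00Z type=dns host=ws-17 query=update.protoflint.com",
    "ts=2025-11-09T10:01:05Z type=proxy host=ws-17 url=https://tech-system.online/api/v1/beacon",
    "ts=2025-11-09T10:02:00Z type=proxy host=ws-03 url=https://www.example.com/",
    "ts=2025-11-09T10:03:00Z type=file host=ws-17 "
    "sha256=AD96a3dab7f201dd7c9938dcf70d6921849f92c1a20a84a28b28d11f40f0fb06 "
    "path=C:\\Users\\Public\\svc.exe",
    "ts=2025-11-09T10:04:00Z type=file host=ws-03 "
    "sha256=0000000000000000000000000000000000000000000000000000000000000000 "
    "path=C:\\Windows\\notepad.exe",
    "ts=2025-11-09T10:05:00Z type=dns host=ws-21 query=alux.cc",
]

KV_RE = re.compile(r"(\w+)=(\S+)")


def host_from_url(url):
    """Return the lowercased hostname of a URL or of a bare host string."""
    no_scheme = re.sub(r"^[a-z][a-z0-9+.-]*://", "", url.strip().lower())
    # hostname ends at the first path, port, query or fragment delimiter
    return re.split(r"[/:?#]", no_scheme, maxsplit=1)[0].rstrip(".")


def domain_matches(host):
    """Return the IOC domain that host equals or is a subdomain of, else None."""
    labels = host.lower().rstrip(".").split(".")
    # walk from the full host towards its parent zones, never down to the
    # bare TLD: a.b.c -> b.c (but not c)
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in IOC_DOMAINS:
            return candidate
    return None


def parse_record(line):
    """Parse one key=value log line into a dict."""
    return dict(KV_RE.findall(line))


def match_record(rec):
    """Return (indicator_type, indicator) if the record hits an IOC, else None."""
    # same fields the advisory's domain query inspects, plus a DNS query field
    for field in ("query", "url", "domainname", "siteurl"):
        if field in rec:
            hit = domain_matches(host_from_url(rec[field]))
            if hit:
                return ("domain", hit)
    digest = rec.get("sha256", "").lower()
    if digest in IOC_SHA256:
        return ("sha256", digest)
    return None


def scan(lines):
    """Return (host, ts, indicator_type, indicator) for every matching record."""
    hits = []
    for line in lines:
        rec = parse_record(line)
        m = match_record(rec)
        if m:
            hits.append((rec.get("host"), rec.get("ts"), m[0], m[1]))
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOGS):
        print(hit)
```

Running the script reports three hits, all on the constructed host ws-17: the DNS lookup of a protoflint.com subdomain, the proxy request to tech-system.online, and the file whose digest equals the uppercase IOC once case is normalised; the lookup of alux.cc is not reported because only dtt.alux.cc is an indicator.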
Reference:
https://unit42.paloaltonetworks.com/adaptixc2-post-exploitation-framework/