Open-source AdaptixC2 hacking tool has fans in Russian cybercrime underground
2025-10-30 16:31:31 Author: therecord.media

Russia-linked cybercriminals are reportedly abusing a popular penetration-testing tool in ransomware campaigns around the world, researchers have found.

In research published Thursday, cybersecurity firm Silent Push said that the open-source command-and-control framework AdaptixC2 — originally designed for penetration testers — has been used to deliver malicious payloads in multiple recent attacks.

Researchers traced the tool’s development and promotion to a figure using the handle “RalfHacker,” who appears to maintain the project and operate a Russian-language Telegram channel. The individual describes themselves as a penetration tester, red team operator and “malware developer.”

“RalfHacker’s ties to Russia’s criminal underground — via the use of Telegram for marketing and the tool’s subsequent uptick in utilization by Russian threat actors — all raise significant red flags for our team,” the researchers said, adding that there is not yet conclusive proof of RalfHacker’s direct involvement in criminal operations.

Silent Push first observed abuse of AdaptixC2 in August 2025, when it was used to deliver the CountLoader malware — a loader strongly associated with Russian ransomware gangs. In one campaign, attackers distributed malicious PDFs impersonating Ukraine’s national police, the company said.

Palo Alto Networks’ Unit 42 research team observed similar activity with AdaptixC2 earlier this year but did not connect it to a specific threat actor.

AdaptixC2, available for free on GitHub, is marketed as a “post-exploitation and adversarial emulation framework” for security professionals. But its growing abuse highlights how open-source tools can easily cross into the cybercrime ecosystem, researchers said.

“Threat actors often mask their cyber criminal activities under the guise of ‘red teaming,’ or ethical hacking, when communicating publicly with other threat actors,” the Silent Push team said, adding that RalfHacker’s online activity aligns with this practice.

AdaptixC2’s developer did not immediately respond to requests for comment. Developers of open-source red-teaming tools usually understand the tradeoffs that go with making their code available to the public.

Silent Push’s findings come as Russia’s cybercriminal scene undergoes major upheaval, according to a recent report by Recorded Future’s Insikt Group. The country’s hacking underworld is fracturing under pressure from law enforcement and internal mistrust, forcing groups to decentralize operations to avoid detection.

“The ecosystem is unlikely to contract; it will continue to reconfigure,” the report concluded.

The Record is an editorially independent unit of Recorded Future.


Daryna Antoniuk is a reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for Forbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.


Source: https://therecord.media/open-source-adaptixc2-red-teaming-tool-russian-cybercrime