CyberHappenings logo
Home Browse About

Track cybersecurity events as they unfold. Sourced timelines. Filter, sort, and browse. Fast, privacy‑respecting. No invasive ads, no tracking.

AdaptixC2 Framework Weaponized by Russian Ransomware Groups

First reported
Last updated
1 unique sources, 1 articles

Summary

Hide ▲

AdaptixC2, an open-source command-and-control (C2) framework, has been adopted by Russian ransomware groups for advanced attacks. The framework, initially released in August 2024, includes features such as encrypted communications, command execution, and credential managers. Threat actors associated with Fog and Akira ransomware, as well as an initial access broker, have leveraged AdaptixC2 in their operations. The framework's creator, RalfHacker, has ties to Russia's criminal underground, raising concerns about its misuse. AdaptixC2 has been used in fake help desk support call scams and through AI-generated PowerShell scripts.

Timeline

  1. 30.10.2025 18:40 1 articles · 11d ago

    AdaptixC2 Framework Adopted by Russian Ransomware Groups

    AdaptixC2, an open-source C2 framework, has been adopted by Russian ransomware groups for advanced attacks. The framework, initially released in August 2024, includes features such as encrypted communications, command execution, and credential managers. Threat actors associated with Fog and Akira ransomware, as well as an initial access broker, have leveraged AdaptixC2 in their operations. The framework's creator, RalfHacker, has ties to Russia's criminal underground, raising concerns about its misuse. AdaptixC2 has been used in fake help desk support call scams and through AI-generated PowerShell scripts.

    Show sources
    Open in new tab

Information Snippets

Similar Happenings

TigerJack Campaign Targets Developers with Malicious VSCode Extensions

The TigerJack campaign continues to target developers with malicious Visual Studio Code (VSCode) extensions, which have now been found to leak access tokens posing a critical software supply chain risk. The campaign has distributed at least 11 malicious VSCode extensions since the beginning of the year, with two extensions, C++ Playground and HTTP Format, removed from VSCode but remaining on OpenVSX. These extensions steal cryptocurrency, plant backdoors, and exfiltrate source code. The threat actor republishes the same malicious code under new names, making detection and removal challenging. Developers are advised to be cautious when downloading extensions from these platforms. Over 100 VSCode extensions were found to leak access tokens, allowing attackers to distribute malicious updates. The leaked tokens include AI provider secrets, cloud service provider secrets, and database secrets. Microsoft has revoked the leaked PATs and is adding secret scanning capabilities to enhance security. Organizations are recommended to develop an extension inventory and consider a centralized allowlist for extensions. A new malicious extension named susvsex with basic ransomware capabilities was published on Microsoft's official VS Code marketplace. The extension was published by 'suspublisher18' and its malicious functionality was openly advertised in its description. The extension's malicious functionality includes file theft to a remote server and encryption of all files with AES-256-CBC. The extension activates on any event, including on installation or when launching VS Code, initializing the 'extension.js' file that contains its hardcoded variables (IP, encryption keys, command-and-control address). The extension calls a function named zipUploadAndEncrypt which checks the presence of a marker text file, and starts the encryption routine. The extension creates a .ZIP archive of the files in the defined target directory and exfiltrates them to the hardcoded C2 address. All the files are then replaced with their encrypted versions. The extension polls a private GitHub repository for commands, periodically checking an 'index.html' file that uses a PAT token for authentication, and tries to execute any commands there. The owner of the repository is likely based in Azerbaijan. The extension is an overt threat and may be the result of an experiment to test Microsoft’s vetting process. Secure Annex labels susvsex an 'AI slop' with its malicious actions exposed in the README file, but notes that a few tweaks would make it far more dangerous. Microsoft ignored the report about the extension and did not remove it from the VS Code registry initially, but it was no longer available by the time the article was published.

Open in new tab