
AdaptixC2 threat-actor adoption for post-exploitation

Malware Activity
Happening score: 44
1 unique source, 1 article

Summary


The AdaptixC2 command-and-control (C2) framework is now being used by multiple threat actors, expanding its role in post-exploitation attacks and raising the risk that legitimate red-team tooling is being repurposed for crime. Groups tied to Fog and Akira ransomware activity are among the adopters, and an initial access broker has also used CountLoader with the framework. The observed abuse includes fake help desk support call scams through Microsoft Teams and an AI-generated PowerShell script.

Related Happenings

MuddyWater Microsoft Teams social-engineering campaign with Chaos ransomware decoy

Campaign
First: 06.05.2026 16:02 Last: 06.05.2026 16:02 Sources 1

About this happening: The **MuddyWater** campaign used **Microsoft Teams** social engineering and a **Chaos ransomware** decoy to gain access, steal credentials, and establish persistence. The operatio...

Akira group rapid double-extortion ransomware activity

Malware Activity
First: 02.04.2026 16:00 Last: 02.04.2026 16:00 Sources 1

About this happening: **Akira** ransomware activity now includes **AdaptixC2** abuse in active intrusions, alongside the group’s **under-one-hour** to **under-four-hours** attack cadence. A **Silent Pu...

SmarterMail initial-access ransomware campaign with delayed encryption

Campaign
First: 18.02.2026 18:27 Last: 18.02.2026 18:27 Sources 1

About this happening: A **SmarterMail** ransomware campaign is using newly disclosed email-server flaws for **initial access** and delaying encryption, raising the risk that exposed mail systems become...

DCRat delivered through PowerShell and MSBuild in PHALT#BLYX

Malware Activity
First: 06.01.2026 14:13 Last: 06.01.2026 14:13 Sources 1

About this happening: **SHADOW#REACTOR** is a **multi-stage Windows malware campaign** that uses **obfuscated VBS**, **PowerShell**, **wscript.exe**, **MSBuild.exe**, and in-memory loaders to stealthil...

Storm-0249 shifts from initial access brokering to stealth ransomware-enablement tactics

Threat Actor Meta
First: 09.12.2025 15:37 Last: 09.12.2025 15:37 Sources 1

About this happening: **Storm-0249** is moving from **initial access brokering** to **domain spoofing**, **DLL side-loading**, and **fileless PowerShell** to support **ransomware attacks**. The shift m...

Timeline

  1. 30.10.2025 18:40 2 articles · 6mo ago

    Initial report: AdaptixC2 threat-actor adoption for post-exploitation

    Initial Disclosure

    A public **August 2024** release established **AdaptixC2** as an open-source red-team framework. In recent months, it shifted into **malicious adoption** by groups tied to **Fog** and **Akira** and by an **initial access broker**.
