Silent Push publishes AdaptixC2 abuse findings and CountLoader-linked detection indicators
Technical Analysis
Summary
New detection-focused findings on AdaptixC2 abuse now give defenders better visibility into active ransomware operations and related command-and-control activity. The analysis ties malicious deployments to CountLoader and provides concrete signals for hunting suspicious cross-platform tooling. The result is stronger detection coverage for a legitimate red-team framework that is being repurposed at scale.
Related Happenings
Akira group rapid double-extortion ransomware activity
Malware Activity
First: 02.04.2026 16:00
Last: 02.04.2026 16:00
Sources 1
How related:
A DFIR investigation found an Akira affiliate using the tool.
About this happening:
**Akira** ransomware activity now includes **AdaptixC2** abuse in active intrusions, alongside the group’s **under-one-hour** to **under-four-hours** attack cadence. A **Silent Pu...
AdaptixC2 threat-actor adoption for post-exploitation
Malware Activity
First: 30.10.2025 18:40
Last: 30.10.2025 18:40
Sources 1
About this happening:
The **AdaptixC2** C2 framework is now being used by **multiple threat actors**, expanding its role in **post-exploitation attacks** and raising the risk that legitimate red-team t...
CountLoader malware loader used by Russian ransomware gangs for payload delivery
Malware Activity
First: 18.09.2025 15:56
Last: 18.09.2025 15:56
Sources 1
How related:
Analysts observed the tool being delivered by CountLoader, indicating coordinated use by criminal actors.
About this happening:
**CountLoader** is being used in **active ransomware operations** to deliver **AdaptixC2** worldwide, with analysts linking the loader to the malware’s deployment and a **DFIR** c...
Latest development: 19.12.2025 17:34
A new CountLoader campaign abuses cracked software distribution sites and MediaFire ZIP archives to deliver CountLoader 3.2, using Setup.exe, mshta.exe, scheduled-task persistence, removable USB spread, and in-memory execution to install ACR Stealer on infected Windows hosts.
Timeline
- 30.10.2025 18:00 (2 articles)
Silent Push releases AdaptixC2 abuse findings and detection indicators
Technical Analysis Update
Silent Push releases detection guidance on AdaptixC2 abuse in active ransomware operations worldwide, linking recent deployments to CountLoader and describing a DFIR case involving an Akira affiliate. The advisory highlights watch items for defenders, including network traffic to AdaptixC2 server infrastructure, CountLoader activity that may precede AdaptixC2 deployment, unusual Golang-based command-and-control communications, and unknown C++ Qt applications running on Windows, macOS, or Linux.
Sources:
- Threat Actors Utilize AdaptixC2 for Malicious Payload Delivery — www.infosecurity-magazine.com — 30.10.2025 18:00