An open source tool built for ethical hacking, AdaptixC2, is being hijacked by Russian ransomware groups.
The open source command-and-control (C2) framework AdaptixC2 has become the latest ethical hacking tool to be weaponised by cybercriminals, with researchers confirming its use by Russian ransomware gangs and other threat actors.
Originally designed for red teaming and penetration testing, AdaptixC2 is now being used in post-exploitation activity and adversarial attacks, raising concerns over the growing misuse of open source security frameworks.
Developed by GitHub user “RalfHacker” (@HackerRalf on X) and released publicly in August 2024, AdaptixC2 features a Golang-based server and a C++ Qt graphical client for cross-platform compatibility. The tool includes encrypted communications, remote terminal control, credential and screenshot managers, and an extensible modular structure intended for security research.
Palo Alto Networks Unit 42 describes AdaptixC2 as “a modular and versatile framework that can be used to comprehensively control impacted machines,” and notes that it has already appeared in fake help desk scams via Microsoft Teams and AI-generated PowerShell-based attacks.
Investigations by Silent Push linked RalfHacker to several GitHub accounts and a Telegram channel, RalfHackerChannel, with over 28,000 subscribers, used to promote the tool. A post from August 2024 revealed the developer’s ambition to create a “public C2, which is very trendy right now… like Empire.”
Silent Push further warned that “ties to Russia’s criminal underground… all raise significant red flags.” While RalfHacker’s direct role in malicious activity remains unproven, the incident underscores the duality of open source innovation—its potential for progress matched equally by the risk of criminal repurposing.