Russian Hackers Exploit Adaptix Pentesting Tool in Ransomware Attacks
Silent Push warns of Russian hackers exploiting Adaptix, a pentesting tool built for Windows, Linux, and macOS, in ransomware campaigns.
Silent Push researchers have identified Russian-linked ransomware groups abusing Adaptix, a legitimate penetration testing tool now used to deliver malware targeting infrastructure worldwide.
The investigation began when Silent Push researchers were tracking a new malware loader called CountLoader. During that work, they noticed Adaptix being deployed to drop malicious payloads, leading the team to dig deeper. Once detection methods were updated, new activity started appearing across multiple campaigns, suggesting that cybercriminals had already adopted Adaptix as part of their toolkit.
It is worth noting that last month, researchers identified the CountLoader malware after it was spotted twice in campaigns posing as emails from the Ukrainian police. In the first case, Silent Push analysts observed attackers using a fake PDF notice to trick recipients into downloading and running CountLoader.
The second incident, reported by FortiGuard Labs, involved similar fake police notices that delivered additional malware, including Amatera Stealer, which targets data, and PureMiner, a cryptojacker that infects Windows systems.
**Linux, Windows, and macOS**
Further analysis by Silent Push points to a figure known online as “RalfHacker,” believed to be the developer behind Adaptix. According to the company’s report, this individual runs a Russian-language Telegram channel used to promote and sell the tool, connecting it directly to Russian cybercrime networks.
Although AdaptixC2 was originally built as a post-exploitation and adversary emulation framework for penetration testers, its features make it powerful, which also makes it appealing to attackers. The server side is written in Golang, while the graphical client is built in C++ with a Qt interface, allowing it to run smoothly on Linux, Windows, and macOS.
In legitimate security testing, this cross-platform support is quite valuable, but in the wrong hands, it means the same tool can be used to target almost any device. Silent Push’s findings suggest that this flexibility has made Adaptix an easy choice for threat actors looking to deliver or control malware across different systems.
AdaptixC2 Framework interface
While Adaptix itself remains an open source resource often used for legitimate penetration testing, its misuse by threat actors highlights how freely available tools can be repurposed for malicious gain.
Silent Push’s research shows how quickly cybercriminals can turn legitimate security tools to malicious purposes. After Cobalt Strike, Adaptix has become the new favourite among hackers for spreading malware and running ransomware operations.
The research also points out the importance of monitoring open source utilities. Silent Push’s full analysis, including indicators of compromise and technical insights, is available on their official blog.