Adversaries are using AdaptixC2 C2 infrastructure to exfiltrate data and maintain persistent access within the network. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate advanced persistent threats before they cause significant damage.
IOC Summary
Malware Family: AdaptixC2 Total IOCs: 13 IOC Types: ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 91[.]132[.]161[.]21:4321 | botnet_cc | 2026-06-16 | 75% |
| ip:port | 45[.]198[.]224[.]214:4321 | botnet_cc | 2026-06-16 | 75% |
| ip:port | 45[.]198[.]224[.]215:4321 | botnet_cc | 2026-06-16 | 75% |
| ip:port | 2[.]26[.]229[.]254:4321 | botnet_cc | 2026-06-16 | 75% |
| ip:port | 172[.]234[.]16[.]151:4321 | botnet_cc | 2026-06-16 | 75% |
| ip:port | 118[.]107[.]5[.]209:4321 | botnet_cc | 2026-06-16 | 75% |
| ip:port | 118[.]107[.]5[.]209:8080 | botnet_cc | 2026-06-16 | 100% |
| ip:port | 118[.]107[.]5[.]209:80 | botnet_cc | 2026-06-16 | 100% |
| ip:port | 131[.]143[.]251[.]246:80 | botnet_cc | 2026-06-16 | 100% |
| ip:port | 131[.]143[.]251[.]246:8080 | botnet_cc | 2026-06-16 | 100% |
| ip:port | 118[.]107[.]5[.]209:443 | botnet_cc | 2026-06-16 | 100% |
| ip:port | 131[.]143[.]251[.]246:443 | botnet_cc | 2026-06-16 | 100% |
| ip:port | 154[.]44[.]20[.]174:4321 | botnet_cc | 2026-06-15 | 75% |
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - AdaptixC2
let malicious_ips = dynamic(["91.132.161.21", "131.143.251.246", "154.44.20.174", "45.198.224.215", "2.26.229.254", "118.107.5.209", "45.198.224.214", "172.234.16.151"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc// Hunt in Defender for Endpoint network events
let malicious_ips = dynamic(["91.132.161.21", "131.143.251.246", "154.44.20.174", "45.198.224.215", "2.26.229.254", "118.107.5.209", "45.198.224.214", "172.234.16.151"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc| Sentinel Table | Notes |
|---|---|
CommonSecurityLog | Ensure this data connector is enabled |
DeviceNetworkEvents | Ensure this data connector is enabled |
Scenario: Legitimate scheduled job using crontab to run a system cleanup tool like logrotate
Filter/Exclusion: Exclude processes where the command line includes logrotate or cron and the user is a system admin (e.g., root or systemd)
Scenario: Admin using ps or top to monitor system processes for performance tuning
Filter/Exclusion: Exclude processes where the command line includes ps, top, or htop and the user is a known admin (e.g., root, admin, or sudo)
Scenario: Use of tcpdump or Wireshark for network monitoring and packet analysis
Filter/Exclusion: Exclude processes where the command line includes tcpdump, Wireshark, or tshark and the user is part of the network monitoring team (e.g., network_ops or netadmin)
Scenario: Running a legitimate security tool like ClamAV or Sophos for malware scanning
Filter/Exclusion: Exclude processes where the command line includes clamscan, sophos-antivirus, or similar tool names and the user is part of the security team (e.g., security_ops or securityadmin)
Scenario: System update or patching task using yum, apt, or dnf
Filter/Exclusion: Exclude processes where the command line includes yum, apt, dnf, or apt-get and the user is a system administrator (e.g., root, sysadmin, or sudo)