Adversaries are using AdaptixC2 command and control infrastructure to exfiltrate data and maintain persistent access within the network. SOC teams should proactively hunt for these IOCs in Azure Sentinel to identify and mitigate potential compromise from advanced persistent threats.
IOC Summary
Malware Family: AdaptixC2 Total IOCs: 13 IOC Types: ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 91[.]230[.]94[.]235:4321 | botnet_cc | 2026-05-28 | 75% |
| ip:port | 91[.]215[.]85[.]212:45423 | botnet_cc | 2026-05-28 | 75% |
| ip:port | 85[.]209[.]90[.]132:4321 | botnet_cc | 2026-05-28 | 75% |
| ip:port | 83[.]171[.]227[.]230:4321 | botnet_cc | 2026-05-28 | 75% |
| ip:port | 81[.]71[.]20[.]107:8989 | botnet_cc | 2026-05-28 | 75% |
| ip:port | 206[.]119[.]171[.]212:4333 | botnet_cc | 2026-05-28 | 75% |
| ip:port | 202[.]95[.]8[.]97:4321 | botnet_cc | 2026-05-28 | 75% |
| ip:port | 202[.]95[.]8[.]98:4321 | botnet_cc | 2026-05-28 | 75% |
| ip:port | 165[.]154[.]205[.]4:53341 | botnet_cc | 2026-05-28 | 75% |
| ip:port | 146[.]103[.]106[.]59:4321 | botnet_cc | 2026-05-28 | 75% |
| ip:port | 91[.]200[.]84[.]198:8515 | botnet_cc | 2026-05-27 | 75% |
| ip:port | 45[.]32[.]236[.]190:2096 | botnet_cc | 2026-05-27 | 75% |
| ip:port | 104[.]225[.]149[.]151:54321 | botnet_cc | 2026-05-27 | 75% |
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - AdaptixC2
let malicious_ips = dynamic(["202.95.8.98", "81.71.20.107", "104.225.149.151", "83.171.227.230", "146.103.106.59", "165.154.205.4", "91.215.85.212", "91.230.94.235", "206.119.171.212", "85.209.90.132", "202.95.8.97", "91.200.84.198", "45.32.236.190"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc// Hunt in Defender for Endpoint network events
let malicious_ips = dynamic(["202.95.8.98", "81.71.20.107", "104.225.149.151", "83.171.227.230", "146.103.106.59", "165.154.205.4", "91.215.85.212", "91.230.94.235", "206.119.171.212", "85.209.90.132", "202.95.8.97", "91.200.84.198", "45.32.236.190"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc| Sentinel Table | Notes |
|---|---|
CommonSecurityLog | Ensure this data connector is enabled |
DeviceNetworkEvents | Ensure this data connector is enabled |
Scenario: Legitimate scheduled job using crontab to run system maintenance tasks
Filter/Exclusion: Check for presence of crontab entries in /etc/crontab or user-specific crontab files, and ensure the command matches known maintenance scripts (e.g., logrotate, systemd-tmpfiles-setup).
Scenario: Admin using ps or top to monitor running processes for troubleshooting
Filter/Exclusion: Filter out processes that are known administrative tools (ps, top, htop) or system monitoring utilities, and check for presence of ps in /bin/ or /usr/bin/.
Scenario: Use of wget or curl for legitimate software updates or configuration pulls
Filter/Exclusion: Exclude commands that use wget or curl with URLs pointing to known internal repositories or trusted external sources (e.g., https://repo.example.com/update.sh).
Scenario: System log rotation using logrotate with rsyslog or syslog-ng
Filter/Exclusion: Filter out logrotate configurations in /etc/logrotate.d/ and check for presence of logrotate in /usr/sbin/ or /usr/bin/.
Scenario: Use of tar or gzip for archiving logs or backups
Filter/Exclusion: Exclude commands involving tar or gzip that are part of standard backup procedures (e.g., /bin/tar -czf /backup/log_backup.tar.gz /var/log/).