Adversaries are using AdaptixC2 C2 infrastructure to exfiltrate data and maintain persistent access within the network. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate potential compromise early.
IOC Summary
Malware Family: AdaptixC2 Total IOCs: 11 IOC Types: ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 39[.]96[.]188[.]57:4321 | botnet_cc | 2026-06-12 | 75% |
| ip:port | 149[.]104[.]28[.]77:4321 | botnet_cc | 2026-06-12 | 75% |
| ip:port | 45[.]137[.]99[.]3:8080 | botnet_cc | 2026-06-12 | 100% |
| ip:port | 45[.]137[.]99[.]3:443 | botnet_cc | 2026-06-12 | 100% |
| ip:port | 45[.]137[.]99[.]3:80 | botnet_cc | 2026-06-12 | 100% |
| ip:port | 78[.]141[.]208[.]70:46337 | botnet_cc | 2026-06-12 | 75% |
| ip:port | 45[.]32[.]120[.]188:4321 | botnet_cc | 2026-06-12 | 75% |
| ip:port | 45[.]137[.]99[.]3:8989 | botnet_cc | 2026-06-12 | 75% |
| ip:port | 2[.]26[.]21[.]17:4323 | botnet_cc | 2026-06-12 | 75% |
| ip:port | 114[.]132[.]238[.]70:4321 | botnet_cc | 2026-06-12 | 75% |
| ip:port | 110[.]42[.]34[.]220:4321 | botnet_cc | 2026-06-12 | 75% |
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - AdaptixC2
let malicious_ips = dynamic(["39.96.188.57", "45.32.120.188", "78.141.208.70", "149.104.28.77", "45.137.99.3", "110.42.34.220", "2.26.21.17", "114.132.238.70"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc// Hunt in Defender for Endpoint network events
let malicious_ips = dynamic(["39.96.188.57", "45.32.120.188", "78.141.208.70", "149.104.28.77", "45.137.99.3", "110.42.34.220", "2.26.21.17", "114.132.238.70"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc| Sentinel Table | Notes |
|---|---|
CommonSecurityLog | Ensure this data connector is enabled |
DeviceNetworkEvents | Ensure this data connector is enabled |
Scenario: Legitimate scheduled job running hunting.exe as part of a security tool’s IOC collection process
Filter/Exclusion: process.name != "hunting.exe" or check for process.parent.name == "security_tool.exe"
Scenario: System administrator using adaptix.exe as a custom script interpreter for internal automation tasks
Filter/Exclusion: process.name != "adaptix.exe" or check for process.parent.name == "powershell.exe" and process.args contains "internal-script"
Scenario: Regular use of adaptix_c2.exe by a legitimate internal tool for communication with a trusted internal C2 server
Filter/Exclusion: process.name != "adaptix_c2.exe" or check for destination.ip in trusted_internal_servers
Scenario: Use of adaptix_utils.exe by a system management tool for inventory and patching operations
Filter/Exclusion: process.name != "adaptix_utils.exe" or check for process.parent.name == "system_management_tool.exe"
Scenario: Legitimate use of adaptix_scheduler.exe for running periodic compliance checks and audit tasks
Filter/Exclusion: process.name != "adaptix_scheduler.exe" or check for process.args contains "compliance-check" and process.parent.name == "task_scheduler.exe"