Adversaries operating AdaptixC2 use the infrastructure listed below for command and control, so connections to it from internal systems indicate potential compromise. SOC teams should proactively hunt for these IOCs in Azure Sentinel to identify and mitigate advanced persistent threats before they escalate.
IOC Summary

Malware Family: AdaptixC2
Total IOCs: 2
IOC Types: ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 62[.]192[.]173[.]249:9000 | botnet_cc | 2026-06-03 | 50% |
| ip:port | 64[.]227[.]4[.]176:4321 | botnet_cc | 2026-06-03 | 50% |
```kusto
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - AdaptixC2
let malicious_ips = dynamic(["62.192.173.249", "64.227.4.176"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```

```kusto
// Hunt in Defender for Endpoint network events
let malicious_ips = dynamic(["62.192.173.249", "64.227.4.176"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |
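The IOCs above are published defanged and as ip:port pairs, while the hunting queries match on IP alone and drop the port. The following added helper (not part of the original page or of ThreatFox tooling) refangs and validates the pairs, emits the IP-only `dynamic()` list used above, and generates a `DeviceNetworkEvents` query that also flags exact ip:port hits; the sample IOC strings are the two from the table.

```python
import ipaddress
import re
from typing import List, Tuple

# Constructed sample: the two ThreatFox AdaptixC2 IOCs from the table above, defanged.
DEFANGED_IOCS = [
    "62[.]192[.]173[.]249:9000",
    "64[.]227[.]4[.]176:4321",
]

# Defanging styles commonly seen in threat feeds: 1[.]2[.]3[.]4, 1(.)2(.)3(.)4, 1[dot]2[dot]...
_DEFANG = re.compile(r"\[\.\]|\(\.\)|\[dot\]", re.IGNORECASE)


def refang(ioc: str) -> Tuple[str, int]:
    """Convert a defanged IPv4 'ip:port' IOC into a validated (ip, port) pair.

    Raises ValueError for anything that is not a real address with a port in
    1..65535, so a malformed feed entry cannot silently end up in a hunt query.
    """
    ip_part, sep, port_part = ioc.strip().rpartition(":")
    if not sep:
        raise ValueError(f"IOC has no port: {ioc!r}")
    ip = ipaddress.ip_address(_DEFANG.sub(".", ip_part))  # ValueError on garbage
    port = int(port_part)
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {ioc!r}")
    return str(ip), port


def ip_only_dynamic(iocs: List[str]) -> str:
    """KQL dynamic() literal of bare IPs, the broad form used by the queries above."""
    ips = dict.fromkeys(refang(i)[0] for i in iocs)  # dedupe, keep feed order
    return "dynamic([" + ", ".join(f'"{ip}"' for ip in ips) + "])"


def build_kql(iocs: List[str]) -> str:
    """KQL hunt over DeviceNetworkEvents that keeps the port from each IOC.

    Rows matching on IP alone still surface (the C2 may move ports); PortMatch
    marks connections that hit the exact ip:port pair published in the feed.
    """
    rows = ",\n".join(f'    "{ip}", {port}' for ip, port in map(refang, iocs))
    return (
        "let c2 = datatable(RemoteIP:string, RemotePort:int) [\n"
        f"{rows}\n"
        "];\n"
        "DeviceNetworkEvents\n"
        "| where RemoteIP in ((c2 | project RemoteIP))\n"
        "| join kind=leftouter c2 on RemoteIP, RemotePort\n"
        "| extend PortMatch = isnotnull(RemotePort1)\n"
        "| project Timestamp, DeviceName, RemoteIP, RemotePort, PortMatch,\n"
        "          InitiatingProcessFileName, ActionType\n"
        "| order by Timestamp desc"
    )
```

Run `print(build_kql(DEFANGED_IOCS))` to get a query you can paste into Sentinel or Advanced Hunting; rows with `PortMatch == false` are IP-only hits that deserve a second look rather than automatic dismissal.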
Scenario: Legitimate scheduled job using hunting tool
Description: A system administrator schedules a daily job using the hunting tool to gather system metrics, which coincidentally matches the IOC pattern.
Filter/Exclusion: Exclude processes initiated by the hunting tool or any process with a command line containing /opt/hunting/ or --scheduled.
Scenario: Admin task using adaptix CLI for configuration backup
Description: A system admin uses the adaptix CLI tool to perform a routine configuration backup, which includes the IOC string in its output.
Filter/Exclusion: Exclude processes where the command line contains --backup or --config and that are executed by a user with admin privileges.
Scenario: Legitimate use of adaptix in a security toolchain
Description: A security toolchain (e.g., Splunk, ELK) uses the adaptix tool for data ingestion, and the IOC is part of the tool’s metadata.
Filter/Exclusion: Exclude processes where the parent process is a known SIEM or log aggregation tool (e.g., splunkd, logstash) or where the command line includes --ingest.
Scenario: False positive from a third-party software update
Description: A third-party application (e.g., adaptix-updater) includes a string matching the IOC during a software update, causing a false positive.
Filter/Exclusion: Exclude processes with the command line containing --update or --patch and associated with known software vendors.
Scenario: Legitimate use of adaptix in a DevOps pipeline
Description: A CI/CD pipeline uses the adaptix tool for infrastructure provisioning, and the IOC appears in the tool's output or logs.