Adversaries are using AdaptixC2 command-and-control infrastructure to maintain persistent control over compromised systems. SOC teams should proactively hunt for connections to the known malicious IOCs listed below in Azure Sentinel, so that advanced persistent threats using this infrastructure can be detected and mitigated.
IOC Summary
Malware Family: AdaptixC2
Total IOCs: 12
IOC Types: ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 206[.]81[.]21[.]156:4321 | botnet_cc | 2026-06-11 | 75% |
| ip:port | 45[.]38[.]20[.]122:8080 | botnet_cc | 2026-06-11 | 100% |
| ip:port | 45[.]38[.]20[.]122:80 | botnet_cc | 2026-06-11 | 100% |
| ip:port | 45[.]38[.]20[.]122:443 | botnet_cc | 2026-06-11 | 100% |
| ip:port | 98[.]91[.]254[.]110:443 | botnet_cc | 2026-06-10 | 100% |
| ip:port | 98[.]91[.]254[.]110:8080 | botnet_cc | 2026-06-10 | 100% |
| ip:port | 98[.]91[.]254[.]110:80 | botnet_cc | 2026-06-10 | 100% |
| ip:port | 45[.]157[.]116[.]119:29476 | botnet_cc | 2026-06-10 | 75% |
| ip:port | 45[.]38[.]41[.]27:4321 | botnet_cc | 2026-06-10 | 75% |
| ip:port | 45[.]140[.]14[.]29:1488 | botnet_cc | 2026-06-10 | 75% |
| ip:port | 193[.]135[.]137[.]240:4321 | botnet_cc | 2026-06-10 | 75% |
| ip:port | 153[.]75[.]249[.]13:4321 | botnet_cc | 2026-06-10 | 75% |
```kusto
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - AdaptixC2
let malicious_ips = dynamic(["45.38.41.27", "45.157.116.119", "98.91.254.110", "45.38.20.122", "153.75.249.13", "193.135.137.240", "45.140.14.29", "206.81.21.156"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```

```kusto
// Hunt in Defender for Endpoint network events
let malicious_ips = dynamic(["45.38.41.27", "45.157.116.119", "98.91.254.110", "45.38.20.122", "153.75.249.13", "193.135.137.240", "45.140.14.29", "206.81.21.156"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```
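The two queries above match on IP alone, while the IOC list is keyed by ip:port. The following added example (not part of the original page) parses the defanged table rows into (ip, port) pairs, emits a KQL datatable that can be joined on both RemoteIP and RemotePort, and runs both the IP-only and the ip:port match over a few constructed DeviceNetworkEvents-style rows; the table subset, host names and timestamps are constructed for illustration.

```python
import re
# Constructed sample in the page's table format (defanged ip:port rows, a subset of the list above)
IOC_TABLE = """
| ip:port | 206[.]81[.]21[.]156:4321 | botnet_cc | 2026-06-11 | 75% |
| ip:port | 45[.]38[.]20[.]122:443 | botnet_cc | 2026-06-11 | 100% |
| ip:port | 98[.]91[.]254[.]110:8080 | botnet_cc | 2026-06-10 | 100% |
"""
# A table row: the type column, then the defanged IP and the port
IOC_ROW = re.compile(r"^\|\s*ip:port\s*\|\s*(?P<ip>[0-9\[\].]+):(?P<port>\d+)\s*\|")

def refang(value: str) -> str:
    """Turn the defanged '45[.]38[.]20[.]122' form back into a dotted quad."""
    return value.replace("[.]", ".")

def parse_iocs(table: str) -> set:
    """Return the (ip, port) pairs found in the markdown IOC table."""
    iocs = set()
    for line in table.splitlines():
        m = IOC_ROW.match(line.strip())
        if m:
            iocs.add((refang(m.group("ip")), int(m.group("port"))))
    return iocs

def to_kql_datatable(iocs: set) -> str:
    """Emit a KQL datatable to join on RemoteIP and RemotePort in DeviceNetworkEvents."""
    rows = ",\n".join(f'    "{ip}", {port}' for ip, port in sorted(iocs))
    return f"let adaptix_c2 = datatable(RemoteIP:string, RemotePort:int) [\n{rows}\n];"

# Constructed DeviceNetworkEvents-style rows (hypothetical hosts and times, not real telemetry)
SAMPLE_EVENTS = [
    {"Timestamp": "2026-06-11T09:14:02Z", "DeviceName": "ws-finance-07",
     "RemoteIP": "206.81.21.156", "RemotePort": 4321, "InitiatingProcessFileName": "svchost.exe"},
    {"Timestamp": "2026-06-11T09:15:30Z", "DeviceName": "ws-finance-07",
     "RemoteIP": "45.38.20.122", "RemotePort": 22, "InitiatingProcessFileName": "ssh.exe"},
    {"Timestamp": "2026-06-11T09:16:11Z", "DeviceName": "srv-web-02",
     "RemoteIP": "10.0.0.5", "RemotePort": 443, "InitiatingProcessFileName": "chrome.exe"},
]

def match_events(events: list, iocs: set, require_port: bool = True) -> list:
    """Return events that hit an IOC; require_port=False is the IP-only match the queries above use."""
    ips = {ip for ip, _ in iocs}
    hits = []
    for e in events:
        if require_port and (e["RemoteIP"], e["RemotePort"]) in iocs:
            hits.append(e)
        elif not require_port and e["RemoteIP"] in ips:
            hits.append(e)
    return hits

if __name__ == "__main__":
    iocs = parse_iocs(IOC_TABLE)
    print(to_kql_datatable(iocs), match_events(SAMPLE_EVENTS, iocs), sep="\n")
```

The emitted datatable is meant for `DeviceNetworkEvents | join kind=inner adaptix_c2 on RemoteIP, RemotePort`; the IP-only variant still flags the second sample row, which the ip:port match drops.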
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |
False Positive Scenarios
Scenario: Legitimate use of the hunting tool for threat intelligence analysis
Filter/Exclusion: Exclude processes where the parent process is threatfox.exe or python.exe running from a known threat intelligence analysis directory.
Scenario: Scheduled job for log rotation or system cleanup that invokes the hunting command
Filter/Exclusion: Exclude processes whose command lines contain logrotate, clean, or rotate and that originate from a system service account.
Scenario: Admin task that queries a threat intelligence database using the hunting tool
Filter/Exclusion: Exclude processes initiated by a known admin user (e.g., admin, root, or domainadmin) where the command line includes query, lookup, or search.
Scenario: Use of the hunting tool to analyze network traffic for security monitoring
Filter/Exclusion: Exclude processes where the command line includes network, traffic, or sniff and the parent process is a known monitoring tool such as Wireshark or tcpdump.
Scenario: Automated IOC validation using a security tool such as Mandiant or CrowdStrike
Filter/Exclusion: Exclude processes where the command line includes validate, check, or verify and the parent process is a known security tool or SIEM system.