Adversaries operating AdaptixC2 are likely establishing command-and-control (C2) communication with the IP:port pairs listed in the IOCs below. SOC teams should proactively hunt for connections to these indicators in Azure Sentinel to identify and contain potential compromise by advanced persistent threats leveraging AdaptixC2.
IOC Summary
Malware Family: AdaptixC2
Total IOCs: 4
IOC Types: ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 47[.]83[.]254[.]175:4321 | botnet_cc | 2026-06-20 | 75% |
| ip:port | 45[.]32[.]64[.]12:4321 | botnet_cc | 2026-06-20 | 75% |
| ip:port | 36[.]50[.]85[.]69:1235 | botnet_cc | 2026-06-20 | 75% |
| ip:port | 97[.]74[.]92[.]237:63334 | botnet_cc | 2026-06-19 | 75% |
```kql
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - AdaptixC2
// Note: this query matches on IP address only; the ports listed in the IOC table are not checked.
let malicious_ips = dynamic(["45.32.64.12", "36.50.85.69", "97.74.92.237", "47.83.254.175"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```
```kql
// Hunt in Defender for Endpoint network events
// Run as a separate query: `let` bindings do not carry over between queries.
let malicious_ips = dynamic(["45.32.64.12", "36.50.85.69", "97.74.92.237", "47.83.254.175"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```
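The two hunts above match on IP address alone, so traffic to an unrelated service on the same host would also surface. The following query is an added example, not one of the page's own hunts: it keeps the full ip:port pair from the IOC table, normalises CommonSecurityLog and DeviceNetworkEvents to one schema, and summarises hits per host. The 30-day lookback and the column aliases (`Host`, `Process`, `Source`) are assumptions made for this example.

```kql
// Added example (not one of the page's own queries): hunt for the exact
// ip:port pairs from the IOC table, across both the firewall/proxy
// (CommonSecurityLog) and endpoint (DeviceNetworkEvents) sources.
// Matching the port as well as the address reduces false positives from
// unrelated traffic to the same hosts. The 30-day window is an assumption.
let adaptix_c2 = datatable(RemoteIP: string, RemotePort: int)
[
    "47.83.254.175", 4321,
    "45.32.64.12",   4321,
    "36.50.85.69",   1235,
    "97.74.92.237",  63334
];
let lookback = 30d;
// Normalise both sources to a common schema before joining.
let cef = CommonSecurityLog
    | where TimeGenerated > ago(lookback)
    | project Timestamp = TimeGenerated, Host = Computer,
              RemoteIP = DestinationIP, RemotePort = DestinationPort,
              Process = "", Source = "CommonSecurityLog";
let mde = DeviceNetworkEvents
    | where Timestamp > ago(lookback)
    | project Timestamp, Host = DeviceName, RemoteIP, RemotePort,
              Process = InitiatingProcessFileName, Source = "DeviceNetworkEvents";
union cef, mde
| where RemoteIP in (adaptix_c2 | project RemoteIP)   // cheap prefilter before the join
| join kind=inner adaptix_c2 on RemoteIP, RemotePort  // enforce the full ip:port pair
| summarize FirstSeen = min(Timestamp), LastSeen = max(Timestamp),
            Connections = count(), Processes = make_set(Process)
          by Host, RemoteIP, RemotePort, Source
| order by LastSeen desc
```

Each returned row is one host talking to one listed C2 endpoint; the `Processes` set from the endpoint source identifies what initiated the connection, which is the first thing to triage. Because the ports are enforced, a hit to one of these addresses on a different port is deliberately excluded here and would still need the broader IP-only hunts above to surface.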
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |
Scenario: Scheduled System Maintenance Job
Description: A legitimate scheduled job runs a script that matches the IOCs due to using a tool like psutil or subprocess for system monitoring.
Filter/Exclusion: Exclude processes associated with schtasks.exe or Task Scheduler and filter by command-line arguments containing --monitor or --system-check.
Scenario: Admin Task Using PowerShell for Log Analysis
Description: An admin uses PowerShell to analyze logs, and the script includes commands that resemble C2 activity (e.g., Invoke-WebRequest to fetch logs from a central server).
Filter/Exclusion: Exclude processes with powershell.exe and command-line arguments containing -File or -Command that reference known admin scripts or log analysis tools.
Scenario: Legitimate Use of curl or wget for Software Updates
Description: A system uses curl or wget to fetch updates from a trusted internal repository, which may contain strings matching the IOC pattern.
Filter/Exclusion: Exclude traffic to internal update servers (e.g., internal-update.example.com) and filter by HTTP status codes (e.g., 200 OK) or user-agent strings.
Scenario: Database Backup Job Using mysqldump or pg_dump
Description: A scheduled backup job uses mysqldump or pg_dump to export data, which may have command-line arguments that resemble C2 IOCs.
Filter/Exclusion: Exclude processes with mysqldump.exe or pg_dump and filter by command-line arguments containing --backup or --export.
Scenario: Use of netsh for Network Configuration
Description: An admin uses netsh to configure network settings,