Adversaries using AdaptixC2 are likely establishing command and control communication through suspicious network traffic and file execution, indicating potential compromise of internal systems. SOC teams should proactively hunt for these IOCs in Azure Sentinel to identify and mitigate advanced persistent threats before they cause significant damage.
IOC Summary
Malware Family: AdaptixC2
Total IOCs: 4
IOC Types: ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 8[.]210[.]84[.]56:8000 | botnet_cc | 2026-06-15 | 75% |
| ip:port | 213[.]193[.]20[.]192:9281 | botnet_cc | 2026-06-15 | 75% |
| ip:port | 131[.]143[.]251[.]246:53921 | botnet_cc | 2026-06-15 | 75% |
| ip:port | 43[.]133[.]164[.]200:4321 | botnet_cc | 2026-06-14 | 75% |
```kql
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - AdaptixC2
// Note: the ThreatFox entries also carry a port; adding a DestinationPort check
// raises confidence but will miss a C2 server that has been moved to another port
let malicious_ips = dynamic(["131.143.251.246", "213.193.20.192", "8.210.84.56", "43.133.164.200"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```

```kql
// Hunt in Defender for Endpoint network events
let malicious_ips = dynamic(["131.143.251.246", "213.193.20.192", "8.210.84.56", "43.133.164.200"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```
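The KQL above matches on IP address only, while the ThreatFox indicators are ip:port pairs. The following Python script is an added example (not part of the original page or of ThreatFox's tooling): it refangs the defanged indicators from the IOC table, emits the `dynamic([...])` list used by the queries, and then matches constructed CommonSecurityLog-style records, tagging each hit as an exact ip:port match or an IP-only match so an analyst can triage the two differently. The record field names mirror the CommonSecurityLog columns used above; the sample records and the `refang`/`match_records` helpers are assumptions made for this example.

```python
"""Refang ThreatFox ip:port indicators and match them against log records."""
from __future__ import annotations

# Indicators copied from the page's IOC table, in their defanged form.
DEFANGED_IOCS = [
    "8[.]210[.]84[.]56:8000",
    "213[.]193[.]20[.]192:9281",
    "131[.]143[.]251[.]246:53921",
    "43[.]133[.]164[.]200:4321",
]

# Constructed sample records shaped like CommonSecurityLog rows (not real telemetry).
# 10.0.0.0/8 and 192.0.2.0/24 are private / documentation ranges.
SAMPLE_RECORDS = [
    {"TimeGenerated": "2026-06-15T10:01:00Z", "SourceIP": "10.0.0.5", "SourcePort": 51234,
     "DestinationIP": "8.210.84.56", "DestinationPort": 8000, "DeviceAction": "allow"},
    {"TimeGenerated": "2026-06-15T10:02:00Z", "SourceIP": "10.0.0.6", "SourcePort": 51235,
     "DestinationIP": "43.133.164.200", "DestinationPort": 443, "DeviceAction": "allow"},
    {"TimeGenerated": "2026-06-15T10:03:00Z", "SourceIP": "10.0.0.7", "SourcePort": 51236,
     "DestinationIP": "192.0.2.10", "DestinationPort": 443, "DeviceAction": "allow"},
    {"TimeGenerated": "2026-06-15T10:04:00Z", "SourceIP": "213.193.20.192", "SourcePort": 9281,
     "DestinationIP": "10.0.0.8", "DestinationPort": 445, "DeviceAction": "deny"},
]


def refang(ioc: str) -> str:
    """Turn a defanged indicator such as '8[.]210[.]84[.]56:8000' into '8.210.84.56:8000'."""
    return ioc.replace("[.]", ".").replace("hxxp", "http")


def parse_ioc(ioc: str) -> tuple[str, int]:
    """Split a (possibly defanged) ip:port indicator into (ip, port)."""
    ip, _, port = refang(ioc).rpartition(":")
    return ip, int(port)


def build_kql_list(iocs: list[str]) -> str:
    """Emit the KQL 'let' statement the page's hunting queries start with (IPs only, sorted)."""
    ips = sorted({parse_ioc(i)[0] for i in iocs})
    return "let malicious_ips = dynamic([" + ", ".join(f'"{ip}"' for ip in ips) + "]);"


def match_records(records: list[dict], iocs: list[str]) -> list[tuple]:
    """Return one tuple per hit: (TimeGenerated, field, ip, port, tag).

    tag is 'ip:port' when both the address and the port match an indicator
    (high confidence) and 'ip-only' when only the address matches, which
    still deserves a look because C2 listeners are often moved between ports.
    """
    ioc_pairs = {parse_ioc(i) for i in iocs}
    ioc_ips = {ip for ip, _ in ioc_pairs}
    hits = []
    for rec in records:
        # Check both directions, as the CommonSecurityLog query on the page does.
        for ip_field, port_field in (("DestinationIP", "DestinationPort"),
                                     ("SourceIP", "SourcePort")):
            ip, port = rec.get(ip_field), rec.get(port_field)
            if ip in ioc_ips:
                tag = "ip:port" if (ip, port) in ioc_pairs else "ip-only"
                hits.append((rec["TimeGenerated"], ip_field, ip, port, tag))
    return hits


if __name__ == "__main__":
    print(build_kql_list(DEFANGED_IOCS))
    for hit in match_records(SAMPLE_RECORDS, DEFANGED_IOCS):
        print(hit)
```

Running the script prints the `let` line ready to paste into either Sentinel query, followed by three hits: two exact ip:port matches and one IP-only match on 43.133.164.200 over port 443, which is the case the page's IP-only queries would surface without distinguishing it from the higher-confidence exact matches.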
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |
False Positive Scenarios

| Scenario | Filter/Exclusion |
|---|---|
| Legitimate scheduled job running hunts.exe for threat intelligence updates | `process.name != "hunts.exe" or process.parent.name == "task scheduler"` |
| System administrator using the hunts.exe tool to query ThreatFox for known malicious indicators | `process.user == "admin_user" or process.command_line contains "query"` |
| Regular use of the hunts.exe tool by the security team for IOC validation during incident response | `process.user contains "security_team" or process.command_line contains "validate"` |
| Legitimate system update that includes the hunts.exe tool as part of a security patch | `process.parent.name == "setup.exe" or process.command_line contains "install"` |
| Use of hunts.exe by a third-party security tool for automated IOC checking | `process.parent.name == "third_party_security_tool.exe" or process.command_line contains "check_iocs"` |