Adversaries operating the AdaptixC2 framework are likely establishing command-and-control communication with the IP:port pairs listed below. SOC teams should proactively hunt for connections to these endpoints in Azure Sentinel to detect and contain potential compromise of critical systems.
IOC Summary

Malware Family: AdaptixC2
Total IOCs: 7
IOC Types: ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 89[.]125[.]255[.]5:4321 | botnet_cc | 2026-06-07 | 75% |
| ip:port | 80[.]66[.]72[.]174:8080 | botnet_cc | 2026-06-07 | 75% |
| ip:port | 45[.]13[.]212[.]232:4321 | botnet_cc | 2026-06-07 | 75% |
| ip:port | 209[.]99[.]188[.]193:4323 | botnet_cc | 2026-06-07 | 75% |
| ip:port | 154[.]94[.]232[.]165:4321 | botnet_cc | 2026-06-07 | 75% |
| ip:port | 91[.]221[.]191[.]167:4323 | botnet_cc | 2026-06-06 | 75% |
| ip:port | 156[.]225[.]22[.]201:1337 | botnet_cc | 2026-06-06 | 75% |
```kusto
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - AdaptixC2
// Note: the IOCs are ip:port pairs; this query matches on IP only, so review DestinationPort in the results
let malicious_ips = dynamic(["45.13.212.232", "91.221.191.167", "154.94.232.165", "209.99.188.193", "89.125.255.5", "80.66.72.174", "156.225.22.201"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```

```kusto
// Hunt in Defender for Endpoint network events
// Note: as above, matching is on RemoteIP only; RemotePort is projected so the ip:port pairing can be checked
let malicious_ips = dynamic(["45.13.212.232", "91.221.191.167", "154.94.232.165", "209.99.188.193", "89.125.255.5", "80.66.72.174", "156.225.22.201"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |
Scenario: Legitimate scheduled job using hunting tool
Description: A system administrator schedules a daily job using the hunting tool to analyze network traffic for security purposes.
Filter/Exclusion: Exclude processes where the command line includes --schedule or --cron and the user is a system admin (e.g., sudo or root).

Scenario: Admin task using adaptix for log analysis
Description: A security analyst uses the adaptix tool to parse and analyze system logs for anomalies.
Filter/Exclusion: Exclude processes where the user is a security admin and the command line includes --log-analysis or --parse-logs.

Scenario: Legitimate use of adaptix for threat intelligence enrichment
Description: A SOC team uses the adaptix tool to enrich IOC data with threat intelligence from internal databases.
Filter/Exclusion: Exclude processes where the command line includes --enrich or --ti and the user is part of the threat intel team.

Scenario: Automated system health check using hunting
Description: A system health check script runs hunting to scan for misconfigurations or outdated software.
Filter/Exclusion: Exclude processes where the command line includes --health-check or --audit and the user is a system admin.

Scenario: Legitimate use of adaptix for IOC normalization
Description: A SOC analyst uses adaptix to normalize and standardize IOC data from multiple sources.
Filter/Exclusion: Exclude processes where the command line includes --normalize or --standardize and the user is part of the IOC team.