Adversaries are using AdaptixC2 command-and-control (C2) infrastructure to establish covert control over compromised systems. SOC teams should proactively hunt for the IOCs below in Azure Sentinel to identify and mitigate potential advanced persistent threats before they cause significant damage.
IOC Summary
Malware Family: AdaptixC2
Total IOCs: 10
IOC Types: ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 185[.]207[.]154[.]11:8080 | botnet_cc | 2026-06-13 | 100% |
| ip:port | 185[.]207[.]154[.]11:80 | botnet_cc | 2026-06-13 | 100% |
| ip:port | 185[.]207[.]154[.]11:443 | botnet_cc | 2026-06-13 | 100% |
| ip:port | 130[.]185[.]82[.]117:5641 | botnet_cc | 2026-06-13 | 75% |
| ip:port | 101[.]33[.]202[.]134:9989 | botnet_cc | 2026-06-13 | 75% |
| ip:port | 39[.]96[.]188[.]57:4321 | botnet_cc | 2026-06-12 | 75% |
| ip:port | 149[.]104[.]28[.]77:4321 | botnet_cc | 2026-06-12 | 75% |
| ip:port | 45[.]137[.]99[.]3:8080 | botnet_cc | 2026-06-12 | 100% |
| ip:port | 45[.]137[.]99[.]3:443 | botnet_cc | 2026-06-12 | 100% |
| ip:port | 45[.]137[.]99[.]3:80 | botnet_cc | 2026-06-12 | 100% |
```kql
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - AdaptixC2
// The IOCs are ip:port pairs; matching on the address alone is deliberately
// broader, so check DestinationPort against the table when triaging hits.
let malicious_ips = dynamic(["130.185.82.117", "101.33.202.134", "45.137.99.3", "185.207.154.11", "39.96.188.57", "149.104.28.77"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```

```kql
// Hunt in Defender for Endpoint network events
let malicious_ips = dynamic(["130.185.82.117", "101.33.202.134", "45.137.99.3", "185.207.154.11", "39.96.188.57", "149.104.28.77"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```
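The queries above match on IP alone while the published IOCs are ip:port pairs. The following added example (not part of the original advisory) refangs the table's defanged indicators, generates the `dynamic([...])` list the queries use, and grades constructed CommonSecurityLog-shaped events as an exact ip:port hit, an address-only hit, or no hit; the event rows and field names are assumptions for illustration.

```python
from __future__ import annotations
import ipaddress

# Constructed copy of the ip:port IOCs from the table above, in defanged form.
DEFANGED_IOCS = [
    "185[.]207[.]154[.]11:8080", "185[.]207[.]154[.]11:80", "185[.]207[.]154[.]11:443",
    "130[.]185[.]82[.]117:5641", "101[.]33[.]202[.]134:9989",
    "39[.]96[.]188[.]57:4321", "149[.]104[.]28[.]77:4321",
    "45[.]137[.]99[.]3:8080", "45[.]137[.]99[.]3:443", "45[.]137[.]99[.]3:80",
]

# Constructed events shaped like CommonSecurityLog rows (not real telemetry).
SAMPLE_EVENTS = [
    {"TimeGenerated": "2026-06-13T10:01:00Z", "DestinationIP": "45.137.99.3", "DestinationPort": "443"},
    {"TimeGenerated": "2026-06-13T10:02:00Z", "DestinationIP": "185.207.154.11", "DestinationPort": "8443"},
    {"TimeGenerated": "2026-06-13T10:03:00Z", "DestinationIP": "8.8.8.8", "DestinationPort": "53"},
]

def refang(ioc: str) -> tuple[str, int]:
    """Turn 'a[.]b[.]c[.]d:port' into a validated (ip, port) pair."""
    host, _, port = ioc.replace("[.]", ".").rpartition(":")
    ip = str(ipaddress.ip_address(host))  # raises on typos and non-IP strings
    port_num = int(port)
    if not 0 < port_num < 65536:
        raise ValueError(f"port out of range in {ioc!r}")
    return ip, port_num

def build_iocs(defanged: list[str]) -> set[tuple[str, int]]:
    return {refang(x) for x in defanged}

def kql_ip_list(iocs: set[tuple[str, int]]) -> str:
    """Emit the dynamic([...]) literal that the Sentinel queries above take."""
    ips = sorted({ip for ip, _ in iocs}, key=ipaddress.ip_address)
    return "dynamic([" + ", ".join(f'"{ip}"' for ip in ips) + "])"

def match_event(event: dict, iocs: set[tuple[str, int]]) -> str | None:
    """'ip+port' on an exact pair hit, 'ip' when only the address matches, else None."""
    pair = (event["DestinationIP"], int(event["DestinationPort"]))
    if pair in iocs:
        return "ip+port"          # highest confidence: address and port both listed
    if any(ip == pair[0] for ip, _ in iocs):
        return "ip"               # address listed on another port: still worth triage
    return None

def triage(events: list[dict], iocs: set[tuple[str, int]]) -> list[tuple[str, str, str]]:
    """Keep only events that touch an IOC address, tagged with the match strength."""
    return [(e["TimeGenerated"], e["DestinationIP"], m)
            for e in events if (m := match_event(e, iocs))]
```

Run `triage(SAMPLE_EVENTS, build_iocs(DEFANGED_IOCS))` to see the two sample hits; the `kql_ip_list` output can be pasted straight into the `let malicious_ips = ...` line.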
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |
| Scenario | Filter/Exclusion |
|---|---|
| Legitimate use of hunting tool for threat intelligence analysis | Exclude processes initiated by the hunting tool or users with threat intelligence analysis privileges (e.g., user = threat_intel_team) |
| Scheduled job running adaptix_c2_hunting_script.py for routine IOC validation | Exclude processes with command_line = "adaptix_c2_hunting_script.py" or process_name = "adaptix_c2_hunting_script.py" |
| Admin task using adaptix_c2_tool for internal IOC testing | Exclude processes where process_name = "adaptix_c2_tool" and (user = "admin" or user = "security_ops") |
| Use of adaptix_c2_api by the SIEM team for real-time IOC correlation | Exclude processes with process_name = "adaptix_c2_api" and (user = "siem_team" or user = "log_analysis") |
| Legitimate system update using adaptix_c2_updater for patch management | Exclude processes with process_name = "adaptix_c2_updater" and (user = "patch_management" or user = "sysadmin") |