Adversaries using AdaptixC2 are likely establishing command and control communication through suspicious network traffic patterns associated with the identified IOCs. SOC teams should proactively hunt for this behavior in Azure Sentinel to detect and mitigate potential compromise of critical systems.
IOC Summary
Malware Family: AdaptixC2 Total IOCs: 9 IOC Types: ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 85[.]158[.]57[.]247:4321 | botnet_cc | 2026-05-12 | 75% |
| ip:port | 62[.]84[.]114[.]70:4321 | botnet_cc | 2026-05-12 | 75% |
| ip:port | 51[.]77[.]54[.]76:6769 | botnet_cc | 2026-05-11 | 75% |
| ip:port | 46[.]253[.]143[.]52:4321 | botnet_cc | 2026-05-11 | 75% |
| ip:port | 45[.]77[.]89[.]29:4321 | botnet_cc | 2026-05-11 | 75% |
| ip:port | 185[.]190[.]142[.]66:4321 | botnet_cc | 2026-05-11 | 75% |
| ip:port | 139[.]180[.]153[.]57:4321 | botnet_cc | 2026-05-11 | 75% |
| ip:port | 13[.]60[.]193[.]80:4321 | botnet_cc | 2026-05-11 | 75% |
| ip:port | 109[.]73[.]193[.]242:10140 | botnet_cc | 2026-05-11 | 75% |
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - AdaptixC2
let malicious_ips = dynamic(["45.77.89.29", "185.190.142.66", "51.77.54.76", "139.180.153.57", "13.60.193.80", "62.84.114.70", "109.73.193.242", "85.158.57.247", "46.253.143.52"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc// Hunt in Defender for Endpoint network events
let malicious_ips = dynamic(["45.77.89.29", "185.190.142.66", "51.77.54.76", "139.180.153.57", "13.60.193.80", "62.84.114.70", "109.73.193.242", "85.158.57.247", "46.253.143.52"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc| Sentinel Table | Notes |
|---|---|
CommonSecurityLog | Ensure this data connector is enabled |
DeviceNetworkEvents | Ensure this data connector is enabled |
Scenario: Legitimate scheduled job using hunting tool
Description: A system administrator schedules a daily job using the hunting tool to gather threat intelligence from internal sources.
Filter/Exclusion: Exclude processes where the command line includes hunting and the user is a system admin with elevated privileges.
Scenario: Admin task using adaptix for network monitoring
Description: A network security team uses a tool named adaptix to monitor and analyze internal network traffic for anomalies.
Filter/Exclusion: Exclude processes where the executable is signed by a known internal or trusted vendor and the user is part of the network security team.
Scenario: False positive from a third-party SIEM integration
Description: A SIEM system integrates with a third-party threat intelligence feed that includes the adaptix tool as a false positive.
Filter/Exclusion: Exclude events where the IOC is sourced from a known SIEM integration feed and the process is associated with a legitimate SIEM tool.
Scenario: Legitimate use of adaptix in a development environment
Description: A developer uses a local tool named adaptix to test network protocols or simulate C2 communication during development.
Filter/Exclusion: Exclude processes where the process path is within a known development directory and the user is a developer with access to such tools.
Scenario: False positive from a legitimate cloud security tool
Description: A cloud security tool, such as AWS Security Hub or Azure Sentinel, generates alerts that include the term adaptix in its output.
Filter/Exclusion: Exclude events where the IOC is part of a known cloud security tool’s output and the process is associated with the cloud provider’s security service.