Adversaries are using AdaptixC2 C2 infrastructure to establish covert command and control over compromised systems. SOC teams should proactively hunt for this behavior in Azure Sentinel to detect and mitigate advanced persistent threats leveraging known malicious IOCs.
IOC Summary
Malware Family: AdaptixC2 Total IOCs: 10 IOC Types: ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 195[.]63[.]137[.]242:4321 | botnet_cc | 2026-05-21 | 75% |
| ip:port | 144[.]172[.]93[.]140:443 | botnet_cc | 2026-05-21 | 100% |
| ip:port | 144[.]172[.]93[.]140:80 | botnet_cc | 2026-05-21 | 100% |
| ip:port | 144[.]172[.]93[.]140:8080 | botnet_cc | 2026-05-21 | 100% |
| ip:port | 130[.]94[.]23[.]39:443 | botnet_cc | 2026-05-21 | 100% |
| ip:port | 130[.]94[.]23[.]39:80 | botnet_cc | 2026-05-21 | 100% |
| ip:port | 41[.]216[.]189[.]163:43210 | botnet_cc | 2026-05-20 | 75% |
| ip:port | 209[.]126[.]80[.]129:8844 | botnet_cc | 2026-05-20 | 75% |
| ip:port | 167[.]17[.]47[.]118:4321 | botnet_cc | 2026-05-20 | 75% |
| ip:port | 144[.]172[.]93[.]140:4321 | botnet_cc | 2026-05-20 | 75% |
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - AdaptixC2
let malicious_ips = dynamic(["41.216.189.163", "130.94.23.39", "209.126.80.129", "195.63.137.242", "144.172.93.140", "167.17.47.118"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc// Hunt in Defender for Endpoint network events
let malicious_ips = dynamic(["41.216.189.163", "130.94.23.39", "209.126.80.129", "195.63.137.242", "144.172.93.140", "167.17.47.118"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc| Sentinel Table | Notes |
|---|---|
CommonSecurityLog | Ensure this data connector is enabled |
DeviceNetworkEvents | Ensure this data connector is enabled |
Scenario: Legitimate scheduled job using hunting package
Description: A system administrator schedules a daily job using the hunting package to analyze logs for security anomalies.
Filter/Exclusion: process.name != "hunting"
Scenario: Admin task using adaptix for log analysis
Description: A security analyst uses the adaptix tool to perform a manual investigation of log files for potential threats.
Filter/Exclusion: process.name != "adaptix"
Scenario: Automated log parsing with logparser tool
Description: A log parsing tool named logparser is used to extract and analyze log entries as part of routine security monitoring.
Filter/Exclusion: process.name != "logparser"
Scenario: System update using apt or yum with package name adaptix
Description: A package named adaptix is being installed as part of a system update or dependency resolution.
Filter/Exclusion: process.name != "apt" && process.name != "yum"
Scenario: Custom script using adaptix for threat intelligence lookup
Description: A custom script named adaptix_lookup.sh is used to query a threat intelligence database for known malicious IPs or domains.
Filter/Exclusion: process.name != "adaptix_lookup.sh"