Adversaries using AdaptixC2 are likely establishing command and control communication through suspicious network traffic patterns associated with the detected IOCs. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate potential compromise from advanced persistent threats leveraging AdaptixC2.
IOC Summary
Malware Family: AdaptixC2 Total IOCs: 3 IOC Types: ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 91[.]202[.]233[.]214:44123 | botnet_cc | 2026-05-19 | 75% |
| ip:port | 49[.]232[.]128[.]239:6099 | botnet_cc | 2026-05-19 | 75% |
| ip:port | 98[.]81[.]111[.]167:443 | botnet_cc | 2026-05-19 | 100% |
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - AdaptixC2
let malicious_ips = dynamic(["98.81.111.167", "91.202.233.214", "49.232.128.239"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc// Hunt in Defender for Endpoint network events
let malicious_ips = dynamic(["98.81.111.167", "91.202.233.214", "49.232.128.239"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc| Sentinel Table | Notes |
|---|---|
CommonSecurityLog | Ensure this data connector is enabled |
DeviceNetworkEvents | Ensure this data connector is enabled |
Scenario: Legitimate scheduled job using hunting tool
Description: A system administrator schedules a daily job using the hunting tool to analyze network traffic for security anomalies.
Filter/Exclusion: process.name != "hunting"
Scenario: Admin task using adaptix CLI for configuration backup
Description: An admin uses the adaptix command-line interface to perform a routine configuration backup, which includes querying internal systems.
Filter/Exclusion: process.name != "adaptix"
Scenario: Legitimate use of adaptix in a security toolchain
Description: A security toolchain component (e.g., a SIEM or SOAR platform) uses the adaptix tool to normalize and correlate threat intelligence data.
Filter/Exclusion: process.parent.name contains "siem" or "soar"
Scenario: False positive from a third-party asset discovery tool
Description: A third-party asset discovery tool (e.g., nmap, assetfinder) is used to scan internal networks and generates IOCs that match the AdaptixC2 pattern.
Filter/Exclusion: process.name contains "nmap" or "assetfinder"
Scenario: Legitimate use of adaptix in a development environment
Description: A developer uses the adaptix tool in a sandboxed development environment to test network protocols or simulate traffic.
Filter/Exclusion: process.cwd contains "dev_env" or "sandbox"