Adversaries using AdaptixC2 are likely establishing command and control communication through suspicious network traffic and file artifacts. SOC teams should proactively hunt for these IOCs in Azure Sentinel to identify and mitigate potential compromise from advanced persistent threats.
IOC Summary
Malware Family: AdaptixC2
Total IOCs: 5
IOC Types: ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 5[.]252[.]153[.]0:4321 | botnet_cc | 2026-05-08 | 75% |
| ip:port | 178[.]104[.]186[.]90:4321 | botnet_cc | 2026-05-08 | 75% |
| ip:port | 106[.]55[.]186[.]190:4321 | botnet_cc | 2026-05-08 | 75% |
| ip:port | 107[.]161[.]50[.]202:4321 | botnet_cc | 2026-05-08 | 75% |
| ip:port | 107[.]172[.]235[.]68:4321 | botnet_cc | 2026-05-08 | 75% |
```kusto
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - AdaptixC2
// The IOC table pairs each IP with port 4321; this query matches on IP alone,
// so connections to these hosts on any port are surfaced.
let malicious_ips = dynamic(["107.161.50.202", "178.104.186.90", "107.172.235.68", "106.55.186.190", "5.252.153.0"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```

```kusto
// Hunt in Defender for Endpoint network events
// Same IP list as above; RemotePort is projected so hits on 4321 are easy to spot.
let malicious_ips = dynamic(["107.161.50.202", "178.104.186.90", "107.172.235.68", "106.55.186.190", "5.252.153.0"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```
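As an added helper that is not part of the hunting package above, this Python script refangs the defanged ip:port values from the IOC table and renders them into a KQL datatable so the hunt matches on the exact IP and port pairs rather than on IP alone. The column names (RemoteIP, RemotePort) assume the DeviceNetworkEvents schema used in the second query.

```python
"""Refang defanged ip:port IOCs and emit a KQL query that joins on ip AND port."""
import re
from typing import List, Tuple

# Constructed sample input: the Value column of the IOC table, defanged with [.]
DEFANGED_IOCS = [
    "5[.]252[.]153[.]0:4321",
    "178[.]104[.]186[.]90:4321",
    "106[.]55[.]186[.]190:4321",
    "107[.]161[.]50[.]202:4321",
    "107[.]172[.]235[.]68:4321",
]

_IPV4 = re.compile(r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$")


def refang(ioc: str) -> Tuple[str, int]:
    """Turn '5[.]252[.]153[.]0:4321' into ('5.252.153.0', 4321), validating both parts."""
    host, sep, port = ioc.replace("[.]", ".").rpartition(":")
    if not sep:
        raise ValueError(f"missing port in IOC: {ioc!r}")
    m = _IPV4.match(host)
    if not m or any(int(octet) > 255 for octet in m.groups()):
        raise ValueError(f"not an IPv4 address: {host!r}")
    if not port.isdigit() or not 0 < int(port) < 65536:
        raise ValueError(f"port out of range: {port!r}")
    return host, int(port)


def build_kql(iocs: List[str], table: str = "DeviceNetworkEvents") -> str:
    """Render a KQL query whose inner join requires both RemoteIP and RemotePort to match.

    A datatable is used instead of dynamic() so each IP is bound to its own port;
    column names assume the DeviceNetworkEvents schema (an assumption of this helper)."""
    rows = [refang(i) for i in iocs]
    body = ",\n".join(f'    "{ip}", {port}' for ip, port in rows)
    return (
        "let c2 = datatable(RemoteIP:string, RemotePort:int) [\n"
        f"{body}\n];\n"
        f"{table}\n"
        "| join kind=inner c2 on RemoteIP, RemotePort\n"
        "| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType\n"
        "| order by Timestamp desc"
    )


if __name__ == "__main__":
    print(build_kql(DEFANGED_IOCS))
```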
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |
| Scenario | Description | Filter/Exclusion |
|---|---|---|
| Legitimate scheduled job using hunting package | A system administrator schedules a daily job using the hunting package to analyze logs for security anomalies. | process.name != "hunting" |
| Admin task using hunting for log analysis | A security analyst manually runs the hunting tool to investigate potential threats in the environment. | process.name != "hunting" or user.name != "security_analyst" |
| Legitimate use of adaptix in a development environment | A developer uses a tool named adaptix (not related to C2) for configuration management in a test environment. | process.name != "adaptix" or host.hostname contains "dev" |
| Scheduled PowerShell script using hunting for compliance checks | A compliance script runs a PowerShell script named hunting.ps1 to audit system configurations. | process.name != "powershell" or script.name != "hunting.ps1" |
| Legitimate use of adaptix in a CI/CD pipeline | A CI/CD pipeline uses a tool named adaptix for automated deployment and configuration tasks. | process.name != "adaptix" or host.hostname contains "ci" |