Adversaries are using AdaptixC2 C2 infrastructure to establish covert command and control over compromised systems. SOC teams should proactively hunt for these IOCs in Azure Sentinel to identify and mitigate potential compromise from advanced persistent threats.
IOC Summary
Malware Family: AdaptixC2 Total IOCs: 5 IOC Types: ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 202[.]1[.]31[.]83:4321 | botnet_cc | 2026-05-20 | 75% |
| ip:port | 178[.]212[.]13[.]29:4321 | botnet_cc | 2026-05-20 | 75% |
| ip:port | 171[.]22[.]79[.]135:3821 | botnet_cc | 2026-05-20 | 75% |
| ip:port | 91[.]202[.]233[.]214:44123 | botnet_cc | 2026-05-19 | 75% |
| ip:port | 49[.]232[.]128[.]239:6099 | botnet_cc | 2026-05-19 | 75% |
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - AdaptixC2
let malicious_ips = dynamic(["91.202.233.214", "49.232.128.239", "178.212.13.29", "171.22.79.135", "202.1.31.83"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc// Hunt in Defender for Endpoint network events
let malicious_ips = dynamic(["91.202.233.214", "49.232.128.239", "178.212.13.29", "171.22.79.135", "202.1.31.83"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc| Sentinel Table | Notes |
|---|---|
CommonSecurityLog | Ensure this data connector is enabled |
DeviceNetworkEvents | Ensure this data connector is enabled |
Scenario: Legitimate scheduled job using hunting package
Description: A system administrator schedules a daily job using the hunting package to gather system metrics.
Filter/Exclusion: process.name != "hunting"
Scenario: Admin task using adaptix tool for log analysis
Description: A security analyst uses the adaptix tool (a legitimate log analysis utility) to review system logs.
Filter/Exclusion: process.name != "adaptix"
Scenario: Automated report generation using hunting CLI
Description: A script runs the hunting CLI tool to generate a weekly security report.
Filter/Exclusion: process.name != "hunting" OR process.args NOT LIKE "%report%"
Scenario: System update using adaptix package
Description: A package manager updates the adaptix tool as part of a system update.
Filter/Exclusion: process.name != "apt" OR process.name != "yum" OR process.name != "choco"
Scenario: Legitimate use of hunting for incident response
Description: A SOC team uses the hunting tool to investigate a potential security incident.
Filter/Exclusion: process.name != "hunting" OR user.name IN ("soc_team", "security_admin")