{ "name": "Using KATA and KEDR to detect the AdaptixC2 agent", "slug": "using-kata-and-kedr-to-detect-the-adaptixc2-agent", "description": "AdaptixC2 is an emerging open-source post-exploitation framework rapidly adopted by threat actors in APT attacks and ransomware campaigns. Written in Go and C++, it supports Windows, macOS, and Linux with extensive modularity through Beacon Object Files (BOFs). The framework enables diverse command-and-control channels including HTTP/S, TCP, mTLS, DNS, DoH, and SMB with RC4 encryption throughout. It implements sophisticated evasion techniques targeting both network detection systems and endpoint defenses. Despite advanced obfuscation capabilities, network-level detection remains viable through analysis of distinctive communication patterns, header structures, and behavioral indicators. The framework supports credential harvesting via LSASS dumping, LAPS exploitation, and Kerberos attacks, alongside defense evasion through process injection and lateral movement via WinRM and PsExec. Combined NDR and EDR solutions provide effective multi-layered detection coverage against AdaptixC2 operations across network ...", "published": "2026-04-17T16:56:13+00:00", "created_at": "2026-04-17T16:56:13+00:00", "modified_at": "2026-04-20T08:53:27+00:00", "created_at_opencti": "2026-04-17T16:56:13+00:00", "author": "", "confidence": null, "report_types": [], "labels": [], "tags": [ "2026-04-17", "adaptixc2", "cloudatlas", "command and control", "coolclient", "credential harvesting", "edr", "lateral movement", "mgbot", "network detection", "post-exploitation framework", "powershower", "process injection", "toneshell", "vbcloud", "vbshower" ], "related_entities": { "malware": [ { "id": "316f008f-d739-4911-8eb6-ff5c3bfa7657", "name": "CoolClient", "slug": "coolclient" }, { "id": "6e24d6d5-190d-4425-a63d-51ec0f89528d", "name": "AdaptixC2", "slug": "adaptixc2" }, { "id": "8ac3f331-d034-4e5c-b1ad-2d8b9c48b9f4", "name": "VBShower - S0442", "slug": "vbshower-s0442" }, { "id": "legacy:malware:06a328a4f45e7998", "name": "PowerShower - S0441", "slug": "powershower-s0441" }, { "id": "legacy:malware:8ff257a2070a9311", "name": "VBCloud", "slug": "vbcloud" }, { "id": "legacy:malware:393a72ac57740c50", "name": "ToneShell", "slug": "toneshell" }, { "id": "legacy:malware:cfc85126b5c9f95a", "name": "MgBot", "slug": "mgbot" }, { "id": "legacy:malware:4b9749746ba83ce1", "name": "CloudAtlas", "slug": "cloudatlas" } ], "attack_patterns": [ { "id": "da9c28df-e5f4-4cb3-92c1-06f15d8bab39", "name": "T1071.002" }, { "id": "9e6c4b38-f4e1-4b1f-b90a-222f881acbab", "name": "T1087.002" }, { "id": "5d2af906-6187-4702-ab9f-590fbe5b1ca3", "name": "T1021.002" }, { "id": "4cb4ee3b-b78f-45cf-bcaa-45a2aa968e56", "name": "T1570" }, { "id": "c3af9fd7-d307-4df4-9220-cc627938fb85", "name": "T1055" }, { "id": "b7ba0db0-7d4f-436f-8d5f-c431d690b048", "name": "T1555.003" }, { "id": "adac40c7-ef36-4a03-af99-079bc834463a", "name": "T1003.002" }, { "id": "d048ac4b-dd28-4c66-b62b-fe25cefef481", "name": "T1548.002" }, { "id": "c9ee9b30-ba84-4c24-95e9-e8242d42af3f", "name": "T1071.001" }, { "id": "9643a7e9-771b-4396-83a3-26fcec5200e4", "name": "T1021.006" }, { "id": "32b33067-6566-4b8d-be80-e96f765d84de", "name": "T1059.001" }, { "id": "ca53b2fa-42a8-45ec-9682-0cf54bf280f3", "name": "T1090" }, { "id": "fd6a3ae8-f3af-41a6-9292-09912a059105", "name": "T1558.003" }, { "id": "0c836307-129e-4ff7-a532-180c633cacba", "name": "T1027" }, { "id": "b4f6c9c9-2f8e-4931-b49d-1512794d341c", "name": "T1550.003" }, { "id": "e6c0ca23-78ee-4b0e-96fa-e80efab3665d", "name": "T1003.001" }, { "id": "6f00068c-812c-4e2b-9100-2cfa86b3aed9", "name": "T1132.001" }, { "id": "14660ccf-ca6b-42f6-8bca-e1b7a04650b3", "name": "T1573.001" }, { "id": "ce39cd5d-9e4c-4138-b546-abd68e57f8c2", "name": "T1071.004" }, { "id": "fa3b8b48-d97c-4242-83a6-07d435a5a79e", "name": "T1041" } ] }, "external_refs": [ "https://otx.alienvault.com/pulse/69e2824daddc65cc4bab207d", "https://securelist.com/tr/adaptixc2-network-and-host-detection/119424/" ] }