-
MSPs are facing rising client expectations for strong cybersecurity and compliance outcomes, while threats grow more complex and regulatory demands evolve. Meanwhile, clients are increasingly seeking comprehensive protection without taking on the burden of managing security themselves. This shift represents a major growth opportunity. By delivering advanced cybersecurity and compliance
-
In mid-2025, Secureworks Counter Threat Unit (CTU) researchers uncovered a sophisticated cyber campaign where Chinese state-sponsored threat actors from the BRONZE BUTLER group exploited a critical zero-day vulnerability in Motex LANSCOPE Endpoint Manager to gain unauthorized access to corporate networks and extract sensitive data. The discovery marks another chapter in a long-running pattern of exploitation […]
The post Threat Actors Exploit LANSCOPE Endpoint Manager Zero-Day Vulnerability to Steal Confidential Data appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.
-
A new wave of cyber threats is emerging as criminals increasingly weaponize AdaptixC2, a free and open-source Command and Control framework originally designed for legitimate penetration testing and red team operations.
Security researchers have uncovered a disturbing trend where advanced threat actors deploy this extensible post-exploitation tool across global ransomware campaigns, transforming a utility meant for ethical hacking into a dangerous weapon for criminal enterprises.
The framework's server component is written in Go, and its C++/Qt GUI client runs on Linux, Windows, and macOS, giving attackers a flexible, multi-platform toolset that is particularly attractive for coordinated operations.
The abuse of AdaptixC2 was first discovered during extensive research into CountLoader, a sophisticated malware loader that served malicious AdaptixC2 payloads from attacker-controlled infrastructure.
[Figure: AdaptixC2 Framework interface (Source – Silent Push)]
Silent Push analysts identified and tracked these malicious deployments, subsequently creating dedicated detection signatures to identify both threats.
Following the implementation of these protective measures, multiple public reports highlighted a surge in AdaptixC2 usage among ransomware affiliates, particularly those connected to operations such as Akira.
Akira has compromised more than 250 organizations since March 2023 and has allegedly collected $42 million in ransom proceeds.
Silent Push researchers noted that the escalating abuse of AdaptixC2 reveals sophisticated threat actors leveraging legitimate development tools to mask their malicious intentions.
The framework enables post-exploitation capabilities that allow attackers to establish persistent command channels, execute arbitrary commands across compromised systems, and maintain lateral movement within target networks.
The technical architecture supports multiple listener types including mTLS, HTTP, SMB, and BTCP protocols, providing operators with diverse communication channels that complicate detection and network-based monitoring.
Russian Underground Ties and Developer Attribution
Investigation into the framework’s origins revealed significant connections to the Russian criminal underworld.
[Figure: AdaptixC2 Framework repository (Source – Silent Push)]
An individual operating under the handle “RalfHacker” appears to be the primary developer behind AdaptixC2, managing the project through active GitHub commits and maintaining a Russian-language Telegram sales channel for the framework.
[Figure: RalfHacker (Source – Silent Push)]
OSINT research uncovered email addresses associated with RalfHacker’s accounts, including references in leaked databases belonging to established hacking forums such as RaidForums, establishing credible ties to organized cybercriminal communities.
The developer’s Telegram channel predominantly communicates in Russian, advertising framework updates with hashtags referencing Active Directory, APT tactics, and ATM-related materials, further solidifying connections to Russian threat actor networks actively exploiting the platform for ransomware operations.
The post Threat Actors Actively Using Open-Source C2 Framework to Deliver Malicious Payloads appeared first on Cyber Security News.
-
WhatsApp has announced a significant security upgrade that makes protecting your chat backups simpler and more secure than ever before. The messaging platform is introducing passkey-encrypted backups, a new feature that eliminates the need for complicated passwords or lengthy encryption keys. Instead, users can now protect their backups using their fingerprint, face recognition, or screen […]
The post WhatsApp Implements Passkey System to Boost Backup Privacy appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.
-
Threat intelligence researchers have uncovered a growing campaign where cybercriminals are weaponizing AdaptixC2, a legitimate open-source Command and Control framework designed for authorized penetration testers. The discovery reveals how threat actors are exploiting ethical hacking tools to conduct sophisticated cyberattacks, with significant ties linking the framework’s development to Russian criminal networks. Silent Push threat analysts […]
The post Threat Actors Exploiting Open-Source C2 Frameworks to Deploy Malicious Payloads appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.
-
Chinese-affiliated threat actor UNC6384 has been actively leveraging a critical Windows shortcut vulnerability to target European diplomatic entities across Hungary, Belgium, Serbia, Italy, and the Netherlands.
Arctic Wolf researchers identified this sophisticated cyber espionage campaign operating throughout September and October 2025, representing a significant evolution in the group’s operational capabilities and geographic reach.
The attack begins with carefully crafted spearphishing emails containing URLs that deliver malicious LNK files disguised as legitimate diplomatic conference agendas.
These files reference authentic European Commission meetings, NATO defense procurement workshops, and multilateral coordination events.
When a user opens one of these seemingly innocent shortcuts, a flaw in how Windows displays shortcut properties hides the embedded command line, so the malicious command runs without anything suspicious being visible to the user inspecting the file, and without tripping controls that rely on what the shortcut appears to point at.
UNC6384 rapidly adopted the ZDI-CAN-25373 vulnerability within just six months of its March 2025 public disclosure, demonstrating exceptional operational agility and vulnerability tracking capabilities.
[Figure: Execution chain (Source – Arctic Wolf)]
Arctic Wolf analysts documented a multi-stage infection chain built to evade traditional security defenses.
Technical Infection Mechanism and Payload Delivery
The exploitation mechanism abuses whitespace padding within the LNK file’s COMMAND_LINE_ARGUMENTS structure: the real command is preceded by long runs of whitespace, so the Target field shown in the shortcut’s Properties dialog displays only the benign-looking portion and the malicious arguments stay out of the user’s view.
Upon execution, the compromised shortcut silently invokes PowerShell to extract and decompress a tar archive containing three critical components: a legitimate, digitally signed Canon printer utility, a malicious DLL loader, and an encrypted PlugX remote access trojan payload.
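The padding trick above is easy to check for once the StringData section of a shortcut is parsed. The following is an added example (not Arctic Wolf's tooling and not the actors' files): a minimal MS-SHLLINK parser that walks the header, skips the optional LinkTargetIDList and LinkInfo blocks, reads COMMAND_LINE_ARGUMENTS, and flags argument strings that hide their content behind a long whitespace run. The `build_lnk` helper, the sample argument strings and the 32-character threshold are constructed for the demonstration and are assumptions, not values from the campaign.

```python
import struct

# ShellLinkHeader layout and LinkFlags bits from the MS-SHLLINK specification.
HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_TARGET_IDLIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80
# StringData members appear in this fixed order, each only when its flag is set.
STRING_DATA = (
    (HAS_NAME, "name"),
    (HAS_RELATIVE_PATH, "relative_path"),
    (HAS_WORKING_DIR, "working_dir"),
    (HAS_ARGUMENTS, "arguments"),
    (HAS_ICON_LOCATION, "icon_location"),
)
WHITESPACE = " \t\r\n\x0b\x0c"
# Assumed threshold: no legitimate shortcut needs this many consecutive whitespace
# characters in its arguments; tune it against your own shortcut population.
PAD_THRESHOLD = 32


def parse_lnk_string_data(data: bytes) -> dict:
    """Return the StringData fields of a .lnk file, walking the structures that precede them."""
    if len(data) < HEADER_SIZE or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    if struct.unpack_from("<I", data, 0)[0] != HEADER_SIZE:
        raise ValueError("unexpected HeaderSize")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    off = HEADER_SIZE
    if flags & HAS_TARGET_IDLIST:              # IDListSize (2 bytes) + IDList
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & HAS_LINK_INFO:                  # LinkInfoSize counts itself
        off += struct.unpack_from("<I", data, off)[0]
    unicode = bool(flags & IS_UNICODE)
    fields = {}
    for flag, name in STRING_DATA:
        if not flags & flag:
            continue
        count = struct.unpack_from("<H", data, off)[0]   # CountCharacters, no terminator
        off += 2
        nbytes = count * 2 if unicode else count
        raw = data[off:off + nbytes]
        off += nbytes
        fields[name] = raw.decode("utf-16-le") if unicode else raw.decode("cp1252")
    return fields


def longest_whitespace_run(text: str) -> int:
    best = run = 0
    for ch in text:
        run = run + 1 if ch in WHITESPACE else 0
        best = max(best, run)
    return best


def is_padded(fields: dict, threshold: int = PAD_THRESHOLD) -> bool:
    """True when the arguments hide their real content behind a long whitespace run."""
    return longest_whitespace_run(fields.get("arguments", "")) >= threshold


def build_lnk(arguments: str, relative_path: str = "", working_dir: str = "") -> bytes:
    """Constructed fixture: a minimal Unicode .lnk carrying only StringData (no IDList/LinkInfo)."""
    flags = IS_UNICODE | HAS_ARGUMENTS
    flags |= HAS_RELATIVE_PATH if relative_path else 0
    flags |= HAS_WORKING_DIR if working_dir else 0
    header = struct.pack("<I16sIIQQQIIIHHII", HEADER_SIZE, LNK_CLSID, flags,
                         0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)   # ShowCommand = SW_SHOWNORMAL

    def string_data(s: str) -> bytes:
        return struct.pack("<H", len(s)) + s.encode("utf-16-le")

    parts = [header]
    if relative_path:
        parts.append(string_data(relative_path))
    if working_dir:
        parts.append(string_data(working_dir))
    parts.append(string_data(arguments))
    parts.append(b"\x00\x00\x00\x00")          # TerminalBlock closes the empty ExtraData
    return b"".join(parts)


# Constructed samples, not files from the campaign; the command text is illustrative.
POWERSHELL = r"..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
PADDED_ARGS = " " * 300 + '-NoProfile -w hidden -c "tar -xf agenda.tar; Start-Process .\\printer-utility.exe"'
BENIGN_ARGS = "-NoProfile -File scripts\\backup.ps1"


def scan(data: bytes) -> dict:
    fields = parse_lnk_string_data(data)
    return {"fields": fields,
            "longest_run": longest_whitespace_run(fields.get("arguments", "")),
            "suspicious": is_padded(fields)}


if __name__ == "__main__":
    for label, args in (("padded", PADDED_ARGS), ("benign", BENIGN_ARGS)):
        verdict = scan(build_lnk(args, relative_path=POWERSHELL))
        print(label, "longest whitespace run:", verdict["longest_run"],
              "suspicious:", verdict["suspicious"])
```

Run `scan(open(path, "rb").read())` over a mail-gateway quarantine or a user's Downloads folder to triage shortcuts at scale; the parser is deliberately strict about the CLSID and HeaderSize so malformed files raise rather than yielding a misleading "benign" result.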
The attack chain uses DLL side-loading, abusing the standard Windows DLL search order. When the Canon executable launches, it looks for its supporting libraries in its own directory before the system directories.
The malicious DLL placed alongside it is loaded instead, decrypts the PlugX payload with a hardcoded RC4 key, and injects it into the memory of the legitimate signed process, so the backdoor runs under a trusted parent and leaves little on disk for signature-based tools to find.
The PlugX malware establishes encrypted HTTPS command and control connections using randomized parameters across multiple redundant domains including racineupci[.]org and dorareco[.]net.
The malware creates hidden persistence directories with spoofed names like “SamsungDriver” and modifies Windows registry Run keys, ensuring continued access across system restarts.
This campaign combines rapid adoption of a recently disclosed vulnerability with meticulous social engineering aimed at specific diplomatic personnel and events, and represents a substantial intelligence collection threat to European government operations.
The post Hackers Weaponizing Windows LNK File UI Misrepresentation Remote Code Execution Vulnerability appeared first on Cyber Security News.
-
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and National Security Agency (NSA), along with international partners from Australia and Canada, have released guidance to harden on-premise Microsoft Exchange Server instances from potential exploitation. “By restricting administrative access, implementing multi-factor authentication, enforcing strict transport security
-
Threat actors operating under the control of North Korea’s regime have demonstrated continued technical sophistication by introducing advanced malware toolsets designed to establish persistent backdoor access and remote control over compromised systems.
Recent findings have revealed that Kimsuky, known for orchestrating espionage campaigns, deployed HttpTroy, while the Lazarus APT group introduced an enhanced variant of BLINDINGCAN.
These developments underscore the ongoing evolution of state-sponsored cyber operations targeting organizations across multiple nations.
The attack campaigns reveal a carefully orchestrated approach, beginning with deceptive delivery mechanisms and progressing through multiple infection stages.
Each component within these malware chains serves a distinct purpose, from initial system compromise to establishing stealthy command-and-control communications.
The infrastructure supporting these operations utilizes sophisticated obfuscation techniques and layered encryption protocols, demonstrating a comprehensive understanding of modern defensive measures and detection systems.
[Figure: Decoy PDF (Source – Gendigital)]
Gendigital analysts identified that the Kimsuky attack targeted a single victim in South Korea and was initiated through a ZIP archive masquerading as a VPN invoice from a legitimate Korean security company.
The deception proved effective, as the innocuous-looking filename encouraged execution of a malicious screensaver file contained within.
The Lazarus operation, conversely, targeted two Canadian entities, incorporating newer techniques for concealing payload delivery and establishing service-based persistence mechanisms that evade traditional endpoint detection approaches.
The sophistication evident in these campaigns reflects distinct operational patterns attributed to each group.
Kimsuky’s attack leveraged Korean language-based social engineering and scheduled task naming conventions consistent with local antivirus software, creating plausible-sounding system activities.
Lazarus employed more complex service enumeration and dynamic registry manipulation, suggesting targeting of enterprise infrastructure where legitimate system services provide effective camouflage for malicious operations.
HttpTroy Infection Mechanism and Persistence Strategy
The Kimsuky campaign employed a three-stage infection chain beginning with a lightweight Go-based dropper containing three embedded files encrypted with XOR.
Upon execution, the dropper displays a deceptive PDF invoice while simultaneously establishing the backdoor infrastructure through COM server registration via regsvr32.exe.
The second stage, identified as Memload_V3, creates scheduled tasks mimicking AhnLab antivirus updates, repeating every minute to maintain persistence.
Gendigital researchers noted that HttpTroy represents the final payload, providing attackers with comprehensive control capabilities including file manipulation, screenshot capture, command execution with elevated privileges, and reverse shell deployment.
The backdoor communicates exclusively over HTTP POST requests, applying two layers of obfuscation to every message: the payload is XOR-encrypted with the single-byte key 0x56 and the result is Base64-encoded.
Commands arrive as simple “command parameter” strings, and the implant reports execution status back under specific identifiers, answering “ok” for a successful operation and “fail” for one that did not complete.
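The two-layer scheme just described is simple enough to reproduce, which is useful both for decoding captured tasking and for writing a hunting check over proxy logs. The block below is an added example, not Gendigital's analysis code and not the malware's own implementation: it applies XOR 0x56 then Base64 in the order the report gives, parses the “command parameter” layout, and builds “ok”/“fail” replies. The command names, the “identifier status” reply layout and the printable-ratio threshold are assumptions for the demonstration.

```python
import base64
import re

XOR_KEY = 0x56  # single-byte key reported for HttpTroy's C2 channel


def xor_bytes(data: bytes, key: int = XOR_KEY) -> bytes:
    """Single-byte XOR is its own inverse, so one routine serves both directions."""
    return bytes(b ^ key for b in data)


def encode_message(plaintext: str, key: int = XOR_KEY) -> str:
    """Wire format: XOR first, then Base64 (the order the report describes)."""
    return base64.b64encode(xor_bytes(plaintext.encode("utf-8"), key)).decode("ascii")


def decode_message(body: str, key: int = XOR_KEY) -> str:
    """Reverse of encode_message: strip the Base64 layer, then the XOR layer."""
    return xor_bytes(base64.b64decode(body, validate=True), key).decode("utf-8")


def parse_command(plaintext: str) -> tuple:
    """Split a decoded '<command> <parameter>' line; the parameter may be empty."""
    command, _, parameter = plaintext.strip().partition(" ")
    return command, parameter


def build_status(ident: str, success: bool) -> str:
    """Implant reply: a task identifier followed by 'ok' or 'fail'.
    The '<ident> <status>' layout is an assumption; the report gives only the two words."""
    return encode_message(f"{ident} {'ok' if success else 'fail'}")


def looks_like_httptroy(body: str, key: int = XOR_KEY, min_printable: float = 0.95) -> bool:
    """Hunting heuristic for proxy/WAF logs: a POST body that is clean Base64 and
    XOR-decodes to (almost) all printable text deserves a closer look.
    The ratio threshold is an assumption; expect false positives on other
    Base64-wrapped traffic and validate hits against the other indicators."""
    body = body.strip()
    if not re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", body):
        return False
    try:
        raw = xor_bytes(base64.b64decode(body, validate=True), key)
    except ValueError:
        return False
    printable = sum(32 <= b < 127 or b in (9, 10, 13) for b in raw)
    return bool(raw) and printable / len(raw) >= min_printable


# Constructed tasking, not captured traffic; the command name is illustrative.
SAMPLE_TASKING = encode_message("shell whoami /all")


if __name__ == "__main__":
    command, parameter = parse_command(decode_message(SAMPLE_TASKING))
    print("operator sent:", command, "|", parameter)
    print("implant replies:", decode_message(build_status("1", True)))
    print("heuristic on sample:", looks_like_httptroy(SAMPLE_TASKING))
    print("heuristic on plain Base64 'QUJD':", looks_like_httptroy("QUJD"))
```

Because a single-byte XOR preserves byte frequencies, the same heuristic can be extended to brute-force all 256 keys when a variant changes the constant; the printable-ratio test is what selects the right key.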
The malware’s architecture incorporates dynamic API hashing and runtime string reconstruction techniques, preventing static analysis while complicating detection mechanisms deployed by security organizations monitoring for known malware signatures and behavioral indicators.
The post Kimsuky and Lazarus Hacker Groups Unveil New Tools That Enable Backdoor and Remote Access appeared first on Cyber Security News.
-
Progress Software has released security patches to address a high-severity vulnerability in its MOVEit Transfer platform discovered on October 29, 2025. The flaw, tracked as CVE-2025-10932, affects the AS2 module and allows attackers to consume system resources without proper restrictions.
CVE ID: CVE-2025-10932
Vulnerability Type: Uncontrolled Resource Consumption (CWE-400)
Affected Component: Progress MOVEit Transfer […]
The post Progress Releases Patch for MOVEit Transfer Resource Consumption Flaw appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.
-
A sophisticated cyber espionage campaign targeting European diplomatic institutions has been uncovered, signaling a strategic escalation by Chinese-affiliated threat actor UNC6384. Central to this campaign is the exploitation of the Windows shortcut (LNK) UI misrepresentation vulnerability—ZDI-CAN-25373, first disclosed in March 2025—paired with tailored social engineering schemes mimicking authentic diplomatic conferences. UNC6384, previously documented by Google’s […]
The post Windows LNK UI Spoofing Vulnerability Weaponized for Remote Code Execution appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.


