
15 Jun 2026 05:49 UTC

[Op Report] From SSA Phish to AdaptixC2: A Multi-RAT Intrusion

SOC Prime Team


Summary

A threat actor carried out a layered commodity intrusion beginning with a phishing email themed around the U.S. Social Security Administration. The operation relied on AdaptixC2 as the main command-and-control framework, used XWorm as a secondary access channel and for Telegram-based exfiltration, and deployed ScreenConnect to support hands-on-keyboard activity. The campaign also showed strong operational discipline through the use of RTLO filename deception and multiple persistence paths designed to survive partial remediation.

Investigation

The investigation took place in a Deception.Pro environment using a deception workstation. Because TLS inspection was enabled, researchers were able to recover cleartext beacon traffic, payload download URLs, and ScreenConnect relay handshakes. That visibility made it possible to attribute the intrusion to specific frameworks with high confidence rather than depending only on behavioral or fingerprint-based assumptions.

Mitigation

Organizations should reduce risk by enabling TLS inspection for encrypted command-and-control traffic and deploying EDR capable of detecting certutil-based staging and suspicious PowerShell execution. File extension visibility should be enforced to weaken RTLO-based filename tricks, and registry Run-key writes to public or user-writable locations should be monitored closely. Teams should also inventory and alert on unauthorized remote management tools such as ScreenConnect, especially when installed through msiexec.
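As an added illustration of two of the mitigation points above (this is example code, not SOC Prime's), the following Python scores constructed file_event and registry_event records for RTLO-disguised executables and for Run-key values that point into public or user-writable locations; the SID, value names and paths in the sample events are constructed placeholders.

```python
# Added example (not SOC Prime's code): flag RTLO-disguised filenames and
# Run-key persistence in user-writable paths over constructed event records.
import re

BIDI = {"\u202a", "\u202b", "\u202c", "\u202d", "\u202e",
        "\u2066", "\u2067", "\u2068", "\u2069"}   # Unicode bidi controls
RTLO = "\u202e"                                     # RIGHT-TO-LEFT OVERRIDE
EXEC_EXTS = {".exe", ".scr", ".com", ".bat", ".cmd", ".js", ".vbs", ".ps1", ".dll"}
# Matches the Run / RunOnce key, with or without a trailing value name.
RUN_KEY = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run(once)?(\\|$)", re.I)
# Roots a standard user can write to; C:\Users\Public\ is the one seen in this report.
WRITABLE = re.compile(r"^(c:\\users\\public\\|c:\\users\\[^\\]+\\appdata\\|"
                      r"c:\\programdata\\|c:\\windows\\temp\\)", re.I)

def real_extension(name):
    """Windows ignores bidi controls when resolving the extension, so strip them first."""
    clean = "".join(c for c in name if c not in BIDI)
    return clean[clean.rfind("."):].lower() if "." in clean else ""

def displayed_name(name):
    """Approximates what a file manager renders: text after the RTLO appears reversed."""
    head, _, tail = name.partition(RTLO)
    return head + tail[::-1]

def check_file(name):
    if any(c in BIDI for c in name) and real_extension(name) in EXEC_EXTS:
        return f"RTLO masquerade: displayed '{displayed_name(name)}', runs as {real_extension(name)}"
    return None

def check_registry(key, value, data):
    if RUN_KEY.search(key) and WRITABLE.match(data.lstrip('"')):
        return f"Run-key persistence '{value}' -> user-writable path {data}"
    return None

def scan(events):
    """events: constructed records shaped like Sysmon file_event / registry_event rows."""
    findings = []
    for e in events:
        hit = check_file(e["name"]) if e["type"] == "file" else check_registry(e["key"], e["value"], e["data"])
        if hit:
            findings.append(hit)
    return findings

SAMPLE_EVENTS = [  # constructed sample data; SID, names and paths are placeholders
    {"type": "file", "name": "SSA_Statement_\u202efdp.exe"},
    {"type": "file", "name": "SSA_Statement.pdf"},
    {"type": "registry", "key": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": "JavaUpdater", "data": r"C:\Users\Public\JavaUpdater.exe"},
    {"type": "registry", "key": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": "OneDrive", "data": r'"C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background'},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```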

Response

If this activity is detected, isolate the affected endpoints immediately to cut off command-and-control traffic and prevent further lateral movement through SAMR or LSAD enumeration. Perform a full forensic sweep for XWorm DLLs and AdaptixC2 artifacts in public folders and other common staging paths. Investigators should also review Telegram-related exfiltration patterns and audit registry persistence keys that mimic legitimate updater names.

Attack Flow

    graph TB
    %% Class Definitions Section
    classDef action fill:#99ccff
    classDef tool fill:#cccccc
    classDef malware fill:#ff9999
    classDef discovery fill:#ccffcc

    %% Node Definitions
    %% Initial Access and Execution
    action_phishing["<b>Action</b> – <b>T1566.002 Phishing: Spearphishing Link</b><br/>Victim receives spoofed SSA email<br/>containing a link to a RAR archive."]
    class action_phishing action
    action_masquerade["<b>Action</b> – <b>T1036.008 Masquerading: Masquerade File Type</b><br/>Attacker uses RTLO trick to disguise<br/>PE32 executable as a PDF file (.fdp.exe)."]
    class action_masquerade action
    action_user_exec["<b>Action</b> – <b>T1204.002 User Execution: Malicious File</b><br/>The user interacts with the<br/>disguised malicious file."]
    class action_user_exec action

    %% Ingress and Persistence
    tool_certutil["<b>Tool</b> – <b>Name:</b> certutil.exe<br/><b>Description:</b> Native Windows utility used to<br/>download the AdaptixC2 payload."]
    class tool_certutil tool
    action_ingress["<b>Action</b> – <b>T1105 Ingress Tool Transfer</b><br/>Payload is downloaded from<br/>cloudpre-005[.]online."]
    class action_ingress action
    action_persistence["<b>Action</b> – <b>T1547.001 Boot or Logon Autostart Execution:<br/>Registry Run Keys / Startup Folder</b><br/>Creates registry keys like PayloadService,<br/>JavaUpdater, and Updater in C:\Users\Public\."]
    class action_persistence action

    %% C2 and Remote Access
    malware_adaptix["<b>Malware</b> – <b>Name:</b> AdaptixC2<br/><b>Description:</b> Beaconing agent used for<br/>Command and Control operations."]
    class malware_adaptix malware
    action_c2_web["<b>Action</b> – <b>T1071.001 Application Layer Protocol:<br/>Web Protocols</b><br/>AdaptixC2 communicates via beaconing<br/>to specific web URLs."]
    class action_c2_web action
    tool_screenconnect["<b>Tool</b> – <b>Name:</b> ScreenConnect<br/><b>Description:</b> Remote Access Tool deployed<br/>for interactive control."]
    class tool_screenconnect tool
    action_remote_access["<b>Action</b> – <b>T1219 Remote Access Tools</b><br/>Deployment of two independent clients<br/>to maintain interactive access."]
    class action_remote_access action

    %% Exfiltration and Discovery
    malware_xworm["<b>Malware</b> – <b>Name:</b> XWorm<br/><b>Description:</b> Malware used to relay<br/>stolen data via Telegram."]
    class malware_xworm malware
    action_exfil["<b>Action</b> – <b>T1567 Exfiltration Over Web Service</b><br/>Data is exfiltrated using the<br/>Telegram Bot API."]
    class action_exfil action
    action_discovery["<b>Action</b> – <b>T1069.002 Permission Groups Discovery:<br/>Domain Groups</b><br/>Enumeration of domain environment via<br/>SAMR and LSAD RPC."]
    class action_discovery discovery

    %% Connections
    action_phishing -->|leads_to| action_masquerade
    action_masquerade -->|leads_to| action_user_exec
    action_user_exec -->|triggers| tool_certutil
    tool_certutil -->|executes| action_ingress
    action_ingress -->|installs| malware_adaptix
    malware_adaptix -->|establishes| action_persistence
    malware_adaptix -->|uses| action_c2_web
    action_remote_access -->|utilizes| tool_screenconnect
    malware_adaptix -->|deploys| action_remote_access
    malware_adaptix -->|operates| malware_xworm
    malware_xworm -->|performs| action_exfil
    malware_adaptix -->|performs| action_discovery

Detections

  • Possible Persistence Points [ASEPs – Software/NTUSER Hive] (via registry_event) (SOC Prime Team, 12 Jun 2026)
  • Using Certutil for Data Encoding and Cert Operations (via cmdline) (SOC Prime Team, 12 Jun 2026)
  • Suspicious Execution from Public User Profile (via process_creation) (SOC Prime Team, 12 Jun 2026)
  • Alternative Remote Access / Management Software (via process_creation) (SOC Prime Team, 12 Jun 2026)
  • An Archive Was Extracted To Suspicious Directory Using Powershell (via powershell) (SOC Prime Team, 12 Jun 2026)
  • Suspicious Files in Public User Profile (via file_event) (SOC Prime Team, 12 Jun 2026)
  • Possible IP Lookup Domain Communications Attempted (via dns) (SOC Prime Team, 12 Jun 2026)
  • Possible Dynamic DNS Service Was Contacted (via dns) (SOC Prime Team, 12 Jun 2026)
  • IOCs (HashSha256) to detect: [Op Report] From SSA Phish to AdaptixC2: A Multi-RAT Intrusion (SOC Prime AI Rules, 12 Jun 2026)
  • IOCs (HashMd5) to detect: [Op Report] From SSA Phish to AdaptixC2: A Multi-RAT Intrusion (SOC Prime AI Rules, 12 Jun 2026)
  • IOCs (SourceIP) to detect: [Op Report] From SSA Phish to AdaptixC2: A Multi-RAT Intrusion (SOC Prime AI Rules, 12 Jun 2026)
  • IOCs (DestinationIP) to detect: [Op Report] From SSA Phish to AdaptixC2: A Multi-RAT Intrusion (SOC Prime AI Rules, 12 Jun 2026)
  • AdaptixC2 Command-and-Control Communication Detection [Windows Network Connection] (SOC Prime AI Rules, 12 Jun 2026)
  • Detect AdaptixC2 and ScreenConnect Deployment via Certutil and Msiexec [Windows Process Creation] (SOC Prime AI Rules, 12 Jun 2026)

Simulation Execution

Prerequisite: The Telemetry & Baseline Pre-flight Check must have passed.

Rationale: This section details the precise execution of the adversary technique (TTP) designed to trigger the detection rule. The commands and narrative MUST directly reflect the TTPs identified and aim to generate the exact telemetry expected by the detection logic.

  • Attack Narrative & Commands: The adversary has successfully established a foothold on the target machine via a spearphishing link. To maintain control and receive instructions, the AdaptixC2 agent attempts to “check in” with its command-and-control server. The agent is programmed to reach out to a hardcoded URI (98.81.111.167/updates/check.php) or a fallback IP (23.20.229.225) via port 443. By simulating these exact connection attempts, we validate if the firewall/network detection rule correctly identifies these known-malicious patterns.

  • Regression Test Script: This script uses PowerShell to simulate two distinct connection attempts: one targeting the specific URL and one targeting the specific IP address.

    # Simulation of AdaptixC2 C2 Communication
    Write-Host "[+] Starting AdaptixC2 Simulation..." -ForegroundColor Cyan
    
    # Scenario 1: Connection to the specific malicious URL pattern
    Write-Host "[+] Attempting connection to malicious URL: 98.81.111.167/updates/check.php" -ForegroundColor Yellow
    try {
        # The host likely won't resolve or respond, but the connection attempt itself generates
        # the telemetry. -ErrorAction Stop routes the expected failure into the catch block
        # (SilentlyContinue would swallow it and skip the catch); -TimeoutSec bounds the wait.
        $null = Invoke-WebRequest -Uri "http://98.81.111.167/updates/check.php" -Method Get `
            -UseBasicParsing -TimeoutSec 10 -ErrorAction Stop
    } catch {
        Write-Host "[!] Connection failed (expected), but telemetry should be generated." -ForegroundColor Gray
    }
    
    # Scenario 2: Connection to the specific malicious IP on port 443
    Write-Host "[+] Attempting connection to malicious IP: 23.20.229.225 on port 443" -ForegroundColor Yellow
    try {
        $tcpClient = New-Object System.Net.Sockets.TcpClient
        $connection = $tcpClient.BeginConnect("23.20.229.225", 443, $null, $null)
        # Wait at most 5 seconds for the SYN to be answered; the attempt is logged either way.
        $success = $connection.AsyncWaitHandle.WaitOne(5000, $false)
        if ($success) {
            $tcpClient.EndConnect($connection)
            Write-Host "[+] Connection successful (unlikely in real test)." -ForegroundColor Green
        } else {
            Write-Host "[!] Connection timed out (expected), but telemetry should be generated." -ForegroundColor Gray
        }
        # Close() also aborts a still-pending connect.
        $tcpClient.Close()
    } catch {
        Write-Host "[!] Error during TCP connection attempt: $($_.Exception.Message)" -ForegroundColor Red
    }
    
    Write-Host "[+] Simulation Complete." -ForegroundColor Cyan
  • Cleanup Commands:

    # No persistent artifacts are created by this simulation as it only generates network traffic.
    Write-Host "[+] No cleanup required. Network connections were transient." -ForegroundColor Green