[Op Report] From SSA Phish to AdaptixC2: A Multi-RAT Intrusion
Detection stack
- AIDR
- Alert
- ETL
- Query
Summary
A threat actor carried out a layered commodity intrusion beginning with a phishing email themed around the U.S. Social Security Administration. The operation relied on AdaptixC2 as the main command-and-control framework, used XWorm as a secondary access channel and for Telegram-based exfiltration, and deployed ScreenConnect to support hands-on-keyboard activity. The campaign also showed strong operational discipline through the use of RTLO filename deception and multiple persistence paths designed to survive partial remediation.
Investigation
The investigation took place in a Deception.Pro environment using a deception workstation. Because TLS inspection was enabled, researchers were able to recover cleartext beacon traffic, payload download URLs, and ScreenConnect relay handshakes. That visibility made it possible to attribute the intrusion to specific frameworks with high confidence rather than depending only on behavioral or fingerprint-based assumptions.
Mitigation
Organizations should reduce risk by enabling TLS inspection for encrypted command-and-control traffic and deploying EDR capable of detecting certutil-based staging and suspicious PowerShell execution. File extension visibility should be enforced to weaken RTLO-based filename tricks, and registry Run-key writes to public or user-writable locations should be monitored closely. Teams should also inventory and alert on unauthorized remote management tools such as ScreenConnect, especially when installed through msiexec.
Response
If this activity is detected, isolate the affected endpoints immediately to cut off command-and-control traffic and prevent further lateral movement through SAMR or LSAD enumeration. Perform a full forensic sweep for XWorm DLLs and AdaptixC2 artifacts in public folders and other common staging paths. Investigators should also review Telegram-related exfiltration patterns and audit registry persistence keys that mimic legitimate updater names.
Attack Flow
Detections
Possible Persistence Points [ASEPs – Software/NTUSER Hive] (via registry_event)
View
Using Certutil for Data Encoding and Cert Operations (via cmdline)
View
Suspicious Execution from Public User Profile (via process_creation)
View
Alternative Remote Access / Management Software (via process_creation)
View
An Archive Was Extracted To Suspicious Directory Using Powershell (via powershell)
View
Suspicious Files in Public User Profile (via file_event)
View
Possible IP Lookup Domain Communications Attempted (via dns)
View
Possible Dynamic DNS Service Was Contacted (via dns)
View
IOCs (HashSha256) to detect: [Op Report] From SSA Phish to AdaptixC2: A Multi-RAT Intrusion
View
IOCs (HashMd5) to detect: [Op Report] From SSA Phish to AdaptixC2: A Multi-RAT Intrusion
View
IOCs (SourceIP) to detect: [Op Report] From SSA Phish to AdaptixC2: A Multi-RAT Intrusion
View
IOCs (DestinationIP) to detect: [Op Report] From SSA Phish to AdaptixC2: A Multi-RAT Intrusion
View
AdaptixC2 Command-and-Control Communication Detection [Windows Network Connection]
View
Detect AdaptixC2 and ScreenConnect Deployment via Certutil and Msiexec [Windows Process Creation]
View
Simulation Execution
Prerequisite: The Telemetry & Baseline Pre-flight Check must have passed.
Rationale: This section details the precise execution of the adversary technique (TTP) designed to trigger the detection rule. The commands and narrative MUST directly reflect the TTPs identified and aim to generate the exact telemetry expected by the detection logic.
-
Attack Narrative & Commands: The adversary has successfully established a foothold on the target machine via a spearphishing link. To maintain control and receive instructions, the AdaptixC2 agent attempts to “check in” with its command-and-control server. The agent is programmed to reach out to a hardcoded URI (
98.81.111.167/updates/check.php) or a fallback IP (23.20.229.225) via port 443. By simulating these exact connection attempts, we validate if the firewall/network detection rule correctly identifies these known-malicious patterns. -
Regression Test Script: This script uses PowerShell to simulate two distinct connection attempts: one targeting the specific URL and one targeting the specific IP address.
# Simulation of AdaptixC2 C2 Communication Write-Host "[+] Starting AdaptixC2 Simulation..." -ForegroundColor Cyan # Scenario 1: Connection to the specific malicious URL pattern Write-Host "[+] Attempting connection to malicious URL: 98.81.111.167/updates/check.php" -ForegroundColor Yellow try { # We use -ErrorAction SilentlyContinue because the IP likely won't resolve or respond, # but the connection attempt itself will generate the telemetry. Invoke-WebRequest -Uri "http://98.81.111.167/updates/check.php" -Method Get -ErrorAction SilentlyContinue } catch { Write-Host "[!] Connection failed (expected), but telemetry should be generated." -ForegroundColor Gray } # Scenario 2: Connection to the specific malicious IP on port 443 Write-Host "[+] Attempting connection to malicious IP: 23.20.229.225 on port 443" -ForegroundColor Yellow try { $tcpClient = New-Object System.Net.Sockets.TcpClient $connection = $tcpClient.BeginConnect("23.20.229.225", 443, $null, $null) $success = $connection.AsyncWaitHandle.WaitOne(5000, $false) if ($success) { Write-Host "[+] Connection successful (unlikely in real test)." -ForegroundColor Green } else { Write-Host "[!] Connection timed out (expected), but telemetry should be generated." -ForegroundColor Gray } $tcpClient.Close() } catch { Write-Host "[!] Error during TCP connection attempt." -ForegroundColor Red } Write-Host "[+] Simulation Complete." -ForegroundColor Cyan -
Cleanup Commands:
# No persistent artifacts are created by this simulation as it only generates network traffic. Write-Host "[+] No cleanup required. Network connections were transient." -ForegroundColor Green