SOC Prime Bias: High

15 Jun 2026 05:49 UTC

[Op Report] From SSA Phish to AdaptixC2: A Multi-RAT Intrusion

Author Photo
SOC Prime Team linkedin icon Follow
[Op Report] From SSA Phish to AdaptixC2: A Multi-RAT Intrusion
shield icon

Detection stack

  • AIDR
  • Alert
  • ETL
  • Query

Summary

A threat actor carried out a layered commodity intrusion beginning with a phishing email themed around the U.S. Social Security Administration. The operation relied on AdaptixC2 as the main command-and-control framework, used XWorm as a secondary access channel and for Telegram-based exfiltration, and deployed ScreenConnect to support hands-on-keyboard activity. The campaign also showed strong operational discipline through the use of RTLO filename deception and multiple persistence paths designed to survive partial remediation.

Investigation

The investigation took place in a Deception.Pro environment using a deception workstation. Because TLS inspection was enabled, researchers were able to recover cleartext beacon traffic, payload download URLs, and ScreenConnect relay handshakes. That visibility made it possible to attribute the intrusion to specific frameworks with high confidence rather than depending only on behavioral or fingerprint-based assumptions.

Mitigation

Organizations should reduce risk by enabling TLS inspection for encrypted command-and-control traffic and deploying EDR capable of detecting certutil-based staging and suspicious PowerShell execution. File extension visibility should be enforced to weaken RTLO-based filename tricks, and registry Run-key writes to public or user-writable locations should be monitored closely. Teams should also inventory and alert on unauthorized remote management tools such as ScreenConnect, especially when installed through msiexec.

Response

If this activity is detected, isolate the affected endpoints immediately to cut off command-and-control traffic and prevent further lateral movement through SAMR or LSAD enumeration. Perform a full forensic sweep for XWorm DLLs and AdaptixC2 artifacts in public folders and other common staging paths. Investigators should also review Telegram-related exfiltration patterns and audit registry persistence keys that mimic legitimate updater names.

Attack Flow

Detections

Possible Persistence Points [ASEPs – Software/NTUSER Hive] (via registry_event)

SOC Prime Team
12 Jun 2026

Using Certutil for Data Encoding and Cert Operations (via cmdline)

SOC Prime Team
12 Jun 2026

Suspicious Execution from Public User Profile (via process_creation)

SOC Prime Team
12 Jun 2026

Alternative Remote Access / Management Software (via process_creation)

SOC Prime Team
12 Jun 2026

An Archive Was Extracted To Suspicious Directory Using Powershell (via powershell)

SOC Prime Team
12 Jun 2026

Suspicious Files in Public User Profile (via file_event)

SOC Prime Team
12 Jun 2026

Possible IP Lookup Domain Communications Attempted (via dns)

SOC Prime Team
12 Jun 2026

Possible Dynamic DNS Service Was Contacted (via dns)

SOC Prime Team
12 Jun 2026

IOCs (HashSha256) to detect: [Op Report] From SSA Phish to AdaptixC2: A Multi-RAT Intrusion

SOC Prime AI Rules
12 Jun 2026

IOCs (HashMd5) to detect: [Op Report] From SSA Phish to AdaptixC2: A Multi-RAT Intrusion

SOC Prime AI Rules
12 Jun 2026

IOCs (SourceIP) to detect: [Op Report] From SSA Phish to AdaptixC2: A Multi-RAT Intrusion

SOC Prime AI Rules
12 Jun 2026

IOCs (DestinationIP) to detect: [Op Report] From SSA Phish to AdaptixC2: A Multi-RAT Intrusion

SOC Prime AI Rules
12 Jun 2026

AdaptixC2 Command-and-Control Communication Detection [Windows Network Connection]

SOC Prime AI Rules
12 Jun 2026

Detect AdaptixC2 and ScreenConnect Deployment via Certutil and Msiexec [Windows Process Creation]

SOC Prime AI Rules
12 Jun 2026

Simulation Execution

Prerequisite: The Telemetry & Baseline Pre-flight Check must have passed.

Rationale: This section details the precise execution of the adversary technique (TTP) designed to trigger the detection rule. The commands and narrative MUST directly reflect the TTPs identified and aim to generate the exact telemetry expected by the detection logic.

  • Attack Narrative & Commands: The adversary has successfully established a foothold on the target machine via a spearphishing link. To maintain control and receive instructions, the AdaptixC2 agent attempts to “check in” with its command-and-control server. The agent is programmed to reach out to a hardcoded URI (98.81.111.167/updates/check.php) or a fallback IP (23.20.229.225) via port 443. By simulating these exact connection attempts, we validate if the firewall/network detection rule correctly identifies these known-malicious patterns.

  • Regression Test Script: This script uses PowerShell to simulate two distinct connection attempts: one targeting the specific URL and one targeting the specific IP address.

    # Simulation of AdaptixC2 C2 Communication
    Write-Host "[+] Starting AdaptixC2 Simulation..." -ForegroundColor Cyan
    
    # Scenario 1: Connection to the specific malicious URL pattern
    Write-Host "[+] Attempting connection to malicious URL: 98.81.111.167/updates/check.php" -ForegroundColor Yellow
    try {
        # We use -ErrorAction SilentlyContinue because the IP likely won't resolve or respond, 
        # but the connection attempt itself will generate the telemetry.
        Invoke-WebRequest -Uri "http://98.81.111.167/updates/check.php" -Method Get -ErrorAction SilentlyContinue
    } catch {
        Write-Host "[!] Connection failed (expected), but telemetry should be generated." -ForegroundColor Gray
    }
    
    # Scenario 2: Connection to the specific malicious IP on port 443
    Write-Host "[+] Attempting connection to malicious IP: 23.20.229.225 on port 443" -ForegroundColor Yellow
    try {
        $tcpClient = New-Object System.Net.Sockets.TcpClient
        $connection = $tcpClient.BeginConnect("23.20.229.225", 443, $null, $null)
        $success = $connection.AsyncWaitHandle.WaitOne(5000, $false)
        if ($success) {
            Write-Host "[+] Connection successful (unlikely in real test)." -ForegroundColor Green
        } else {
            Write-Host "[!] Connection timed out (expected), but telemetry should be generated." -ForegroundColor Gray
        }
        $tcpClient.Close()
    } catch {
        Write-Host "[!] Error during TCP connection attempt." -ForegroundColor Red
    }
    
    Write-Host "[+] Simulation Complete." -ForegroundColor Cyan
  • Cleanup Commands:

    # No persistent artifacts are created by this simulation as it only generates network traffic.
    Write-Host "[+] No cleanup required. Network connections were transient." -ForegroundColor Green