
AdaptixC2 Framework & Gh0st RAT Loader Campaigns: OTX Pulse Analysis — Enterprise Detection Pack

Security Arsenal Team
April 22, 2026

Excerpt

Active AdaptixC2 and Gh0st RAT distribution observed alongside phishing trends. Urgent detection guidance and IOCs provided.

Threat Summary

Recent OTX pulses highlight a diverse threat landscape involving the rapid adoption of the AdaptixC2 post-exploitation framework, the distribution of Gh0st RAT via adware bundles, and a resurgence of AgentTesla and RemcosRAT through sophisticated phishing campaigns.

The collective intelligence indicates a shift towards modular, open-source frameworks (AdaptixC2) capable of multi-platform support (Windows, macOS, Linux) and diverse C2 channels (DNS, SMB, mTLS). Simultaneously, threat actors are leveraging "annoying" adware vectors (CloverPlus) to cloak Gh0st RAT deployments, while credential stealers like AgentTesla are increasingly relying on script-based HTML/JS attachments rather than traditional Office macros. The primary objectives across these campaigns are persistent remote access, credential harvesting, and lateral movement within enterprise environments.

Threat Actor / Malware Profile

AdaptixC2 (MgBot / CoolClient / CloudAtlas)

  • Type: Open-source Post-Exploitation Framework
  • Language: Go / C++
  • Capabilities: Supports Beacon Object Files (BOFs), process injection, and modular payload execution. It utilizes RC4 encryption and supports numerous C2 channels including HTTP/S, TCP, mTLS, DNS, DoH, and SMB.
  • Target: Cross-platform (Windows, macOS, Linux).

Gh0st RAT (CloverPlus Loader)

  • Type: Remote Access Trojan
  • Distribution: Delivered via obfuscated loaders bundled with CloverPlus adware.
  • Execution: Drops encrypted payloads executed via rundll32.exe.
  • Persistence: Establishes persistence via Registry Run keys and Windows services.
  • Capabilities: DNS hijacking, keylogging, remote control.

AgentTesla / RemcosRAT

  • Type: Information Stealer / RAT
  • Distribution: Phishing emails containing fake invoices.
  • Vector: Script-based attacks (HTML, JavaScript) and compressed archives (ZIP, RAR, 7Z) have surged, replacing macro-based documents.
  • Objective: Credential theft and system monitoring.

IOC Analysis

The provided IOCs include file hashes for distinct malware families:

  • AdaptixC2: f212fd00d9ffc0f3d868845f7f4215cb (MD5)
  • Gh0st RAT / CloverPlus: 04c3c443f6ad7582b6e61d0480594d83 (MD5), ebba8f4342b65faccdd2a48be9f2654d3fa523360f17ff68d5498a453f76c205 (SHA256)
  • Phishing Payloads: Multiple MD5 hashes (e.g., 06dc18771404694814d6a430bb65d1a3) linked to AgentTesla/RemcosRAT.

Network IOCs indicate active C2 infrastructure:

  • Hostnames: controller.airdns.org, ccp11nl.hyperhost.ua (Likely C2 or Dead Drop Resolvers).

Operational Guidance: SOC teams should block the listed hostnames at the perimeter and ingress proxy. File hashes should be uploaded to EDR solutions for immediate scanning. The presence of CVE-2023-27350 in the Gh0st RAT pulse suggests a potential exploitation vector requiring patch validation.

Detection Engineering

Sigma rules (YAML)
title: AdaptixC2 Agent Process by Known Hash
id: 9f8e7d6c-5b4a-3a2b-1c0d-9e8f7a6b5c4d
description: Detects a process whose image hash matches the AdaptixC2 agent MD5 from the OTX pulse. Sysmon process-creation events (Event ID 1) carry the Hashes field; Sysmon file-creation events (Event ID 11) do not, so the rule is keyed to process creation rather than file creation.
status: stable
author: Security Arsenal
date: 2026-04-22
references:
    - https://otx.alienvault.com/
tags:
    - attack.execution
    - attack.command_and_control
logsource:
    product: windows
    category: process_creation
detection:
    selection:
        Hashes|contains: 'MD5=f212fd00d9ffc0f3d868845f7f4215cb'
    condition: selection
falsepositives:
    - Unlikely
level: critical
---
title: Gh0st RAT Registry Persistence via Rundll32
id: 1a2b3c4d-5e6f-7a8b-9c0d-1e2f3a4b5c6d
description: Detects persistence mechanisms used by Gh0st RAT delivered via CloverPlus, specifically rundll32.exe writing a DLL path into a registry Run key (Sysmon Event ID 13).
status: stable
author: Security Arsenal
date: 2026-04-22
references:
    - https://otx.alienvault.com/
tags:
    - attack.persistence
    - attack.t1547.001
logsource:
    product: windows
    category: registry_set
detection:
    selection:
        TargetObject|contains: '\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
        Image|endswith: '\rundll32.exe'
        Details|contains: '.dll'
    condition: selection
falsepositives:
    - Legitimate software updates
level: high
---
title: Suspicious Script Execution from Phishing
id: 2b3c4d5e-6f7a-8b9c-0d1e-2f3a4b5c6d7e
description: Detects Windows script hosts launched with HTML or JavaScript arguments, a trend observed in recent AgentTesla and RemcosRAT campaigns that use script-based attachments instead of macro documents.
status: stable
author: Security Arsenal
date: 2026-04-22
references:
    - https://otx.alienvault.com/
tags:
    - attack.execution
    - attack.t1059.007
    - attack.defense_evasion
    - attack.t1218.005
logsource:
    product: windows
    category: process_creation
detection:
    selection:
        Image|endswith:
            - '\wscript.exe'
            - '\mshta.exe'
            - '\cscript.exe'
        CommandLine|contains:
            - '.html'
            - '.js'
            - '.jse'
    condition: selection
falsepositives:
    - Admin scripts
level: medium
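To show how the three selections above behave on real event shapes, here is an added example (not code from the original page or from Security Arsenal) that evaluates them against constructed Sysmon-style events. Sigma semantics are followed: `contains` and `endswith` are case-insensitive, values in a list are OR-ed, and the fields of one selection are AND-ed. Event IDs 1 (process creation) and 13 (registry value set) are Sysmon's; every event, path and SID below is constructed, and only the AdaptixC2 MD5 comes from the pulse.

```python
"""Minimal evaluator for the three Sigma selections above (added example)."""

ADAPTIX_MD5 = "f212fd00d9ffc0f3d868845f7f4215cb"  # MD5 from the OTX pulse

# Each rule: the Sysmon event it applies to and a selection of
# (field, modifier) -> list of candidate values (OR within a list, AND across fields).
RULES = [
    {"title": "AdaptixC2 agent by known hash", "event_id": 1,
     "selection": {("Hashes", "contains"): [f"MD5={ADAPTIX_MD5}"]}},
    {"title": "Gh0st RAT Run-key persistence via rundll32", "event_id": 13,
     "selection": {
         ("TargetObject", "contains"): [r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"],
         ("Image", "endswith"): [r"\rundll32.exe"],
         ("Details", "contains"): [".dll"]}},
    {"title": "Suspicious script host execution", "event_id": 1,
     "selection": {
         ("Image", "endswith"): [r"\wscript.exe", r"\mshta.exe", r"\cscript.exe"],
         ("CommandLine", "contains"): [".html", ".js", ".jse"]}},
]


def _matches(value, modifier, candidates):
    """Sigma string modifiers are case-insensitive; lists are OR-ed."""
    v = str(value).lower()
    for c in (x.lower() for x in candidates):
        if modifier == "contains" and c in v:
            return True
        if modifier == "endswith" and v.endswith(c):
            return True
    return False


def evaluate(event):
    """Return the titles of every rule whose selection fully matches the event."""
    hits = []
    for rule in RULES:
        if event.get("EventID") != rule["event_id"]:
            continue  # logsource restriction: only evaluate the matching event type
        if all(_matches(event.get(field, ""), mod, vals)
               for (field, mod), vals in rule["selection"].items()):
            hits.append(rule["title"])
    return hits


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Users\Public\svc.exe",
     "CommandLine": r"C:\Users\Public\svc.exe",
     "Hashes": f"MD5={ADAPTIX_MD5},SHA256=<constructed>"},
    {"EventID": 13, "Image": r"C:\Windows\System32\rundll32.exe",
     "TargetObject": r"HKU\S-1-5-21-0-0-0-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": r"rundll32.exe C:\ProgramData\upd\upd.dll,Start"},
    {"EventID": 1, "Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r'wscript.exe "C:\Users\a\Downloads\Invoice_4471.js"'},
    # Benign admin script: cscript with a .vbs argument should not fire.
    {"EventID": 1, "Image": r"C:\Windows\System32\cscript.exe",
     "CommandLine": r"cscript.exe C:\Scripts\inventory.vbs"},
    # Run key written by an installer, not rundll32 and not a DLL: should not fire.
    {"EventID": 13, "Image": r"C:\Program Files\Vendor\setup.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Vendor",
     "Details": r"C:\Program Files\Vendor\agent.exe"},
]


def run_samples():
    """Evaluate every sample event; returns (Image, matched rule titles) pairs."""
    return [(e.get("Image"), evaluate(e)) for e in SAMPLE_EVENTS]


if __name__ == "__main__":
    for image, hits in run_samples():
        print(f"{image}: {hits or 'no match'}")
```

Note that `CommandLine|contains: '.js'` also matches arguments such as `.json` or `.jsx`; if that produces noise in your environment, tighten the third rule with `endswith` on the quoted argument or a regex modifier rather than widening the false-positive list.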


KQL (Microsoft Defender Advanced Hunting)
// Hunt for Gh0st RAT C2 hostnames and suspicious rundll32 DLL execution
DeviceNetworkEvents
| where RemoteUrl has_any ("controller.airdns.org", "ccp11nl.hyperhost.ua")
| project Timestamp, DeviceName, InitiatingProcessFileName, RemoteUrl, RemoteIP
| union (
    DeviceProcessEvents
    // FileName is the process image; FolderPath is its directory, so it never ends in ".dll".
    // The DLL being loaded appears only in the command line.
    | where FileName =~ "rundll32.exe"
    | where ProcessCommandLine has ".dll"
    | project Timestamp, DeviceName, FileName, ProcessCommandLine, SHA256
)
| order by Timestamp desc


PowerShell
# IOC Hunt Script for AdaptixC2 and Gh0st RAT Indicators
# Requires Admin Privileges

# Hashes from the pulse, split by algorithm so each file is compared against
# the digest of the same type (an MD5 hash can never equal a SHA256 value).
$TargetMD5 = @(
    "f212fd00d9ffc0f3d868845f7f4215cb",
    "04c3c443f6ad7582b6e61d0480594d83"
)
$TargetSHA256 = @(
    "ebba8f4342b65faccdd2a48be9f2654d3fa523360f17ff68d5498a453f76c205"
)

$RunPaths = @(
    "HKLM:\Software\Microsoft\Windows\CurrentVersion\Run",
    "HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce",
    "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run",
    "HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce"
)

Write-Host "Checking Registry Run Keys for suspicious rundll32 entries..."
foreach ($Path in $RunPaths) {
    if (-not (Test-Path $Path)) { continue }
    $Key = Get-Item $Path
    foreach ($Name in $Key.Property) {
        $Value = [string]$Key.GetValue($Name)
        # -match is a regex test, so the dots are escaped to match literally
        if ($Value -match 'rundll32\.exe' -and $Value -match '\.dll') {
            Write-Host "[SUSPICIOUS] Path: $Path | Name: $Name | Value: $Value" -ForegroundColor Yellow
        }
    }
}

Write-Host "Scanning fixed drives for known malicious hashes (this may take time)..."
Get-PSDrive -PSProvider FileSystem | ForEach-Object {
    $Drive = $_.Root
    Write-Host "Scanning $Drive..."
    # -File skips directories, which Get-FileHash cannot hash
    Get-ChildItem -Path $Drive -File -Recurse -Force -ErrorAction SilentlyContinue |
    ForEach-Object {
        $MD5 = (Get-FileHash -LiteralPath $_.FullName -Algorithm MD5 -ErrorAction SilentlyContinue).Hash
        if ($MD5 -and $TargetMD5 -contains $MD5) {   # -contains is case-insensitive
            Write-Host "[MALICIOUS FILE FOUND] Path: $($_.FullName) | MD5: $MD5" -ForegroundColor Red
            return  # already flagged; move to the next file
        }
        $SHA256 = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
        if ($SHA256 -and $TargetSHA256 -contains $SHA256) {
            Write-Host "[MALICIOUS FILE FOUND] Path: $($_.FullName) | SHA256: $SHA256" -ForegroundColor Red
        }
    }
}

Response Priorities

  • Immediate: Block IOCs including the hostnames controller.airdns.org and ccp11nl.hyperhost.ua at the firewall and proxy. Initiate hunts for the listed file hashes on endpoints.
  • 24h: Conduct credential resets for accounts potentially accessed on systems where AgentTesla or Gh0st RAT execution is suspected, due to the high risk of credential theft.
  • 1 week: Review email gateway configurations to specifically filter HTML, JavaScript, and compressed archive attachments (ZIP, RAR, 7Z) given the reported trend in script-based malware delivery. Ensure CVE-2023-27350 is patched across the enterprise.
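The one-week item above asks for gateway filtering of HTML, JavaScript and archive attachments. As an added example (not the page's or Security Arsenal's code), the following policy check parses a message with Python's standard `email` module, flags attachments by extension, and looks inside ZIP archives for blocked member types; RAR and 7Z cannot be opened with the standard library, so they are flagged by extension alone. The sample message, addresses, filenames and file contents are constructed placeholders.

```python
"""Attachment policy check for script/HTML and archive lures (added example)."""
import io
import zipfile
from email import message_from_bytes
from email.message import EmailMessage
from email.policy import default

# Extensions the response plan asks the gateway to filter.
BLOCKED_EXT = {".html", ".htm", ".js", ".jse", ".hta", ".vbs", ".wsf"}
ARCHIVE_EXT = {".zip", ".rar", ".7z"}


def _ext(name):
    """Last extension, lowercased, so 'Invoice.pdf.js' is judged as '.js'."""
    name = name.lower()
    i = name.rfind(".")
    return name[i:] if i >= 0 else ""


def evaluate_attachment(filename, payload):
    """Return a list of reasons to quarantine; an empty list means allowed."""
    reasons = []
    ext = _ext(filename)
    if ext in BLOCKED_EXT:
        reasons.append(f"blocked script/HTML attachment: {filename}")
    elif ext in ARCHIVE_EXT:
        reasons.append(f"compressed archive attachment: {filename}")
        if ext == ".zip":
            try:
                # namelist() works even for password-protected ZIPs, so member
                # names can be policed without extracting anything.
                with zipfile.ZipFile(io.BytesIO(payload)) as zf:
                    for member in zf.namelist():
                        if _ext(member) in BLOCKED_EXT:
                            reasons.append(f"archive member {member} inside {filename}")
            except zipfile.BadZipFile:
                reasons.append(f"unreadable zip (corrupt or not a zip): {filename}")
    return reasons


def scan_message(raw_bytes):
    """Parse a raw RFC 5322 message and evaluate every attachment part."""
    msg = message_from_bytes(raw_bytes, policy=default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        findings.extend(evaluate_attachment(name, part.get_payload(decode=True) or b""))
    return findings


def build_sample_message():
    """Constructed 'fake invoice' lure with three attachments (placeholder content only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Invoice_4471.pdf.js", "// constructed placeholder, not a payload\n")
    msg = EmailMessage()
    msg["From"] = "billing@example.invalid"
    msg["To"] = "ap@example.invalid"
    msg["Subject"] = "Invoice 4471 overdue"
    msg.set_content("Please review the attached invoice.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="Invoice_4471.zip")
    msg.add_attachment("<html><!-- constructed placeholder --></html>", subtype="html",
                       filename="Invoice_4471.html")
    msg.add_attachment(b"%PDF-1.4 constructed placeholder", maintype="application",
                       subtype="pdf", filename="Invoice_4471.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    for finding in scan_message(build_sample_message()):
        print("QUARANTINE:", finding)
```

Running it on the constructed message yields three findings (the ZIP itself, the `.js` member inside it, and the HTML attachment) while the PDF passes. At a real gateway, extend `BLOCKED_EXT` to match your policy and treat unreadable or nested archives as quarantine-worthy rather than allowed by default.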
