{
	"id": "735a9444-247d-4f05-824c-353be4ae2cd2",
	"created_at": "2026-04-06T00:22:39.027624Z",
	"updated_at": "2026-04-10T13:12:38.812987Z",
	"deleted_at": null,
	"sha1_hash": "14ed9f4cb898b47864e36e066426fc1ec5b58e46",
	"title": "Cracked Brute Ratel C4 framework proliferates across the cybercriminal underground",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1070840,
	"plain_text": "Cracked Brute Ratel C4 framework proliferates across the\r\ncybercriminal underground\r\nBy Will Thomas\r\nPublished: 2022-10-05 · Archived: 2026-04-05 14:32:28 UTC\r\nSince mid-September, English-speaking and Russian-speaking cybercriminal underground forums have been\r\nbuzzing with activity following the leaking and cracking of the Brute Ratel C4 (BRC4) post-exploitation toolkit.\r\nThis significant event is exemplary of the type of underground forum activity that the SANS FOR589: Cybercrime\r\nIntelligence course will cover, and this blog highlights key aspects of how FOR589 will teach students to generate\r\nactionable intelligence by monitoring the cybercriminal underground. This includes:\r\nHow to identify what is actionable and what is noise within the cybercriminal underground\r\nHow to spot significant evolutions and changes within the underground ecosystem\r\nHow to act as an early warning system for defenders and responders about imminent threats to\r\norganizations\r\nPractitioners can sign up for the BETA of this course on the SANS website by selecting ‘FOR589: Cybercrime\r\nIntelligence’ and by registering with their information.\r\nEt tu Brute Ratel?\r\nFor those unacquainted with Brute Ratel, it was developed by Chetan Nayak, a former offensive security\r\nprofessional who previously worked for Mandiant and CrowdStrike. It is an emerging Red Teaming framework,\r\nsimilar to Sliver, Mythic, and Covenant, all of which lag behind the most popular tool, which has been Cobalt Strike for\r\nseveral years. 
Much like Cobalt Strike, Brute Ratel enables operators to deploy agents, called badgers, inside a target\r\nenvironment; the badgers provide arbitrary command execution for lateral movement, privilege escalation, and\r\nestablishing additional avenues of persistence.\r\nThe leak of a cracked version of Brute Ratel is a significant event when we reflect on the precedent set by the\r\nleak of a cracked version of Cobalt Strike back in November 2020, when the source code for Cobalt Strike 4.0 was\r\nshared via GitHub. That leak bolstered free access to Cobalt Strike for threat actors within the cybercriminal\r\nunderground; since then, Cobalt Strike has been widely adopted by threat actors, particularly ransomware\r\naffiliates, as well as nation state advanced persistent threat (APT) groups.\r\nhttps://www.sans.org/blog/cracked-brute-ratel-c4-framework-proliferates-across-the-cybercriminal-underground/\r\nPage 1 of 6\n\nFigure 1: Cobalt Strike 4.0 source code offered on Exploit[.]in\r\nDue to this, security products have heavily focused on detecting the tool, and it is no longer as effective for\r\nadversaries as it once was. As a result, it has been reported that some threat actors have gone as far as creating\r\nspurious US-based firms in order to pass Brute Ratel’s licensing verification so they can leverage the new toolkit. The\r\ndeveloper of Brute Ratel, Chetan Nayak, could then revoke these licenses for any malicious customers using the\r\nframework for cybercrime.\r\nThe newly cracked version of Brute Ratel 1.2.2, however, now means that anyone can use the framework and\r\nbypass the license verification system. 
Chetan Nayak found that the uncracked version was uploaded to VirusTotal\r\nand was subsequently cracked by a Russian-speaking group called “Molecules”, who reverse engineered and\r\nbypassed the license check.\r\nA version of Brute Ratel was uploaded to VirusTotal at 19:59:20 UTC on 13 September 2022, via an archive file\r\ncalled \"bruteratel_1.2.2.Scandinavian_Defense.tar.gz\". Chetan Nayak confirmed this file contains a valid copy of\r\nBRC4 version 1.2.2/5. It was then cracked and was floating around private Telegram groups until it made its way\r\nto the mainstream cybercrime forums.\r\nFigure 2: A cracked version of Brute Ratel v1.2.2 shared on a Russian-speaking Telegram channel (Source:\r\nTwitter)\r\nFigure 3: Screenshot of Brute Ratel C4 – Scandinavian Defense (1.2)\r\nThis cracked version has since been distributed across the popular cybercrime forums where data brokers,\r\nmalware developers, initial access brokers, and ransomware affiliates all reside. This includes BreachForums,\r\nCryptBB, RAMP, Exploit[.]in, and XSS[.]is (aka DaMaGeLaB), as well as other communities on Discord and\r\nTelegram.\r\nFigure 4: Cracked version of Brute Ratel shared to BreachForums\r\nFigure 5: Cracked version of Brute Ratel shared to Exploit[.]in\r\nFigure 6: User of XSS[.]is testing the cracked version of Brute Ratel\r\nSo What?\r\nOne of the most concerning aspects of Brute Ratel for many security experts is its ability to generate shellcode\r\nthat is undetected by many endpoint detection and response (EDR) and antivirus (AV) products. 
Because each payload is generated afresh, every new attack produces unique indicators of compromise (IOCs).\r\nThe developer of Brute Ratel has demonstrated the tool’s proficiency at doing so; for example, on 29 September\r\n2022, the developer shared a video on YouTube called “Evading Elastic EDR in Full Prevent Mode with Brute Ratel C4.”\r\nThis extended window of detection evasion can give threat actors enough time to establish initial access, begin\r\nlateral movement, and achieve persistence elsewhere. Brute Ratel’s capabilities closely align with the objectives of\r\nransomware groups that are already highly active and looking for new windows of opportunity. In July 2022,\r\nSophos incident responders confirmed they encountered Brute Ratel in the wild, alongside Cobalt Strike, at an\r\nALPHV (aka BlackCat) ransomware engagement. This reinforces our assessment that cybercriminals, especially\r\nransomware affiliates, are going to be using this tool in the foreseeable future.\r\nFurther, to prevent Brute Ratel, defenders may try to gather and block related IOCs. However, because Brute Ratel\r\ngenerates new, evasive payloads for each deployment, blocking file hashes is an inadequate\r\ncountermeasure. 
Therefore, it is recommended that defenders implement behavior-based detections\r\nto thwart these attempts, like those outlined in blogs by MDSec and Palo Alto Networks Unit 42.\r\nOverall, enterprises and public sector organizations should recognize the imminent threat of the proliferation of\r\nthis tool in the hands of organized cybercriminal groups.\r\nUncracked and cracked versions of Brute Ratel C4 shared on VirusTotal\r\nUncracked: “BruteRatel_1.2.2.Scandinavian_Defense.tar.gz” - available here\r\nCracked: “bruteratel 1.2.2-Cracked.zip” - available here\r\nSource: https://www.sans.org/blog/cracked-brute-ratel-c4-framework-proliferates-across-the-cybercriminal-underground/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.sans.org/blog/cracked-brute-ratel-c4-framework-proliferates-across-the-cybercriminal-underground/"
	],
	"report_names": [
		"cracked-brute-ratel-c4-framework-proliferates-across-the-cybercriminal-underground"
	],
	"threat_actors": [
		{
			"id": "6e23ce43-e1ab-46e3-9f80-76fccf77682b",
			"created_at": "2022-10-25T16:07:23.303713Z",
			"updated_at": "2026-04-10T02:00:04.530417Z",
			"deleted_at": null,
			"main_name": "ALPHV",
			"aliases": [
				"ALPHV",
				"ALPHVM",
				"Ambitious Scorpius",
				"BlackCat Gang",
				"UNC4466"
			],
			"source_name": "ETDA:ALPHV",
			"tools": [
				"ALPHV",
				"ALPHVM",
				"BlackCat",
				"GO Simple Tunnel",
				"GOST",
				"Impacket",
				"LaZagne",
				"MEGAsync",
				"Mimikatz",
				"Munchkin",
				"Noberus",
				"PsExec",
				"Remcom",
				"RemoteCommandExecution",
				"WebBrowserPassView"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434959,
	"ts_updated_at": 1775826758,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/14ed9f4cb898b47864e36e066426fc1ec5b58e46.pdf",
		"text": "https://archive.orkl.eu/14ed9f4cb898b47864e36e066426fc1ec5b58e46.txt",
		"img": "https://archive.orkl.eu/14ed9f4cb898b47864e36e066426fc1ec5b58e46.jpg"
	}
}