{
	"id": "c339b9ca-4cca-4ce5-86a9-e6a27f8b7364",
	"created_at": "2026-04-06T00:14:15.986119Z",
	"updated_at": "2026-04-10T13:12:43.253122Z",
	"deleted_at": null,
	"sha1_hash": "1f985ff0b416e9fdc1c7de3b9296f6f775a6e72b",
	"title": "Hunting Cyber Evil Ratels: From the targeted attacks to the widespread usage of Brute Ratel - Yoroi",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 783744,
	"plain_text": "Hunting Cyber Evil Ratels: From the targeted attacks to the widespread usage of Brute Ratel - Yoroi\r\nPublished: 2023-02-15 · Archived: 2026-04-05 15:30:26 UTC\r\n02/15/2023\r\nIntroduction\r\nRed team operations are fundamental for achieving an adequate cybersecurity maturity level. So, many different commercial C2 frameworks were born to help manage security tests. However, these same technologies can also be used by attackers to carry out cyber intrusions.\r\nOne of the most emblematic examples of this phenomenon is “Brute Ratel”, a commercial Red Team Operations framework developed by Chetan Nayak, an expert red teamer formerly at both Mandiant and CrowdStrike, which, starting from the past year, has been used by attackers in both cybercrime and APT operations.\r\nThis Red Team framework is designed to be highly evasive and undetectable by security products, as also demonstrated by the many shellcodes we intercepted through hunting activities with a zero detection rate on the VirusTotal platform.\r\nFor these reasons, reconstructing the abuse of that tool is a necessary step in order to provide technical insights for the cybersecurity community.\r\nReconstructing the abuse of Brute Ratel\r\nThe first time the cybersecurity community had to face the abuse of Brute Ratel was between May and June 2022. The observed attack involved an ISO file, used to compress the files and reduce the detection rate, because this type of file isn’t easily detected by security protections. 
The content of the archive is an LNK file used to perform DLL sideloading of the malicious “version.dll” library, a necessary dependency of the legitimate Microsoft executable “OneDriveUpdtater.exe”.\r\nFigure 1: Content of the ISO image\r\nThis campaign has been analyzed in depth by Unit42 of Palo Alto, which attributed the threat to Nobelium, AKA APT29. This campaign was important because it was the first documented one maliciously leveraging the Brute Ratel framework.\r\nOn 13 September an archive containing a leaked version of Brute Ratel 1.2.2, named “BruteRatel_1.2.2.Scandinavian_Defense.tar.gz”, was uploaded to VirusTotal and in the following days shared among cybercriminals on underground forums and popular Telegram channels. This was a very good starting point to take a closer look, but the leak didn’t include a valid license, so the application did not work.\r\nFigure 2: Testing the Brute Ratel Leak\r\nNevertheless, this hasn’t stopped the criminals, who we believe reversed the license-related routines to develop a crack aimed at bypassing the usage restrictions of the product. In fact, in the following days a cracked version of the framework appeared, with the addition of a license file named “.brauth”, which made the tool work.\r\nhttps://web.archive.org/web/20230216110153/https://yoroi.company/research/hunting-cyber-evil-ratels-from-the-targeted-attacks-to-the-widespread-usage-of-brute-ratel/\r\nPage 1 of 7\n\nFigure 3: Evidence of the cracked version of Brute Ratel\r\nThus, we decided to test this version too, and it worked.\r\nFigure 4: Cracked Version of Brute Ratel Working\r\nAfter that, this cracked version started to spread on many different forums and private hacking groups. 
So, threat actors started to adopt this framework during their human-operated cyber intrusions, replacing or alongside Cobalt Strike, which nowadays remains the landmark for this type of malicious operation.\r\nTechnical Insights\r\nThe malicious code is contained inside the exported function main: the sample walks the PEB to find ntdll.dll and dynamically resolves the APIs. API hashing is one of the most popular techniques adopted by malware writers: in this way, they can obfuscate the most critical API calls they need to perform, making analysis harder. In this case (4766553ce5ff67a2e28b1ee1b5322e005b85b26e21230ffba9622e7c83ed0917), the algorithm used to perform the hashing operation is ROR13.\r\nFigure 5: Resolving the hashed APIs\r\nAfter resolving the functions, the badger starts an anti-analysis phase, where it tries to evade an analyst reversing the payload.\r\nThe first technique is an anti-debug trick to detect when the analyst inserts breakpoints on the API function to be resolved. In this case, the check is performed by retrieving the address of the API call to resolve and checking whether it has been overwritten with the 0xCC opcode, which is the opcode of a software breakpoint.\r\nA second technique is an anti-hooking trick that checks whether the call stub is 20 bytes long and its last 3 bytes are 0x0F, 0x05 and 0xC3, which are the machine code for the instructions “syscall” and “ret”. 
In this way, the check allows the malware to identify any tampering inside the API calls it is about to use: in fact, many EDRs and security appliances adopt hooking techniques to intercept the code and identify malicious behaviour.\r\nFigure 6: Anti-Analysis and Anti-hooking techniques\r\nA detail of the called syscall, not tampered with by any security control, is the following:\r\nFigure 7: Evidence of an untampered syscall\r\nAfter those checks, the badger extracts the shellcode contained inside the “.data” section into a new memory section, and it is executed with a syscall to NtCreateThreadEx.\r\nFigure 8: Shellcode execution through syscall\r\nAt this point, the shellcode is able to allocate in memory a PE file with the header missing, which is the final payload.\r\nFigure 9: Loaded badger shellcode without MZ header\r\nA view of the badger strings inside the just-loaded code is the following:\r\nFigure 10: Strings of the badger\r\nThe last decoding routine of the payload retrieves the configuration of the badger. 
It uses the RC4 algorithm to encrypt this information and decodes it at runtime; in this case the key is the hardcoded string “mnan#:\u003c(”\r\nFigure 11: RC4 algorithm for the configuration decryption\r\nAn example of the decrypted configuration of a Brute Ratel badger is the following:\r\n0|1|40|||||||0|1|[IP (Redacted)]|443|Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36|VNIGBM11JPMHF40J|DQMVLBS4H9FCUAMO|/content.php,/admin.php,/login.php||6df589ac0c3c884c54f419a437406ac8bf3ab4\r\nThreat Hunting\r\nUpon the release of the leaked version, we decided to track the malicious campaigns leveraging this pentesting framework in order to identify how many actors are using it to carry out malicious cyber-attacks. It was surprising to observe that some of the samples we are able to track with the Yara rule provided at the end of the blog post are fully undetected by antimalware products, and VirusTotal also gives a zero detection rate. This indicates the effort put into making this tool optimal for simulating an adversary.\r\nFigure 12: Detection rate of a file uploaded on VT which is a Brute Ratel badger\r\nSo, it was interesting to notice that, at the time of writing, there are three low-detection-rate samples we found through our signatures.\r\n0 detections:\r\n17decce71404a0ad4b402d030cb91c6fd5bca45271f8bf19e796757e85f70e48\r\nfdeb6a6aaee94fe204fb986f6d78e64a9086c5f64e315d8c5e90b590f0007af8\r\n3 detections:\r\n5f4782a34368bb661f413f33e2d1fb9f237b7f9637f2c0c21dc752316b02350c\r\nConclusion\r\nThreat hunting is a proactive approach to identifying and tracking security threats. 
It involves actively searching for and analyzing potential security breaches or anomalies in an organization's systems and networks. Proactively hunting for threats helps organizations minimize the risk of cyber intrusion and the damage caused by such an attack. In addition, threat hunting enables organizations to continuously monitor and improve their security posture, helping them stay ahead of the evolving threat landscape.\r\nThe example of the abuse of the Brute Ratel framework is emblematic: it shows that the continuous improvement of Threat Intelligence and Hunting capabilities is fundamental for the growth of a company's cyber security measures, establishing a best practice for the early detection of cyber threats.\r\nIndicators of Compromise\r\nHashes retrieved from threat hunting 
operations:\r\n025ef5e92fecf3fa118bd96ad3aff3f88e2629594c6a7a274b703009619245b6\r\n086dc27a896e154adf94e8c04b538fc146623b224d62bf019224830e39f4d51d\r\n17decce71404a0ad4b402d030cb91c6fd5bca45271f8bf19e796757e85f70e48\r\n17e4989ff7585915ec4342cbaf2c8a06f5518d7ba0022fd1d97b971c511f9bde\r\n200955354545ef1309eb6d9ec65a917b08479f28362e7c42a718ebe8431bb15d\r\n221e81540e290017c45414a728783cb62f79d9f63f2547490ec2792381600232\r\n25e7a8da631f3a5dfeec99ca038b3b480658add98719ee853633422a3a40247d\r\n28a4e9f569fd5223bffe355e685ee137281e0e86cae3cc1e3267db4c7b2f3bcd\r\n2ddc77de26637a6d759e5b080864851b731fdb11075485980ece20d8f197104c\r\n31fe821e4fac6380701428e01f5c39c6f316b6b58faff239d8432e821a79d151\r\n331952c93954bd263747243a0395441d0fae2b6d5b8ceb19f3ddb786b83f0731\r\n34c1d162bf17cdb41c2c5d220b66202a85f5338b15019e26dcab1a81f12fc451\r\n38b3b10f2ddeecda0db029dacc6363275c4cdf18cc62be3cc57b79647d517a44\r\n3a946cba2ba38a2c6158fa50beee20d2d75d595acc27ea51a39a37c121082596\r\n3baace2a575083a7031af7e9e13ff8ed46659f0b25ce54abe73db844acfad11a\r\n3f63fbc43fc44e6bf9c363e8c17164aeb05a515229e2111a2371d4321dcde787\r\n4766553ce5ff67a2e28b1ee1b5322e005b85b26e21230ffba9622e7c83ed0917\r\n4e5d89844135dca1d9899a8eedfbabc09bcb0fb5c5c14c29f7df5a58d7cf16d4\r\n4f88738e04447344100bb9532c239032b86e71d8037ccb121e2959f37fff53cf\r\n54e844b5ae4a056ca8df4ca7299249c4910374d64261c83ac55e5fdf1b59f01d\r\n56ced937d0b868a2005692850cea467375778a147288ac404748c2dea9c17277\r\n5f4782a34368bb661f413f33e2d1fb9f237b7f9637f2c0c21dc752316b02350c\r\n6021d5500fdea0664a91bdd85b98657817083ece6e2975362791c603d7a197c7\r\n62cb24967c6ce18d35d2a23ebed4217889d796cf7799d9075c1aa7752b8d3967\r\n62e88163b51387b160e9c7ea1d74f0f80c52fc32c997aa595d53cbc2c3b6caf4\r\n64a95de2783a97160bac6914ee07a42cdd154a0e33abc3b1b62c7bafdce24c0c\r\n6a85451644a2c6510d23a1ab5610c85a38107b3b3a00238f7b93e2ce6d1ba549\r\n6ade03a82d8bb884cae26c6db31cf539bec66861fc689cf1c752073fb79740c5\r\n6fdd81e31f2bec2bdda594974068a69e911219d811c8de4466d7a059dd3183a3\r\n74c00f303b87b
23dffb59718187ff95c9d4d8497c61a64501166ac5dbed84b9f\r\n7757a76ca945f33f3220ad2b2aa897f3e63c47f08e1b7d62d502937ba90360a7\r\n7824197ad3b9c0981a1cdabf82940ac7733d232442bd31d195783a4e731845d2\r\n79e232b2a08a2960a493e74ab7cba3e82c8167acc030a5ca8d080d0027a587fe\r\n7fe1ff03e8f5678d280f7fd459a36444b6d816b2031e37867e4e36b689eccd33\r\n83b336deca35441fa745cd80a7df7448ce24c09dd2a36569332ae0e4771f36a6\r\n88249de22cefaf15f7c45b155703980fb09eb8e06b852f9d4a7c82126776ee7e\r\n8b8f7e8030e2ba234a33bc8a2fa3ccb5912029d660e03ed40413d949142b98fe\r\n8d979a1627dea58e9b86f393338df6aabfd762937e25e39f1d325fce06cf5338\r\n8dd3faf0248890e8c3efb40b800f892989204ba3125986690669f0a914f26c5d\r\n9521f51e42b8e31d82b06de6e15dbf9a1fa1bbff62cf6bc68c0b9e8fd1f8b2c5\r\n97a00056c459a7ce38ad8029413bf8f1691d4ae81e90f0d346d54c91dd02a511\r\n991f883556357a3b961c31e2b72f6246b52b27a5c45b72914abc61c5b5960cc3\r\n9f06583bd4b8c4aefc470ef582ff685cd3d03b404e67ce8bf9dbbd5828c90c43\r\na0c3da2ebf94f6671537a80d26b3288f8fcdf845fe2780ef81fd9da48c0162bf\r\na8759ef55fed4a9410cc152df9ef330a95f776619901054715ed4721a414d15c\r\na8cc14bd56aa4a2da40717cb3f11ecb6aff4e0797a9cebcff51461db19eaf580\r\nae38ec0ddc58424bf6de8858c82c4c6902fc947604943d58d8cbca00991c7f7d\r\naeb82788aad8bdee4c905559c4636536fb54c40fdc77b27ba4308b6a0f24bedf\r\nbdd028922220ff92acb8530c894e2705743a968a8159fe955c1057736c7e1ebd\r\nc3cc43492d005b25fc2cc66f82a550420bb4c48b5aae0a77f1ccef0603a3e47c\r\nc4f40e2eb029ef11be4ac43ccc6895af6fb6dabd3a5bcc02f29afb9553da625c\r\nc6aa2c54eee52f99a911dadfbf155372bd9f43fb9f923500b0b374799204d7a3\r\nc6e2562a2ae399a851b0e5bfb92011e9f97ab45fa536a61eb89b3aee062461f7\r\nca2b9a0fe3992477d4c87a6e2a75faaac9ea0f3828d054cb44371b3068b76ba5\r\ncdc5e05843cf1904e145dad3ae6c058b92b1bc3cbffffc217884b7cc382172a1\r\ncee890a9e7ab521125372c13b71fc154ef5332d333fe43798303b198e9314dcd\r\nd90beab9a3986c26922e4107dccb0b725b8b0eea398f2aeb8848cbe25c3becee\r\ndb987749ef4a58c6a592a33221770d23adcb2efce4a5504aabc73d61cd356616\r\ndc9757c9aa3aff76d86f9f23a3d20a817e48ca3d7
294307cc67477177af5c0d4\r\ndcb986e45f1cf38794acec5e7f576a8dff6fbec66e6a09e3cc92596c796ad0d3\r\ne400a196e7128a3cf40085629db8f26b73b6980be7df3da60928a4a062bc85cb\r\ne491d06e3a556c79e922274af04c1786a957775ba2d5d0b02d13bdee91bf5ce4\r\nea6d9ff8f768fc0132f9f543d9546744d04f9f83e2241950f63f60b520b9ece0\r\nead189bb18ee839db3d221701e208c4d2845c232cec66764bb3ea6c688ca18e8\r\nee035537c3b8fc54ca2e1fa98c18e2fb0e203d863005c878bc8ceaa690a6689f\r\nee53521e7d8b2b05fef77877440738ee169f3b75228931f9aaf96621a2f64c25\r\neef36bc6f208abd46541bac1b1de18bb3a69057b1a54e67d71d259cc0f1bef5b\r\nf59fe0945f97df4e3d2efc9b31d00602fc5a16e05453e0d853e275cadb63a057\r\nf875e68899afe172394176fa9cabededeaa19ad6816a90746bb630c064c69e6a\r\nfdeb6a6aaee94fe204fb986f6d78e64a9086c5f64e315d8c5e90b590f0007af8\r\nYara Rules\r\nrule brute_ratel\r\n{\r\n    meta:\r\n        author = \"Yoroi Malware ZLab\"\r\n        description = \"Rule for BruteRatel Badger\"\r\n        last_updated = \"2023-02-15\"\r\n        tlp = \"WHITE\"\r\n        category = \"informational\"\r\n    strings:\r\n        $1 = {8079ffcc74584585c075044883e920448a094180f9e9740a448a41034180f8e97507ffc24531c0ebd731c04180f94c752f8079018b75\r\n        $2 = {565389d34883ec2885db74644889cee8????????31c9ba????????4989c0e8????????448d430165488b142530000000488b5260488b\r\n    condition:\r\n        (uint16(0) == 0x5A4D or uint16(0) == 0x00E8 or uint16(0) == 0x8348) and ($1 or $2)\r\n}\r\nThis blog post was authored by Luigi Martire, Carmelo Ragusa of Yoroi Malware ZLAB\r\nSource: https://web.archive.org/web/20230216110153/https://yoroi.company/research/hunting-cyber-evil-ratels-from-the-targeted-attacks-to-the-widespread-usage-of-brute-ratel/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://web.archive.org/web/20230216110153/https://yoroi.company/research/hunting-cyber-evil-ratels-from-the-targeted-attacks-to-the-widespread-usage-of-brute-ratel/"
	],
	"report_names": [
		"hunting-cyber-evil-ratels-from-the-targeted-attacks-to-the-widespread-usage-of-brute-ratel"
	],
	"threat_actors": [
		{
			"id": "5b748f86-ac32-4715-be9f-6cf25ae48a4e",
			"created_at": "2024-06-04T02:03:07.956135Z",
			"updated_at": "2026-04-10T02:00:03.689959Z",
			"deleted_at": null,
			"main_name": "IRON HEMLOCK",
			"aliases": [
				"APT29 ",
				"ATK7 ",
				"Blue Kitsune ",
				"Cozy Bear ",
				"The Dukes",
				"UNC2452 ",
				"YTTRIUM "
			],
			"source_name": "Secureworks:IRON HEMLOCK",
			"tools": [
				"CosmicDuke",
				"CozyCar",
				"CozyDuke",
				"DiefenDuke",
				"FatDuke",
				"HAMMERTOSS",
				"LiteDuke",
				"MiniDuke",
				"OnionDuke",
				"PolyglotDuke",
				"RegDuke",
				"RegDuke Loader",
				"SeaDuke",
				"Sliver"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a241a1ca-2bc9-450b-a07b-aae747ee2710",
			"created_at": "2024-06-19T02:03:08.150052Z",
			"updated_at": "2026-04-10T02:00:03.737173Z",
			"deleted_at": null,
			"main_name": "IRON RITUAL",
			"aliases": [
				"APT29",
				"Blue Dev 5 ",
				"BlueBravo ",
				"Cloaked Ursa ",
				"CozyLarch ",
				"Dark Halo ",
				"Midnight Blizzard ",
				"NOBELIUM ",
				"StellarParticle ",
				"UNC2452 "
			],
			"source_name": "Secureworks:IRON RITUAL",
			"tools": [
				"Brute Ratel C4",
				"Cobalt Strike",
				"EnvyScout",
				"GoldFinder",
				"GoldMax",
				"NativeZone",
				"RAINDROP",
				"SUNBURST",
				"Sibot",
				"TEARDROP",
				"VaporRage"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "46b3c0fc-fa0c-4d63-a38a-b33a524561fb",
			"created_at": "2023-01-06T13:46:38.393409Z",
			"updated_at": "2026-04-10T02:00:02.955738Z",
			"deleted_at": null,
			"main_name": "APT29",
			"aliases": [
				"Cloaked Ursa",
				"TA421",
				"Blue Kitsune",
				"BlueBravo",
				"IRON HEMLOCK",
				"G0016",
				"Nobelium",
				"Group 100",
				"YTTRIUM",
				"Grizzly Steppe",
				"ATK7",
				"ITG11",
				"COZY BEAR",
				"The Dukes",
				"Minidionis",
				"UAC-0029",
				"SeaDuke"
			],
			"source_name": "MISPGALAXY:APT29",
			"tools": [
				"SNOWYAMBER",
				"HALFRIG",
				"QUARTERRIG"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "20d3a08a-3b97-4b2f-90b8-92a89089a57a",
			"created_at": "2022-10-25T15:50:23.548494Z",
			"updated_at": "2026-04-10T02:00:05.292748Z",
			"deleted_at": null,
			"main_name": "APT29",
			"aliases": [
				"APT29",
				"IRON RITUAL",
				"IRON HEMLOCK",
				"NobleBaron",
				"Dark Halo",
				"NOBELIUM",
				"UNC2452",
				"YTTRIUM",
				"The Dukes",
				"Cozy Bear",
				"CozyDuke",
				"SolarStorm",
				"Blue Kitsune",
				"UNC3524",
				"Midnight Blizzard"
			],
			"source_name": "MITRE:APT29",
			"tools": [
				"PinchDuke",
				"ROADTools",
				"WellMail",
				"CozyCar",
				"Mimikatz",
				"Tasklist",
				"OnionDuke",
				"FatDuke",
				"POSHSPY",
				"EnvyScout",
				"SoreFang",
				"GeminiDuke",
				"reGeorg",
				"GoldMax",
				"FoggyWeb",
				"SDelete",
				"PolyglotDuke",
				"AADInternals",
				"MiniDuke",
				"SeaDuke",
				"Sibot",
				"RegDuke",
				"CloudDuke",
				"GoldFinder",
				"AdFind",
				"PsExec",
				"NativeZone",
				"Systeminfo",
				"ipconfig",
				"Impacket",
				"Cobalt Strike",
				"PowerDuke",
				"QUIETEXIT",
				"HAMMERTOSS",
				"BoomBox",
				"CosmicDuke",
				"WellMess",
				"VaporRage",
				"LiteDuke"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434455,
	"ts_updated_at": 1775826763,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/1f985ff0b416e9fdc1c7de3b9296f6f775a6e72b.pdf",
		"text": "https://archive.orkl.eu/1f985ff0b416e9fdc1c7de3b9296f6f775a6e72b.txt",
		"img": "https://archive.orkl.eu/1f985ff0b416e9fdc1c7de3b9296f6f775a6e72b.jpg"
	}
}