{
	"id": "b36190ba-eb85-4c45-b8fb-e2b9e2a5c553",
	"created_at": "2026-04-06T00:22:03.239751Z",
	"updated_at": "2026-04-10T03:24:24.693252Z",
	"deleted_at": null,
	"sha1_hash": "2d4da4cfa97db4d4e5afe12000a91a674694bf17",
	"title": "How to detect Brute Ratel activities",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 504461,
	"plain_text": "How to detect Brute Ratel activities\r\nBy Andrea Fortuna\r\nPublished: 2023-02-23 · Archived: 2026-04-05 14:44:35 UTC\r\nBrute Ratel (BRc4) is a Command and Control (C2) framework designed to help attackers evade defence systems and remain undetected while executing malicious commands. Used in simulations of real-world attacks, this tool helps red team members deploy badgers on remote hosts. Badgers are similar to Cobalt Strike beacons and connect attackers to a remote command and control server, providing them with remote code execution capabilities.\r\nThe current version of Brute Ratel allows users to create command-and-control channels using legitimate tools such as Microsoft Teams, Slack and Discord. It also uses undocumented syscalls instead of standard Windows API calls to avoid detection, and injects shellcode into running processes. BRc4 includes a debugger capable of detecting and bypassing EDR hooks and detections, as well as an easy-to-use visual interface to assist with LDAP queries across domains.\r\nSimilar to what I did in a previous post focusing on the Sliver framework, I try to outline a multi-layered approach to detecting malicious activity related to this tool, focusing on the use of endpoint detection and response (EDR) tools, network traffic analysis, and file system monitoring.\r\nNetwork Traffic Analysis\r\nThe detection of Brute Ratel traffic patterns is not easy, because the framework allows attackers to hide malicious traffic within communications with legitimate tools such as Microsoft Teams, Slack and Discord.\r\nHowever, in this article the security firm Yoroi suggests using the following YARA rule:\r\nrule brute_ratel\r\n{\r\n  meta:\r\n    author = \"Yoroi Malware ZLab\"\r\n    description = \"Rule for BruteRatel Badger\"\r\n    last_updated = \"2023-02-15\"\r\n    tlp = \"WHITE\"\r\n    category = \"informational\"\r\n  strings:\r\n    $1 = {8079ffcc74584585c075044883e920448a094180f9e9740a448a41034180f8e97507ffc24531c0ebd731c04180f94c752f\r\n    $2 = {565389d34883ec2885db74644889cee8????????31c9ba????????4989c0e8????????448d430165488b14253000000048\r\n  condition:\r\n    (uint16(0) == 0x5A4D or uint16(0) == 0x00E8 or uint16(0) == 0x8348) and ($1 or $2)\r\n}\r\nFile System Monitoring\r\nAccording to articles by Unit42 and Splunk, recent campaigns using Brute Ratel have used fake Microsoft OneDrive installers packaged in .iso files to minimise detection by antivirus software.\r\nThis information can be used to create a hash list of possible files associated with payload implantation attempts:\r\nSHA\r\n1FC7B0E1054D54CE8F1DE0CC95976081C7A85C7926C03172A3DDAA672690042C\r\n31ACF37D180AB9AFBCF6A4EC5D29C3E19C947641A2D9CE3CE56D71C1F576C069\r\nF58AE9193802E9BAF17E6B59E3FDBE3E9319C5D27726D60802E3E82D30D14D46\r\n3ED21A4BFCF9838E06AD3058D13D5C28026C17DC996953A22A00F0609B0DF3B9\r\n3AD53495851BAFC48CAF6D2227A434CA2E0BEF9AB3BD40ABFE4EA8F318D37BBE\r\n973F573CAB683636D9A70B8891263F59E2F02201FFB4DD2E9D7ECBB1521DA03E\r\nDD8652E2DCFE3F1A72631B3A9585736FBE77FFABEE4098F6B3C48E1469BF27AA\r\nE1A9B35CF1378FDA12310F0920C5C53AD461858B3CB575697EA125DFEE829611\r\nEF9B60AA0E4179C16A9AC441E0A21DC3A1C3DC04B100EE487EABF5C5B1F571A6\r\nD71DC7BA8523947E08C6EEC43A726FE75AED248DFD3A7C4F6537224E9ED05F6F\r\n5887C4646E032E015AA186C5970E8F07D3ED1DE8DBFA298BA4522C89E547419B\r\nEA2876E9175410B6F6719F80EE44B9553960758C7D0F7BED73C0FE9A78D8E669\r\nB5D1D3C1AEC2F2EF06E7D0B7996BC45DF4744934BD66266A6EBB02D70E35236E\r\n55684a30a47476fce5b42cbd59add4b0fbc776a3\r\n66aab897e33b3e4d940c51eba8d07f5605d5b275\r\nb5378730c64f68d64aa1b15cb79088c9c6cb7373fcb7106812ffee4f8a7c1df7\r\ncab0da87966e3c0994f4e46f30fe73624528d69f8a1c3b8a1857962e231a082b\r\n392768ecec932cd22511a11cdbe04d181df749feccd4cb40b90a74a7fdf1e152\r\ne549d528fee40208df2dd911c2d96b29d02df7bef9b30c93285f4a2f3e1ad5b0\r\na8f50e28989e21695d76f0b9ac23e14e1f8ae875ed42d98eaa427b14a7f87cd6\r\n025ef5e92fecf3fa118bd96ad3aff3f88e2629594c6a7a274b703009619245b6\r\n086dc27a896e154adf94e8c04b538fc146623b224d62bf019224830e39f4d51d\r\n17decce71404a0ad4b402d030cb91c6fd5bca45271f8bf19e796757e85f70e48\r\n17e4989ff7585915ec4342cbaf2c8a06f5518d7ba0022fd1d97b971c511f9bde\r\n200955354545ef1309eb6d9ec65a917b08479f28362e7c42a718ebe8431bb15d\r\n221e81540e290017c45414a728783cb62f79d9f63f2547490ec2792381600232\r\n25e7a8da631f3a5dfeec99ca038b3b480658add98719ee853633422a3a40247d\r\n28a4e9f569fd5223bffe355e685ee137281e0e86cae3cc1e3267db4c7b2f3bcd\r\n2ddc77de26637a6d759e5b080864851b731fdb11075485980ece20d8f197104c\r\n31fe821e4fac6380701428e01f5c39c6f316b6b58faff239d8432e821a79d151\r\n331952c93954bd263747243a0395441d0fae2b6d5b8ceb19f3ddb786b83f0731\r\n34c1d162bf17cdb41c2c5d220b66202a85f5338b15019e26dcab1a81f12fc451\r\n38b3b10f2ddeecda0db029dacc6363275c4cdf18cc62be3cc57b79647d517a44\r\n3a946cba2ba38a2c6158fa50beee20d2d75d595acc27ea51a39a37c121082596\r\n3baace2a575083a7031af7e9e13ff8ed46659f0b25ce54abe73db844acfad11a\r\n3f63fbc43fc44e6bf9c363e8c17164aeb05a515229e2111a2371d4321dcde787\r\n4766553ce5ff67a2e28b1ee1b5322e005b85b26e21230ffba9622e7c83ed0917\r\n4e5d89844135dca1d9899a8eedfbabc09bcb0fb5c5c14c29f7df5a58d7cf16d4\r\n4f88738e04447344100bb9532c239032b86e71d8037ccb121e2959f37fff53cf\r\n54e844b5ae4a056ca8df4ca7299249c4910374d64261c83ac55e5fdf1b59f01d\r\n56ced937d0b868a2005692850cea467375778a147288ac404748c2dea9c17277\r\n5f4782a34368bb661f413f33e2d1fb9f237b7f9637f2c0c21dc752316b02350c\r\n6021d5500fdea0664a91bdd85b98657817083ece6e2975362791c603d7a197c7\r\n62cb24967c6ce18d35d2a23ebed4217889d796cf7799d9075c1aa7752b8d3967\r\n62e88163b51387b160e9c7ea1d74f0f80c52fc32c997aa595d53cbc2c3b6caf4\r\n64a95de2783a97160bac6914ee07a42cdd154a0e33abc3b1b62c7bafdce24c0c\r\n6a85451644a2c6510d23a1ab5610c85a38107b3b3a00238f7b93e2ce6d1ba549\r\n6ade03a82d8bb884cae26c6db31cf539bec66861fc689cf1c752073fb79740c5\r\n6fdd81e31f2bec2bdda594974068a69e911219d811c8de4466d7a059dd3183a3\r\n74c00f303b87b23dffb59718187ff95c9d4d8497c61a64501166ac5dbed84b9f\r\n7757a76ca945f33f3220ad2b2aa897f3e63c47f08e1b7d62d502937ba90360a7\r\n7824197ad3b9c0981a1cdabf82940ac7733d232442bd31d195783a4e731845d2\r\n79e232b2a08a2960a493e74ab7cba3e82c8167acc030a5ca8d080d0027a587fe\r\n7fe1ff03e8f5678d280f7fd459a36444b6d816b2031e37867e4e36b689eccd33\r\n83b336deca35441fa745cd80a7df7448ce24c09dd2a36569332ae0e4771f36a6\r\n88249de22cefaf15f7c45b155703980fb09eb8e06b852f9d4a7c82126776ee7e\r\n8b8f7e8030e2ba234a33bc8a2fa3ccb5912029d660e03ed40413d949142b98fe\r\n8d979a1627dea58e9b86f393338df6aabfd762937e25e39f1d325fce06cf5338\r\n8dd3faf0248890e8c3efb40b800f892989204ba3125986690669f0a914f26c5d\r\n9521f51e42b8e31d82b06de6e15dbf9a1fa1bbff62cf6bc68c0b9e8fd1f8b2c5\r\n97a00056c459a7ce38ad8029413bf8f1691d4ae81e90f0d346d54c91dd02a511\r\n991f883556357a3b961c31e2b72f6246b52b27a5c45b72914abc61c5b5960cc3\r\n9f06583bd4b8c4aefc470ef582ff685cd3d03b404e67ce8bf9dbbd5828c90c43\r\na0c3da2ebf94f6671537a80d26b3288f8fcdf845fe2780ef81fd9da48c0162bf\r\na8759ef55fed4a9410cc152df9ef330a95f776619901054715ed4721a414d15c\r\na8cc14bd56aa4a2da40717cb3f11ecb6aff4e0797a9cebcff51461db19eaf580\r\nae38ec0ddc58424bf6de8858c82c4c6902fc947604943d58d8cbca00991c7f7d\r\naeb82788aad8bdee4c905559c4636536fb54c40fdc77b27ba4308b6a0f24bedf\r\nbdd028922220ff92acb8530c894e2705743a968a8159fe955c1057736c7e1ebd\r\nc3cc43492d005b25fc2cc66f82a550420bb4c48b5aae0a77f1ccef0603a3e47c\r\nc4f40e2eb029ef11be4ac43ccc6895af6fb6dabd3a5bcc02f29afb9553da625c\r\nc6aa2c54eee52f99a911dadfbf155372bd9f43fb9f923500b0b374799204d7a3\r\nc6e2562a2ae399a851b0e5bfb92011e9f97ab45fa536a61eb89b3aee062461f7\r\nca2b9a0fe3992477d4c87a6e2a75faaac9ea0f3828d054cb44371b3068b76ba5\r\ncdc5e05843cf1904e145dad3ae6c058b92b1bc3cbffffc217884b7cc382172a1\r\ncee890a9e7ab521125372c13b71fc154ef5332d333fe43798303b198e9314dcd\r\nd90beab9a3986c26922e4107dccb0b725b8b0eea398f2aeb8848cbe25c3becee\r\ndb987749ef4a58c6a592a33221770d23adcb2efce4a5504aabc73d61cd356616\r\ndc9757c9aa3aff76d86f9f23a3d20a817e48ca3d7294307cc67477177af5c0d4\r\ndcb986e45f1cf38794acec5e7f576a8dff6fbec66e6a09e3cc92596c796ad0d3\r\ne400a196e7128a3cf40085629db8f26b73b6980be7df3da60928a4a062bc85cb\r\ne491d06e3a556c79e922274af04c1786a957775ba2d5d0b02d13bdee91bf5ce4\r\nea6d9ff8f768fc0132f9f543d9546744d04f9f83e2241950f63f60b520b9ece0\r\nead189bb18ee839db3d221701e208c4d2845c232cec66764bb3ea6c688ca18e8\r\nee035537c3b8fc54ca2e1fa98c18e2fb0e203d863005c878bc8ceaa690a6689f\r\nee53521e7d8b2b05fef77877440738ee169f3b75228931f9aaf96621a2f64c25\r\neef36bc6f208abd46541bac1b1de18bb3a69057b1a54e67d71d259cc0f1bef5b\r\nf59fe0945f97df4e3d2efc9b31d00602fc5a16e05453e0d853e275cadb63a057\r\nf875e68899afe172394176fa9cabededeaa19ad6816a90746bb630c064c69e6a\r\nfdeb6a6aaee94fe204fb986f6d78e64a9086c5f64e315d8c5e90b590f0007af8\r\nEndpoint Detection and Response (EDR) Tools\r\nUsing EDR tools, it is possible to detect Brute Ratel activity by monitoring for specific behaviours, such as network connections to known command and control infrastructure.\r\nUsing information provided by Unit42, Yoroi and Splunk, it is possible to compile a list of network indicators useful for spotting malicious activity performed with the framework:\r\nIP/Domain\r\n104.6.92[.]229\r\n137.184.199[.]17\r\n138.68.50[.]218\r\n138.68.58[.]43\r\n139.162.195[.]169\r\n139.180.187[.]179\r\n147.182.247[.]103\r\n149.154.100[.]151\r\n15.206.84[.]52\r\n159.223.49[.]16\r\n159.65.186[.]50\r\n162.216.240[.]61\r\n172.105.102[.]247\r\n172.81.62[.]82\r\n174.129.157[.]251\r\n178.79.143[.]149\r\n178.79.168[.]110\r\n178.79.172[.]35\r\n18.133.26[.]247\r\n18.130.233[.]249\r\n18.217.179[.]8\r\n18.236.92[.]31\r\n185.138.164[.]112\r\n194.29.186[.]67\r\n194.87.70[.]14\r\n213.168.249[.]232\r\n3.110.56[.]219\r\n3.133.7[.]69\r\n31.184.198[.]83\r\n34.195.122[.]225\r\n34.243.172[.]90\r\n35.170.243[.]216\r\n45.144.225[.]3\r\n45.76.155[.]71\r\n45.79.36[.]192\r\n52.48.51[.]67\r\n52.90.228[.]203\r\n54.229.102[.]30\r\n54.90.137[.]213\r\n89.100.107[.]65\r\n92.255.85[.]173\r\n92.255.85[.]44\r\n94.130.130[.]43\r\nds.windowsupdate.eu[.]org\r\nReferences\r\nhttps://yoroi.company/research/hunting-cyber-evil-ratels-from-the-targeted-attacks-to-the-widespread-usage-of-brute-ratel/\r\nSource: https://andreafortuna.org/2023/02/23/how-to-detect-brute-ratel-activities",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://andreafortuna.org/2023/02/23/how-to-detect-brute-ratel-activities"
	],
	"report_names": [
		"how-to-detect-brute-ratel-activities"
	],
	"threat_actors": [
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434923,
	"ts_updated_at": 1775791464,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/2d4da4cfa97db4d4e5afe12000a91a674694bf17.pdf",
		"text": "https://archive.orkl.eu/2d4da4cfa97db4d4e5afe12000a91a674694bf17.txt",
		"img": "https://archive.orkl.eu/2d4da4cfa97db4d4e5afe12000a91a674694bf17.jpg"
	}
}