{
	"id": "6632e35e-a808-400d-a40c-f234a114fd3f",
	"created_at": "2026-04-06T00:11:01.047828Z",
	"updated_at": "2026-04-10T03:37:16.607874Z",
	"deleted_at": null,
	"sha1_hash": "ae775e890fd06faecff1dfb6861864e13e40bb27",
	"title": "Brute Ratel Utilized By Threat Actors In New Ransomware Operations",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 65737,
	"plain_text": "Brute Ratel Utilized By Threat Actors In New Ransomware Operations\r\nPublished: 2022-07-07 · Archived: 2026-04-05 19:24:37 UTC\r\nWhen Brute Ratel first appeared in the wild, almost no security solutions could detect it. To avoid being discovered by EDR and antivirus programs, hacking groups and ransomware operations are switching from Cobalt Strike to the more recent Brute Ratel post-exploitation toolkit.\r\nOne of the most popular toolkits in red team engagements is Cobalt Strike, which enables attackers to install beacons on compromised devices to conduct remote network surveillance or send commands.\r\nHacker groups and ransomware operations also use this tool to move laterally through infected corporate networks.\r\nTo replace Cobalt Strike for red team penetration testing engagements, ex-red team member Chetan Nayak published Brute Ratel Command and Control Center (BRc4) in 2020.\r\nAbout Brute Ratel\r\nBrute Ratel is currently the most advanced red team simulation software. It can provide a structured timeline and simulate the cyber kill chain. Cybersecurity teams can use it to validate cyberattacks and strengthen their defenses. As a post-exploitation tool, it does not assist in creating exploits.\r\nBrute Ratel enables the red team to deploy badgers on remote hosts. Badgers function similarly to Cobalt Strike beacons and connect back to the attacker’s C2 server for remote code execution (RCE).\r\nBrute Ratel’s features and more details can be found on the software’s official site.\r\nThreat Actors Were Able To Acquire Licenses\r\nDespite Cobalt Strike being a legitimate piece of software, threat actors have been spreading cracked versions of it online, making it one of the tools most widely used by hackers and ransomware operations.\r\nBrute Ratel is currently only available to verified companies, at a cost. Chetan Nayak, the developer of Brute Ratel, stated that the license was leaked by a customer’s employee, explaining how the attackers could use it in their operations.\r\nAlthough Nayak could revoke the license afterward, former Conti ransomware members were discovered using fake company profiles to gain access to the software’s license.\r\n“In one case, they have gained access to the Brute Ratel kit used for post-exploitation in targeted attacks from BumbleBee loader. The ultimate goal of the Brute Ratel usage was the post-exploitation framework for lateral movement and subsequent network encryption via ransomware payload,” AdvIntel’s CEO said.\r\nhttps://socradar.io/brute-ratel-utilized-by-threat-actors-in-new-ransomware-operations/\r\nPage 1 of 4\n\nThreat actors spread malicious ISOs that appear to contain submitted resumes (CVs) in attacks thought to be connected to the Russian state-sponsored hacking group APT29 (also known as CozyBear and the Dukes).\r\nMalicious ISO file’s contents (Source: Bleeping Computer)\r\nHowever, as seen in the file’s properties below, the Roshan-Bandara_CV_Dialog resume file is a Windows shortcut that starts the included OneDriveUpdater[.]exe file.\r\nWindows shortcut disguised as a CV to launch a program (Source: Bleeping Computer)\r\nUpon clicking Roshan-Bandara_CV_Dialog, cmd[.]exe is launched with:\r\n/c start OneDriveUpdater[.]exe\r\n(Using the Windows start command, the executable is launched from the current directory.)\r\nOneDriveUpdater[.]exe is a Microsoft executable used to sync data to cloud servers. In this instance it is used to load the attacker’s DLL: version.dll, a dependency of OneDriveUpdater[.]exe, is placed in the same directory, and the actors modified this DLL to load an encrypted payload file (OneDrive.update).\r\nThe file is subsequently decrypted, and the first stage of the shellcode is loaded into memory. To preserve the legitimate library’s functionality, the threat actors also use a DLL proxying technique (proxying vresion.dll for version.dll).\r\nThe in-memory code, Brute Ratel C4, starts to communicate with IP 174.129.157[.]251 on TCP port 443 as a Windows thread while running in the RuntimeBroker[.]exe process space.\r\nThe image below shows how the ISO’s contents would look if the “show hidden files” option were enabled.\r\nISOs appear when “Show hidden files” is enabled (Source: Unit42)\r\nOneDriveUpdater[.]exe is a legitimate Microsoft executable, but the version[.]dll it loads has been altered to serve as a loader for a Brute Ratel badger that is loaded into the RuntimeBroker[.]exe process.\r\nOnce Brute Ratel has been loaded, the threat actors can remotely access the infected device to run commands and spread further throughout the compromised network.\r\nBrute Ratel C4 ISO Samples:\r\n1FC7B0E1054D54CE8F1DE0CC95976081C7A85C7926C03172A3DDAA672690042C\r\nX64 Brute Ratel C4 Windows Kernel Module:\r\n31ACF37D180AB9AFBCF6A4EC5D29C3E19C947641A2D9CE3CE56D71C1F576C069\r\nAPT29 ISO Samples:\r\nF58AE9193802E9BAF17E6B59E3FDBE3E9319C5D27726D60802E3E82D30D14D46\r\nX64 Brute Ratel C4 Samples:\r\nMalicious DLLs:\r\nEA2876E9175410B6F6719F80EE44B9553960758C7D0F7BED73C0FE9A78D8E669\r\nMalicious Encrypted Payloads:\r\nB5D1D3C1AEC2F2EF06E7D0B7996BC45DF4744934BD66266A6EBB02D70E35236E\r\nX.509 Cert SHA1s:\r\n55684a30a47476fce5b42cbd59add4b0fbc776a3\r\n66aab897e33b3e4d940c51eba8d07f5605d5b275\r\nInfrastructure linked to X.509 Certs or Samples:\r\nSource: https://socradar.io/brute-ratel-utilized-by-threat-actors-in-new-ransomware-operations/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://socradar.io/brute-ratel-utilized-by-threat-actors-in-new-ransomware-operations/"
	],
	"report_names": [
		"brute-ratel-utilized-by-threat-actors-in-new-ransomware-operations"
	],
	"threat_actors": [
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "5b748f86-ac32-4715-be9f-6cf25ae48a4e",
			"created_at": "2024-06-04T02:03:07.956135Z",
			"updated_at": "2026-04-10T02:00:03.689959Z",
			"deleted_at": null,
			"main_name": "IRON HEMLOCK",
			"aliases": [
				"APT29",
				"ATK7",
				"Blue Kitsune",
				"Cozy Bear",
				"The Dukes",
				"UNC2452",
				"YTTRIUM"
			],
			"source_name": "Secureworks:IRON HEMLOCK",
			"tools": [
				"CosmicDuke",
				"CozyCar",
				"CozyDuke",
				"DiefenDuke",
				"FatDuke",
				"HAMMERTOSS",
				"LiteDuke",
				"MiniDuke",
				"OnionDuke",
				"PolyglotDuke",
				"RegDuke",
				"RegDuke Loader",
				"SeaDuke",
				"Sliver"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a241a1ca-2bc9-450b-a07b-aae747ee2710",
			"created_at": "2024-06-19T02:03:08.150052Z",
			"updated_at": "2026-04-10T02:00:03.737173Z",
			"deleted_at": null,
			"main_name": "IRON RITUAL",
			"aliases": [
				"APT29",
				"Blue Dev 5",
				"BlueBravo",
				"Cloaked Ursa",
				"CozyLarch",
				"Dark Halo",
				"Midnight Blizzard",
				"NOBELIUM",
				"StellarParticle",
				"UNC2452"
			],
			"source_name": "Secureworks:IRON RITUAL",
			"tools": [
				"Brute Ratel C4",
				"Cobalt Strike",
				"EnvyScout",
				"GoldFinder",
				"GoldMax",
				"NativeZone",
				"RAINDROP",
				"SUNBURST",
				"Sibot",
				"TEARDROP",
				"VaporRage"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "46b3c0fc-fa0c-4d63-a38a-b33a524561fb",
			"created_at": "2023-01-06T13:46:38.393409Z",
			"updated_at": "2026-04-10T02:00:02.955738Z",
			"deleted_at": null,
			"main_name": "APT29",
			"aliases": [
				"Cloaked Ursa",
				"TA421",
				"Blue Kitsune",
				"BlueBravo",
				"IRON HEMLOCK",
				"G0016",
				"Nobelium",
				"Group 100",
				"YTTRIUM",
				"Grizzly Steppe",
				"ATK7",
				"ITG11",
				"COZY BEAR",
				"The Dukes",
				"Minidionis",
				"UAC-0029",
				"SeaDuke"
			],
			"source_name": "MISPGALAXY:APT29",
			"tools": [
				"SNOWYAMBER",
				"HALFRIG",
				"QUARTERRIG"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "20d3a08a-3b97-4b2f-90b8-92a89089a57a",
			"created_at": "2022-10-25T15:50:23.548494Z",
			"updated_at": "2026-04-10T02:00:05.292748Z",
			"deleted_at": null,
			"main_name": "APT29",
			"aliases": [
				"APT29",
				"IRON RITUAL",
				"IRON HEMLOCK",
				"NobleBaron",
				"Dark Halo",
				"NOBELIUM",
				"UNC2452",
				"YTTRIUM",
				"The Dukes",
				"Cozy Bear",
				"CozyDuke",
				"SolarStorm",
				"Blue Kitsune",
				"UNC3524",
				"Midnight Blizzard"
			],
			"source_name": "MITRE:APT29",
			"tools": [
				"PinchDuke",
				"ROADTools",
				"WellMail",
				"CozyCar",
				"Mimikatz",
				"Tasklist",
				"OnionDuke",
				"FatDuke",
				"POSHSPY",
				"EnvyScout",
				"SoreFang",
				"GeminiDuke",
				"reGeorg",
				"GoldMax",
				"FoggyWeb",
				"SDelete",
				"PolyglotDuke",
				"AADInternals",
				"MiniDuke",
				"SeaDuke",
				"Sibot",
				"RegDuke",
				"CloudDuke",
				"GoldFinder",
				"AdFind",
				"PsExec",
				"NativeZone",
				"Systeminfo",
				"ipconfig",
				"Impacket",
				"Cobalt Strike",
				"PowerDuke",
				"QUIETEXIT",
				"HAMMERTOSS",
				"BoomBox",
				"CosmicDuke",
				"WellMess",
				"VaporRage",
				"LiteDuke"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434261,
	"ts_updated_at": 1775792236,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ae775e890fd06faecff1dfb6861864e13e40bb27.pdf",
		"text": "https://archive.orkl.eu/ae775e890fd06faecff1dfb6861864e13e40bb27.txt",
		"img": "https://archive.orkl.eu/ae775e890fd06faecff1dfb6861864e13e40bb27.jpg"
	}
}