{
	"id": "93734107-027c-4019-992a-d0a74f22a192",
	"created_at": "2026-04-06T00:07:32.763423Z",
	"updated_at": "2026-04-10T03:37:17.408319Z",
	"deleted_at": null,
	"sha1_hash": "b302513aa883525d06be40d83594edaebbe59c60",
	"title": "When Pentest Tools Go Brutal: Red-Teaming Tool Being Abused by Malicious Actors",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2440960,
	"plain_text": "When Pentest Tools Go Brutal: Red-Teaming Tool Being Abused by Malicious Actors\r\nBy Mike Harbison, Peter Renals\r\nPublished: 2022-07-05 · Archived: 2026-04-05 18:08:48 UTC\r\nExecutive Summary\r\nUnit 42 continuously hunts for new and unique malware samples that match known advanced persistent threat (APT) patterns and tactics. On May 19, one such sample was uploaded to VirusTotal, where it received a benign verdict from all 56 vendors that evaluated it. Beyond the obvious detection concerns, we believe this sample is also significant in terms of its malicious payload, command and control (C2), and packaging.\r\nThe sample contained a malicious payload associated with Brute Ratel C4 (BRc4), the newest red-teaming and adversarial attack simulation tool to hit the market. While this capability has managed to stay out of the spotlight and remains less commonly known than its Cobalt Strike brethren, it is no less sophisticated. Instead, this tool is uniquely dangerous in that it was specifically designed to avoid detection by endpoint detection and response (EDR) and antivirus (AV) capabilities. Its effectiveness at doing so can clearly be witnessed by the aforementioned lack of detection across vendors on VirusTotal.\r\nIn terms of C2, we found that the sample called home to an Amazon Web Services (AWS) IP address located in the United States over port 443. Further, the X.509 certificate on the listening port was configured to impersonate Microsoft with an organization name of “Microsoft” and organization unit of “Security.” Additionally, pivoting on the certificate and other artifacts, we identified a total of 41 malicious IP addresses, nine BRc4 samples, and an additional three organizations across North and South America who have been impacted by this tool so far.\r\nThis unique sample was packaged in a manner consistent with known APT29 techniques and their recent campaigns, which leveraged well-known cloud storage and online collaboration applications. Specifically, this sample was packaged as a self-contained ISO. Included in the ISO was a Windows shortcut (LNK) file, a malicious payload DLL and a legitimate copy of Microsoft OneDrive Updater. Attempts to execute the benign application from the ISO-mounted folder resulted in the loading of the malicious payload as a dependency through a technique known as DLL search order hijacking. However, while packaging techniques alone are not enough to definitively attribute this sample to APT29, these techniques demonstrate that users of the tool are now applying nation-state tradecraft to deploy BRc4.\r\nOverall, we believe this research is significant in that it identifies not only a new red team capability that is largely undetectable by most cybersecurity vendors, but more importantly, a capability with a growing user base that we assess is now leveraging nation-state deployment techniques. This blog provides an overview of BRc4, a detailed analysis of the malicious sample, a comparison between the packaging of this sample and a recent APT29 sample, and a list of indicators of compromise (IoCs) that can be used to hunt for this activity.\r\nhttps://unit42.paloaltonetworks.com/brute-ratel-c4-tool/\r\nPage 1 of 20\r\nWe encourage all security vendors to create protections to detect activity from this tool and all organizations to be on alert for activity from this tool.\r\nPalo Alto Networks customers receive protections from the threats described in this blog through Threat Prevention, Cortex XDR and WildFire malware analysis.\r\nFull visualization of the techniques observed, relevant courses of action and indicators of compromise (IoCs) related to this report can be found in the Unit 42 ATOM viewer.\r\nBrute Ratel C4 Overview\r\nBrute Ratel C4 made its initial debut as a penetration testing tool in December 2020. At the time, its development was a part-time effort by a security engineer named Chetan Nayak (aka Paranoid Ninja) living in India. According to his website (Dark Vortex), Nayak amassed several years of experience working in senior red team roles across western cybersecurity vendors. Over the past 2.5 years, Nayak introduced incremental improvements to the pentest tool in terms of features, capabilities, support and training.\r\nIn January 2022, Nayak left his day job in order to pursue full-time development and training workshops. That same month, he released Brute Ratel v0.9.0 (Checkmate), which is described as the “biggest release for Brute Ratel till date.”\r\nFigure 1. Checkmate release notes.\r\nHowever, of greater concern, the release description also specifically noted that “this release was built after reverse engineering several top tier EDR and Antivirus DLLs.”\r\nOur analysis highlights the ongoing and relevant debate within the cybersecurity industry surrounding the ethics relating to the development and use of penetration testing tools that can be exploited for offensive purposes.\r\nBRc4 currently advertises itself as “A Customized Command and Control Center for Red Team and Adversary Simulation.” On May 16, Nayak announced that the tool had gained 480 users across 350 customers.\r\nFigure 2. BRc4 customer announcement. Source: https://twitter.com/NinjaParanoid/status/1526110403356282880\r\nThe latest version, Brute Ratel v1.0 (Sicilian Defense), was released a day later on May 17, and is currently offered for sale at a price of $2,500 per user and $2,250 per renewal. With this price point and customer base, BRc4 is positioned to take in more than $1 million in sales over the next year.\r\nFigure 3. BRc4 licensing and cost.\r\nIn terms of features, BRc4 advertises the following capabilities:\r\nSMB and TCP payloads provide functionality to write custom external C2 channels over legitimate websites such as Slack, Discord, Microsoft Teams and more.\r\nBuilt-in debugger to detect EDR userland hooks.\r\nAbility to keep memory artifacts hidden from EDRs and AV.\r\nDirect Windows SYS calls on the fly.\r\nEgress over HTTP, HTTPS, DNS Over HTTPS, SMB and TCP.\r\nLDAP Sentinel provides a rich GUI interface to run various LDAP queries against the domain or a forest.\r\nMultiple command and control channels – multiple pivot options such as SMB, TCP, WMI, WinRM and managing remote services over RPC.\r\nTake screenshots.\r\nx64 shellcode loader.\r\nReflective and object file loader.\r\nDecoding KRB5 ticket and converting it to hashcat.\r\nPatching Event Tracing for Windows (ETW).\r\nPatching Anti Malware Scan Interface (AMSI).\r\nCreate Windows system services.\r\nUpload and download files.\r\nCreate files via CreateFileTransacted.\r\nPort scan.\r\nFrom Click to Brute\r\nFigure 4. VirusTotal verdicts for sample as of June 27, 2022.\r\nThe file in VirusTotal named Roshan_CV.iso (SHA256: 1FC7B0E1054D54CE8F1DE0CC95976081C7A85C7926C03172A3DDAA672690042C) appears to be a curriculum vitae (similar to a resume) of an individual named Roshan. It was uploaded to VirusTotal on May 19, 2022, from Sri Lanka. The ISO file extension refers to an optical disc image file, derived from the International Organization for Standardization’s ISO 9660 file system, which is typically used to back up files for CD/DVD.\r\nThe ISO file itself is not malicious and requires a user to double-click it, which mounts the ISO as a Windows drive. Finally, the archived files of the ISO are displayed to the user. In this case, when the ISO is double-clicked, a user is presented with the following:\r\nFigure 5. Viewing ISO image.\r\nAs depicted in Figure 5, the user would see a file named Roshan-Bandara_CV_Dialog, which has a fake Microsoft Word icon, purporting to be an individual's CV written in Microsoft Word. From the window dialog box it can be ascertained that the ISO was assembled on May 17, 2022, which coincidentally is the same day the new BRc4 was released.\r\nIf the user were to double-click on the file, it would then install Brute Ratel C4 on the user's machine.\r\nBy default, on Windows operating systems, hidden files are not displayed to the user. In Figure 6, there are four hidden files concealed from view. If the display of hidden files is enabled, the user sees the following:\r\nFigure 6. Viewing ISO image with “show hidden files” enabled.\r\nThe lure file, the one visible to the user, is a Windows shortcut file (LNK) with the following properties:\r\nFigure 7. Roshan-Bandara_CV_Dialog properties.\r\nMicrosoft shortcut files, those with a .lnk file extension, contain enriched metadata that can be used to provide artifacts about the file. Some key artifacts of this file are:\r\nLink CLSID: 20D04FE0-3AEA-1069-A2D8-08002B30309D. The CLSID used here isn’t the normal CLSID for LNK files, as this CLSID is associated with the Control Panel (always Icons view).\r\nCommand line arguments: %windir%/system32/cmd.exe /c start OneDriveUpdater.exe\r\nIcon location: C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE\r\nWhen Roshan-Bandara_CV_Dialog is double-clicked, the following actions occur:\r\n1. cmd.exe is launched with the parameters /c start OneDriveUpdater.exe. The /c parameter instructs cmd.exe to launch OneDriveUpdater.exe via the Windows start command from the current working directory and exit.\r\n2. OneDriveUpdater.exe is a digitally signed Microsoft binary that is used to synchronize data from a local machine to the cloud. It is not malicious and is being abused to load the actor’s DLL. Once OneDriveUpdater.exe is executed, the following actions occur:\r\n   1. Since Version.dll is a dependency DLL of OneDriveUpdater.exe and exists in the same directory as OneDriveUpdater.exe, it will be loaded.\r\n   2. Version.dll has been modified by the actors to load an encrypted payload file, OneDrive.update. The modification decrypts the file and loads the first stage of shellcode in memory. To maintain code capabilities, the actors use DLL API proxying to forward requests to the legitimate version.dll, renamed vresion.dll. Vresion.dll is a dependency file of the actor’s version.dll and will be loaded with the actor’s version.dll.\r\n   3. The in-memory code, that is Brute Ratel C4, executes as a Windows thread in the RuntimeBroker.exe process space and begins to communicate with IP 174.129.157[.]251 on TCP port 443.\r\nFigure 8 below gives an overview of how this process would look.\r\nFigure 8. Execution flow when double-clicking Roshan-Bandara_CV_Dialog.\r\nPackaging of Roshan_CV.ISO\r\nThe composition of the ISO file, Roshan_CV.ISO, closely resembles that of other nation-state APT tradecraft. The following table shows a side-by-side comparison of Roshan_CV.ISO and that of a previously identified APT29 sample (Decret.ISO).\r\nTable 1. Package deployment comparison to known APT29 sample.\r\nThe following images show how Roshan_CV.ISO and Decret.ISO would look to a user when double-clicked. Figure 9 is a screenshot of the default Windows File Explorer; “show hidden files” is not checked. In both images, the user is presented with a shortcut file (LNK file) that starts the malicious activity when double-clicked.\r\nFigure 9. Side-by-side comparison of mounted ISO images. \"Show hidden files\" is not enabled.\r\nFigure 10 shows how the ISOs would appear when “show hidden files” is enabled for viewing.\r\nFigure 10. Side-by-side comparison of mounted ISO images. \"Show hidden files\" is enabled.\r\nThe flow of execution is the following:\r\nRoshan_CV.ISO → Roshan-Bandara_CV_Dialog.LNK → cmd.exe → OneDriveUpdater.exe → version.dll → OneDrive.Update\r\nDecret.ISO → Decret.LNK → cmd.exe → HPScan.exe → version.dll → HPScanApi.dll\r\nPackaged ISO files are typically delivered via spear phishing email campaigns or downloaded to the victim by a second-stage downloader.\r\nWhile we lack insight into how this particular payload was delivered to a target environment, we observed connection attempts to the C2 server originating from three Sri Lankan IP addresses between May 19-20.\r\nModification of Version.dll\r\nVersion.dll is a modified version of a legitimate Microsoft file written in C++. The implanted code is used to load and decrypt an encrypted payload file. The decrypted payload is shellcode (x64 assembly) that is further used to execute Brute Ratel C4 on the host.\r\nIn order for Version.dll to maintain its code capabilities for OneDriveUpdater.exe, the actors include the legitimate digitally signed Microsoft version.dll and named it vresion.dll. Any time OneDriveUpdater.exe makes a call into the actor’s Version.dll, the call is proxied to vresion.dll. Because of this, the actor’s version.dll will load vresion.dll as a dependency file.\r\nThe implanted code begins when the DLL is loaded via DLL_PROCESS_ATTACH and performs the following in the DllMain subroutine:\r\n1. Enumerate all processes and locate the process ID (PID) for Runtimebroker.exe.\r\n2. Read the payload file OneDrive.Update from the current working directory.\r\n3. Call the Windows API ntdll ZwOpenProcess using the process ID from step 1. The process is opened with full control access.\r\n4. Decrypt the payload file using the XOR encryption algorithm with a 28-byte key of: jikoewarfkmzsdlhfnuiwaejrpaw\r\n5. Call the Windows API NtCreateSection, which creates a block of memory that can be shared between processes. This API is used to share memory between Runtimebroker.exe and Version.dll.\r\n6. Make two calls into the Windows API NtMapViewOfSection. The first call maps the contents of the decrypted payload into the current process memory space, and the second call maps the contents into the Runtimebroker.exe memory space.\r\n7. Call the Windows API NtDelayExecution and sleep (pause execution) for ~4.27 seconds.\r\n8. Call the Windows API NtCreateThreadEx. This API starts a new thread with the start address of the memory copied to Runtimebroker.exe.\r\n9. Call the Windows API NtDelayExecution and sleep (pause execution) for ~4.27 seconds.\r\n10. Finished.\r\nThe technique outlined above uses process injection via undocumented Windows NTAPI calls. The decrypted payload is now running within the runtimebroker.exe memory space. The following is a snippet of code from version.dll that starts the execution of the in-memory decrypted payload.\r\nFigure 11. Version.dll calling NtCreateThreadEx.\r\nX64 Shellcode – Decrypted OneDrive.Update\r\nThe decrypted payload file is x64 shellcode (assembly instructions) that involves a series of executions to unpack itself. The assembly instructions involve multiple push and mov instructions. The purpose of this is to copy the Brute Ratel C4 code (x64 assembly) onto the stack eight bytes at a time and eventually reassemble it into a memory space for execution – a DLL with a stripped MZ header. Using a series of push and mov instructions evades in-memory scanning, as the shellcode is assembled in blocks rather than the entire code base being exposed for scanning. The entry point of the decrypted payload is the following:\r\nFigure 12. Version.dll entry point of decrypted payload.\r\nThe unpacking involves 25,772 push and 25,769 mov instructions. When finished, the code performs the following.\r\n1. Using API hashing (ROR13 – rotate right 13), looks up the hash for NtAllocateVirtualMemory. All API calls are made via API hash lookups.\r\n2. Resolves the system call index from the System Service Dispatch Table (SSDT) for NtAllocateVirtualMemory. All Windows API functions are made via syscalls, which is a feature of Brute Ratel C4 (Syscall Everything).\r\n3. Calls the Windows API NtAllocateVirtualMemory, allocating 0x3000 bytes of memory.\r\n4. Makes a second Windows API call into NtAllocateVirtualMemory, which allocates memory for the configuration file used by Brute Ratel C4.\r\n5. Copies the shellcode that was pushed onto the stack in the previous steps to the newly allocated memory segment.\r\n6. Changes the protection of the newly allocated memory block using the Windows API call NtProtectVirtualMemory.\r\n7. Calls NtCreateThreadEx with the start address of the newly allocated memory and passes the configuration data as a parameter.\r\n8. Finished.\r\nThe following is a snippet of the code that calls NtCreateThreadEx and starts the execution of the second-stage shellcode.\r\nFigure 13. Calling second layer of shellcode.\r\nThe configuration data is passed as a parameter to the start address of the new thread. This data includes the encrypted configuration settings for Brute Ratel C4. The encrypted contents are the following:\r\nFigure 14. BRc4 encrypted configuration.\r\nThe data is base64-encoded and RC4-encrypted. The 16-byte RC4 decryption key is: bYXJm/3#M?:XyMBF\r\nThe decrypted configuration file is:\r\nEach parameter is delineated with a pipe | character, and one of the values is the IP seen earlier of 174.129.157[.]251 and port of 443.\r\nTarget Network Infrastructure\r\nThe IP 174.129.157[.]251 is hosted on Amazon AWS, and Palo Alto Networks Cortex Xpanse history shows the IP had TCP port 443 open from April 29, 2022, until May 23, 2022, with a self-signed SSL certificate impersonating Microsoft Security:\r\nsubjectFullName: C=US,ST=California,O=Microsoft,OU=Security,CN=localhost\r\nSerial Number: 476862511373535319627199034793753459614889484917\r\nsha256_fingerprint: d597d6572c5616573170275d0b5d5e3ab0c06d4a9104bbdbe952c4bcb52118c9\r\nOnce the SSL handshake to IP 174.129.157[.]251 is complete, the following data is sent via HTTP POST to the Brute Ratel C4 listener port.\r\nFigure 15. BRc4 HTTP POST.\r\nIdentifying OneDrive.Update\r\nTo identify the decrypted in-memory payload as being associated with Brute Ratel C4, we conducted hunting based on the unique in-memory assembly instructions, push and mov. These instructions are used to build the second layer of shellcode. Searching across VirusTotal, we found a second sample with the same push and mov instructions:\r\nFile name: badger_x64.exe\r\nSHA256: 3AD53495851BAFC48CAF6D2227A434CA2E0BEF9AB3BD40ABFE4EA8F318D37BBE\r\nFile Type: Windows Executable (x64)\r\nInitially, what stood out to us was the filename containing the word “badger.” According to the Brute Ratel C4 website, the word “badger” represents payloads used for remote access. When uploaded to VirusTotal, only two out of 66 vendors considered the sample malicious. Currently, 12 vendors identify the sample as malicious, with eight classifying this sample as “Brutel,” further supporting that our in-memory code is somehow associated with that of Brute Ratel C4.\r\nSide-by-side comparison of the entry point of badger_x64.exe and our decrypted OneDrive.Update sample:\r\nFigure 16. Comparison of OneDrive.Update and badger_x64.exe.\r\nWhen badger_x64.exe is finished with the push and mov instructions, it makes the same Windows API calls as OneDrive.Update using API hashing, but does not use direct syscalls (a user configuration feature of Brute Ratel C4). Example of badger_x64.exe:\r\nFigure 17. badger_x64.exe calling shellcode.\r\nLike the OneDrive.Update sample, the parameter passed to the calling thread is the configuration data for Brute Ratel C4. In this sample, the data is not base64-encoded or RC4-encrypted, and is passed in the clear. The following is the configuration used for this sample:\r\nIn this case, the sample is configured to communicate with IP 159.65.186[.]50 on TCP port 443.\r\nBased on the following, we can conclude that OneDrive.Update is indeed associated with Brute Ratel C4.\r\nThe configuration file structure is the same and uses pipes to delineate fields.\r\nThe same Windows calling pattern is used to run the second-stage shellcode via NtCreateThreadEx/CreateThread.\r\nThe function instructions for copying shellcode to the memory allocation match.\r\nBoth samples of second-stage shellcode have the following strings referencing the word “badger.” Note: the OneDrive.Update sample RC4-encrypts these strings.\r\nimp_Badger\r\nBadgerDispatch\r\nBadgerDispatchW\r\nBadgerStrlen\r\nBadgerWcslen\r\nBadgerMemcpy\r\nBadgerMemset\r\nBadgerStrcmp\r\nBadgerWcscmp\r\nBadgerAtoi\r\nThe Badger* names match the export names listed on the BRc4 GitHub website.\r\nThe file badger_x64.exe is a standalone x64 executable that runs Brute Ratel C4 (badger payload), while the decrypted OneDrive.Update file is the in-memory component of Brute Ratel C4 that is executed using the actor's modified DLL, version.dll.\r\nBadger_x64.exe Employment\r\nAfter validating that badger_x64.exe and OneDrive.Update were both BRc4 payloads, we set to work analyzing the employment of this second sample.\r\nVirusTotal records revealed that the sample was uploaded by a web user in Ukraine on May 20, 2022. Coincidentally, this happens to be one day after the Roshan_CV.ISO file was uploaded.\r\nAs noted above, the sample was configured to call home to 159.65.186[.]50 on port 443. Palo Alto Networks Cortex Xpanse history shows that this port was open from May 21-June 18, 2022, with the same “Microsoft Security” self-signed SSL certificate seen above. Given this timeline, it's worth noting that the sample was actually uploaded to VirusTotal prior to the C2 infrastructure being configured to listen for the callbacks.\r\nEvaluating netflow connections for 159.65.186[.]50 during this time window revealed several connections to ports 22, 443 and 8060 originating from a Ukrainian IP (213.200.56[.]105). We assess this Ukrainian address is likely a residential user IP that was leveraged to administer the C2 infrastructure. A deeper look at connections in and out of 213.200.56[.]105 further revealed several flows over UDP port 33445. This port is commonly used by Tox, a secure peer-to-peer chat and video application that offers end-to-end encryption.\r\nExamining additional connections to port 443 on 159.65.186[.]50, we identified several suspected victims including an Argentinian organization, an IP television provider serving North and South American content, and a major textile manufacturer in Mexico. Coincidentally, recent attempts to browse the textile manufacturer’s website result in a 500 internal server error message.\r\nGiven the geographic dispersion of these victims, the upstream connection to a Ukrainian IP and several other factors, we believe it is highly unlikely that BRc4 was deployed in support of legitimate and sanctioned penetration testing activities.\r\nOther Samples and Infrastructure\r\nOver the past year, the fake Microsoft Security X.509 certificate has been linked to 41 IP addresses. These addresses follow a global geographic dispersion and are predominantly owned by large virtual private server (VPS) hosting providers. Expanding our research beyond the two samples discussed above, we have also identified an additional seven samples of BRc4 dating back to February 2021.\r\nProtections and Mitigations\r\nFor Palo Alto Networks customers, our products and services provide the following coverage associated with this group:\r\nThreat Prevention provides protection against Brute Ratel C4. The \"Brute Ratel C4 Tool Command and Control Traffic Detections\" signature is threat ID 86647.\r\nCortex XDR detects and protects endpoints from the Brute Ratel C4 tool.\r\nWildFire cloud-based threat analysis service accurately identifies Brute Ratel C4 samples as malware.\r\nConclusion\r\nThe emergence of a new penetration testing and adversary emulation capability is significant. Yet more alarming is the effectiveness of BRc4 at defeating modern defensive EDR and AV detection capabilities.\r\nOver the past 2.5 years this tool has evolved from a part-time hobby to a full-time development project with a growing customer base. As this customer base has expanded into the hundreds, the tool has gained increased attention across the cybersecurity domain from both legitimate penetration testers and malicious cyber actors.\r\nThe analysis of the two samples described in this blog, as well as the advanced tradecraft used to package these payloads, makes it clear that malicious cyber actors have begun to adopt this capability. We believe it is imperative that all security vendors create protections to detect BRc4 and that all organizations take proactive measures to defend against this tool.\r\nPalo Alto Networks has shared these findings, including file samples and indicators of compromise, with our fellow Cyber Threat Alliance members. CTA members use this intelligence to rapidly deploy protections to their customers and to systematically disrupt malicious cyber actors. Learn more about the Cyber Threat Alliance.\r\nNote that the Microsoft name and logo shown are an attempt to impersonate a legitimate organization and do not represent an actual affiliation with Microsoft. This impersonation does not imply a vulnerability in Microsoft’s products or services.\r\nIndicators of Compromise\r\nSource: https://unit42.paloaltonetworks.com/brute-ratel-c4-tool/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MITRE",
		"ETDA"
	],
	"references": [
		"https://unit42.paloaltonetworks.com/brute-ratel-c4-tool/"
	],
	"report_names": [
		"brute-ratel-c4-tool"
	],
	"threat_actors": [
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "5b748f86-ac32-4715-be9f-6cf25ae48a4e",
			"created_at": "2024-06-04T02:03:07.956135Z",
			"updated_at": "2026-04-10T02:00:03.689959Z",
			"deleted_at": null,
			"main_name": "IRON HEMLOCK",
			"aliases": [
				"APT29 ",
				"ATK7 ",
				"Blue Kitsune ",
				"Cozy Bear ",
				"The Dukes",
				"UNC2452 ",
				"YTTRIUM "
			],
			"source_name": "Secureworks:IRON HEMLOCK",
			"tools": [
				"CosmicDuke",
				"CozyCar",
				"CozyDuke",
				"DiefenDuke",
				"FatDuke",
				"HAMMERTOSS",
				"LiteDuke",
				"MiniDuke",
				"OnionDuke",
				"PolyglotDuke",
				"RegDuke",
				"RegDuke Loader",
				"SeaDuke",
				"Sliver"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a241a1ca-2bc9-450b-a07b-aae747ee2710",
			"created_at": "2024-06-19T02:03:08.150052Z",
			"updated_at": "2026-04-10T02:00:03.737173Z",
			"deleted_at": null,
			"main_name": "IRON RITUAL",
			"aliases": [
				"APT29",
				"Blue Dev 5 ",
				"BlueBravo ",
				"Cloaked Ursa ",
				"CozyLarch ",
				"Dark Halo ",
				"Midnight Blizzard ",
				"NOBELIUM ",
				"StellarParticle ",
				"UNC2452 "
			],
			"source_name": "Secureworks:IRON RITUAL",
			"tools": [
				"Brute Ratel C4",
				"Cobalt Strike",
				"EnvyScout",
				"GoldFinder",
				"GoldMax",
				"NativeZone",
				"RAINDROP",
				"SUNBURST",
				"Sibot",
				"TEARDROP",
				"VaporRage"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "46b3c0fc-fa0c-4d63-a38a-b33a524561fb",
			"created_at": "2023-01-06T13:46:38.393409Z",
			"updated_at": "2026-04-10T02:00:02.955738Z",
			"deleted_at": null,
			"main_name": "APT29",
			"aliases": [
				"Cloaked Ursa",
				"TA421",
				"Blue Kitsune",
				"BlueBravo",
				"IRON HEMLOCK",
				"G0016",
				"Nobelium",
				"Group 100",
				"YTTRIUM",
				"Grizzly Steppe",
				"ATK7",
				"ITG11",
				"COZY BEAR",
				"The Dukes",
				"Minidionis",
				"UAC-0029",
				"SeaDuke"
			],
			"source_name": "MISPGALAXY:APT29",
			"tools": [
				"SNOWYAMBER",
				"HALFRIG",
				"QUARTERRIG"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "20d3a08a-3b97-4b2f-90b8-92a89089a57a",
			"created_at": "2022-10-25T15:50:23.548494Z",
			"updated_at": "2026-04-10T02:00:05.292748Z",
			"deleted_at": null,
			"main_name": "APT29",
			"aliases": [
				"APT29",
				"IRON RITUAL",
				"IRON HEMLOCK",
				"NobleBaron",
				"Dark Halo",
				"NOBELIUM",
				"UNC2452",
				"YTTRIUM",
				"The Dukes",
				"Cozy Bear",
				"CozyDuke",
				"SolarStorm",
				"Blue Kitsune",
				"UNC3524",
				"Midnight Blizzard"
			],
			"source_name": "MITRE:APT29",
			"tools": [
				"PinchDuke",
				"ROADTools",
				"WellMail",
				"CozyCar",
				"Mimikatz",
				"Tasklist",
				"OnionDuke",
				"FatDuke",
				"POSHSPY",
				"EnvyScout",
				"SoreFang",
				"GeminiDuke",
				"reGeorg",
				"GoldMax",
				"FoggyWeb",
				"SDelete",
				"PolyglotDuke",
				"AADInternals",
				"MiniDuke",
				"SeaDuke",
				"Sibot",
				"RegDuke",
				"CloudDuke",
				"GoldFinder",
				"AdFind",
				"PsExec",
				"NativeZone",
				"Systeminfo",
				"ipconfig",
				"Impacket",
				"Cobalt Strike",
				"PowerDuke",
				"QUIETEXIT",
				"HAMMERTOSS",
				"BoomBox",
				"CosmicDuke",
				"WellMess",
				"VaporRage",
				"LiteDuke"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434052,
	"ts_updated_at": 1775792237,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b302513aa883525d06be40d83594edaebbe59c60.pdf",
		"text": "https://archive.orkl.eu/b302513aa883525d06be40d83594edaebbe59c60.txt",
		"img": "https://archive.orkl.eu/b302513aa883525d06be40d83594edaebbe59c60.jpg"
	}
}