{
	"id": "5bb12763-55a6-41ac-b7e7-f9636e92a2b2",
	"created_at": "2026-04-06T00:19:06.86399Z",
	"updated_at": "2026-04-10T13:11:43.386828Z",
	"deleted_at": null,
	"sha1_hash": "da891483274b558678d08f177873bb25bb56d1ed",
	"title": "Brute Ratel C4",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2999523,
	"plain_text": "Brute Ratel C4\r\nBy Chetan Nayak\r\nArchived: 2026-04-05 22:04:48 UTC\r\nDNS Over HTTPS\r\nAlongside the default HTTPS connections, Badger's DNS over HTTPS provides usability of newly bought\r\ndomains without the need for domain fronting or a redirector, all the while providing a backup option to be able\r\nto switch to other HTTPS profiles on the fly\r\nhttps://bruteratel.com/\r\nPage 1 of 10\n\nExternal C2 Channels\r\nThe SMB and TCP badger provide functionality to write custom External C2 Channels over legitimate websites\r\nsuch as Slack, Discord, Microsoft Teams and more\n\nIndirect Syscalls\r\nBadger provides various process injection capabilities and an option to switch between WinAPI, NTAPI and\r\nSyscalls on the fly\r\nBuilt-in Debugger To Detect EDR Userland Hooks\r\nBadger provides various techniques to hunt EDR userland hooks and DLLs, and avoid triggering them using\r\nvarious syscall obfuscation and debugging techniques\n\nBrute Ratel MITRE graph\r\nBrute Ratel features a seamlessly integrated MITRE graph for all built-in commands providing a user friendly\r\ninterface for Adversary Simulation activities\n\nOne stop for all your LDAP queries\r\nLdap Sentinel provides a rich GUI interface to run various LDAP queries against the Domain or a Forest. 
Whether you\r\nwant to run SPN queries for a specific user or if you want to query large group objects, all can be done effortlessly\r\nusing prebuilt queries.\n\nMultiple Command and Control Channels\r\nBadger provides multiple pivot options such as SMB, TCP, WMI, WinRM and managing remote services over\r\nRPC.\r\nAutomate Adversary TTPs\r\nUse existing Brute Ratel modules or build your own using in-memory execution of C-Sharp, BOFs, PowerShell\r\nScripts or Reflective DLLs and automate the execution of the commands using the Click Script feature\n\nVarious Out-Of-Box Evasion Capabilities\r\nEvasion Capabilities | x64 Support | x86 Support | x86 on Wow64 Support\r\nStack Frame Chaining | Yes | No | No\r\nIndirect System Calls | Yes | Yes | Yes\r\nHide Shellcode Sections in Memory | Yes | Yes | Yes\r\nMultiple Sleeping Masking Techniques | Yes | No | No\r\nUnhook EDR Userland Hooks and Dlls | Yes | No | No\r\nUnhook DLL Load Notifications | Yes | No | No\r\nLoadLibrary Proxy for ETW Evasion | Yes | No | No\r\nThread Stack Encryption | Yes | Yes | Yes\r\nBadger Heap Encryption | Yes | Yes | Yes\r\nMasquerade Thread Stack Frame | Yes | Yes | Yes\r\nHardware Breakpoint for AMSI/ETW Evasion | Yes | Yes | Yes\r\nReuse Virtual Memory For ETW Evasion | Yes | Yes | Yes\r\nReuse Existing Libraries from PEB | Yes | Yes | Yes\r\nSecure Free Badger Heap for Volatility Evasion | Yes | Yes | Yes\r\nAdvanced Module Stomping with PEB Hooking | Yes | Yes | Yes\r\nIn-Memory PE and RDLL Execution | Yes | Yes | Yes\r\nIn-Memory BOF Execution | Yes | Yes | Yes\r\nIn-Memory Dotnet Execution | Yes | Yes | Yes\r\nNetwork Malleability | Yes | Yes | Yes\r\nBuilt-In Anti-Debug Features | Yes | Yes | Yes\r\nModule stomping for BOF/Memexec | Yes | Yes | Yes\r\nWant to learn more about our private trainings and services?\r\nDark Vortex provides various trainings related to information security. 
For a standard list of training programs,\r\nvisit Dark Vortex or feel free to reach us at chetan@bruteratel.com\n\nSource: https://bruteratel.com/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://bruteratel.com/"
	],
	"report_names": [
		"bruteratel.com"
	],
	"threat_actors": [],
	"ts_created_at": 1775434746,
	"ts_updated_at": 1775826703,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/da891483274b558678d08f177873bb25bb56d1ed.pdf",
		"text": "https://archive.orkl.eu/da891483274b558678d08f177873bb25bb56d1ed.txt",
		"img": "https://archive.orkl.eu/da891483274b558678d08f177873bb25bb56d1ed.jpg"
	}
}