Brute Ratel C4

By Chetan Nayak

Archived: 2026-04-05 22:04:48 UTC

DNS Over HTTPS

Alongside the default HTTPS connections, Badger's DNS over HTTPS lets newly bought domains be used without the need for domain fronting or a redirector, while providing a backup option to switch to other HTTPS profiles on the fly.

External C2 Channels

The SMB and TCP badgers provide functionality to write custom External C2 Channels over legitimate websites such as Slack, Discord, Microsoft Teams and more.

Indirect Syscalls

Badger provides various process injection capabilities and an option to switch between WinAPI, NTAPI and Syscalls on the fly.

Built-in Debugger To Detect EDR Userland Hooks

Badger provides various techniques to hunt EDR userland hooks and DLLs, and to avoid triggering them using various syscall obfuscation and debugging techniques.

Brute Ratel MITRE graph

Brute Ratel features a seamlessly integrated MITRE graph for all built-in commands, providing a user-friendly interface for Adversary Simulation activities.

One stop for all your LDAP queries

Ldap Sentinel provides a rich GUI to run various LDAP queries against the Domain or a Forest. Whether you want to run SPN queries for a specific user or query large group objects, all can be done effortlessly using prebuilt queries.

Multiple Command and Control Channels

Badger provides multiple pivot options such as SMB, TCP, WMI, WinRM and managing remote services over RPC.

Automate Adversary TTPs

Use existing Brute Ratel modules or build your own using in-memory execution of C-Sharp, BOFs, PowerShell scripts or Reflective DLLs, and automate the execution of the commands using the Click Script feature.

Various Out-Of-Box Evasion Capabilities

| Evasion Capabilities | x64 Support | x86 Support | x86 on Wow64 Support |
|---|---|---|---|
| Stack Frame Chaining | Yes | No | No |
| Indirect System Calls | Yes | Yes | Yes |
| Hide Shellcode Sections in Memory | Yes | Yes | Yes |
| Multiple Sleeping Masking Techniques | Yes | No | No |
| Unhook EDR Userland Hooks and DLLs | Yes | No | No |
| Unhook DLL Load Notifications | Yes | No | No |
| LoadLibrary Proxy for ETW Evasion | Yes | No | No |
| Thread Stack Encryption | Yes | Yes | Yes |
| Badger Heap Encryption | Yes | Yes | Yes |
| Masquerade Thread Stack Frame | Yes | Yes | Yes |
| Hardware Breakpoint for AMSI/ETW Evasion | Yes | Yes | Yes |
| Reuse Virtual Memory For ETW Evasion | Yes | Yes | Yes |
| Reuse Existing Libraries from PEB | Yes | Yes | Yes |
| Secure Free Badger Heap for Volatility Evasion | Yes | Yes | Yes |
| Advanced Module Stomping with PEB Hooking | Yes | Yes | Yes |
| In-Memory PE and RDLL Execution | Yes | Yes | Yes |
| In-Memory BOF Execution | Yes | Yes | Yes |
| In-Memory Dotnet Execution | Yes | Yes | Yes |
| Network Malleability | Yes | Yes | Yes |
| Built-In Anti-Debug Features | Yes | Yes | Yes |
| Module stomping for BOF/Memexec | Yes | Yes | Yes |

Want to learn more about our private trainings and services?

Dark Vortex provides various trainings related to information security. For a standard list of training programs, visit Dark Vortex or feel free to reach us at chetan@bruteratel.com

Source: https://bruteratel.com/