Brute Ratel C4
Brute Ratel C4 (also referred to as BRc4 or Brute Ratel) is a commercial command-and-control and post-exploitation framework originally designed for red teaming that has been increasingly abused by threat actors. The provided content describes it as an alternative to heavily detected frameworks such as Cobalt Strike and notes adoption by both cybercrime and state-linked actors.
Observed capabilities in the content include lateral movement via WMI, port scanning, remote access, credential retrieval, hiding memory artifacts, and patching ETW and AMSI for defense evasion. One report also describes a Brute Ratel C4 loader using direct syscalls, SetProcessMitigationPolicy, PPID spoofing, and Early Bird APC injection to decrypt and inject a PureHVNC stage into notepad.exe rather than operating its own C2 channel.
Execution and delivery vectors mentioned in the content include users opening malicious documents, malicious JavaScript leading to MSI installation, ISO/IMG and LNK-based phishing chains, DLL sideloading, inline MSBuild task execution, and delivery by other malware or loaders including Qakbot, Latrodectus, and downloaders used in espionage campaigns. In one financial-sector campaign attributed by the source to LUNAR SPIDER, tax-themed malvertising and SEO poisoning redirected victims to JavaScript that downloaded an MSI from 45[.]14[.]244[.]124/dsa.msi, which deployed Brute Ratel C4 disguised as vierm_soft_x64.dll and executed it via rundll32. That campaign reportedly used persistence via HKCU\Software\Microsoft\Windows\CurrentVersion\Run and communicated with bazarunet[.]com and tiguanin[.]com.
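The delivery chain above (MSI drops a DLL masquerading as vierm_soft_x64.dll, rundll32 runs it, a Run key keeps it alive, and the implant resolves bazarunet[.]com / tiguanin[.]com) is something a SOC can hunt for in endpoint telemetry without any sample in hand. The following is an added detection example written for this page; it is not code from the page's sources or from the Mallory product. It assumes Sysmon-style field names (EventID 1 process creation, 3 network connection, 13 registry value set, 22 DNS query), uses only the indicators quoted on this page, and checks RunOnce alongside Run, which goes slightly beyond the campaign description. The events it runs over are constructed for the example.

```python
import re
from typing import Dict, List, Optional

# Indicators quoted on this page, kept defanged as published and refanged for matching.
PAGE_IOCS = {"bazarunet[.]com", "tiguanin[.]com", "45[.]14[.]244[.]124"}
IOC_SET = {i.replace("[.]", ".").lower() for i in PAGE_IOCS}

# Directories an unprivileged user can write to. A DLL that rundll32 loads from one of
# these is far more suspicious than one under System32 or Program Files.
USER_WRITABLE = re.compile(
    r"\\(Users\\[^\\]+\\(AppData|Downloads|Desktop|Documents)|ProgramData|Users\\Public|Windows\\Temp)\\",
    re.IGNORECASE,
)
# Pull the DLL path out of "rundll32.exe <path>,<export>" (quoted or not).
RUNDLL_DLL = re.compile(r'rundll32(?:\.exe)?"?\s+"?([^",]+?\.dll)', re.IGNORECASE)
# Sysmon logs HKCU keys as HKU\<SID>\..., so match on the key suffix, not the hive name.
RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\\", re.IGNORECASE)

# Constructed sample telemetry: one malicious chain interleaved with benign look-alikes.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"EventID": "3", "Image": r"C:\Windows\System32\wscript.exe",
     "DestinationIp": "45.14.244.124", "DestinationPort": "80"},
    {"EventID": "1", "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Users\victim\AppData\Local\Temp\vierm_soft_x64.dll,Start",
     "ParentImage": r"C:\Windows\System32\msiexec.exe"},
    {"EventID": "1", "Image": r"C:\Windows\System32\rundll32.exe",   # benign control-panel launch
     "CommandLine": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": "13", "TargetObject": r"HKU\S-1-5-21-1-2-3-1001\Software\Microsoft\Windows\CurrentVersion\Run\vierm",
     "Details": r"rundll32.exe C:\Users\victim\AppData\Local\Temp\vierm_soft_x64.dll,Start"},
    {"EventID": "13", "TargetObject": r"HKU\S-1-5-21-1-2-3-1001\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r"C:\Users\victim\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"},  # benign autorun from AppData
    {"EventID": "22", "Image": r"C:\Windows\System32\rundll32.exe", "QueryName": "bazarunet.com"},
    {"EventID": "22", "Image": r"C:\Windows\explorer.exe", "QueryName": "login.microsoftonline.com"},
]


def flag_rundll32_user_writable(ev: Dict[str, str]) -> Optional[str]:
    """rundll32 executing a DLL that lives in a user-writable directory."""
    if ev.get("EventID") != "1" or not ev.get("Image", "").lower().endswith("rundll32.exe"):
        return None
    m = RUNDLL_DLL.search(ev.get("CommandLine", ""))
    if m and USER_WRITABLE.search(m.group(1)):
        return f"rundll32 loading DLL from user-writable path: {m.group(1)}"
    return None


def flag_run_key_rundll32(ev: Dict[str, str]) -> Optional[str]:
    """Run/RunOnce value whose command is rundll32 pointed at a user-writable DLL.

    Plain autoruns from AppData (OneDrive, Teams, ...) are common and are deliberately
    not flagged; the rundll32 + DLL combination is what separates this chain from them.
    """
    if ev.get("EventID") != "13" or not RUN_KEY.search(ev.get("TargetObject", "")):
        return None
    m = RUNDLL_DLL.search(ev.get("Details", ""))
    if m and USER_WRITABLE.search(m.group(1)):
        return f"Run-key persistence via rundll32 from user-writable path: {ev['TargetObject']}"
    return None


def flag_ioc_match(ev: Dict[str, str]) -> Optional[str]:
    """DNS query or outbound connection to an indicator quoted on this page."""
    if ev.get("EventID") == "22":
        value = ev.get("QueryName", "").lower().rstrip(".")
    elif ev.get("EventID") == "3":
        value = ev.get("DestinationIp", "").lower()
    else:
        return None
    return f"traffic to known indicator: {value}" if value in IOC_SET else None


RULES = {
    "rundll32_user_writable_dll": flag_rundll32_user_writable,
    "run_key_rundll32_persistence": flag_run_key_rundll32,
    "ioc_match": flag_ioc_match,
}


def triage(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Run every rule over every event and return the findings that fired."""
    findings = []
    for ev in events:
        for rule, fn in RULES.items():
            detail = fn(ev)
            if detail:
                findings.append({"rule": rule, "detail": detail})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"[{f['rule']}] {f['detail']}")
```

On the constructed sample this fires four times (the download connection, the rundll32 launch, the Run-key write and the DNS query) and stays quiet on the shell32 control-panel launch and the OneDrive autorun, which is the false-positive pair that a naive "rundll32" or "Run key from AppData" rule would catch. In a real deployment the IOC set would be fed from the family's indicator list rather than hard-coded, and the Run-key rule is worth correlating with the process-creation hit on the same DLL path.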
Threat actors and clusters explicitly associated with Brute Ratel C4 in the content include DEV-0506, APT29, APT41, Aquatic Panda, a Russian intelligence-linked diplomatic espionage campaign overlapping with NOBELIUM/APT29 tradecraft, SAP NetWeaver exploitation activity, and the SERPENTINE#CLOUD operator. The content also states that Qakbot infections frequently progressed to Brute Ratel or Cobalt Strike, and that Brute Ratel has been used in ransomware intrusion ecosystems as a post-compromise access tool.
Targeting referenced in the content includes foreign ministries and diplomatic entities, government organizations, financial-sector victims, and environments where attackers sought access to systems such as Veeam Backup & Replication. The content also includes multiple Splunk attack-range datasets associated with Brute Ratel scenarios such as SeDebugPrivilege token activity, loading samlib, service deletion, wallpaper modification via TranscodedWallpaper, and create remote thread, but these are simulation datasets rather than live intrusion reporting.
Vulnerabilities exploited
3 CVEs correlated with this family across public research and vendor advisories.
The infection occurred within hours after the mass exploitation of webshells deployed on compromised NetWeaver instances started and involved the use of the Brute Ratel C2 framework.
... a subsequent attack involved the deployment of the Brute Ratel C2 framework using inline MSBuild task execution.
Groups observed using it
27 distinct threat actors attributed by public researchers.
In late September 2022, Microsoft observed DEV-0506 adding Brute Ratel as a tool to facilitate their hands-on-keyboard access as well as Cobalt Strike Beacons.
Currently, there are many APT groups and cybercrime gangs using this technique. Some examples include: APT41 Group, Aquatic Panda, APT29 using Brute Ratel C4...
Victims searching tax-related content are redirected to download malicious JavaScript files like Document-16-32-50.js. These scripts retrieve an MSI installer, which deploys Brute Ratel C4 (BRc4) by disguising the payload as legitimate software (vierm_soft_x64.dll under rundll32 execution).
Insikt Group observed a late 2022 RedHotel campaign which employed a stolen code signing certificate ... to load the offensive security tool (OST) Brute Ratel C4.
This activity is significant as it may indicate the presence of Brute Ratel C4, a sophisticated remote access tool used for credential dumping and other malicious activities.
ShadowSyndicate continues to be associated with toolkits including ... Brute Ratel.
Techniques & procedures
37 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access
1 technique
Brute Ratel, a 'Cobalt-like' alternative toolkit for red-team pen testing, has been deployed by cybercriminal gangs, including the now-defunct Russian-speaking BlackCat threat actor, also known as AlphV, to launch healthcare sector attacks.
Execution
6 techniques
The content repeatedly describes threat actors and malware using WMI/WMIC/wmiexec for remote execution, lateral movement, discovery, persistence, and administrative actions; e.g., 'APT41 used WMI in several ways, including for execution of commands via WMIEXEC as well as for persistence via PowerSploit' and 'Scattered Spider used Windows Management Instrumentation (WMI) to move laterally via Impacket.'
The malicious executable creates a process specified by the C2 server using the CreateProcessA API... The process’ output that resides in the anonymous pipe is copied into a buffer... The output is read using ReadFile and then transmitted to the C2 server.
During the 2016 Ukraine Electric Power Attack, Sandworm Team used the xp_cmdshell command in MS-SQL. During the 2025 Poland Wiper Attacks, the adversaries leveraged PsExec to run cmd.exe commands on multiple victim machines. Numerous malware families and groups are described as using cmd.exe, cmd /c, Windows command shell, or command-line interfaces to execute commands, payloads, reconnaissance, persistence, cleanup, and ransomware actions.
The content repeatedly describes victims being lured into opening malicious attachments, enabling macros, launching installers, clicking embedded files/links, or otherwise directly executing malicious content.
Examples include: "Sandworm Team leveraged Microsoft Office attachments which contained malicious macros..."; "Bumblebee has relied upon a user opening an ISO file to enable execution of malicious shortcut files and DLLs"; "Lumma Stealer has gained initial execution through victims opening malicious executable files embedded in zip archives, and MSI files within RAR files."
Privilege Escalation
5 techniques
The badger opens the target process using OpenProcess... VirtualAllocEx is utilized to allocate a new memory area in the remote process... WriteProcessMemory... VirtualProtectEx... Finally, the binary creates a thread in the remote process that executes the shellcode.
The CryptStringToBinaryA method is utilized to decode from Base64 the shellcode that will be executed... VirtualAllocEx is used to allocate a new memory area in the current process... The shellcode is copied into the new area and its page is made executable... A new thread runs the shellcode copied earlier.
The agent is looking for the “LogonUI.exe”, “winlogon.exe”, and “lsass.exe” processes... ImpersonateLoggedOnUser is used to impersonate the security content of the user extracted from the process identified above... On another branch, the binary calls the DuplicateTokenEx method... Finally, a new process is created using CreateProcessWithTokenW.
On another branch, the binary calls the DuplicateTokenEx method in order to duplicate the access token extracted from “winlogon.exe” or “lsass.exe”. Finally, a new process is created using CreateProcessWithTokenW.
0x8AFA ID – Parent PID Spoofing. This command can be used to spoof the parent process ID in order to evade EDR software or other solutions.
The executable enables the above privilege via a function call to AdjustTokenPrivileges... 0x1719 ID – Enable SeDebugPrivilege.
Stealth
10 techniques
The content repeatedly describes malware and threat actors using obfuscated code, encrypted strings, Base64/XOR/RC4/AES encoding, VMProtect/ConfuserEx/SmartAssembly, stack strings, control-flow flattening, opaque predicates, and hidden payloads to evade analysis and detection.
During the 2016 Ukraine Electric Power Attack, DLLs and EXEs with filenames associated with common electric power sector protocols were used to masquerade files.
Akira has used legitimate names and locations for files to evade defenses.
The badger opens the target process using OpenProcess... VirtualAllocEx is utilized to allocate a new memory area in the remote process... WriteProcessMemory... VirtualProtectEx... Finally, the binary creates a thread in the remote process that executes the shellcode.
The CryptStringToBinaryA method is utilized to decode from Base64 the shellcode that will be executed... VirtualAllocEx is used to allocate a new memory area in the current process... The shellcode is copied into the new area and its page is made executable... A new thread runs the shellcode copied earlier.
The agent is looking for the “LogonUI.exe”, “winlogon.exe”, and “lsass.exe” processes... ImpersonateLoggedOnUser is used to impersonate the security content of the user extracted from the process identified above... On another branch, the binary calls the DuplicateTokenEx method... Finally, a new process is created using CreateProcessWithTokenW.
On another branch, the binary calls the DuplicateTokenEx method in order to duplicate the access token extracted from “winlogon.exe” or “lsass.exe”. Finally, a new process is created using CreateProcessWithTokenW.
0x8AFA ID – Parent PID Spoofing. This command can be used to spoof the parent process ID in order to evade EDR software or other solutions.
The content repeatedly describes malware and threat actors decoding, decrypting, or deobfuscating payloads, strings, configuration data, commands, and C2 traffic prior to execution or use, e.g., 'APT28 macro uses the command certutil -decode to decode contents of a .txt file storing the base64 encoded payload' and 'Action RAT can use Base64 to decode actor-controlled C2 server communications.'
Have you ever heard of the DLL-Hijacking attack method? This type of attack exploits the search order and loading sequence of DLLs in Windows, causing your legitimate programs to load malicious code into memory.
The malicious binary allocates new memory for another DLL that implements the main functionality using VirtualAlloc... Finally, the malware passes the execution flow to the newly constructed DLL.
Defense Impairment
1 technique
0xA905 ID – Copy files... 0x9B84 ID – Move files... 0xE993 ID – Delete files... 0x3F61 ID – Create directories... 0x8F40 ID – Delete directories.
Discovery
6 techniques
The registry key passed as the second argument is opened using the RegOpenKeyExA method... The malicious process retrieves information about the registry key by calling the RegQueryInfoKeyW function... it enumerates the subkeys... and registry values.
GetUserNameW is used to obtain the username associated with the current thread.
The content repeatedly describes threat actors and malware performing network scanning, port scanning, service enumeration, OS fingerprinting, and identifying open ports/services across victim environments.
The content repeatedly describes malware and threat actors obtaining lists of running processes, using utilities such as tasklist, ps, WMI, Get-Process, CreateToolhelp32Snapshot, EnumProcesses, and similar APIs/commands to enumerate active processes on victim systems.
GetComputerNameExW is used to obtain the NetBIOS name associated with the local machine... The process retrieves version information about the current operating system using RtlGetVersion.
The files are enumerated in the current directory using the FindFirstFileW and FindNextFileW functions... 0x3C9F ID – Obtain the current directory for the process... 0x0609 ID – Retrieve the available disk drives.
Lateral Movement
2 techniques
Examples include 'Aquatic Panda used WMI for lateral movement in victim environments,' 'Deep Panda group is known to utilize WMI for lateral movement,' and 'Cinnamon Tempest has used Impacket for lateral movement via WMI.'
After Qakbot has all the information and sends it to the C2 server, the infection leads to Cobalt Strike or Brute Ratel.
Collection
2 techniques
0x9C41 ID – Take a screenshot and send it to the C2 server... The BitBlt method is used to capture the image... GdipSaveImageToStream is utilized to save the screenshot to a stream.
0x0105 ID – Extract data from the clipboard. The process opens the clipboard by calling the OpenClipboard method... The data is obtained from the clipboard in the Unicode format.
Command and Control
5 techniques
A subgroup of DEV-0193, which Microsoft tracks as DEV-0365, provides infrastructure as a service for cybercriminals. Most notably, DEV-0365 provides Cobalt Strike Beacon as a service.
The content repeatedly describes threat actors, malware, and campaigns using HTTP and/or HTTPS for command and control, including examples such as BlackEnergy communicating with C2 over HTTP POST requests and many other families using HTTP/S for C2.
In many instances, attackers test their attacks “in production” from an undetected location in their target’s environment, deploying tools or payloads like commodity malware.
The JSON is encrypted using the XOR operator... The process encodes the encrypted JSON using Base64 and exfiltrates the resulting data using HttpSendRequestW... The response is Base64-decoded and decrypted using the same key.
Cobalt Strike uses a command-line interface to interact with systems. Brute Ratel C4 can use cmd.exe for execution. Havoc can execute commands via cmd.exe. Covenant provides access to a Command Shell in Windows environments for follow-on command execution and tasking.
Exfiltration
1 technique
Many entries state malware or actors can upload, transfer, send, or exfiltrate files from compromised hosts to command-and-control servers or attacker infrastructure.
Impact
1 technique
0xEBC0 ID – Kill processes. The target process is opened via a function call to OpenProcess (0x1 = PROCESS_TERMINATE)... The process is killed using the TerminateProcess API.
Other
2 techniques
The content repeatedly describes threat actors and malware disabling or modifying security tools, EDR/AV, logging, firewall rules, integrity checkers, and security settings; e.g., 'Agrius used several mechanisms to try to disable security tools' and 'BlackByte disabled security tools such as Windows Defender and the Raccine anti-ransomware tool during operations.'
IOCs tracked for this family
24 indicators attributed across vendor reports, sandbox runs, and researcher write-ups, covering IPs, domains and DNS infrastructure as well as file hashes (MD5, SHA-1, SHA-256).
Recent activity
92 sources tracked across advisories, community write-ups, and news.
A native x64 Brute Ratel C4 binary used here as a delivery and evasion layer rather than a standalone C2 implant. It decrypts an embedded payload and injects PureHVNC stage 2 into notepad.exe using Early Bird APC queue injection, PPID spoofing to explorer.exe, direct syscalls, and process mitigation policies to block non-Microsoft DLL injection.
Brute Ratel is referenced as an example of a dual-use security tool later adopted by threat actors.
Command-and-control framework referenced in connection with suspicious named pipe usage.
A sophisticated remote access tool used for credential dumping and other malicious activities.