Mallory
Malware. Exploits 1 CVE

kerbrute

Kerbrute is an open-source Kerberos brute-forcing and user-enumeration tool used against Windows Active Directory environments. Its user enumeration sends AS-REQs without pre-authentication and tells existing principals from nonexistent ones by the KDC's error response, so it generates no failed-logon (4625) events on the domain controller; the KDC does still log TGT requests (event 4768), where probes for nonexistent names appear with result code 0x6. Password spraying and per-user brute forcing instead produce pre-authentication failures (event 4771, failure code 0x18) and can lock accounts out.

In the reporting collected here, Microsoft observed a threat actor using Kerbrute for NTLM-based lateral movement and reconnaissance against Windows hosts from a compromised Linux system, during a multi-stage intrusion that began with an internet-facing F5 BIG-IP appliance, pivoted to an internal Linux host, and then to an internal Atlassian Confluence server. The actor used Kerbrute alongside enum4linux, netexec (nxc), nmbclient, smbclient, rpcclient, timeroast, ldapsearch, and responder while attempting authentication abuse and relay-style attacks against Windows infrastructure; the intrusion later included Kerberos relay activity and exploitation of CVE-2025-33073. Microsoft published file-hash indicators for the Kerbrute binary used in that incident and identified attacker infrastructure including 206.189.27[.]39. Separately, Unit 42 reported Kerbrute in espionage activity targeting a Southeast Asian government, where the cluster CL-STA-0045, attributed with moderate confidence to Alloy Taurus (GALLIUM), used Kerbrute together with Zapoa, ReShell, GhostCringe RAT, Quasar RAT, Cobalt Strike, and China Chopper. Across these reports Kerbrute is used for credential attacks and reconnaissance against AD accounts in intrusions affecting government and enterprise Windows environments.


EXPLOITED CVES

Vulnerabilities exploited

1 CVE that Mallory has correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.

CVE-2025-33073: Windows SMB Client Elevation of Privilege Vulnerability

Key indicators include the C2 address 206.189.27[.]39 and file hashes for the custom scanner, Kerbrute, gowitness, and an NTLM relay script.

via Cyber Security News (cybersecuritynews.com)
MITRE ATT&CK

Techniques & procedures

12 distinct techniques documented for this family, organized by ATT&CK tactic.

Reconnaissance

1 technique
T1589.002 Email Addresses (Evidence: 1)

Kerberos user enumeration using kerbrute. (Username enumeration against the KDC maps more directly to T1087.002 Domain Account, listed under Discovery below; this entry reflects the source's own tagging.)

Initial Access, Persistence, Privilege Escalation, Defense Evasion

1 technique each (the same entry is mapped to all four tactics; the source labels the last tactic "Stealth", which in ATT&CK is Defense Evasion)
T1078 Valid Accounts (Evidence: 1)

"Gaining access : one of the tested username and password combinations works, and the account can be abused to enumerate assets in the AD network, exploit authenticated services and put the organization at risk."

Credential Access

6 techniques
T1110 Brute Force (Evidence: 3)

In MITRE ATT&CK both techniques live under T1110 (Brute Force): credential stuffing is T1110.004, password spraying is T1110.003.

T1110.001 Password Guessing (Evidence: 1)

"There are two main types of trial-and-error attacks on passwords: Brute-force attacks: attempts to log on to a given account using several passwords entered one after the other. Passwords can be random or taken from a dictionary of commonly used passwords."

T1110.003 Password Spraying (Evidence: 4)

Credential stuffing attacks and password spraying attacks are two approaches to the same task: obtaining valid credentials for initial access. In MITRE ATT&CK both techniques live under T1110 (Brute Force): credential stuffing is T1110.004, password spraying is T1110.003.

T1558 Steal or Forge Kerberos Tickets (Evidence: 2)

This includes Impacket, KrbRelayX, Coercer, BloodHound.py, NetExec, Kerbrute, and Metasploit... Observed malicious activity included downloading credentials, enumerating Kerberos usernames via Kerbrute...

T1558.003 Kerberoasting (Evidence: 1)

FIN12 has leveraged various publicly available tools to access credentials via kerberoasting attacks. These tools have included KERBRUTE, RUBEUS, and the Invoke-Kerberoast PowerShell cmdlet.

T1558.004 AS-REP Roasting (Evidence: 2)

(Fragmentary slide text) Pre-auth Kerberos: Kerbrute userenum; AS-REP Roasting: DONT_REQ_PREAUTH ... Offline roasting: Kerberoasting with Rubeus / GetUserSPNs.py; AS-REP Roasting with GetNPUsers.py

Discovery

2 techniques
T1046 Network Service Discovery (Evidence: 1)

The threat actor performed extensive reconnaissance of the host and network, including file enumeration, network scanning, and service discovery. They aggressively scanned the internal network subnets with Nmap to identify connected hosts, and then used Nmap on the identified hosts to detect open services.

T1087.002 Domain Account (Evidence: 1)

"Study common AD enumeration techniques... tools... to enumerate Active Directory users, such as kerbrute"
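The user-enumeration entries above (T1589.002, T1087.002) and the brute-force and spraying entries under Credential Access describe three behaviours that leave distinct Kerberos noise on a domain controller: AS-REQs for nonexistent names (event 4768, result 0x6), a single wrong password against many existing accounts (event 4771, failure code 0x18 spread across accounts), and many wrong passwords against one account (4771/0x18 concentrated on one account). The following is an added detection example written for this page; it is not kerbrute's own code and not a vendor rule. The event records are constructed in a simplified pipe-separated form, and the thresholds are illustrative assumptions to be tuned against real telemetry; only the result codes and event IDs are taken from Windows' Kerberos auditing.

```python
"""Added example (not kerbrute's code, not a vendor rule): flagging the
Kerberos noise Kerbrute-style activity leaves on a domain controller.

Assumptions: events are constructed in a simplified
'event_id|client_address|account|status' form, and the thresholds are
illustrative. The result codes are the ones Windows writes to the
Status (4768) / Failure Code (4771) fields.
"""
from collections import defaultdict
from dataclasses import dataclass

# Kerberos result codes (RFC 4120) as they appear in the event's Status field.
KDC_ERR_C_PRINCIPAL_UNKNOWN = "0x6"   # no such user: AS-REQ for a guessed name
KDC_ERR_PREAUTH_FAILED = "0x18"       # user exists, wrong password


@dataclass(frozen=True)
class KerbEvent:
    event_id: int      # 4768 = TGT requested, 4771 = pre-authentication failed
    client_ip: str     # Client Address field, IPv4-mapped prefix stripped
    target_user: str   # account name, lower-cased for grouping
    status: str        # Status / Failure Code, lower-cased


def parse(lines):
    """Parse the constructed 'event_id|client_address|account|status' records."""
    events = []
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        eid, addr, user, status = (f.strip() for f in line.split("|"))
        # Windows logs IPv4 clients as ::ffff:a.b.c.d; normalise for grouping.
        addr = addr.removeprefix("::ffff:")
        events.append(KerbEvent(int(eid), addr, user.lower(), status.lower()))
    return events


def classify(events, enum_threshold=20, spray_threshold=10, brute_threshold=10):
    """Return sorted [(client_ip, label, count)] for three Kerbrute behaviours.

    userenum      -> many distinct names answered 0x6 from one client (4768)
    passwordspray -> many distinct accounts, at most two 0x18 each (4771)
    bruteuser     -> many 0x18 against a single account from one client (4771)
    """
    unknown = defaultdict(set)                          # ip -> nonexistent names
    preauth_fail = defaultdict(lambda: defaultdict(int))  # ip -> account -> count
    for e in events:
        if e.event_id == 4768 and e.status == KDC_ERR_C_PRINCIPAL_UNKNOWN:
            unknown[e.client_ip].add(e.target_user)
        elif e.event_id == 4771 and e.status == KDC_ERR_PREAUTH_FAILED:
            preauth_fail[e.client_ip][e.target_user] += 1

    findings = []
    for ip, names in unknown.items():
        if len(names) >= enum_threshold:
            findings.append((ip, "kerberos_user_enumeration", len(names)))
    for ip, per_account in preauth_fail.items():
        # Spraying: wide and shallow. A user mistyping twice never trips this.
        if len(per_account) >= spray_threshold and max(per_account.values()) <= 2:
            findings.append((ip, "password_spray", len(per_account)))
        # Brute force: narrow and deep.
        for account, n in per_account.items():
            if n >= brute_threshold:
                findings.append((ip, "brute_force:" + account, n))
    return sorted(findings)


# Constructed sample: one enumerating host, one spraying host, one
# brute-forcing host, and a user who mistyped a password twice then logged in.
SAMPLE_EVENTS = (
    ["# event_id|client_address|account|status"]
    + [f"4768|::ffff:10.0.0.5|guess{i:02d}|0x6" for i in range(25)]
    + [f"4771|10.0.0.6|user{i:02d}|0x18" for i in range(12)]
    + ["4771|10.0.0.7|svc_backup|0x18"] * 15
    + ["4771|10.0.0.8|alice|0x18"] * 2
    + ["4768|10.0.0.8|alice|0x0"]
)

if __name__ == "__main__":
    for ip, label, count in classify(parse(SAMPLE_EVENTS)):
        print(f"{ip:12} {label:28} {count}")
```

Running the block prints one line per offending client: 10.0.0.5 as user enumeration, 10.0.0.6 as a spray, 10.0.0.7 as brute force against svc_backup, and nothing for 10.0.0.8. The "at most two failures per account" condition is the spray/brute-force discriminator and is the part most worth tuning: an actor who sprays two passwords per round with a long interval between rounds stays under it, so in production the windows should be bounded in time as well as count, and 4771 with code 0x12 (account locked or disabled) is worth counting alongside 0x18 once lockouts begin.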

Lateral Movement

1 technique
T1021.002 SMB/Windows Admin Shares (Evidence: 1)

Where Windows servers were discovered, the actor attempted NTLM-based lateral movement using a familiar open-source toolkit, including enum4linux, netexec, smbclient, rpcclient, timeroast, ldapsearch, kerbrute, and responder, though these initial attempts failed.

Command and Control

1 technique
T1105 Ingress Tool Transfer (Evidence: 4)

The threat actor then downloaded a custom scanning tool from 206.189.27[.]39 using wget... Assuming network-level blocking, the threat actor set up an FTP server on the initial Linux host... to transfer the custom scanning tool to the Confluence server.

INDICATORS OF COMPROMISE

IOCs tracked for this family

2 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory; they are redacted on the public page.

Hashes (2 tracked)

File hashes (MD5, SHA-1, SHA-256) from samples and reports.

Type: hash.sha256. Value: redacted. Latest sighting: 1 month ago.
Type: hash.sha256. Value: redacted. Latest sighting: 3 years ago.