Brute Ratel C4
Brute Ratel C4 (also referred to as Brute Ratel, BRC4, or BRc4) is a commercial post-exploitation and command-and-control framework originally positioned as an attack simulation or red-team tool but widely adopted by threat actors. The content describes it as a customized attack simulation tool designed to evade common defensive controls and notes that its implants can take multiple forms, including executables, service binaries, DLLs, and PowerShell scripts.
Documented capabilities in the provided content include account and domain discovery using LDAP queries, net group "Domain Admins" /domain, and net user /domain; lateral movement via WMI and SMB; port scanning and broader network/service discovery; privilege escalation; process creation and injection for defense evasion; and the ability to hide memory artifacts and patch ETW and AMSI. The framework is also referenced in infrastructure-hunting research focused on identifying Brute Ratel C4 command-and-control infrastructure using sources such as JARM and HTTP response characteristics.
The content links Brute Ratel C4 to multiple intrusion chains and actor ecosystems. It states that Qakbot/QBot infections were observed leading to Brute Ratel in 2022, and that Arechclient2 reportedly delivered Cobalt Strike and Brute Ratel as a precursor to BlackSuit ransomware deployment in May 2024. Proofpoint identified a 20 September 2024 ClickFix campaign using HTML attachments and user-executed PowerShell to deliver Brute Ratel C4, which then led to Latrodectus. CERT Polska and Poland’s Military Counterintelligence Service reported an espionage campaign linked to Russian intelligence services, overlapping with APT29/NOBELIUM tradecraft, in which manually verified victims received Cobalt Strike or Brute Ratel after delivery through spear-phishing, compromised websites, HTML smuggling, ISO/IMG images, LNK execution, and DLL sideloading. Microsoft also observed DEV-0506 adding Brute Ratel in late September 2022 to support hands-on-keyboard access, and the content cites APT29 and APT41 among actors discussed in relation to techniques or broader use of such tooling.
Observed infection and execution vectors in the content include users opening malicious documents or attachments, phishing-delivered HTML attachments, ClickFix or fake CAPTCHA-style social engineering that tricks users into pasting PowerShell into the Run dialog, and delivery as a follow-on payload from malware such as Qakbot and Arechclient2. The content also places Brute Ratel among emerging alternatives to heavily detected frameworks such as Cobalt Strike, alongside Sliver and Mythic, as threat actors shift toward other dual-use red-team tools to reduce detection.
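The discovery commands listed above (LDAP queries aside, `net group "Domain Admins" /domain` and `net user /domain`) and the paste-and-run lure that leaves a PowerShell entry in the Explorer RunMRU key are both cheap to hunt for in endpoint telemetry. The following Python is an added example, not code from the page's sources or from the Mallory product: it runs two simple rules over constructed, Sysmon-shaped events (process creation and registry value set). The event field names, hostnames, users and paths are assumptions made up for the example, not a vendor schema.

```python
"""Added detection example (not from the reports quoted on this page).

Rules:
  1. net.exe / net1.exe domain-discovery commands (net group "Domain Admins" /domain,
     net user /domain), which the page attributes to Brute Ratel C4 operators
  2. a PowerShell command written to the Explorer RunMRU key, the trace a
     paste-and-run (ClickFix / fake CAPTCHA) lure leaves behind

Event dicts below are constructed to resemble Sysmon EventID 1 (process create)
and EventID 13 (registry value set); the field names are assumptions.
"""
import re
from dataclasses import dataclass

# Constructed sample telemetry: hosts, users, SIDs and command text are made up.
SAMPLE_EVENTS = [
    {"id": 1, "host": "ws01", "user": "corp\\alice",
     "image": r"C:\Windows\System32\net.exe",
     "cmdline": 'net  group "Domain Admins" /domain'},
    {"id": 1, "host": "ws01", "user": "corp\\alice",
     "image": r"C:\Windows\System32\net1.exe",
     "cmdline": r"C:\Windows\system32\net1 user /domain"},
    {"id": 1, "host": "ws02", "user": "corp\\bob",
     "image": r"C:\Windows\System32\net.exe",
     "cmdline": r"net use Z: \\fs01\share"},          # benign: should not fire
    {"id": 13, "host": "ws03", "user": "corp\\carol",
     "target": r"HKU\S-1-5-21-1111\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RunMRU\a",
     "details": r'powershell -w hidden -c "constructed lure command"\1'},
    {"id": 13, "host": "ws03", "user": "corp\\carol",
     "target": r"HKU\S-1-5-21-1111\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RunMRU\b",
     "details": r"notepad\1"},                       # benign Run-dialog history
]

# Rule 1: net/net1, optional .exe, then the discovery verb and /domain switch.
# \s+ tolerates the doubled spaces operators sometimes leave in pasted commands.
DISCOVERY_PATTERNS = [
    ("net_group_domain_admins",
     re.compile(r'\bnet1?(?:\.exe)?\s+group\s+"?domain admins"?\s+/domain\b', re.I)),
    ("net_user_domain",
     re.compile(r"\bnet1?(?:\.exe)?\s+user\s+/domain\b", re.I)),
]

# Rule 2: any RunMRU value whose data names a PowerShell host.
RUNMRU_KEY = re.compile(r"\\Explorer\\RunMRU\\", re.I)
POWERSHELL_HOST = re.compile(r"\b(?:powershell|pwsh)\b", re.I)


@dataclass(frozen=True)
class Finding:
    rule: str
    host: str
    user: str
    evidence: str


def detect(events):
    """Return one Finding per rule match; events that match nothing are dropped."""
    findings = []
    for ev in events:
        if ev["id"] == 1:  # process creation: inspect the command line
            for rule, pattern in DISCOVERY_PATTERNS:
                if pattern.search(ev["cmdline"]):
                    findings.append(Finding(rule, ev["host"], ev["user"], ev["cmdline"]))
        elif ev["id"] == 13:  # registry value set: RunMRU + PowerShell
            if RUNMRU_KEY.search(ev["target"]) and POWERSHELL_HOST.search(ev["details"]):
                findings.append(Finding("runmru_powershell_paste",
                                        ev["host"], ev["user"], ev["details"]))
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"{f.rule:28} {f.host:6} {f.user:12} {f.evidence}")
```

Both rules are deliberately narrow: the discovery rule fires on the exact `net` verbs the page names rather than on every `net.exe` launch, and the RunMRU rule only fires when the stored Run-dialog entry actually invokes a PowerShell host, so ordinary Run-dialog history (`notepad`, share paths) stays quiet. In a real pipeline the same matching would be expressed as Sigma rules against the Sysmon process-creation and registry-set log sources.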
Hunt this family in your stack
Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
Vulnerabilities exploited
3 CVEs Mallory has correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.
The infection occurred within hours after the mass exploitation of webshells deployed on compromised NetWeaver instances started and involved the use of the Brute Ratel C2 framework.
... a subsequent attack involved the deployment of the Brute Ratel C2 framework using inline MSBuild task execution.
Groups observed using it
29 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
On 20 September 2024, Proofpoint researchers identified a campaign delivering Brute Ratel C4 and Latrodectus.
In late September 2022, Microsoft observed DEV-0506 adding Brute Ratel as a tool to facilitate their hands-on-keyboard access as well as Cobalt Strike Beacons.
Currently, there are many APT groups and cybercrime gangs using this technique. Some examples include: APT41 Group, Aquatic Panda, APT29 using Brute Ratel C4...
Victims searching tax-related content are redirected to download malicious JavaScript files like Document-16-32-50.js. These scripts retrieve an MSI installer, which deploys Brute Ratel C4 (BRc4) by disguising the payload as legitimate software (vierm_soft_x64.dll under rundll32 execution).
Insikt Group observed a late 2022 RedHotel campaign which employed a stolen code signing certificate ... to load the offensive security tool (OST) Brute Ratel C4.
Techniques & procedures
29 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access
3 techniques
Brute Ratel, a 'Cobalt-like' alternative toolkit for red-team pen testing, has been deployed by cybercriminal gangs, including the now-defunct Russian-speaking BlackCat threat actor, also known as AlphV, to launch healthcare sector attacks.
Execution
6 techniques
The content repeatedly describes threat actors and malware using WMI/WMIC/wmiexec for remote execution, lateral movement, discovery, persistence, and administrative actions; e.g., 'APT41 used WMI in several ways, including for execution of commands via WMIEXEC as well as for persistence via PowerSploit' and 'Scattered Spider used Windows Management Instrumentation (WMI) to move laterally via Impacket.'
This dialog box includes instructions that appear to describe how to “fix” the problem, but will either: automatically copy and paste a malicious script into the PowerShell terminal, or the Windows Run dialog box, to eventually run a malicious script via PowerShell.
During the 2016 Ukraine Electric Power Attack, Sandworm Team used the xp_cmdshell command in MS-SQL. During the 2025 Poland Wiper Attacks, the adversaries leveraged PsExec to run cmd.exe commands on multiple victim machines. Numerous malware families and groups are described as using cmd.exe, cmd /c, Windows command shell, or command-line interfaces to execute commands, payloads, reconnaissance, persistence, cleanup, and ransomware actions.
The inclusion of the “Browser check identificate:” prompt and a subsequent change made to the RunMRU registry key indicates this likely uses a paste-and-run fake CAPTCHA lure for initial execution.
Sandworm Team leveraged Microsoft Office attachments which contained malicious macros that were automatically executed once the user permitted them... APT29 has used various forms of spearphishing attempting to get a user to open attachments... DarkGate is distributed through phishing links to VBS or MSI objects requiring user interaction for execution.
Privilege Escalation
1 technique
Stealth
6 techniques
The sample observed in this campaign attempted to evade analysts by reversing strings in the HTML body of the webpage.
During the 2016 Ukraine Electric Power Attack, DLLs and EXEs with filenames associated with common electric power sector protocols were used to masquerade files.
Akira has used legitimate names and locations for files to evade defenses.
Brute Ratel is a commercial post-exploitation framework... capable of... creating processes to inject itself into for defense evasion.
Discovery
6 techniques
BoomBox has the ability to execute an LDAP query to enumerate the distinguished name, SAM account name, and display name for all domain users. IceApple Active Directory Querier module can perform authenticated requests against an Active Directory server. Sandworm Team has used a tool to query Active Directory using LDAP.
The content repeatedly describes threat actors and malware performing network scanning, port scanning, service enumeration, OS fingerprinting, and identifying open ports/services across victim environments.
The content repeatedly describes malware and threat actors obtaining lists of running processes, using utilities such as tasklist, ps, WMI, Get-Process, CreateToolhelp32Snapshot, EnumProcesses, and similar APIs/commands to enumerate active processes on victim systems.
Brute Ratel C4 can use LDAP queries, net group "Domain Admins" /domain and net user /domain for discovery. OilRig has run net group "domain admins" /domain and net group "Exchange Trusted Subsystem" /domain to get account listings on a victim. Wizard Spider has identified domain admins through the use of net group "Domain admins" /DOMAIN.
Lateral Movement
3 techniques
Brute Ratel is a commercial post-exploitation framework with implants that can take many forms, including executables, service binaries, DLLs, and PowerShell scripts. It is capable of moving laterally via Server Message Block (SMB)...
Command and Control
4 techniques
Hunting C2/Adversaries Infrastructure with Shodan and Censys ... My research Cobalt Strike C2 Metasploit/MSF Covenant C2 Deimos C2 Posh C2 Brute Ratel C4 Mythic C2 Sliver C2 ... Night Hawk C2 NimPlant C2 ShadowPad C2 Infrastructure Async Rat C2 Infrastructure Meterpreter C2 Infrastructure
The content repeatedly describes threat actors and malware using HTTP and HTTPS for command and control, such as: "Sandworm Team used BlackEnergy to communicate between compromised hosts and their command-and-control servers via HTTP post requests."
If the user performed the requested steps, PowerShell code was executed to download an executable that led to the installation of Lumma Stealer.
Cobalt Strike uses a command-line interface to interact with systems. Brute Ratel C4 can use cmd.exe for execution. Havoc can execute commands via cmd.exe. Covenant provides access to a Command Shell in Windows environments for follow-on command execution and tasking.
Exfiltration
1 technique
IOCs tracked for this family
32 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
IPs, domains, and DNS infrastructure linked to this family.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Other indicator types observed in public reporting.
Recent activity
100 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A native x64 Brute Ratel C4 binary used here as a delivery and evasion layer rather than a standalone C2 implant. It decrypts an embedded payload and injects PureHVNC stage 2 into notepad.exe using Early Bird APC queue injection, PPID spoofing to explorer.exe, direct syscalls, and process mitigation policies to block non-Microsoft DLL injection.
Brute Ratel is referenced as an example of a dual-use security tool later adopted by threat actors.
Command-and-control framework referenced in connection with suspicious named pipe usage.
A sophisticated remote access tool used for credential dumping and other malicious activities.
The version that knows your environment.
Match every observed IP, domain, and hash against your live telemetry.
Named campaigns wielding this family, with evidence pinned to each claim.
CVEs this family uses for access and lateral movement.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Every documented technique, ranked by evidence weight.
Reddit, Mastodon, and CTI community discussion around this family.