win.brute_ratel_c4

Brute Ratel C4

aka: BOLDBADGER, BruteRatel

Brute Ratel C4 (BRC4) is a commercial framework for red-teaming and adversarial attack simulation, which made its first appearance in December 2020. It was specifically designed to evade detection by endpoint detection and response (EDR) and antivirus (AV) capabilities. BRC4 allows operators to deploy a backdoor agent known as Badger (aka BOLDBADGER) within a target environment.
This agent enables arbitrary command execution, facilitating lateral movement, privilege escalation, and the establishment of additional persistence avenues. The Badger backdoor agent can communicate with a remote server via DNS over HTTPS, HTTP, HTTPS, SMB, and TCP, using custom encrypted channels. It supports a variety of backdoor commands including shell command execution, file transfers, file execution, and credential harvesting. Additionally, the Badger agent can perform tasks such as port scanning, screenshot capturing, and keystroke logging. Notably, in September 2022, a cracked version of Brute Ratel C4 was leaked in the cybercriminal underground, leading to its use by threat actors.

References

Date | Source | Author(s) | Title | Related families and actors
2025-09-29 | The DFIR Report | The DFIR Report | From a Single Click: How Lunar Spider Enabled a Near Two-Month Intrusion | Brute Ratel C4, Cobalt Strike, Latrodectus
2025-06-24 | Bridewell | Bridewell | 2025 Cyber Threat Intelligence Report | AsyncRAT, Brute Ratel C4, Cobalt Strike, Fog, Ghost RAT, Lumma Stealer, Meduza Stealer, Quasar RAT, RedLine Stealer, Sliver
2025-04-03 | Microsoft | Microsoft Threat Intelligence | Threat actors leverage tax season to deploy tax-themed phishing campaigns | Brute Ratel C4, CloudEyE, Latrodectus, Remcos, Storm-0249
2025-01-10 | Spamhaus | Spamhaus Malware Labs | Spamhaus Botnet Threat Update July to December 2024 | Coper, FluBot, Hook, Mirai, FAKEUPDATES, AsyncRAT, BianLian, Brute Ratel C4, Cobalt Strike, DanaBot, DCRat, Havoc, Latrodectus, NjRAT, Quasar RAT, RedLine Stealer, Remcos, Rhadamanthys, Sliver, Stealc
2024-11-18 | Proofpoint | Proofpoint Threat Research Team, Selena Larson, Tommy Madjar | Security Brief: ClickFix Social Engineering Technique Floods Threat Landscape | AsyncRAT, Brute Ratel C4, DanaBot, DarkGate, Latrodectus, Lumma Stealer, NetSupportManager RAT, XWorm
2024-10-30 | EclecticIQ | EclecticIQ Threat Research Team | Inside Intelligence Center: LUNAR SPIDER Enabling Ransomware Attacks on Financial Sector with Brute Ratel C4 and Latrodectus | BlackCat, Brute Ratel C4, Latrodectus
2024-10-22 | Airbus | Adams Kone | Incident Response: Analysis of recent version of BRC4 | Brute Ratel C4
2024-08-01 | Krakz | Pierre Le Bourhis | Latrodectus dropped by BR4 | Brute Ratel C4, Latrodectus
2024-06-24 | RevEng.AI | RevEng.AI | Latrodectus Affiliate Resumes Operations Using Brute Ratel C4 Post Operation Endgame | Brute Ratel C4, Latrodectus
2023-09-27 | Cyber Geeks | Vlad Pasca | A Deep Dive into Brute Ratel C4 payloads – Part 2 | Brute Ratel C4
2023-09-22 | Mandiant | Dan Black, Josh Atkins, Luke Jenkins | Backchannel Diplomacy: APT29’s Rapidly Evolving Diplomatic Phishing Operations | Brute Ratel C4, Cobalt Strike, EnvyScout, GraphDrop, QUARTERRIG, sRDI, Unidentified 107 (APT29)
2023-08-31 | Cyber Geeks | CyberMasterV | A Deep Dive into Brute Ratel C4 Payloads | Brute Ratel C4
2023-08-07 | Recorded Future | Insikt Group | RedHotel: A Prolific, Chinese State-Sponsored Group Operating at a Global Scale | Winnti, Brute Ratel C4, Cobalt Strike, FunnySwitch, PlugX, ShadowPad, Spyder, Earth Lusca
2023-04-28 | Twitter (@MichalKoczwara) | Michael Koczwara | Tweet on hunting BRC4 infrastructure | Brute Ratel C4
2023-03-06 | ProtectedMo.de | Boymoder RE | Brute Ratel - Scandinavian Defence | Brute Ratel C4
2023-02-23 | Andrea Fortuna's Blog | Andrea Fortuna | How to detect Brute Ratel activities | Brute Ratel C4
2023-02-15 | Yoroi | Carmelo Ragusa, Luigi Martire | Hunting Cyber Evil Ratels: From the targeted attacks to the widespread usage of Brute Ratel | Brute Ratel C4
2023-01-29 | Dark Vortex | Paranoid Ninja | Hiding In PlainSight - Indirect Syscall is Dead! Long Live Custom Call Stacks | Brute Ratel C4
2023-01-26 | Dark Vortex | Paranoid Ninja | Hiding In PlainSight - Proxying DLL Loads To Hide From ETWTI Stack Tracing | Brute Ratel C4
2022-10-25 | Medium walmartglobaltech | Jason Reaves | Brute Ratel Config Decoding update | Brute Ratel C4
2022-10-12 | Trend Micro | Ian Kenefick, Lucas Silva, Nicole Hernandez | Black Basta Ransomware Gang Infiltrates Networks via QAKBOT, Brute Ratel, and Cobalt Strike | Black Basta, Brute Ratel C4, Cobalt Strike, QakBot
2022-10-12 | Twitter (@embee_research) | Embee_research, Huntress Labs | Tweets on detection of Brute Ratel via API Hashes | Brute Ratel C4
2022-10-04 | splunk | Splunk Threat Research Team | Deliver a Strike by Reversing a Badger: Brute Ratel Detection and Analysis | Brute Ratel C4
2022-09-01 | Medium michaelkoczwara | Michael Koczwara | Hunting C2/Adversaries Infrastructure with Shodan and Censys | Brute Ratel C4, Cobalt Strike, Deimos, GRUNT, IcedID, Merlin, Meterpreter, Nighthawk, PoshC2, Sliver
2022-08-22 | Microsoft | Microsoft | Extortion Economics - Ransomware’s new business model | BlackCat, Conti, Hive, REvil, AgendaCrypt, Black Basta, BlackCat, Brute Ratel C4, Cobalt Strike, Conti, Hive, Mount Locker, Nokoyawa Ransomware, REvil, Ryuk
2022-08-03 | MDSec | Dominic Chell | PART 3: How I Met Your Beacon – Brute Ratel | Brute Ratel C4
2022-07-09 | spookysec | Ronnie | Analyzing a Brute Ratel Badger | Brute Ratel C4
2022-07-07 | SOCRadar | SOCRadar | Brute Ratel Utilized By Threat Actors In New Ransomware Operations | Brute Ratel C4
2022-07-06 | YouTube (IppSec) | IppSec | Reversing Malware How is APT 29 Successful w/ this Phishing Tech and BRc4 (Brute Ratel) opsec fails? | Brute Ratel C4
2022-07-05 | | Mike Harbison | When Pentest Tools Go Brutal: Red-Teaming Tool Being Abused by Malicious Actors | Brute Ratel C4
2021-06-01 | Dark Vortex | Dark Vortex | PE Reflection: The King is Dead, Long Live the King | Brute Ratel C4
Yara Rules
[TLP:WHITE] win_brute_ratel_c4_auto (20251219 | Detects win.brute_ratel_c4.)
rule win_brute_ratel_c4_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-01-05"
        version = "1"
        description = "Detects win.brute_ratel_c4."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.brute_ratel_c4"
        malpedia_rule_date = "20260105"
        malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79"
        malpedia_version = "20251219"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 89542410 48894c2408 4883ec48 8b442458 89442424 48c744242800000000 41b800060400 }
            // n = 7, score = 100
            //   89542410             | mov                 dword ptr [esp + 0x28], 0
            //   48894c2408           | inc                 ecx
            //   4883ec48             | mov                 eax, 0x40600
            //   8b442458             | dec                 eax
            //   89442424             | lea                 edx, [0x2fd0]
            //   48c744242800000000     | dec    eax
            //   41b800060400         | lea                 ecx, [0x42ee3]

        $sequence_1 = { 89442438 4863442430 486bc010 488d0de32e0400 4803c8 }
            // n = 5, score = 100
            //   89442438             | dec                 eax
            //   4863442430           | lea                 ecx, [esp + 0x20]
            //   486bc010             | dec                 eax
            //   488d0de32e0400       | mov                 dword ptr [esp + 0x28], eax
            //   4803c8               | dec                 esp

        $sequence_2 = { 488d0de32e0400 4803c8 488bc1 48634c2434 }
            // n = 4, score = 100
            //   488d0de32e0400       | dec                 eax
            //   4803c8               | lea                 ecx, [0x42ee3]
            //   488bc1               | dec                 eax
            //   48634c2434           | add                 ecx, eax

        $sequence_3 = { 48c744242800000000 41b800060400 488d15d02f0000 488d4c2420 e8???????? 4889442428 4c8d0532200000 }
            // n = 7, score = 100
            //   48c744242800000000     | dec    eax
            //   41b800060400         | mov                 dword ptr [esp + 0x28], 0
            //   488d15d02f0000       | inc                 ecx
            //   488d4c2420           | mov                 eax, 0x40600
            //   e8????????           |                     
            //   4889442428           | dec                 eax
            //   4c8d0532200000       | lea                 edx, [0x2fd0]

        $sequence_4 = { 65488b042560000000 4c8b7868 41837f0400 0f84d9000000 }
            // n = 4, score = 100
            //   65488b042560000000     | mov    dword ptr [esp + 0x28], 0
            //   4c8b7868             | inc                 ecx
            //   41837f0400           | mov                 eax, 0x40600
            //   0f84d9000000         | dec                 eax

        $sequence_5 = { 41ffd7 ffcd 85c0 75cd 4801de 48c1e704 }
            // n = 6, score = 100
            //   41ffd7               | lea                 edx, [0x2fd0]
            //   ffcd                 | mov                 dword ptr [esp + 0x2c], 0
            //   85c0                 | mov                 eax, dword ptr [esp + 0x2c]
            //   75cd                 | mov                 dword ptr [esp + 0x38], eax
            //   4801de               | dec                 eax
            //   48c1e704             | arpl                word ptr [esp + 0x30], ax

        $sequence_6 = { 4d85c0 7415 8b4f04 4801f1 49d1e8 4c89f2 41ffd7 }
            // n = 7, score = 100
            //   4d85c0               | dec                 eax
            //   7415                 | mov                 dword ptr [esp + 8], ecx
            //   8b4f04               | dec                 eax
            //   4801f1               | sub                 esp, 0x48
            //   49d1e8               | mov                 eax, dword ptr [esp + 0x58]
            //   4c89f2               | mov                 dword ptr [esp + 0x24], eax
            //   41ffd7               | dec                 eax

        $sequence_7 = { 488b542430 41ffd4 85c0 75c9 418b74ff2c 458b74ff30 }
            // n = 6, score = 100
            //   488b542430           | dec                 eax
            //   41ffd4               | lea                 edx, [0x2fd0]
            //   85c0                 | dec                 eax
            //   75c9                 | lea                 ecx, [esp + 0x20]
            //   418b74ff2c           | mov                 dword ptr [esp + 0x38], eax
            //   458b74ff30           | dec                 eax

        $sequence_8 = { 83f804 0f8495010000 83f806 0f85b8010000 65488b042560000000 4c8b7868 41837f0c00 }
            // n = 7, score = 100
            //   83f804               | arpl                word ptr [esp + 0x30], ax
            //   0f8495010000         | dec                 eax
            //   83f806               | imul                eax, eax, 0x10
            //   0f85b8010000         | dec                 eax
            //   65488b042560000000     | lea    ecx, [0x42ee3]
            //   4c8b7868             | dec                 eax
            //   41837f0c00           | add                 ecx, eax

        $sequence_9 = { 4189c4 85c0 0f853bffffff 4989f8 }
            // n = 4, score = 100
            //   4189c4               | dec                 eax
            //   85c0                 | mov                 dword ptr [esp + 0x28], 0
            //   0f853bffffff         | inc                 ecx
            //   4989f8               | mov                 eax, 0x40600

        $sequence_10 = { ffcd 90 85ed 78bc }
            // n = 4, score = 100
            //   ffcd                 | dec                 eax
            //   90                   | lea                 edx, [0x2fd0]
            //   85ed                 | dec                 eax
            //   78bc                 | lea                 ecx, [esp + 0x20]

        $sequence_11 = { 0fb6c1 f7d8 4883c438 c3 }
            // n = 4, score = 100
            //   0fb6c1               | dec                 eax
            //   f7d8                 | imul                eax, eax, 0x10
            //   4883c438             | dec                 eax
            //   c3                   | lea                 ecx, [0x42ee3]

    condition:
        1 of them and filesize < 607232
}
[TLP:WHITE] win_brute_ratel_c4_w0 (20221012 | No description)
rule win_brute_ratel_c4_w0 {
    // Looks for API hashes present in Brute Ratel Badger payloads.
    meta:
        author = "Embee_Research @ Huntress"
        vendor = "Huntress"
        created = "2022/10/12"
        source = "https://raw.githubusercontent.com/embee-research/Yara/main/BruteSyscalls.yara"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.brute_ratel_c4"
        malpedia_rule_date = "20221012"
        malpedia_hash = ""
        malpedia_version = "20221012"
        malpedia_sharing = "TLP:WHITE"

    strings:
        // 4-byte API hash constants as they appear in the payload, one per NT API the Badger resolves
        $hash1 = {89 4d 39 8c} // NtProtectVirtualMemory
        $hash2 = {bd ca 3b d3} // NtAllocateVirtualMemory
        $hash3 = {b2 c1 06 ae} // NtWaitForSingleObject
        $hash4 = {74 eb 1d 4d} // NtCreateThreadEx

    condition:
        // uint16(0) is read little-endian:
        //   0x5a4d == bytes "MZ", a regular PE/DLL
        //   0x00e8 == bytes E8 00, a CALL opcode at offset 0, start of Brute shellcode
        (2 of them) and (uint16(0) == 0x5a4d or uint16(0) == 0x00e8)
}
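As an added defender-side illustration (not code from Malpedia, Huntress or the Brute Ratel project), the following Python re-implements the condition of the win_brute_ratel_c4_w0 rule above so its logic can be stepped through on a buffer: the little-endian uint16(0) header test, the search for each of the four API hash constants, and the "2 of them" threshold. The sample buffers are constructed inline and are not real samples.

```python
import struct

# The four 4-byte API hash constants from the win_brute_ratel_c4_w0 rule above,
# keyed by the NT API name each hash resolves to in the Badger payload.
BADGER_API_HASHES = {
    "NtProtectVirtualMemory": bytes.fromhex("894d398c"),
    "NtAllocateVirtualMemory": bytes.fromhex("bdca3bd3"),
    "NtWaitForSingleObject": bytes.fromhex("b2c106ae"),
    "NtCreateThreadEx": bytes.fromhex("74eb1d4d"),
}
MZ_MAGIC = 0x5A4D         # bytes "MZ" read as a little-endian uint16: a PE/DLL
SHELLCODE_MAGIC = 0x00E8  # bytes E8 00: a CALL opcode at offset 0, the Badger shellcode entry
MIN_HITS = 2              # the rule's "2 of them" threshold


def find_all(buf: bytes, needle: bytes) -> list:
    """Return every offset at which needle occurs in buf (overlapping hits included)."""
    offsets, start = [], 0
    while (idx := buf.find(needle, start)) != -1:
        offsets.append(idx)
        start = idx + 1
    return offsets


def scan_badger_hashes(buf: bytes) -> dict:
    """Evaluate the w0 rule's condition over a buffer (file contents or a memory dump).
    matched is True only when the header check passes AND at least MIN_HITS distinct
    hash constants are present, exactly as the YARA condition requires."""
    header_ok = len(buf) >= 2 and struct.unpack_from("<H", buf, 0)[0] in (MZ_MAGIC, SHELLCODE_MAGIC)
    hits = {name: offs for name, h in BADGER_API_HASHES.items() if (offs := find_all(buf, h))}
    return {"header_ok": header_ok, "hits": hits, "matched": header_ok and len(hits) >= MIN_HITS}


# Constructed test buffers (not real samples): header + padding + embedded hash constants.
PE_LIKE = (b"MZ" + b"\x90" * 62 + BADGER_API_HASHES["NtAllocateVirtualMemory"]
           + b"\x00" * 16 + BADGER_API_HASHES["NtCreateThreadEx"])
SHELLCODE_LIKE = (b"\xe8\x00\x00\x00\x00" + BADGER_API_HASHES["NtProtectVirtualMemory"]
                  + b"\xcc" * 8 + BADGER_API_HASHES["NtWaitForSingleObject"])
SINGLE_HIT = b"MZ" + b"\x00" * 30 + BADGER_API_HASHES["NtCreateThreadEx"]  # one hash only: below threshold
NO_HEADER = b"\x7fELF" + b"".join(BADGER_API_HASHES.values())             # all four hashes, wrong header

if __name__ == "__main__":
    for label, data in [("PE_LIKE", PE_LIKE), ("SHELLCODE_LIKE", SHELLCODE_LIKE),
                        ("SINGLE_HIT", SINGLE_HIT), ("NO_HEADER", NO_HEADER)]:
        r = scan_badger_hashes(data)
        print(f"{label:15} matched={r['matched']} header_ok={r['header_ok']} apis={sorted(r['hits'])}")
```

Because each constant is only four bytes, any one of them can occur by chance in a large binary; the two-hash threshold combined with the header check is what keeps the rule's false-positive rate down, so a single hit is a triage lead rather than a verdict.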