Conveniently sold as a 'red teaming tool' with advanced capabilities to avoid detection from EDR and antivirus, BruteRatel is unsurprisingly used and abused by various cybercrime or state sponsored threat actors :
23
+
24
+
[BruteRatel and CVE-2025-31324](https://reliaquest.com/blog/threat-spotlight-reliaquest-uncovers-vulnerability-behind-sap-netweaver-compromise/)
25
+
[BruteRatel and APT29](https://unit42.paloaltonetworks.com/brute-ratel-c4-tool/)
26
+
27
+
As a mean to raise awareness and help blue teams better understand the threat posed by this specific tool, I publish a [stripped-down version](https://bazaar.abuse.ch/sample/) from a sample found in the wild and uploaded on bazar.abuse.ch
28
+
29
+
This version has been modified in the following fashion :
30
+
31
+
- The First stage loader/obfuscator have been removed
32
+
- The inner payload only connects to the following local IP : http://192.168.30.46/admin.php on port 80
33
+
- SSL encryption has been removed
34
+
35
+
I also publish a basic php framework to issue commands to this modified sample :
This is a very basic php framework meant to test various commands from the malware and doesn't offer any 'C2' features
40
+
41
+
A summary from most commands available from this sample is available on my [blog](https://cedricg-mirror.github.io/2025/03/24/BruteRatelCommandList.html)
42
+
43
+
I didn't fully reverse / understood evry commands available nor do I intend to do so
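Review bot: the "stripped-down version" link in this hunk points at https://bazaar.abuse.ch/sample/ with no sample hash appended, so a reader cannot retrieve the original specimen or verify that the published build derives from it; add the SHA-256 of the in-the-wild sample to that URL (and, ideally, the hash of the modified binary so defenders can allowlist or alert on it), and fix the hostname in the sentence, which reads "bazar.abuse.ch" while the link uses "bazaar.abuse.ch". The line "I also publish a basic php framework to issue commands to this modified sample :" ends on a colon with nothing following it; the repository path or URL of that framework should be added, and the next sentence should then explain how it relates to the hardcoded callback `http://192.168.30.46/admin.php` so readers know the sample will attempt that outbound connection when run. Minor wording: "As a mean to raise awareness" should read "As a means to raise awareness", "The First stage loader/obfuscator have been removed" should read "has been removed", and "I didn't fully reverse / understood evry commands" should read "I haven't fully reversed or understood every command".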