Cybercriminals and ransomware groups are using an alternative post-exploitation toolkit that replaces Cobalt Strike. The new tool, named Brute Ratel (aka BRc4), is used to evade detection by EDR and anti-malware solutions.

About Brute Ratel

A report from Palo Alto Unit 42 claims that some cybercriminals are now moving away from Cobalt Strike to using Brute Ratel. The tool was released by an ex-red teamer at Mandiant and CrowdStrike in 2020.
  • The change in tactics is a major update in tactics, as BRc4 is developed to avoid detection by EDR and anti-malware solutions.
  • At first, almost all security software failed to detect it as malicious. Having such capability allowed the tool to stay out of the limelight.

Separately, the researchers observed a piece of malware that 56 anti-malware products failed to detect. It was created using Brute Ratel (BRC4) by Russia's Cozy Bear (APT29).

Ransomware groups also own it

Some ex-Conti ransomware members have already acquired licenses of this tool by creating fake U.S. companies to pass licensing verification systems. They are using it for lateral movement and network encryption via ransomware payload.

How do attackers get access to the tool?

  • At present, Brute Ratel costs around $2,500 per user for a one-year license, with customers having to provide a business email address that should be verified before getting a license.
  • The tool requires a manual verification process, raising questions about how attackers obtained the licenses. It is believed to have been leaked by a displeased employee of the BRc4 developer’s customer.


Brute Ratel, as a new alternative post-exploitation toolkit, is making significant news due to being abused by attackers. The effectiveness of BRc4 at avoiding present EDR and AV detection capabilities is alarming. Thus, organizations are suggested to stay protected and subscribe to threat intel sharing for better protection.
Cyware Publisher