Brute Ratel C4 Blogs

Keep yourself updated with the latest tactics and techniques using Brute Ratel C4.

  • Release v2.0 - Everything Everywhere All At Once

    Release

    Brute Ratel v2.0 [codename Metamorphosis] is now available for download. This release introduces significant changes compared to previous versions, so it’s strongly recommended to review this blog, the private videos, and the documentation before using it. The Badger component has undergone extensive rewrites, featuring major updates in evasion tactics and new functionalities. The server has been optimized for speed and efficiency, with significant improvements to the licensing algorithm, ensuring each license is linked to a specific host to prevent misuse. However, the license can still be transfered from one host to another while deactivating the previous one. Additionally, several minor updates have been made to the Commander, which operators will notice during operation.

  • Release v1.9 - Eclipse

    Release

    Brute Ratel v1.9 [codename Eclipse] is now available for download. This update includes enhancements in evasion techniques, anti-debugging measures, and new encryption keying methods for the core, along with an update to the licensing algorithm. Please note that the Ratel server, Commander, and previous versions of badgers are not compatible with v1.8 or older releases due to significant changes in the core architecture.

  • Release v1.8 - Mirage - Evading Every EDR On The Planet Part 2

    Release

    Brute Ratel v1.8 [codename Mirage] is now available for download. This release provides a heavy update towards evasion and other feature requests by the community. Customers using v1.7 release should note that the Badgers of v1.7 will not support v1.8. Do not upgrade to this release if you are in an active engagement. Release notes have been disabled from here on out as we’ve noticed that it helps various security solutions to build detection capabilities on them. All blog updates/documentation will only contain minimalistic information on the internals starting from this release. Customers wanting further information can reach out to us on the dedicated email or discord support channel.

  • Release v1.7 - Pandemonium

    Release

    Brute Ratel v1.7 [codename Pandemonium] is now available for download. This release is an entire overhaul of the Badger, Ratel Server and Commander to provide support for Yara evasions and Apple Silicon. Customers using v1.6 release should note that the Badger, Ratel server and Commander of v1.6 will not support v1.7. Do not upgrade to this release if you are in an active engagement. Operators should read this blog or the release notes section to understand the changes before upgrading. A quick summary of changes can be found in the release notes.

  • Release v1.6 - Reboot

    Release

    Brute Ratel v1.6 codename Reboot is now available for download. This release brings in several updates to existing evasion techniques, support for Windows Commander, Hi-DPI scaling and various heavy user experience updates (QOL) requested by the BRc4 community. A quick summary of the changes can be found in the release notes.

  • Release v1.5 (Nightmare) - Ghosts From The Past

    Release

    Brute Ratel v1.5 codename Nightmare is now available for download. This release brings in new evasion techniques and user experience updates (QOL) requested by the BRc4 community. A quick summary of the changes can be found in the release notes. This release also brings several changes to the licensing server which now provides support for backward compatibility. More on this at the end of the blog.

  • Release v1.4 (Blitzkrieg) - Reflection In a Nut Shell

    Release

    Brute Ratel v1.4 codename Blitzkrieg is now available for download. This release brings in a few new features, updates to EtwTI evasion techniques, and user experience (QOL) requested by the BRc4 community. A quick summary of the changes can be found in the release notes.

  • Release v1.3 (Resurgence) - No Strings Attached

    Release

    Brute Ratel v1.3 codename Resurgence is now available for download. This release brings in various changes to evasion techniques, improvements to Badger, user experience (QOL) and several features requested by the BRc4 community. Since this is a major release, I’ve divided the blog into various segments which can be directly accessed with the links below. A quick summary of the changes can be found in the release notes.

  • Evasion Updates v1.2.3 - Scandinavian Defense

    Release

    This release is a minor update under v1.2.3 release tag towards the core of the badger along with some bug fixes, UI overhaul and improvements to the QOL of the badger/server and the UI. Most of the previous releases were focused on adding evasions to the badger. However, one of the important things that was left out was updates to the UI. This update brings in various changes to the UI along with a Material theme. The below images showcase the updates made to the user interface. Along with the UI updates, the user interface now also allows to spawn a standalone instance of the badger’s terminal from the UI detached from the main GUI. A quick summary of the changes can be found in the release notes.

  • Release v1.2 - Scandinavian Defense - Evading Every EDR On The Planet

    Release

    Brute Ratel v1.2 codename Scandinavian Defense is now available for download. The main highlight of this release is memory evasion and support for bringing in your own injection techniques via COFF. This release brings major improvements to the badger’s core, both staged and stageless thereby avoiding every EDR trap in memory. This release was tested against 17 different EDRs and Antiviruses prior to the release to detect and bypass all possible traps into memory. There are several major changes made to the sleep masking and dot net evasion techniques following the detection blog from MdSec on suspicious stack threads and dotnet execution detections. A quick summary of the changes can be found in the release notes. The below image shows some of the top tier EDRs which were tested against these techniques and evaded successfully in their highest prevention mode.

  • Release v1.1 - Stoffel's Escape

    Release

    Brute Ratel v1.1 codename Stoffel’s Escape is now available for download. This release brings several new feature additions and improvements to the Badger, Ratel Server and Commander, including a complete re-write of the badger’s core to avoid some subtle detection techniques following the Palo Alto blog. A quick summary of the changes can be found in the release notes. The release name (Stoffel’s Escape) gives subtle hints foreshadowing the nature of this release. This release could not have been better without the support from the blue team community. As BRc4 initially started as a personal project two years back, there were still some remnants of IOCs that needed to be changed. Palo Alto’s reversing blog came in as a surprise, but it only helped to rebuild the payload and optimize it in a certain way to avoid as many IOCs as possible. This release was focused to overcome all the IOCs listed in public or private blogs, conferences and github detections, till date, about Badger and change them to avoid attribution and detection.

  • Release v1.0 - Sicilian Defense

    Release

    Brute Ratel v1.0 codename Sicilian Defense is now available for download. This release brings several new feature additions and improvements to the Badger and Commander. The release is focused towards the Egress comms of the badger. There will be a follow up blog, post the release which will showcase the external C2 capabilities. A quick summary of the changes can be found in the release notes.

  • Release v0.9 - Checkmate

    Release

    Brute Ratel v0.9.0 (Checkmate) is biggest release for Brute Ratel till date. This release brings major changes to the Brute Ratel’s loader, reflective DLL, shellcode and the internal APIs being called. As detailed in the previous version, where several syscall injection techniques were added for evasion, but they were limited to the reflective DLL’s loader of BRc4 and the VEH (Vectored Exception Handler) API of Windows. This version uses an updated version of Syscalls for almost everything except a few of those which I was pretty sure would never be hooked since they are too noisy. This release was built after reverse engineering several top tier EDR and Antivirus DLLs. A quick summary of the changes can be found in the release notes.

  • Release v0.8 - Warfare Tactics

    Release

    Brute Ratel v0.8.0 (Warfare Tactics) is now available for download and provides a major update towards in-memory and network evasion features. This release bring plethora of new capabilities which provide a gateway for in-memory evasion features like self-debugging, unhooking syscalls and hooking your own payload for monitoring via Process Instrumentation. I have listed the technical details of the release below, however a detailed list on the features and bug fixes can be found in the release notes.

  • Release v0.7 - The Pain of Tsukuyomi

    Release

    Brute Ratel v0.7.0 (Tsukuyomi) is now available for download and provides a major update towards in-memory evasion and addition of open source tooling. This release also contains addition and conversion of several public BOFs to internal functions of Brute Ratel so that users won’t have to depend on public BOFs which might not necessarily be stable. This also helps to avoid VirtualAlloc API call for BOF allocation altogether which is an added cherry on the top. I have listed the technical details of the release below, however a detailed list on the features and bug fixes can be found in the release notes.

  • Release v0.6 - Resurrection

    Release

    Brute Ratel v0.6.0 (Resurrection) is now available for download and provides a major update towards the x86 architecture support and various in-memory execution features. This release contains a major rewrite of a portion of the backend which provides better stability, at the same time allowing to make feature additions easier for future releases. I have listed the technical details of the release below, however a detailed list on the features and bug fixes can be found in the release notes.

  • Release v0.5 - Syndicate

    Release

    Brute Ratel v0.5.0 (Syndicate) is now available for download and provides a major update towards several features and the user interface of Brute Ratel. Commander comes with a new user interface providing a much more granular information on the metadata of the C4 features which can be seen in the figure below.

  • Update v0.4.2 - Chaos Theory

    Release

    This is a minor update to Brute Ratel C4 v0.4.1 (Chaos Theory) which was released a few days back. This update brings a minor feature release and a few UI bug fixes on Commander. The next major release will be focusing on Credential Harvesting. So, I decided to add the process mitigation policy feature as a minor update along with some bug fixes before I move to the next major release.

  • Release v0.4.1 - Chaos Theory

    Release

    Brute Ratel C4 v0.4.1 (Chaos Theory) is now available for download and provides a major update towards process injection, memory allocation, thread execution and Adversary Simulations. Multiple other commands for discovery and lateral movement and graphical changes for ease of use have also been added to the Badger and the Commander UI.

  • Release v0.3 - Pivots, Rotations and Payloads

    Release

    Brute Ratel C4 v0.3 (Vendetta) is now available for download and provides a major update towards lateral movement and payload generation capabilities. We have officially started providing trial licenses of 7 days now which wasn’t possible earlier due to the way the licensing system was programmed.

  • Release v0.2 - Big Things Have Small Beginnings

    Release

    Brute Ratel C4 v0.2 (Prometheus) is now available for download and provides a major update towards process injections and adversary simulations. Along with this release, we have started providing access to an Active Directory trial lab to test the features of injection and pivoting of BRC4 over the test environment.