MalwareUsed by 1 actor

BruteRatel C4

Brute Ratel C4 (BRc4) is an adversary simulation and red-teaming framework designed to evade modern security defenses. Although it is a legitimate offensive security tool, the provided reporting states that threat actors have abused it for post-exploitation and command-and-control operations. Microsoft reported tax-themed phishing campaigns observed in early 2025 that attempted to deliver BRc4 and Latrodectus to U.S. targets. In one campaign attributed to the initial access broker Storm-0249, IRS-themed phishing emails used PDF attachments and redirect chains leading to a fake DocuSign page; if filtering conditions were met, a Firebase-hosted JavaScript downloaded an MSI containing BRc4, which then installed Latrodectus. The broader campaigns targeted U.S. users and organizations, including sectors such as engineering, IT, and consulting, and used infrastructure associated with RaccoonO365 phishing-as-a-service. The content also explicitly notes that MalwareBazaar incorrectly classified sample fb91de5a3ce80ac51fded1719dc72c6c71acadc65ada3262e7bc74dac41cd65a as BruteRatel C4; according to the cited analysis, that sample was actually a Delphi self-extracting installer deploying weaponized NQVM/NetSupport Manager tooling, not BRc4.

For your environment

Hunt this family in your stack

Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.

Start free trial

THREAT ACTORS

Groups observed using it

1 distinct threat actor attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.

View more details

Storm-0249

Earlier this April, the Redmond-based company warned of several phishing campaigns leveraging tax-related themes to deploy malware such as Latrodectus, AHKBot, GuLoader, and BruteRatel C4 (BRc4). The phishing pages, it added, were delivered via RaccoonO365, with one such campaign attributed to an initial access broker called Storm-0249.

via the hacker newsthehackernews.com

ACTIVITY FEED

Recent activity

3 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

3 SOURCESView more in app

breakglass intelNews

Mar 12, 2026

Not BruteRatel: MalwareBazaar's Misclassified Sample Is a Weaponized Korean Remote Support Tool With a 727-Export Trojanized GDI32.dll - Breakglass Intelligence - Breakglass Intelligence

Mentioned only as an incorrect classification for the sample; the content explicitly states the sample is not BruteRatel C4.

the hacker newsNews

Sep 17, 2025

RaccoonO365 Phishing Network Dismantled as Microsoft, Cloudflare Take Down 338 Domains

Post-exploitation tool deployed via phishing campaigns delivered through RaccoonO365.

microsoft security blogNews

Apr 3, 2025

Threat actors leverage tax season to deploy tax-themed phishing campaigns | Microsoft Security Blog

Commercial/legitimate red-teaming framework abused by threat actors for post-exploitation and command-and-control; designed to evade/bypass modern defenses.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets match these IOCs, which detections are missing, which campaigns to expect next, and what to do in the next 30 minutes.

Start free trial

IOC matching

Match every observed IP, domain, and hash against your live telemetry.

Threat actor attribution1

Named campaigns wielding this family, with evidence pinned to each claim.

Exploited vulnerabilities

CVEs this family uses for access and lateral movement.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

MITRE ATT&CK mapping

Every documented technique, ranked by evidence weight.

Researcher chatter

Reddit, Mastodon, and CTI community discussion around this family.