🌟New report out today!🌟

From a Single Click: How Lunar Spider Enabled a Near Two-Month Intrusion

➡️ Fake tax form JS (Lunar Spider) → Brute Ratel
➡️ Latrodectus → Cobalt Strike → BackConnect → .NET backdoor
➡️ Cred theft: LSASS, browsers, plaintext DA creds
➡️ Rclone exfil 20 days in
➡️ Nearly 2 months of C2 before eviction — no ransomware, just deep persistence.

Report: https://thedfirreport.com/2025/09/29/from-a-single-click-how-lunar-spider-enabled-a-near-two-month-intrusion

#DFIR #ThreatIntel #BruteRatel #CobaltStrike #IncidentResponse #DFIR

VirusTotal

Finally we also witnessed in the wild one of those #ClearFake / #ClickFix baits delivered by email, as reported by Proofpoint in June, ending with a #brutel / #Latrodectus / #BruteRatel payload https://www.proofpoint.com/au/blog/threat-insight/clipboard-compromise-powershell-self-pwn
From Clipboard to Compromise: A PowerShell Self-Pwn | Proofpoint AU

Key findings  Proofpoint researchers identified an increasingly popular technique leveraging unique social engineering to run PowerShell and install malware. Researchers observed TA571 and the Clea...

Proofpoint
Latrodectus dropped by BR4 🕷️

This article details the last campaign involving Latrodectus malware that is dropped by BruteRatel, some YARA and hunting pivot are also provided.

Latrodectus Affiliate Resumes Operations Using Brute Ratel C4 Post Operation Endgame
#Latrodectus #BruteRatel
https://blog.reveng.ai/latrodectus-distribution-via-brc4/

In the part two blog, Rapid7 provides a technical analysis of the typosquatted malvertising, PowerShell scripts, RAR contents, and the IDAT Loader. IOC provided. 🔗 https://www.rapid7.com/blog/post/2024/04/10/stories-from-the-soc-part-2-msix-installer-utilizes-telegram-bot-to-execute-idat-loader/

#threatintel #IDATLoader #BruteRatel #malvertising #IOC

Stories from the SOC Part 2: MSIX Installer Utilizes Telegram Bot to Execute IDAT Loader | Rapid7 Blog

In part one of our blog series, we discussed how a Rust based application was used to download and execute the IDAT Loader. In part two of this series, we will be providing analysis of how an MSIX installer led to the download and execution of the IDAT Loader.

Rapid7

Rapid7 published a blog post (first of a two-part blog series) on a case study of IDAT Loader malware being distributed via a FakeUpdates campaign. The final payload is a Brute Ratel C4 badger. Rapid7 describes the attack chain, provides a technical analysis of the IDAT Loader, and provides IOC, MITRE ATT&CK TTPs and known sandbox usernames and analysis tools 🔗 https://www.rapid7.com/blog/post/2024/03/28/stories-from-the-soc-part-1-idat-loader-to-bruteratel/

#threatintel #IDATLoader #BruteRatel #badger #IOC

Stories from the SoC Part 1: IDAT Loader to BruteRatel | Rapid7 Blog

Rapid7’s Managed Detection and Response (MDR) team continuously monitors our customers' environments, identifying emerging threats and developing new detections.

Rapid7
The units "ngrams" and "bruteforce" can be used to do rudimentary brute forcing. The latter is a #FlareOn10 product, but the former came about when I was too lazy to find the 8-byte RC4 key for a #BruteRatel badger config in a memdump. Trying all 8-grams is surprisingly feasible!
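The "try every 8-gram of the dump as the key" idea from the post above, as an added example that is not the poster's tooling and not the binary refinery units mentioned: it slides a key-length window over a memory dump, RC4-decrypts the head of the encrypted blob with each candidate, and keeps the first candidate whose output looks like text. The memory dump, the key and the config string are constructed fixtures; the printable-ratio heuristic stands in for whatever marker a real config format would offer, and `key_len` is a parameter so the same loop works for other key sizes than the 8 bytes in the post.

```python
"""Recover an n-byte RC4 key from a memory dump by trying every n-gram as the key."""
import random


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Encryption and decryption are the same operation."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def printable_ratio(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII or common whitespace."""
    if not data:
        return 0.0
    ok = sum(1 for b in data if 0x20 <= b <= 0x7E or b in (0x09, 0x0A, 0x0D))
    return ok / len(data)


def bruteforce_rc4_key(memdump: bytes, blob: bytes, key_len: int = 8,
                       sample: int = 48, threshold: float = 0.9):
    """Try every key_len-byte window of memdump as an RC4 key against the first
    `sample` bytes of blob. Returns (offset, key, full_plaintext) for the first
    window whose decryption is mostly printable, or None if nothing matches.
    Only the head of the blob is decrypted per candidate, so the cost is roughly
    len(memdump) * sample byte operations, which is feasible for a process dump."""
    tried = set()          # identical windows need only be tested once
    head = blob[:sample]
    for off in range(len(memdump) - key_len + 1):
        key = memdump[off:off + key_len]
        if key in tried:
            continue
        tried.add(key)
        if printable_ratio(rc4(key, head)) >= threshold:
            return off, key, rc4(key, blob)
    return None


def build_sample_dump(seed: int = 1337):
    """Constructed fixture (not a real Brute Ratel dump): 4 KiB of random bytes,
    then the 8-byte key, then 2 KiB more noise; the config is returned separately
    as the RC4 ciphertext an analyst would have carved from the same process."""
    rng = random.Random(seed)
    key = bytes(rng.randrange(256) for _ in range(8))
    config = b"host=c2.example.invalid;port=443;sleep=60;jitter=20;ua=Mozilla/5.0 (constructed)"
    blob = rc4(key, config)
    noise = lambda n: bytes(rng.randrange(256) for _ in range(n))
    dump = noise(4096) + key + noise(2048)
    return dump, blob, key, config


if __name__ == "__main__":
    dump, blob, key, config = build_sample_dump()
    hit = bruteforce_rc4_key(dump, blob)
    if hit is None:
        print("no candidate key produced readable output")
    else:
        off, found, plain = hit
        print(f"key {found.hex()} found at dump offset 0x{off:x}")
        print(plain.decode("ascii", "replace"))
```

The dedup set matters on real dumps, where long runs of zeros or repeated structures would otherwise be retried thousands of times; the printable threshold is deliberately high because a random 8-byte key decrypting 48 bytes to 90% printable text is vanishingly unlikely, so a hit is a strong signal even without a format-specific marker.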

[Threatview.io] ⚡🌀 Our proactive hunter C2 scan telemetry indicates 13.82.141[.]216 hosting #BruteRatel C2 on port 443 since at least 07 July 2022 to date.

🏆The oldest #BruteRatel we have

🗓️11 Months 🤯

#ThreatIntel
#Malware
#CTI
#DFIR
#cybersecurity

Interesting analysis of Brute Ratel C2

https://protectedmo.de/brute.html

#infosec #c2 #bruteratel

Brute Ratel analysis