Attackers abuse red teaming tool to deploy Brute Ratel

Hackers are using the MacroPack framework to generate weaponized Microsoft Office documents. These documents, in turn, deploy different malware to their targets, including Blue Ratel, PhantomCore, and Havoc.

This is according to a new report from cybersecurity researchers Cisco Talos. In a detailed analysis published earlier this week, the researchers said they spotted what appear to be multiple threat actor groups abusing MacroPack in their malicious campaigns.

The MacroPack framework is a legitimate tool used to create and manipulate Microsoft Office documents with embedded macros, often used in cybersecurity contexts for penetration testing and red teaming. It allows users to automate the generation of documents that can execute payloads or scripts, which can be exploited by attackers to deliver malicious code.

MacroPack Abuse

As explained in the report, the researchers took multiple files uploaded to the VirusTotal database, and came to the conclusion that at least four different groups are abusing MacroPack. One is from China, Taiwan, and Pakistan, and it was active between May and July this year, distributing Brute Ratel and Havoc. The C2 servers for this campaign were located in Henan, China. One is in Pakistan, impersonating the Pakistan Air Force, and distributing Brute Ratel. One is in Russia, dropping PhantomCore, and the last one is in the US, and was deploying a previously unknown malware labeled mshta.exe.

Brute Ratel is a sophisticated red-teaming and adversary simulation tool designed for offensive cybersecurity professionals. It helps simulate advanced persistent threat (APT) attacks by mimicking real-world tactics, techniques, and procedures (TTPs) used by cyber adversaries. The tool is used to test and improve the defenses of organizations by evaluating their security posture against complex attacks. As such, it is seen as an alternative to Cobalt Strike, another legitimate tool which was abused to the point that antivirus programs started flagging it.

Via BleepingComputer

More from TechRadar Pro

Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!

https://cdn.mos.cms.futurecdn.net/gkkHx9xfhrqWbW7aqS47UZ-1200-80.jpg

Source link

Celebrate Apple’s 50th birthday with these deals on watches and AirPods

ChatGPT comes to Apple CarPlay but only if you are willing to talk to a robot

7 new horror movies on Netflix, Shudder, HBO Max, and more in April 2026

7 new horror movies on Netflix, Shudder, HBO Max, and more in April 2026

Ex-Israeli Intelligence Official: Shockwaves of Trump’s “Take Over Gaza” Heard, Felt Across Region

What UK political parties are promising in the 2019 general election

Otto Warmbier’s parents want North Korea to suffer for their son’s death

Could a ‘youthquake’ cause Boris Johnson to lose the general election?

Moon Movies to Watch After the Artemis 2 Launch

An Inspired Journey in Airbnb Wealth Creation – Hollywood Life

Lili Reinhart Says Male Director Told Her “Suck In Your Stomach”

What the Cameras Didn’t See (Exclusive)

NASA launches four astronauts on world’s first crewed lunar mission in half a century

US judge says border officials violated her previous order on warrantless arrests

Takeaways from Trump’s speech on Iran

US preparing 100% pharmaceutical tariffs- FT

The YouTuber who has become one of Gen Z’s most beloved celebrities

26 last-minute holiday gifts that are still thoughtful and unique

Practicing gratitude regularly can make you less stressed and sleep better

8 things millennials wish you would just stop getting them for the holidays

Attackers abuse red teaming tool to deploy Brute Ratel

Moon Movies to Watch After the Artemis 2 Launch

NASA launches four astronauts on world’s first crewed lunar mission in half a century

An Inspired Journey in Airbnb Wealth Creation – Hollywood Life

US judge says border officials violated her previous order on warrantless arrests