Attackers abuse red teaming tool to deploy Brute Ratel

News
By published

Cisco Talos says different groups are abusing the MacroPack framework to deploy malware

Cyber crime and security vector concept showing a laptop, credit card and open padlock.
(Image credit: Shutterstock / Jozsef Bagota)

Hackers are using the MacroPack framework to generate weaponized Microsoft Office documents. These documents, in turn, deploy different malware to their targets, including Blue Ratel, PhantomCore, and Havoc.

This is according to a new report from cybersecurity researchers Cisco Talos. In a detailed analysis published earlier this week, the researchers said they spotted what appear to be multiple threat actor groups abusing MacroPack in their malicious campaigns.

The MacroPack framework is a legitimate tool used to create and manipulate Microsoft Office documents with embedded macros, often used in cybersecurity contexts for penetration testing and red teaming. It allows users to automate the generation of documents that can execute payloads or scripts, which can be exploited by attackers to deliver malicious code.

MacroPack Abuse

As explained in the report, the researchers took multiple files uploaded to the VirusTotal database, and came to the conclusion that at least four different groups are abusing MacroPack. One is from China, Taiwan, and Pakistan, and it was active between May and July this year, distributing Brute Ratel and Havoc. The C2 servers for this campaign were located in Henan, China. One is in Pakistan, impersonating the Pakistan Air Force, and distributing Brute Ratel. One is in Russia, dropping PhantomCore, and the last one is in the US, and was deploying a previously unknown malware labeled mshta.exe.

Brute Ratel is a sophisticated red-teaming and adversary simulation tool designed for offensive cybersecurity professionals. It helps simulate advanced persistent threat (APT) attacks by mimicking real-world tactics, techniques, and procedures (TTPs) used by cyber adversaries. The tool is used to test and improve the defenses of organizations by evaluating their security posture against complex attacks. As such, it is seen as an alternative to Cobalt Strike, another legitimate tool which was abused to the point that antivirus programs started flagging it.

Via BleepingComputer

More from TechRadar Pro

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

Read more
A concept image of someone typing on a computer. A red flashing danger sign is above the keyboard and nymbers and symbols also in glowing red surround it.
Microsoft Teams and other Windows tools hijacked to hack corporate networks
A digital representation of a lock
Security experts are being targeted with fake malware discoveries
A pair of hands using a keyboard
Microsoft SharePoint hijacked to spread Havoc malware
Trojan
Microsoft warns of a devious new RAT malware which can avoid detection with apparent ease
Illustration of a laptop with a magnifying glass exposing a beetle on-screen
Microsoft Outlook targeted by new malware attacks allowing sneaky hijacking
Shutterstock.com / kanlaya wanon
Microsoft Teams abused in Russian email bombing ransomware campaign
Latest in Pro
A person holding out their hand with a digital AI symbol.
AI is booming — but are businesses seeing real impact?
China
Notorious Chinese hackers FamousSparrow allegedly target US financial firms
A digital representation of a lock
NYU website defaced as hacker leaks info on a million students
NHS
NHS IT supplier hit with major fine following ransomware attack
Businessman holding a magnifier and searching for a hacker within a business team.
Cloud streaming hoster StreamElements confirms data breach following attack
A digital representation of blockchain.
Malicious npm packages use devious backdoors to target users
Latest in News
Three angles of the Apple MacBook Air 15-inch M4 laptop above a desk
Apple MacBook Air 15-inch (M4) review roundup – should you buy Apple's new lightweight laptop?
Witchbrook
Witchbrook, the life-sim I've been waiting years for, finally has a release window and it's sooner than you think
Shigeru Miyamoto presents Nintendo Today app
Nintendo Today smartphone app is out now on iOS and Android devices – and here's what it does
Nintendo Virtual Game Card
Nintendo reveals the new Virtual Game Card feature, an easier way to manage your digital Switch games
Nintendo Switch 2
The Nintendo Switch 2 pre-order date has seemingly been confirmed by Best Buy Canada – here's when you'll be able to order yours
Person printing
Microsoft’s latest Windows 11 update exorcises possessed printers that spewed out pages of random characters
More about pro
Businessman holding a magnifier and searching for a hacker within a business team.

Cloud streaming hoster StreamElements confirms data breach following attack
ai distillation

Over-hyped & under pressure: can AI really deliver in financial services?
The cast of Black Mirror season 7

Everything new on Netflix in April 2025 – including Black Mirror season 7 and Love on the Spectrum
See more latest
Most Popular
The cast of Black Mirror season 7
Everything new on Netflix in April 2025 – including Black Mirror season 7 and Love on the Spectrum
Witchbrook
Witchbrook, the life-sim I've been waiting years for, finally has a release window and it's sooner than you think
Businessman holding a magnifier and searching for a hacker within a business team.
Cloud streaming hoster StreamElements confirms data breach following attack
Three angles of the Apple MacBook Air 15-inch M4 laptop above a desk
Apple MacBook Air 15-inch (M4) review roundup – should you buy Apple's new lightweight laptop?
Nintendo Virtual Game Card
Nintendo reveals the new Virtual Game Card feature, an easier way to manage your digital Switch games
Shigeru Miyamoto presents Nintendo Today app
Nintendo Today smartphone app is out now on iOS and Android devices – and here's what it does
A digital representation of blockchain.
Malicious npm packages use devious backdoors to target users
Quordle on a smartphone held in a hand
Quordle hints and answers for Friday, March 28 (game #1159)
NYT Strands homescreen on a mobile phone screen, on a light blue background
NYT Strands hints and answers for Friday, March 28 (game #390)
NYT Connections homescreen on a phone, on a purple background
NYT Connections hints and answers for Friday, March 28 (game #656)