We're gradually updating threat actor names in our reports to align with the new weather-themed taxonomy. Learn about Microsoft threat actor names
Backdoor:Win32/BruteRatel.MA!MTB
Aliases: No associated aliases
Summary
Backdoor:Win32/BruteRatel.MA!MTB is a sophisticated 32-bit command-and-control (C2) framework that threat actors abuse to remotely control compromised Windows devices. Originally a tool for security testing, it's now used for malicious purposes. This backdoor is popular among threat actors for its advanced evasion capabilities. It's designed to identify, avoid, and subvert security software and forensic analysis. Its techniques include detecting monitoring tools, hiding their activity in memory, and using low-level system calls to bypass defenses.
Once active, it performs comprehensive reconnaissance of the infected host, gathering details like usernames, network configurations, and system specifications. It provides attackers with a wide range of control functions, including file and folder management, running and terminating processes, stealing credentials, and executing scripts. It can also escalate privileges and move laterally across a network. BruteRatel has been linked to ransomware campaigns and data theft. Its ability to evade detection makes it a persistent threat, underscoring the need for behavior-based security protections rather than relying solely on traditional signature-based detection.
The “!MTB” suffix refers to Machine Threat Behavior, which indicates that this trojan was detected using behavioral analysis or machine learning models. Instead of relying on a static signature (like a known file hash), the antivirus engine identified the program's actions, sequence of operations, or code patterns as malicious. These patterns are consistent with the known behavior of the BruteRatel family.
- Disconnect the infected device from all networks (both wired and wireless) to sever the command-and-control connection.
- Use your security software to quarantine and remove identified malicious files, such as the initial LNK, side-loaded DLLs, and memory-resident payloads.
- As a last resort, completely wipe the hard drive and reinstall the operating system and applications from a known-clean source. This ensures that any deep-rooted or memory-resident components are eliminated.
Microsoft Defender Antivirus automatically removes threats as they are detected. However, many infections can leave remnant files and system changes. Updating your antimalware definitions and running a full scan might help address these remnant artifacts.
You can also visit our advanced troubleshooting page or search the Microsoft virus and malware community for more help.
