Novel threat simulation tool increasingly exploited by hackers

BleepingComputer reports that a growing number of ransomware groups and hacking operations have been using the Brute Ratel threat simulation tool in place of Cobalt Strike to conceal their attacks from antivirus and endpoint detection and response systems. According to a report from Palo Alto Networks' Unit 42 threat intelligence unit, nearly all security products failed to flag Brute Ratel, or BRc4, as malicious in the wild. The Russian state-backed hacking operation APT29, also known as CozyBear or Dukes, is suspected of being behind attacks that leverage Brute Ratel by distributing malicious ISOs containing a file posing as a résumé, which loads Brute Ratel to give the attackers remote device access and command execution. Brute Ratel developer Chetan Nayak, formerly a red teamer at CrowdStrike and Mandiant, noted that the attackers behind the new campaign obtained their software license from a leak by an aggrieved employee, while AdvIntel CEO Vitali Kremez said that former Conti ransomware members have been setting up phony U.S. companies to secure software licenses. "The criminals behind the former Conti ransomware operations explored multiple penetration testing kits beyond usage of Cobalt Strike... To get access to the Brute Ratel licenses, the threat actors create fake US companies which are used as part of the verification process," added Kremez.