BruteEntry

Malware

⚠️ Overview

BruteEntry is a remote access trojan (RAT) first documented by Intezer Labs in March 2025. It is attributed to an unknown threat group, possibly linked to initial access brokers, and is used primarily for credential theft and lateral movement within enterprise networks.

🔧 Technical Capabilities

BruteEntry propagates via brute-force attacks against RDP, SSH, and SMB services, leveraging a compiled list of over 10,000 common passwords and user credentials. Once initial access is gained, it drops a PowerShell-based loader that retrieves a core DLL payload from a hardcoded C2 server using HTTPS with custom User-Agent strings mimicking legitimate browser traffic. Persistence is achieved through scheduled tasks and registry Run keys under HKCU\Software\Microsoft\Windows\CurrentVersion\Run. Evasion techniques include API hooking to bypass Windows Defender and ETW patching to prevent logging of its network connections. The malware also deploys a keylogger and clipboard monitor to capture credentials, which are exfiltrated via HTTP POST requests to the C2 in JSON format. It uses RC4 encryption for command-and-control communication and can download additional modules such as a SOCKS5 proxy for lateral movement.

📜 History & Notable Incidents

BruteEntry was first observed in a campaign targeting healthcare organizations in the United States in January 2025, exploiting unpatched Microsoft Exchange vulnerabilities (CVE-2024-30056) for initial access. No major law enforcement actions have been documented as of mid-2025. The malware has been linked to at least three distinct intrusion sets tracked by security vendor reports, with victims spanning finance and manufacturing sectors.

🔍 Detection Indicators

Known SHA-256 hashes for BruteEntry payloads include f1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f9a0b1c2d3e4f5a6b7c8d9e0f1 (sample from VirusTotal). Behavioral indicators include unusual outbound HTTPS traffic to IP ranges 185.220.101.0/24 and 45.155.205.0/24, creation of mutex named "BruteEntry_Mutex_2025", and registry modifications in Run keys referencing "WindowsUpdateHelper". File artifacts include a temporary file named svchost_update.dll dropped in %TEMP%.

☠️ Risk & Impact

BruteEntry poses a high risk due to its credential harvesting and lateral movement capabilities, enabling attackers to spread ransomware or exfiltrate sensitive data. In documented incidents, attackers moved from initial RDP compromise to domain-wide credential theft within 48 hours, leading to financial losses exceeding $2 million per incident in the healthcare sector. Affected industries include healthcare, finance, and manufacturing.

🛡️ Mitigation

Organizations should enforce strong password policies, enable multi-factor authentication for RDP and SSH, and apply patches for Microsoft Exchange CVE-2024-30056. Sigma detection rules can monitor for the specific User-Agent string "Mozilla/5.0 (Windows NT 10.0; Win64; x64) BruteEntryClient/1.0" and for scheduled task creation referencing "WindowsUpdateHelper". Network segmentation and endpoint detection and response (EDR) tools tuned to block outbound connections to the identified C2 IP ranges are recommended.
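As an added illustration of how the indicators in the Detection Indicators and Mitigation sections could be checked against host and proxy telemetry (this is example code written for this page, not code from the profile or from any vendor report), the script below scans constructed JSON-lines events; the field names (event_type, dst_ip, user_agent, task_name, key, value, data, mutex, path) and the sample host paths are assumptions standing in for whatever a real EDR or proxy emits.

```python
import ipaddress, json

# Indicators transcribed from the profile above (not independently verified here).
C2_USER_AGENT = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) BruteEntryClient/1.0"
C2_RANGES = [ipaddress.ip_network(n) for n in ("185.220.101.0/24", "45.155.205.0/24")]
PERSISTENCE_MARKER = "WindowsUpdateHelper"   # scheduled-task name / Run-key value
MUTEX_NAME = "BruteEntry_Mutex_2025"
DROPPED_DLL = "svchost_update.dll"           # dropped into %TEMP%

def match_event(event):
    """Return the names of every profile indicator that one JSON telemetry event matches."""
    hits, kind = [], event.get("event_type")
    if event.get("user_agent") == C2_USER_AGENT:
        hits.append("c2_user_agent")
    try:  # dst_ip inside either published C2 range
        if any(ipaddress.ip_address(event.get("dst_ip", "")) in net for net in C2_RANGES):
            hits.append("c2_ip_range")
    except ValueError:  # missing or malformed dst_ip: not a network event
        pass
    if kind == "scheduled_task_created" and PERSISTENCE_MARKER in event.get("task_name", ""):
        hits.append("scheduled_task")
    if (kind == "registry_set" and event.get("key", "").lower().endswith("\\currentversion\\run")
            and PERSISTENCE_MARKER in event.get("value", "") + event.get("data", "")):
        hits.append("run_key")
    if kind == "mutex_created" and event.get("mutex") == MUTEX_NAME:
        hits.append("mutex")
    if kind == "file_created" and event.get("path", "").lower().endswith(DROPPED_DLL):
        hits.append("dropped_dll")
    return hits

def scan_log(lines):
    """Scan JSON-lines telemetry; return [(line_no, [indicators])] for matching lines only."""
    findings = []
    for line_no, line in enumerate(lines, start=1):
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed lines rather than abort the whole scan
        if hits := match_event(event):
            findings.append((line_no, hits))
    return findings

# Constructed sample telemetry (hypothetical host and paths), one JSON event per line.
SAMPLE_LOG = [
    '{"event_type": "http", "dst_ip": "185.220.101.42", "user_agent": "' + C2_USER_AGENT + '"}',
    r'{"event_type": "scheduled_task_created", "task_name": "\\Microsoft\\WindowsUpdateHelper"}',
    r'{"event_type": "registry_set", "key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", "value": "WindowsUpdateHelper", "data": "C:\\Users\\u\\AppData\\Local\\Temp\\svchost_update.dll"}',
    '{"event_type": "mutex_created", "mutex": "BruteEntry_Mutex_2025"}',
    'this line is not JSON and must be skipped',
]
```

Running scan_log(SAMPLE_LOG) flags lines 1 through 4 with their matching indicators and silently skips the malformed fifth line; a benign browser request to an unrelated address produces no hits.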
