Analysis of internal Black Basta chat logs that had leaked online in February 2025 revealed the existence of this malicious framework. BRUTED simplifies the initial access to networks for hackers and makes it possible to scale ransomware attacks on vulnerable endpoints. According to experts, Black Basta has been using BRUTED since 2023 to deliver massive credential-stuffing and brute-forcing attacks.
Source code analysis showed that the framework is specially designed to brute-force credentials in the following products: SonicWall NetExtender, Palo Alto GlobalProtect, Cisco AnyConnect, Fortinet SSL VPN, Citrix NetScaler (Citrix Gateway), Microsoft RDWeb (Remote Desktop Web Access), and WatchGuard SSL VPN.
The framework discovers publicly accessible edge network devices that match its target list by enumerating subdomains, resolving IP addresses, and adding prefixes like vpn and remote. Information about matches is transmitted to the remote command-and-control server.
After identifying potential targets, the frameworks gathers password candidates from a remote server, combines them with locally generated guesses, and performs bulk authentication attempts using multiple CPU processes. Special query headers and tailored user-agent strings are used for each target device.
To generate additional password guesses, BRUTED extracts common names (CN) and Subject Alternative Names (SAN) from a target’s SSL certificate getCertDomainsList().
To avoid detection, the framework uses multiples SOCKS5 proxies (all from the domain fuck-you-usa[.]) while performing high volume of brute-forcing requests. Its three servers are registered under Proton66 (AS 198953) and located in Russia.
Experts believe that tools like BRUTED make ransomware easier to operate; as a result, hackers infiltrate multiple networks with minimal effort, which accelerates monetization.
The key protection strategy against such threats involves strong and unique passwords for all edge devices and VPN accounts, as well as multifactor authentication (MFA) that blocks access even in situations when the credentials were compromised.
2025.04.25 — Asus patches vulnerability in AMI's MegaRAC enabling attackers to brick servers
Asus released patches for the CVE-2024-54085 vulnerability that allows attackers to seize and disable servers. The security hole affects the American Megatrends International (AMI) MegaRAC Baseboard Management…
Full article →
2025.03.07 — YouTube warns of scam video featuring its CEO
According to YouTube, scammers use an AI-generated video of the company's CEO in phishing attacks to steal user credentials. The scammers attack content creators by sending them…
Full article →
2025.04.22 — Scammers pose as FBI IC3 specialists, offer 'assistance' to fraud victims
According to the FBI, scammers impersonating employees of the FBI Internet Fraud Complaint Center (IC3) contact fraud victims offering them 'assistance' in getting their money…
Full article →
2025.04.15 — Hackers exploit authentication bypass bug in OttoKit WordPress plugin
Hackers exploit an authentication bypass vulnerability in the OttoKit (formerly SureTriggers) WordPress plugin used by more than 100,000 websites. First attacks were recorded just…
Full article →
2025.02.14 — 12,000 Kerio Control firewalls remain vulnerable to RCE
Security experts report that more than 12,000 GFI Kerio Control firewall instances remain vulnerable to the critical RCE vulnerability CVE-2024-52875, which was fixed…
Full article →
2025.02.07 — 768 vulnerabilities were exploited by hackers in 2024
According to VulnCheck, 768 CVEs were registered as exploited in real-life attacks in 2024. This is 20% greater compared to 2023 when hackers exploited 639 vulnerabilities. Interestingly,…
Full article →
2025.02.23 — New JavaScript obfuscation technique uses invisible Unicode characters
According to Juniper Threat Labs , a new JavaScript obfuscation technique that uses invisible Unicode characters was used in a phishing attack targeting Political Action…
Full article →
2025.02.20 — Newly-discovered vulnerabilities in OpenSSH open the door to MiTM and DoS attacks
OpenSSH fixed two vulnerabilities that could result in MiTM and denial of service (DoS) attacks. Interestingly, one of these bugs appeared in the code more than 10…
Full article →
2025.02.17 — Dutch police seize 127 servers belonging to Zservers hosting provider
Following the introduction of international sanctions against Zservers, Russian 'bulletproof' hosting services provider, the Dutch National Police (Politie) shut down and seized 127 servers belonging to Zservers/XHost.…
Full article →
2025.02.09 — Abandoned AWS S3 buckets could be used in attacks targeting supply chains
watchTowr discovered plenty of abandoned Amazon S3 buckets that could be used by attackers to deliver malware and backdoors to government agencies and large corporations. The researchers discovered…
Full article →