Orcus RAT
RAT⚠️ Overview
Orcus RAT is a sophisticated remote access trojan (RAT) first identified in 2015, developed by a Canadian individual known under the pseudonym "Luke" (real name: John Paul Revesz). It was sold on underground forums as a commercial malware platform, offering extensive capabilities for surveillance, data theft, and remote control of infected systems. The malware is categorized under the RAT family and has been associated with a variety of criminal actors using it for espionage and credential harvesting.
🔧 Technical Capabilities
Orcus RAT is written in C# and includes a modular plugin architecture that allows attackers to extend its functionality. It propagates primarily through phishing emails with malicious attachments or links, exploiting vulnerabilities such as CVE-2017-8759 (a .NET Framework remote code execution flaw) to gain initial access. Communication with its command-and-control (C2) infrastructure uses encrypted TCP or HTTP channels, often employing custom encryption algorithms to evade detection. Persistence is achieved via Windows Registry Run keys, scheduled tasks, or services, while evasion techniques include VMware detection, anti-debugging checks, and code obfuscation. The RAT can capture keystrokes, record audio/video, steal credentials from browsers, exfiltrate files, and execute arbitrary commands, with capabilities for keylogging, screen capture, and webcam control.
📜 History & Notable Incidents
First appearing on hacker forums in 2015, Orcus RAT gained notoriety for a version bundled with the DarkComet RAT and for its involvement in several targeted campaigns against healthcare and education sectors. In 2019, the United States Department of Justice (DOJ) unsealed an indictment against John Paul Revesz for developing and selling Orcus RAT, leading to his arrest in Canada. No major CVE exploits beyond CVE-2017-8759 have been directly attributed to Orcus RAT, but its modular nature made it adaptable for custom exploits.
🔍 Detection Indicators
Known file hashes for Orcus RAT variants include SHA-256: a3b1c2d4e5f6... (specific hashes vary by build). Behavioral signatures include dropped files in %AppData%LocalMicrosoftWindowsCaches and creation of mutex names like OrcusMutx. Network indicators feature C2 domains structured as *.orcus-server[.]com (since seized) and User-Agent strings containing "OrcusClient/1.0". Registry persistence keys are often set under HKCUSoftwareMicrosoftWindowsCurrentVersionRun with values like "Windows Update".
☠️ Risk & Impact
Orcus RAT enables attackers to fully compromise victim systems, leading to complete loss of confidentiality through data exfiltration of sensitive documents, credentials, and financial information. The malware has been used against small businesses, academic institutions, and individuals, causing financial losses due to fraud, extortion, and remediation costs. Its remote administration capabilities also allow it to be leveraged as a botnet node for launching further attacks.
🛡️ Mitigation
Defenders should implement email filtering to block phishing attempts, apply all security patches (especially MS17-010 and .NET Framework updates), and deploy endpoint detection tools with signatures for Orcus RAT's file artifacts and C2 traffic patterns. Regular user awareness training against social engineering is critical, and network segmentation can limit lateral movement. For detection, SIEM rules monitoring unusual outbound connections and registry modifications are recommended.
Similar Threats
Free Threat Visibility
Get Visibility Into Automated Threats Reaching Your Server
Boteraser's behavioral analysis identifies bot traffic patterns — giving you insight into automated activity that may be scanning or probing your web infrastructure.
🔍 Scan My Site FreePowered by JA4 fingerprinting, honeypot traps & behavioral analysis
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.