{ "id": "742738f9-1363-46da-9f5b-cfb0f268b802", "created_at": "2026-04-06T00:17:30.861126Z", "updated_at": "2026-04-10T03:23:38.960437Z", "deleted_at": null, "sha1_hash": "0747ba87393029ecf3d07168b991be1098ec3803", "title": "Orcus RAT - Threat Group Cards: A Threat Actor Encyclopedia", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 51499, "plain_text": "Orcus RAT - Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-05 15:53:37 UTC\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool Orcus RAT\n Tool: Orcus RAT\nNames\nOrcus RAT\nOrcus\nSchnorchel\nCategory Malware\nType Backdoor, Keylogger, Credential stealer, Info stealer, DDoS\nDescription\n(Morphisec) In a successful attack, the Orcus RAT can steal browser cookies and\npasswords, launch server stress tests (DDoS attacks), disable the webcam activity light,\nrecord microphone input, spoof file extensions, log keystrokes and more.\nThe Orcus RAT masquerades as a legitimate remote administration tool, although it is\nclear from its features and functionality that it is not and was never intended to be. (Brian\nKrebs published an interesting expose on the man behind the supposed administration\ntool.) Until two weeks ago, it was publicly sold and licensed by a company calling itself\nOrcus Technologies. The project is now closed, according to this “press release” issued,\nand a license-free version available for download, as well as software development tools\nand documentation. Interestingly, the author also claims there is a “kill switch” available\nfor download by security researchers to remotely shut down and lock out any Orcus\ncontrol server that they find are being used for malicious purposes.\nInformation\nMalpedia AlienVault OTX https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=9c969fa3-3382-4713-901d-a864b6c55549\nPage 1 of 2\n\nLast change to this tool card: 15 February 2023\r\nDownload this tool card in JSON format\r\nAll groups using tool Orcus RAT\r\nChanged Name Country Observed\r\nAPT groups\r\n  Pusikurac [Unknown] 2019  \r\n1 group listed (1 APT, 0 other, 0 unknown)\r\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=9c969fa3-3382-4713-901d-a864b6c55549\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=9c969fa3-3382-4713-901d-a864b6c55549\r\nPage 2 of 2", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "references": [ "https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=9c969fa3-3382-4713-901d-a864b6c55549" ], "report_names": [ "listgroups.cgi?u=9c969fa3-3382-4713-901d-a864b6c55549" ], "threat_actors": [ { "id": "aec996de-aa57-4812-87be-5a0db10b616a", "created_at": "2022-10-25T16:07:24.080546Z", "updated_at": "2026-04-10T02:00:04.86164Z", "deleted_at": null, "main_name": "Pusikurac", "aliases": [], "source_name": "ETDA:Pusikurac", "tools": [ "Orcus", "Orcus RAT", "Schnorchel" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775434650, "ts_updated_at": 1775791418, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/0747ba87393029ecf3d07168b991be1098ec3803.pdf", "text": "https://archive.orkl.eu/0747ba87393029ecf3d07168b991be1098ec3803.txt", "img": "https://archive.orkl.eu/0747ba87393029ecf3d07168b991be1098ec3803.jpg" } }