{
	"id": "8ab22359-addc-4e06-8abe-b0505b0b0033",
	"created_at": "2026-04-06T00:12:17.846476Z",
	"updated_at": "2026-04-10T03:30:57.347696Z",
	"deleted_at": null,
	"sha1_hash": "17669d09beef147eebd67db169dcf80a4eed8e35",
	"title": "Canadian Police Raid ‘Orcus RAT’ Author",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 142519,
	"plain_text": "Canadian Police Raid ‘Orcus RAT’ Author\r\nPublished: 2019-04-02 · Archived: 2026-04-05 20:38:56 UTC\r\nCanadian police last week raided the residence of a Toronto software developer behind “Orcus RAT,” a product\r\nthat’s been marketed on underground forums and used in countless malware attacks since its creation in 2015. Its\r\nauthor maintains Orcus is a legitimate Remote Administration Tool that is merely being abused, but security\r\nexperts say it includes multiple features more typically seen in malware known as a Remote Access Trojan.\r\nAn advertisement for Orcus RAT.\r\nAs first detailed by KrebsOnSecurity in July 2016, Orcus is the brainchild of John “Armada” Revesz, a Toronto\r\nresident who until recently maintained and sold the RAT under the company name Orcus Technologies.\r\nIn an “official press release” posted to pastebin.com on Mar. 31, 2019, Revesz said his company recently was the\r\nsubject of an international search warrant executed jointly by the Royal Canadian Mounted Police (RCMP) and\r\nthe Canadian Radio-television and Telecommunications Commission (CRTC).\r\n“In this process authorities seized numerous backup hard drives [containing] a large portion of Orcus\r\nTechnologies business, and practices,” Revesz wrote. “Data inclusive on these drives include but are not limited\r\nto: User information inclusive of user names, real names, financial transactions, and further. The arrests and\r\nsearches expand to an international investigation at this point, including countries as America, Germany, Australia,\r\nCanada and potentially more.”\r\nReached via email, Revesz declined to say whether he was arrested in connection with the search warrant, a copy\r\nof which he shared with KrebsOnSecurity. 
In response to an inquiry from this office, the RCMP stopped short of\r\nnaming names, but said “we can confirm that our National Division Cybercrime Investigative Team did execute a\r\nsearch warrant at a Toronto location last week.”\r\nThe RCMP said the raid was an international coordinated effort with the Federal Bureau of Investigation\r\nand the Australian Federal Police, carried out as part of “a series of ongoing, parallel investigations into Remote Access\r\nTrojan (RAT) technology. This type of malicious software (malware) enables remote access to Canadian\r\ncomputers, without their users’ consent and can lead to the subsequent installation of other malware and theft of\r\npersonal information.”\r\nhttps://krebsonsecurity.com/2019/04/canadian-police-raid-orcus-rat-author/\r\nPage 1 of 4\r\n“The CRTC executed a warrant under Canada’s Anti-Spam Legislation (CASL) and the RCMP National Division\r\nexecuted a search warrant under the Criminal Code respectively,” reads a statement published last week by the\r\nCanadian government. “Tips from international private cyber security firms triggered the investigation.”\r\nRevesz maintains his software was designed for legitimate use only and for system administrators seeking more\r\npowerful, full-featured ways to remotely manage multiple PCs around the globe. 
He’s also said he’s not\r\nresponsible for how licensed customers use his products, and that he actively kills software licenses for customers\r\nfound to be using it for online fraud.\r\nYet the list of features and plugins advertised for this RAT includes functionality that goes significantly beyond\r\nwhat one might see in a traditional remote administration tool, such as DDoS-for-hire capabilities, and the ability\r\nto disable the light indicator on webcams so as not to alert the target that the RAT is active.\r\n“It can also implement a watchdog that restarts the server component or even trigger a Blue Screen of Death\r\n(BSOD) if someone tries to kill its process,” wrote researchers at security firm Fortinet in a Dec. 2017 analysis\r\nof the RAT. “This makes it harder for targets to remove it from their systems. These are, of course, on top of the\r\nobviously ominous features such as password retrieval and key logging that are normally seen in Remote Access\r\nTrojans.”\r\nAs KrebsOnSecurity noted in 2016, in conjunction with his RAT Revesz also sold and marketed a bulletproof\r\n“dynamic DNS service” that promised not to keep any records of customer activity.\r\nRevesz appears to have a flair for the dramatic, and has periodically emailed this author over the years.\r\nSometimes, the missives were taunting, or vaguely ominous and threatening. Like the time he reached out to say\r\nhe was hiring a private investigator to find and track me. Still other unbidden communications from Revesz were\r\nfriendly, even helpful with timely news tips.\r\nAccording to Revesz himself, he is no stranger to the Canadian legal system. In June 2018, Revesz shared court\r\ndocuments indicating he has been involved in multiple physical assault charges since 2007, including “7 domestic\r\ndisputes between partners as well as incidents with his parents.”\r\n“I am not your A-typical computer geek, Brian,” he wrote in a 2018 email. 
“I tend to have a violent nature, and\r\nhave both Martial arts and Military training. So, I suppose it is really good that I took your article with a grain of\r\nsalt instead of actually really getting upset.”\r\nThe sale and marketing of remote administration tools is not illegal in the United States, and indeed there are\r\nplenty of such tools sold by legitimate companies to help computer experts remotely administer computers.\r\nHowever, these tools tend to be viewed by prosecutors as malware and spyware when their proprietors advertise\r\nthem as hacking devices and provide customer support aimed at helping buyers deploy the RATs stealthily and\r\nevade detection by anti-malware programs.\r\nLast year, a 21-year-old Kentucky man pleaded guilty to authoring and distributing a popular hacking tool called\r\n“LuminosityLink,” which experts say was used by thousands of customers to gain access to tens of thousands of\r\ncomputers across 78 countries worldwide.\r\nAlso in 2018, 27-year-old Arkansas resident Taylor Huddleston was sentenced to three years in jail for making\r\nand selling the “NanoCore RAT,” which was being used to spy on webcams and steal passwords from systems\r\nrunning the software.\r\nIn many previous law enforcement investigations targeting RAT developers and sellers, investigators also have\r\ntargeted customers of these products. In 2014, the U.S. 
Justice Department announced a series of actions against\r\nmore than 100 people accused of purchasing and using “Blackshades,” a cheap and powerful RAT that the U.S.\r\ngovernment said was used to infect more than a half million computers worldwide.\r\nEarlier this year, Revesz posted on Twitter that he was making the source code for Orcus RAT publicly available,\r\nand focusing his attention on developing a new and improved RAT product.\r\nMeanwhile on Hackforums[.]net — the forum where Orcus was principally advertised and sold — members and\r\ncustomers expressed concern that authorities would soon be visiting Orcus RAT customers, posts that were deleted\r\nalmost as quickly by the Hackforums administrator.\r\nAs if in acknowledgement of that concern, in the Pastebin press release published this week Revesz warned\r\npeople away from using Orcus RAT, and added some choice advice for others who would follow his path.\r\n“Orcus is no longer to be considered safe or secure solution to Remote Administrative needs,” he wrote, pointing\r\nto a screenshot of a court order he says came from one of the police investigators, which requires him to abstain\r\nfrom accessing Hackforums or Orcus-related sites. “Please move away from this software without delay. It has\r\nbeen a pleasure getting to know everyone in my time online, and I hope you all can take my words as a life\r\nlesson. Stay safe, don’t do stupid shit.”\r\nSource: https://krebsonsecurity.com/2019/04/canadian-police-raid-orcus-rat-author/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://krebsonsecurity.com/2019/04/canadian-police-raid-orcus-rat-author/"
	],
	"report_names": [
		"canadian-police-raid-orcus-rat-author"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "aa73cd6a-868c-4ae4-a5b2-7cb2c5ad1e9d",
			"created_at": "2022-10-25T16:07:24.139848Z",
			"updated_at": "2026-04-10T02:00:04.878798Z",
			"deleted_at": null,
			"main_name": "Safe",
			"aliases": [],
			"source_name": "ETDA:Safe",
			"tools": [
				"DebugView",
				"LZ77",
				"OpenDoc",
				"SafeDisk",
				"TypeConfig",
				"UPXShell",
				"UsbDoc",
				"UsbExe"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f9806b99-e392-46f1-9c13-885e376b239f",
			"created_at": "2023-01-06T13:46:39.431871Z",
			"updated_at": "2026-04-10T02:00:03.325163Z",
			"deleted_at": null,
			"main_name": "Watchdog",
			"aliases": [
				"Thief Libra"
			],
			"source_name": "MISPGALAXY:Watchdog",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434337,
	"ts_updated_at": 1775791857,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/17669d09beef147eebd67db169dcf80a4eed8e35.pdf",
		"text": "https://archive.orkl.eu/17669d09beef147eebd67db169dcf80a4eed8e35.txt",
		"img": "https://archive.orkl.eu/17669d09beef147eebd67db169dcf80a4eed8e35.jpg"
	}
}