{
	"id": "5ee1d752-1bdb-48d5-888a-0625d62d22d3",
	"created_at": "2026-04-06T00:10:35.656864Z",
	"updated_at": "2026-04-10T03:20:01.581661Z",
	"deleted_at": null,
	"sha1_hash": "1ddc07a168dfa6f904c83437742fcee2d45458b8",
	"title": "Orcus RAT Being Distributed Disguised as a Hangul Word Processor Crack - ASEC",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 4824311,
	"plain_text": "Orcus RAT Being Distributed Disguised as a Hangul Word Processor Crack - ASEC\r\nBy ATCP\r\nPublished: 2023-01-03 · Archived: 2026-04-02 12:35:43 UTC\r\nThe ASEC analysis team recently identified Orcus RAT being distributed on file-sharing sites disguised as a cracked version of Hangul Word Processor. The threat actor distributing this malware is the same one who distributed BitRAT and XMRig CoinMiner disguised as a Windows license verification tool on file-sharing sites.[1] The malware distributed by this threat actor has a form similar to the earlier samples, except that Orcus RAT is used instead of BitRAT. Furthermore, the new malware is considerably more sophisticated than the past versions: it includes a complicated process to evade behavior detection by antivirus software and registers PowerShell commands in the task scheduler to periodically install the latest malware.\r\nFile-sharing sites are, alongside torrents, the main platform used by threat actors to distribute malware to Korean users. Registered users upload media files such as movies and TV series, programs such as games and utilities, and also adult content. Other users can pay a set fee and download the uploaded files. The ASEC analysis team monitors malware being distributed via file-sharing sites and has shared information in multiple blog posts in the past.[2] [3] [4]\r\nUnlike cases of malware distributed randomly by various threat actors using malware that can easily be found on the internet, the threat actor that was distributing BitRAT and XMRig CoinMiner continues targeting Korean users, developing their malware themselves and making attempts to evade AhnLab’s V3 products. 
Additionally, a cracked version of BitRAT has not yet been found, which shows that although the threat actor develops malware themselves, the latest malware strains are sometimes purchased.\r\nOrcus RAT is a Remote Access Trojan that has been sold since around 2016.[5] Orcus Technologies, which developed this program, described it as a remote administration tool when selling the software, but as will be covered later on, it includes not only the remote control feature but also malicious features such as keylogging, collecting webcam and account information, and executing commands. Accordingly, there was a news article about Canadian authorities raiding the developers in 2019.[6]\r\nLike other RAT malware, there is a cracked version of Orcus RAT, and various threat actors are taking advantage of it in their attacks. In this post, we will summarize the process from the initial distribution method, where the threat actor induces the user to install the malware, to the final installation of Orcus RAT and XMRig CoinMiner.\r\n1. Distribution Method\r\nThe malware that installs Orcus RAT and XMRig CoinMiner is uploaded to multiple file-sharing sites under the disguise of a crack for Hangul Word Processor 2022. Hangul Word Processor is a major Korean word processing program, like Microsoft Office Word.\r\nWhen the downloaded compressed file is decompressed, we can see a folder named “install” and a program named “install.exe”. This “install.exe” file is the malware, and running it will execute an obfuscated PowerShell command and run the actual installer program in the “install” folder.\r\nhttps://asec.ahnlab.com/en/45462/\r\nPage 1 of 8\r\n2. Installer\r\nLike other compressors, 7z supports SFX formats. When a file is compressed in this format, an .exe executable is created instead of a .zip or .z compressed file. 
This is often used in installation programs because of its convenience, such as letting the creator install programs to a path of their choice simply by running the file. Not only does 7z SFX allow the installation of the included files, but it also has an additional feature: a specific command can be executed during the installation process.\r\nThe following is the installation script of “install.exe” (7z SFX). Besides the feature that runs the actual installer program, it also includes encoded PowerShell commands. The malware copies the original PowerShell program to the current installation directory under the name of the original program, “VC_redist.x86.exe”, and uses this copy to run the encoded PowerShell commands. Going through this process instead of directly running PowerShell seems to be an attempt to evade behavior detection by antivirus software.\r\nDecoding the encoded PowerShell command reveals the following. First, with the “Add-MpPreference” command, certain process names and paths are set as exceptions to evade detection by Windows Defender Antivirus. While this is a commonly used method, the threat actor also includes a step that allows threats detected by Windows Defender.\r\nAfterward, it downloads files uploaded to Google Docs. Instead of directly downloading and installing the malware, the threat actor first installs the 7z files, “7z.exe” and “7z.dll”, then downloads a compressed file, decompresses it with the password “x”, and runs it. This is also seen as an attempt to evade behavior detection by antivirus software.\r\n3. 
Downloader\r\nThe initially installed malware is a downloader, and depending on the set conditions, it installs different types of malware. The following is a diagram showing the general flow.\r\nThe malware that is installed initially checks for a virtual machine environment and whether the “asdmon” process is running, and if it determines that it is in an analysis environment, it terminates. Afterward, it checks whether anti-malware software is currently installed; its scan targets include AhnLab V3 (“v3l4sp”, “V3UI”, “v3csp”) and Naver Antivirus (“Nsavsvc.npc”).\r\nBefore moving on to the installation process, the malware collects basic information such as the infected system’s username and IP address and transmits this information via the Telegram API.\r\nWhen all of the above processes are complete, it copies the PowerShell executable to “C:\\ProgramData\\KB5019959.exe” and uses this file. The PowerShell commands executed depending on whether or not V3 is installed are mostly similar. The difference is that when V3 is installed, XMRig CoinMiner is installed, and if V3 is not installed, a second downloader malware is installed.\r\nOf the files installed, 7z is the same as the one covered above, and the “GoogleUpdate.exe” file is a tool called NirCmd from NirSoft. NirCmd is a command line tool that offers various features. With just simple commands, it can perform actions such as capturing screenshots, emptying the recycle bin, and controlling devices.\r\nIt is deemed that the threat actor installs NirCmd on the infected system in order to evade behavior detection by antivirus software. The PowerShell command registered in the task scheduler is also run through NirCmd and a copy of the PowerShell executable. 
Examining the task scheduler file downloaded from Google Docs and registered in the system reveals that it uses “GoogleUpdate.exe” (NirCmd) to execute “Kb5019959.exe” (the copied PowerShell executable) with a PowerShell command, as shown below. The registered tasks are PowerShell commands encoded in a similar way to the commands covered above, and they are responsible for installing XMRig or an additional downloader.\r\n4. XMRig CoinMiner\r\nThe XMRig CoinMiner malware is installed under the name “software_reporter_tool.exe”. It executes explorer.exe, a normal program, and then injects XMRig CoinMiner into it. This means that the actual mining is performed in the explorer process. Additionally, before running the target explorer for injection, it passes the following encrypted string as an argument.\r\nXMRig, which appears to have been built by the threat actor, decodes the strings it receives as arguments in its initial routine. The overall options passed when XMRig is run are as follows.\r\n--algo=rx/0\r\n--url=xmr.2miners[.]com:12222\r\n--user=\"4AKATTrazYSEKTQhqwmH1Z9tu2jqF1pLzSEsRbTx9oMSPsBEGNSxPoV89vTajjEd3vbNfWLZPwvrkWURhZ194osPKJ3wDbC\"\r\n--pass=\"\"\r\n--cpu-max-threads-hint=30\r\n--cinit-stealth-targets=\"Taskmgr.exe,ProcessHacker.exe,perfmon.exe,procexp.exe,procexp64.exe,MSIAfterburner.exe,TslGame.exe,TslGame_SE.exe,GTA of Legends.exe,LOSTARK.exe,VALORANT.exe,Overwatch.exe,suddenattack.exe,javaw.exe,SC2.exe,SC2_x64.exe,DNF.exe,TekkenGame-Win64-Shipping.exe\"\r\n--cinit-stealth-fullscreen\r\n--cinit-kill-targets=\"V3Lite_Setup.exe,V3Lite_Setup (1).exe,V3Lite_Setup (2).exe,Monitor.exe,openssl.exe,natsvc.exe,smmgr.exe,v_service.exe,v_member.exe\"\r\n--cinit-version=\"2.5.0\"\r\n--tls\r\n--cinit-idle-wait=1\r\n--cinit-idle-cpu=100\r\n--cinit-id=\"mijzwzakiitazgng\"\r\nExamining each option reveals various settings including the mining pool address, user ID, and password. First, the 
“--cinit-stealth-targets” option is used to designate management tools such as Task Manager, Process Hacker, and Process Explorer, so that when the user runs these, the mining process is halted, making it difficult for users to notice the increased CPU usage. Several games are also included, and the malware is set so that mining stops while the user is playing a game, in order to prevent the user from finding out.\r\nThe “--cinit-kill-targets” option has the V3 product designated in it, so that when the user installs V3, it force-closes it, hindering the malware treatment process. It also force-terminates grid-type PUP programs.\r\n5. Orcus RAT\r\nIn the past, the threat actor installed XMRig in environments where V3 was installed, and BitRAT in other environments. However, it has recently been identified that Orcus RAT is being installed instead of BitRAT. Additionally, the following condition must also be met: Orcus RAT is only installed in environments that have Telegram or Visual Studio installed.\r\nLike other RAT malware, Orcus RAT offers various features that let the threat actor control the infected system. The following is the Orcus RAT management tool, cracked and disclosed.\r\nOrcus RAT has some differences from other simple types of RAT malware. Generally, in RAT malware the builder and management program like those shown above act as the C\u0026C server. In the case of Orcus RAT, however, instead of directly establishing a connection to these management tools, it connects to the Orcus server. Thus, the management tools used by the threat actor to control the infected system and the Orcus server which acts as the C\u0026C server are separate. This is similar to the structure of Cobalt Strike’s TeamServer. 
Orcus RAT communicates with the following Orcus server, and the Orcus management tools used by the threat actor also establish a connection to the Orcus server. This allows the operator to control the Orcus RATs connected to the Orcus server.\r\nThe following is a summary of the features offered by Orcus RAT. Orcus RAT can distinguish an infected system, and when “logged in” to the system, it allows the threat actor to use basic control features such as collecting system information, file/registry/process tasks, and executing commands.\r\nBesides these, Orcus RAT also supports remote desktop, keylogging, webcam control, and an RDP control feature. The RDP control feature involves installing RDP Wrapper and creating an account named “OrcusRDP”. Afterward, the threat actor can use this account to log in remotely.\r\nBecause Orcus RAT by default uses the TLS protocol in communications with the C\u0026C server, packets are encrypted. The following is a packet from communication between the Orcus RAT used in attacks and the C\u0026C server. Here, we can see that the “Orcus Server” string used in the certificate remains.\r\nConclusion\r\nAs malware is being actively distributed via Korean file-sharing sites, users need to take caution. Users must be wary when running executables downloaded from file-sharing sites, and it is recommended to download products such as utility programs and games from their official websites. 
Users should also apply the latest patches for the OS and programs such as internet browsers, and update V3 to the latest version to prevent malware infection in advance.\r\nFile Detection\r\n– Dropper/Win.Androm.C5347183 (2023.01.01.01)\r\n– Downloader/JOB.Generic (2023.01.02.02)\r\n– Downloader/Win.Agent.R547968 (2023.01.02.02)\r\n– CoinMiner/Win.XMRig.R547974 (2023.01.02.02)\r\n– Trojan/Win.Injection.C5347028 (2023.01.01.00)\r\n– Backdoor/Win.Orcusrat.C5347952 (2023.01.02.02)\r\n– CoinMiner/Win.XMRig.C5347951 (2023.01.02.02)\r\nBehavior Detection\r\n– Injection/MDP.Hollowing.M4180\r\nURL\r\nhttp[:]//minecraftrpgserver[.]com/\r\nhttp[:]//minecraftrpgserver[.]com[:]27036/\r\nhttp[:]//xmr[.]2miners[.]com[:]12222/\r\nhttps[:]//api[.]telegram[.]org/bot5538205016[:]AAH7S9IGtFpb6RbC8W2TfNkjD7Cj_3qxCnI/sendMessage\r\nhttps[:]//docs[.]google[.]com/uc?export=download\u0026id=1-B3960J-kcD_v9PaVP0gYyGpZVWDTHOw\r\nAdditional IOCs are available on AhnLab TIP.\r\nSource: https://asec.ahnlab.com/en/45462/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://asec.ahnlab.com/en/45462/"
	],
	"report_names": [
		"45462"
	],
	"threat_actors": [],
	"ts_created_at": 1775434235,
	"ts_updated_at": 1775791201,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/1ddc07a168dfa6f904c83437742fcee2d45458b8.pdf",
		"text": "https://archive.orkl.eu/1ddc07a168dfa6f904c83437742fcee2d45458b8.txt",
		"img": "https://archive.orkl.eu/1ddc07a168dfa6f904c83437742fcee2d45458b8.jpg"
	}
}