{
	"id": "a83373b0-c79d-4fab-b7ff-0ced907dc131",
	"created_at": "2026-04-06T01:29:13.274209Z",
	"updated_at": "2026-04-10T03:21:56.815782Z",
	"deleted_at": null,
	"sha1_hash": "207d8c62a1c0bfce57cdf061d8bc7091c5dac2a4",
	"title": "RAT Ratatouille: Backdooring PCs with leaked RATs",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 4179673,
	"plain_text": "RAT Ratatouille: Backdooring PCs with leaked RATs\r\nBy Holger Unterbrink\r\nPublished: 2019-08-28 · Archived: 2026-04-06 00:38:10 UTC\r\nWednesday, August 28, 2019 10:59\r\nExecutive summary\r\nOrcus RAT and RevengeRAT are two of the most popular remote access trojans (RATs) in use across the threat\r\nlandscape. Since its emergence in 2016, various adversaries used RevengeRAT to attack organizations and\r\nindividuals around the world. The source code associated with RevengeRAT was previously released to the public,\r\nallowing attackers to leverage it for their own malicious purposes. There are typically numerous, unrelated\r\nattackers attempting to leverage this RAT to compromise corporate networks for the purposes of establishing an\r\ninitial point of network access, the performance of lateral movement, as well as to exfiltrate sensitive information\r\nthat can be monetized. Orcus RAT was in the news earlier this year due to Canadian law enforcement activity\r\nrelated to the individual believed to have authored the malware.\r\nCisco Talos recently discovered a threat actor that has been leveraging RevengeRAT and Orcus RAT in various\r\nmalware distribution campaigns targeting organizations including government entities, financial services\r\norganizations, information technology service providers and consultancies. 
We discovered several unique tactics,\r\ntechniques, and procedures (TTPs) associated with these campaigns including the use of persistence techniques\r\nmost commonly associated with \"fileless\" malware, obfuscation techniques designed to mask C2 infrastructure, as\r\nwell as evasion designed to circumvent analysis by automated analysis platforms such as malware sandboxes.\r\nThe characteristics associated with these campaigns evolved over time, showing the attacker is constantly\r\nchanging their tactics in an attempt to maximize their ability to infect corporate systems and work toward the\r\nhttps://blog.talosintelligence.com/2019/08/rat-ratatouille-revrat-orcus.html\r\nPage 1 of 14\n\nachievement of their longer-term objectives.\r\nMalicious email campaigns\r\nThere have been several variations of the infection process associated with these malware distribution campaigns\r\nover time. In general, the emails in every case claim to be associated with complaints against the organization\r\nbeing targeted. They purport to be from various authorities such as the Better Business Bureau (BBB). Below is an\r\nexample of one of these emails:\r\nPhishing email\r\nIn addition to Better Business Bureau, Talos has also observed emails purporting to be associated with other\r\nentities such as Australian Competition \u0026 Consumer Commission (ACCC), Ministry of Business Innovation \u0026\r\nEmployment (MBIE) and other regional agencies.\r\nEarlier malware campaigns contained a hyperlink that directed potential victims to the malicious content\r\nresponsible for initiating the malware infection. 
The attacker made use of the SendGrid email delivery service to\r\nredirect victims to an attacker-controlled malware distribution server.\r\nThe link in one example email was pointed to the following SendGrid URL:\r\nhttps://u12047697[.]ct[.]sendgrid[.]net/wf/click?upn=X2vR6-2FdIf8y2XI902U8Tc8qh9KOPBogeTLss4h7AKXe0xRjCQw1VcMTs\r\nThis URL is responsible for redirecting the client to a URL hosted on an attacker-controlled server that hosts a ZIP\r\narchive containing the malicious PE32 used to infect the system. Below, you can see the HTTP GET request that\r\nis responsible for retrieving this and continuing the infection process.\r\nZIP File download\r\nA PE32 executable is inside of the ZIP archive. It needs to be executed by the victim to infect the system with\r\nOrcus RAT. The PE32 filename features the use of double extensions (478768766.pdf.exe) which, by default on\r\nthe Windows operating system, will only display the first extension (.PDF). The PE32 icon has been set to make\r\nthe file appear as if it is associated with Adobe Acrobat.\r\nDouble extensions trick\r\nThis loader (478768766.pdf.exe) is protected by the SmartAssembly .NET protector (see below), but can easily be\r\ndeobfuscated via de4dot. It is responsible for extracting and decrypting the Orcus RAT. It extracts the Orcus\r\nexecutable from its Resource \"人豆认关尔八七\" as shown in the screenshots below.\r\nOrcus loader resources\r\nThe Class5.smethod_1 method, shown in the screenshot below, decodes the content from the resource section and\r\nrestores the original Orcus RAT PE file.\r\nResource section payload decoding\r\nThe smethod_3 shown below finally starts another instance of the loader (478768766.pdf.exe) and injects the\r\nOrcus PE file into this loader process. 
Then it resumes the process, which executes the Orcus RAT PE file in\r\nmemory in the 478768766.pdf.exe process context. This means the original Orcus RAT PE file is never written to\r\ndisk in clear text. This makes it more difficult for antivirus systems to detect it.\r\nProcess injection method\r\nThe loader achieves persistence by creating a shortcut that points to its executable and storing the shortcut in the\r\nfollowing Startup directory:\r\nC:\\Users\\\u003cUsername\u003e\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\r\nThe dropper also copies itself over to %APPDATA%\\Roaming\\trfgtf\\rfgrf.exe and creates and starts the\r\nrfgrf.exe.bat file, which you can see below. The bat file executes the copy of the loader every 60 seconds.\r\nrfgrf.exe.bat\r\nIn later campaigns, the adversary modified the infection process and emails no longer leveraged the SendGrid\r\nURLs. Later emails featured the same themes and verbiage but were modified to contain ZIP archive attachments.\r\nPhishing email\r\nThe attached ZIP archives contain malicious batch files responsible for retrieving the malicious PE32 file and\r\nexecuting it, thus infecting the system. Early versions of the batch file retrieved additional malicious content from\r\nthe same server previously used to host the ZIP archives.\r\nMalicious .bat downloader\r\nOne interesting thing to note about the batch files was the use of an obfuscation technique that is not commonly\r\nseen. 
In early campaigns, the attacker prepended the bytes \"FF FE 26 63 6C 73 0D 0A\" into the file, causing\r\nvarious file parsers to interpret the file contents as UTF-16 LE, resulting in the parsers failing to properly display\r\nthe contents of the batch file.\r\nUnicode obfuscation standard editor\r\nThe hex view of the same file shows these prepended bytes which are responsible for this parsing issue.\r\nUnicode obfuscation hex view\r\nThis is a well-known technique as can be observed in the forum thread here.\r\nLater versions of the .bat downloader featured the use of obfuscation in an attempt to make analysis more difficult.\r\nThey are using a simple obfuscation method and are just replacing all characters by variables that are resolved at\r\nruntime.\r\nObfuscated RevengeRAT .bat downloader\r\nThe decoded version of the .bat file looks like this. Like in the non-obfuscated versions of the .bat file, the\r\nadversaries are downloading the .js file to a local directory (C:\\windows\\r2.js) and executing it.\r\nDecoded obfuscated .bat file\r\nThis r2.js file is another obfuscated script. 
It is filled with a bunch of rubbish and one long line of code.\r\nDownloaded r2.js file\r\nThis script writes the 'TVqQ…' string into the registry.\r\nr2.js payload\r\nStored encoded malware in registry key\r\nIt loads this string at the end of the infection process, decodes it and executes it.\r\nr2.js payload decoding routine\r\nDecompiling this payload in dnSpy shows an old friend: RevengeRAT.\r\nRevengeRAT decompiled binary\r\nCommand and control (C2) obfuscation\r\nAs is the case with many popular RATs, the C2 infrastructure was observed leveraging Dynamic Domain Name\r\nSystem (DDNS) in an attempt to obfuscate the attacker's infrastructure. In the case of these malware campaigns,\r\nthe attacker took an additional step. They pointed the DDNS over to the Portmap service to provide an additional\r\nlayer of infrastructure obfuscation.\r\nPortmap is a service designed to facilitate external connectivity to systems that are behind firewalls or otherwise\r\nnot directly exposed to the internet.\r\nPort forwarding service\r\nThese systems initiate an OpenVPN connection to the Portmap service, which is responsible for handling requests\r\nto those systems via port mapping. We have recently observed an increase in the volume of malicious attackers\r\nabusing this service to facilitate the C2 process across various malware families.\r\nHTTPS certificate\r\nAs demonstrated above, the DNS configuration for the DDNS hostname used by the malware for C2 has actually\r\nbeen pointed to the Portmap service. Let's Encrypt issued the SSL certificate associated with this host.\r\nPayload analysis\r\nThe adversaries used at least two different RATs in the campaigns which we have closely analyzed: Orcus RAT\r\nand RevengeRAT. 
For both RATs, the source code was leaked in the underground and several adversaries have\r\nused it to build their own versions. You can see the comparison of the leaked version of RevengeRAT and the one\r\nwe analyzed below.\r\nComparison of the leaked malware and the modified one\r\nThe adversaries changed the source code slightly. They moved the original code into separate functions and\r\nchanged the execution order a bit plus added other minor changes like additional variables, but overall the code is\r\nstill very similar to the leaked code. On the other hand, it is modified so that the resulting binary looks different\r\nfor AVs.\r\nIt is interesting to see that both (Client) IDs are pointing to the same name: CORREOS. In the Nuclear_Explosion\r\nfile, aka RevengeRAT, it is only base64 encoded: \"Q09SUkVPUw==\".\r\nRevengeRAT Atomic class config\r\nOrcus decoded XML config\r\nConclusion\r\nThese malware distribution campaigns are ongoing and will likely continue to be observed targeting various\r\norganizations around the world. RevengeRAT and Orcus RAT are two of the most popular RATs in use across the\r\nthreat landscape and will likely continue to be heavily favored for use during the initial stages of attacks.\r\nOrganizations should leverage comprehensive defense-in-depth security controls to ensure that they are not\r\nadversely impacted by attacks featuring these malware families. At any given point in time, there are several\r\nunrelated attackers distributing these RATs in different ways. 
Given that the source code of both of these malware\r\nfamilies is readily available, we will likely continue to see new variants of each of these RATs for the foreseeable\r\nfuture.\r\nCoverage\r\nAdditional ways our customers can detect and block this threat are listed below.\r\nAdvanced Malware Protection (AMP) is ideally suited to prevent the execution of the malware used by these\r\nthreat actors.\r\nCisco Cloud Web Security (CWS) or Web Security Appliance (WSA) web scanning prevents access to malicious\r\nwebsites and detects malware used in these attacks.\r\nEmail Security can block malicious emails sent by threat actors as part of their campaign.\r\nNetwork Security appliances such as Next-Generation Firewall (NGFW), Next-Generation Intrusion Prevention\r\nSystem (NGIPS), and Meraki MX can detect malicious activity associated with this threat.\r\nAMP Threat Grid helps identify malicious binaries and build protection into all Cisco Security products.\r\nUmbrella, our secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs, and URLs,\r\nwhether users are on or off the corporate network.\r\nOpen Source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack\r\navailable for purchase on Snort.org.\r\nIndicators of Compromise (IOCs)\r\nThe following indicators of compromise (IOCs) have been observed to be associated with malware campaigns.\r\nZIP Hashes (SHA256):\r\nc66c96c8c7f44d0fd0873ea5dbaaa00ae3c13953847f0ca308d1f56fd28f230c\r\nd6c5a75292ac3a6ea089b59c11b3bf2ad418998bee5ee3df808b1ec8955dcf2a\r\nBAT Hashes (SHA256):\r\n20702a8c4c5d74952fe0dc050025b9189bf055fcf6508987c975a96b7e5ad7f5\r\n946372419d28a9687f1d4371f22424c9df945e8a529149ef5e740189359f4c8d\r\nPE32 Hashes 
(SHA256):\r\nff3e6d59845b65ad1c26730abd03a38079305363b25224209fe7f7362366c65e\r\n5e4db38933c0e3922f403821a07161623cd3521964e6424e272631c4492b8ade\r\nJS Hashes (SHA256):\r\n4c7d2efc19cde9dc7a1fcf2ac4b30a0e3cdc99d9879c6f5af70ae1b3a846b64b\r\nDomains:\r\nThe following domains have been observed to be associated with malware campaigns:\r\nskymast231-001-site1[.]htempurl[.]com\r\nqstorm[.]chickenkiller[.]com\r\nIP Addresses:\r\nThe following IP addresses have been observed to be associated with malware campaigns:\r\n193[.]161[.]193[.]99\r\n205[.]144[.]171[.]185\r\nSource: https://blog.talosintelligence.com/2019/08/rat-ratatouille-revrat-orcus.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://blog.talosintelligence.com/2019/08/rat-ratatouille-revrat-orcus.html"
	],
	"report_names": [
		"rat-ratatouille-revrat-orcus.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775438953,
	"ts_updated_at": 1775791316,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/207d8c62a1c0bfce57cdf061d8bc7091c5dac2a4.pdf",
		"text": "https://archive.orkl.eu/207d8c62a1c0bfce57cdf061d8bc7091c5dac2a4.txt",
		"img": "https://archive.orkl.eu/207d8c62a1c0bfce57cdf061d8bc7091c5dac2a4.jpg"
	}
}