{
	"id": "cda1e3ae-fbef-49a5-baa4-a2b12eb66289",
	"created_at": "2026-04-06T00:14:19.35791Z",
	"updated_at": "2026-04-10T13:12:26.988909Z",
	"deleted_at": null,
	"sha1_hash": "3bd7135b9b7286eee8d9d7092d115efe5e1091c2",
	"title": "Orcus – Birth of an unusual plugin builder RAT",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 755200,
	"plain_text": "Orcus – Birth of an unusual plugin builder RAT\r\nBy Vicky Ray\r\nPublished: 2016-08-02 · Archived: 2026-04-05 15:31:19 UTC\r\nUnit 42 has been tracking a new Remote Access Trojan (RAT) being sold for $40 USD since April 2016, known as\r\n“Orcus”. Though Orcus has all the typical features of RAT malware, it allows users to build custom plugins and\r\nalso has a modular architecture for better management and scalability. The objective of this blog is to highlight\r\nsome of the capabilities of this new RAT family and the impact seen so far.\r\nBackground\r\nBefore we discuss the details of this RAT family, let's discuss how Orcus became a commercially sold RAT.\r\nAround October 2015, the developer of Orcus, going with the alias of “Sorzus”, posted a thread on a hacker forum\r\nabout a RAT he was developing, soliciting feedback on how it could be published. The developer had then named\r\nthe tool as “Schnorchel”, German for “Snorkel”.\r\nFigure 1 Sorzus discusses publishing Orcus\r\nThe figure below shows the early versions of Orcus when it was being developed. It is interesting to see that the\r\ndeveloper details mentioned on the earlier version indicates \"Vincent (Alkalinee)\", and we are also aware that\r\n'Alkalinee' was the alias which was being used by the developer before taking the new alias of 'Sorzus'. (This also\r\nsuggests that the real name of the Orcus developer may be 'Vincent'.)\r\nhttp://researchcenter.paloaltonetworks.com/2016/08/unit42-orcus-birth-of-an-unusual-plugin-builder-rat/\r\nPage 1 of 8\n\nFigure 2 Early version of Orcus which was known as “Schnorchel”\r\nThe developer had shared intentions to publish the RAT for free and make it open-source. However, some of the\r\nusers in the forum responded, advising to make it commercial instead of sharing it for free or making it open\r\nsource, citing that the source code would eventually be used by others to repackage and sell it as a new RAT. One\r\nforum user, alias \"Armada\", offered to assist \"Sorzus\" on helping out with publishing the tool and apparently\r\nbecame Sorzus' eventual partner.\r\n\"Sorzus\" and \"Armada\" are believed to be the two main individuals currently managing the sales and development\r\nof Orcus. Brian Krebs published a blog a few weeks ago disclosing details of the individual who has been\r\nsupposedly known to be the person behind Orcus. Our analysis suggests that 'Sorzus' is the main developer of the\r\nRAT and 'Armada' is mostly responsible for sales and support of the tool.\r\nArchitecture\r\nOrcus is developed using C# with the Windows administration/controller component developed using WPS\r\n(Windows Presentation Foundation), which is used to render user interfaces in Windows based systems. Orcus has\r\nthree main components to its architecture: Orcus controller, Orcus Server and the trojan binary which is deployed\r\non a victim machine. The delivery vectors vary, ranging from a spear phishing attack using the malware binary\r\nwith the email, having a hyperlink with a download link to the Orcus malware binary, or even using drive-by\r\ndownload methods.\r\nIn most RAT malware, once a victim has been infected, the malware connects back to the admin panel of the\r\nattacker to send data and provide control to the infected machine. However, if a victim machine is infected with an\r\nOrcus RAT, it connects back to the Orcus server which does not have the admin panel on it. Orcus has a separate\r\ncomponent for the admin panel (Orcus controller) which enables control of all infected machines from the Orcus\r\ncontroller. This set up offers multiple benefits to the cyber criminals using Orcus. For example, they are able to\r\nshare access to victim machines by accessing a single Orcus server which would enable a group of cyber criminals\r\nhttp://researchcenter.paloaltonetworks.com/2016/08/unit42-orcus-birth-of-an-unusual-plugin-builder-rat/\r\nPage 2 of 8\n\nworking together to better manage their infected victim networks and also allow scalability of their Orcus network\r\nby deploying multiple ‘Orcus servers’.\r\nFigure 3 Orcus Architecture\r\nThe developer not only has a controller build for Windows, but also created an Android app for the admin\r\ncontroller to control the infected machines using an Android device. An Android app for the\r\ncontroller/administration component is also available from Google Play.\r\nFigure 4 Orcus administration component for Android platform\r\nhttp://researchcenter.paloaltonetworks.com/2016/08/unit42-orcus-birth-of-an-unusual-plugin-builder-rat/\r\nPage 3 of 8\n\nUnique Features\r\nBelow are some Orcus features that can enable full control of a victim machine:\r\nKeylogger\r\nScreengrabs\r\nRemote code execution\r\nWebcam monitor\r\nDisable webcam light\r\nMicrophone recorder\r\nRemote administration\r\nPassword stealers\r\nDenial of Service\r\nVM Detection\r\nInfoStealer\r\nHVNC\r\nReverse Proxy\r\nRegistry explorer/editor\r\nReal Time Scripting\r\nAdvanced Plugin System\r\nOrcus has many common features of a RAT, however the features which are unique and stand out the most is the\r\n‘Plugin System’ and 'Real time scripting'. The plugin feature allows users of Orcus to build their own plugins or\r\ndownload plugins which have been developed by the author. If a user has basic knowledge on one of the\r\nsupported programming languages, which are C#, VB.Net or C++, that user can easily extend and write plugins to\r\nbuild on to the current capabilities of Orcus. The author also provides a developer package to create the plugins\r\nwith an IDE (Integrated Development Environment), which is an application used by programmers to develop\r\nprograms.\r\nThe Orcus sellers also provide very well documented tutorials to create plugins, and also maintain a Github page\r\nwhich has a few sample plugins created. Orcus allows seven different types of plugins to be created. Figure 5\r\nshows the current list of plugin types that can be built.\r\nhttp://researchcenter.paloaltonetworks.com/2016/08/unit42-orcus-birth-of-an-unusual-plugin-builder-rat/\r\nPage 4 of 8\n\nFigure 5 Types of plugins\r\nThe libraries are well documented and are currently being hosted on 'sharpdox.de'. Sharpdox is a tool to create C#\r\ncode documentations and can be hosted on 'sharpdox.de'. Figure 6 shows an example of the methods or functions\r\nwhich are available to the Orcus plugin's 'ClientController' class.\r\nFigure 6 Example of a plugin library documentation\r\nThe Real Time scripting feature allows Orcus users to write and execute code (C#, VB.Net) in real time while\r\nremotely managing the compromised system.\r\nhttp://researchcenter.paloaltonetworks.com/2016/08/unit42-orcus-birth-of-an-unusual-plugin-builder-rat/\r\nPage 5 of 8\n\nFigure 7 Real time scripting feature on Orcus\r\nAnalysis: Orcus Protections\r\nFrom an incident responder or threat analyst's perspective, it is important to understand the type of anti-analysis\r\nprotections a malware family employs so one is able to build an environment to successfully analyze the malware.\r\nThis blog is not intended to discuss reverse-engineering the RAT in detail; however, it is interesting to see some of\r\nthe anti-analysis features which Orcus employs to avoid being detected in a standard analysis environment.\r\nWe reverse-engineered one of the Orcus samples seen on a recent attack to check and verify some of the\r\nconfigured features. Given Orcus is developed in C# / VB.Net, we can easily peek into the code using a .NET\r\ndisassembler. If an Orcus user enables the VMDetection feature while building the malware binary, the malware\r\nwould check if the malware is running within a virtual machine environment. The virtual machines that Orcus\r\ndetects are ParallelsDesktop, VirtualBox, VirtualPC and VMWare. The figure below shows the code excerpt for\r\ndetecting the presence of virtual machines.\r\nhttp://researchcenter.paloaltonetworks.com/2016/08/unit42-orcus-birth-of-an-unusual-plugin-builder-rat/\r\nPage 6 of 8\n\nFigure 8 Virtual Machine detection in Orcus\r\nOrcus also checks for processes of network monitoring tools like Netmon, TCPView and Wireshark as shown in\r\nthe figure below.\r\nFigure 9 Detection for network analysis tools\r\nImpact\r\nFigure 10 below shows the trending graph seen in Autofocus on the number of malware download sessions for\r\nOrcus. Given the feature rich toolset and the scalability Orcus provides, it is not a surprise that the usage and\r\nacceptance of the Orcus RAT is growing among cyber criminals since being first sold early this year. Given the\r\nincreasing popularity of Orcus, it is likely that we will see more cyber crime campaigns where the RAT of choice\r\nis Orcus.\r\nhttp://researchcenter.paloaltonetworks.com/2016/08/unit42-orcus-birth-of-an-unusual-plugin-builder-rat/\r\nPage 7 of 8\n\nFigure 10 Autofocus graph of Orcus download sessions over time\r\nConclusion\r\nThe individuals behind Orcus are selling the RAT by advertising it as a \"Remote Administration Tool\" under a\r\nsupposedly registered business and claiming that this tool is only designed for legitimate business use. However,\r\nlooking at the feature capabilities, architecture of the tool, and the publishing and selling of the tool in hacker\r\nforums, it is clear that Orcus is a malicious tool, and that its target customer is cyber criminals. It's not uncommon\r\nbut this is an interesting case where a developer with an initial intention to release the code for free or open\r\nsource, ends up in collaborating with an individual in a hacker forum who has prior experience in building and\r\nselling similar malicious tools, and creates a commercial RAT which has started to gain wide acceptance among\r\ncyber criminals with its unique feature set and flexible architecture.\r\nPalo Alto Networks WildFire correctly identifies Orcus as malicious and AutoFocus customers can track this\r\nthreat using the Orcus tag.\r\nIOCs:\r\nThe current list of hashes for Orcus samples can be found on the Unit 42 github page here.\r\nSource: http://researchcenter.paloaltonetworks.com/2016/08/unit42-orcus-birth-of-an-unusual-plugin-builder-rat/\r\nhttp://researchcenter.paloaltonetworks.com/2016/08/unit42-orcus-birth-of-an-unusual-plugin-builder-rat/\r\nPage 8 of 8",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"http://researchcenter.paloaltonetworks.com/2016/08/unit42-orcus-birth-of-an-unusual-plugin-builder-rat/"
	],
	"report_names": [
		"unit42-orcus-birth-of-an-unusual-plugin-builder-rat"
	],
	"threat_actors": [
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434459,
	"ts_updated_at": 1775826746,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/3bd7135b9b7286eee8d9d7092d115efe5e1091c2.pdf",
		"text": "https://archive.orkl.eu/3bd7135b9b7286eee8d9d7092d115efe5e1091c2.txt",
		"img": "https://archive.orkl.eu/3bd7135b9b7286eee8d9d7092d115efe5e1091c2.jpg"
	}
}