{
	"id": "4d5a853c-9587-45ed-bc65-f198e0ca577e",
	"created_at": "2026-04-06T00:17:01.682811Z",
	"updated_at": "2026-04-10T03:30:57.28726Z",
	"deleted_at": null,
	"sha1_hash": "47105c0e41c42802d83d60449172e4d36a4ddd72",
	"title": "A Peculiar Case of Orcus RAT Targeting Bitcoin Investors",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 5627099,
	"plain_text": "A Peculiar Case of Orcus RAT Targeting Bitcoin Investors\r\nPublished: 2017-12-07 · Archived: 2026-04-05 17:32:50 UTC\r\nBitcoin has been the talk of the past few years, at least as far as crypto-currency is concerned, primarily due to its growing acceptance and steady rise in value ($17,740 USD as of writing). Inevitably, financial market traders and investors have found this to represent a good opportunity for profits.\r\nHowever, active trading in bitcoin, as in any currency in the financial market, generally requires a great deal of attention in order to maximize profitability. Throw the emotions involved with every trading decision into the mix and it can become a stressful ordeal. Hence the advent of automatic trading applications, popularly known as trading bots.\r\nIn simple terms, these bots monitor bitcoin price differences between different trading platforms. If an opportunity for profit appears, they automatically buy or sell bitcoin between the platforms, effectively arbitraging between the two. The criteria for an opportunity are still based on parameters set by the user, though, so obviously they are not fully autonomous.\r\nBitcoin trading bots, or trading bots in general, are not at all new. But with bitcoin’s increasing value and popularity, the market for them is.\r\nAnd as expected, as this parade of bandwagons grows larger, malware threat actors are ready to jump on to get a piece of the profit. As evidence of this, FortiGuard Labs’ Kadena Threat Intelligence System (KTIS) has spotted a new phishing campaign that targets bitcoin investors by offering Gunbot, a relatively new bitcoin trading bot application. 
However, instead of being a tool designed to ensure more profit, it serves an Orcus RAT malware that results in the loss of investments and more.\r\nSpam\r\nhttps://www.fortinet.com/blog/threat-research/a-peculiar-case-of-orcus-rat-targeting-bitcoin-investors.html\r\nPage 1 of 15\n\nThe email spam arrives as an announcement of a new bitcoin trading bot called Gunbot, which is a product developed by GuntherLab or Gunthy.\r\nFig1. Spam email disguised as a GunBot promotion\r\nAn attachment with the filename sourcode.vbs.zip is actually an archive that contains a simple VB Script with the same filename, which when executed downloads a file from https[:]//bltcointalk.com/flashplayer27pp_ka_install.jpeg. Although the extension suggests it is a JPEG image file, it is actually a PE binary file.\r\nThe comments on the script imply that the threat actors behind this campaign have no intention of hiding its behavior. It’s possible that they lack the technical knowledge and simply bought the components used in this campaign elsewhere. It can also be that they simply don’t care as long as there’s someone out there who double-clicks the file without any inspection, which may well be the case.\r\nFig2. Commented VBScript downloader\r\nTrojanized Inventory System\r\nAt first glance, the downloaded executable appears to be a benign inventory system tool with a lot of references to SQL commands for inventory procedures. After further analysis, however, we found that it is a trojanized version of an open source inventory system tool named TTJ-Inventory System.\r\nFig3. 
Comparison between the downloaded executable and the TTJ-Inventory System source code\r\nAs we dug deeper into the decompiled code, we found an access reference to a big chunk of data named “Mastering” from a resource named “DVDImageBurn”. The “Mastering” resource contains encrypted binary data that is decrypted using a hardcoded key. As it turns out, this data is another .NET PE executable that is loaded and executed directly in memory.\r\nFig4. Decrypt Resource Data\r\nFig5. Loading the decrypted MZ application\r\nTo make sure that only one instance of the malware is running, it checks for the existence of a mutex named “dgonfUsV”.\r\nBefore the malware proceeds to its main payload, it first checks whether it is running from the path %APPDATA%\\Roaming\\Microsoft\\Windows\\DwiDesk\\nethost.exe. If not, it creates a copy of itself in that directory and executes from there instead.\r\nWe now turn our analysis to the previously mentioned embedded executable. Once it is loaded and executed in memory, it ensures that the malware is executed upon reboot. A shortcut file is created in the same directory which points to the newly created path. The path of the shortcut file is added as a new entry under HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce with the value name “Load”.\r\nFig6. Creating Auto Start Registry\r\nThis executable further contains three embedded PE executables in its resources, where the actual Orcus RAT server can be found.\r\nFig7. 
Payload Resource File\r\nM – Orcus RAT server\r\nPkawjfiajsVIOefjsakoekAOEFKasoefjsa – persistence watchdog\r\nR – RunPE module\r\nThe RunPE module is not only able to execute other modules without writing their physical files to the system, but also to execute them under legitimate executables. This is usually done by executing an application in suspended mode, and then replacing the new process’ memory with the malicious code before resuming. It’s a common stealth technique. In this case, it uses components of the Microsoft .NET framework, MSBuild.exe and RegAsm.exe, as shells to hide its malicious processes. However, as shown in the next figure, the paths to the mentioned executables are hardcoded, which means that if the system has a different version of the .NET framework (different path) the malware will not be able to proceed.\r\nFig8. Loading Orcus RAT by Process Hollowing\r\nThe module from the PkawjfiajsVIOefjsakoekAOEFKasoefjsa resource acts as a watchdog to keep the malware running by repeatedly executing it unless the client decides to stop it by dropping “stop.txt” in its directory.\r\nFig9. Process Persistence\r\nPutting The ‘T’ in RAT\r\nFig10. Decompiled Orcus binary showing command modules\r\nOrcus has been advertised as a Remote Administration Tool (RAT) since early 2016. It has all the features that would be expected from a RAT and probably more. 
The long list of commands is documented on their website.\r\nBut what separates Orcus from the others is its capability to load custom plugins developed by users, as well as plugins that are readily available from the Orcus repository. In addition to that, users can also execute C# and VB.net code on the remote machine in real time.\r\nBasically, if a server component gets “installed” on your system, the person on the other side is practically in front of your machine while seeing and hearing you at the same time – yes, it can activate your microphone and webcam even without you knowing.\r\nOrcus, although advertised as a Remote Administration Tool, offers features that are beyond that scope. For instance, the user has the ability to disable the light indicator on webcams so as to not alert the target that it’s active. It can also implement a watchdog that restarts the server component or even trigger a Blue Screen of Death (BSOD) if someone tries to kill its process. This makes it harder for targets to remove it from their systems. A plugin that can be used to perform Distributed Denial of Service (DDoS) is also available directly from their repository. These are, of course, on top of the obviously ominous features such as password retrieval and key logging that are normally seen in Remote Access Trojans.\r\nInterestingly, this is not the first time that Orcus’ self-claimed status of being a benign tool has been questioned. In July of 2016, KrebsOnSecurity published an article tackling this same issue.\r\nThe One-letter Modus\r\nIt is obvious that the malware download site https://bltcointalk.com is trying to imitate the bitcoin forum bitcointalk.org. When accessed, the website is just an open directory containing the previously mentioned file as well as an archive with the filename . 
Unfortunately, in the middle of writing this article, the contents of the website changed before we could download an updated copy.\r\nFig11. bltcointalk.com contents listed on Dec. 1\r\nDuring our access on Dec. 4, flashplayer27pp_ka_install.jpeg was no longer hosted. However, a new file with the filename Gunbot.XT.Edition.-.Windows.package.zip had been uploaded to the server, and this time we were able to take a deeper look.\r\nFig12. bltcointalk.com contents listed on Dec. 4\r\nAs it turns out, the package, which is disguised as the GunBot tool, contains a similar trojanized “Inventory System” as well as the VB Script downloader. We speculate this small change in the setup is being (or will be) used in another campaign.\r\nFig13. Fake GunBot package contains similar malicious files\r\nChecking the Whois information of the domain, we found its registrant to be “Cobainin Enterprises”, and other domains are also registered under that entity.\r\nFig14. Whois information of bltcointalk.com\r\nIt was no surprise, therefore, that we found other domains that use similar domain names with replaced letters. When accessed, most of the sites display the “We’ll be back soon!” message, which is the same page that is displayed when “index.phptopic=1715214.0/” is accessed on “bltcointalk.com”.\r\nFig15. Domains registered under “Cobainin Enterprises”\r\nFig16. Maintenance message from some of the “inactive” domains\r\nIt’s possible that the threat actors cycle these sites between their malware campaigns. One of the websites on the list, “qunthy.org”, leads to a fake website for Gunbot. 
On the legitimate Gunbot website, interested clients are redirected to the developer’s Telegram profile by clicking the “CONTACT” button. In the case of the fake website, that button is replaced with a “GET IT” button that can be triggered just by hovering over it. This leads to a file hosting website, “http[:]//desfichiers.com/?9onk0nboih”. As of this writing, the file pointed to by the URL no longer exists; however, it seems safe to assume that it’s nothing benign.\r\nFig17. Official website of Gunbot\r\nFig18. Fake website of Gunbot\r\nFig19. Hosted file that no longer exists\r\nConclusion\r\nThe rise of Bitcoin to the top of the burgeoning cryptocurrency market has paved the way to the creation of bot trading applications such as Gunbot. Malicious counterfeit sites are sophisticated in terms of stealth and general infrastructure, and pose great risks to Bitcoin traders who may be tricked by their schemes.\r\nIn our investigation of Orcus RAT, we have again proven that its capabilities go beyond the scope of a harmless administration tool. Regardless of the developer’s claim and defense, the reality is that the application is being used in cybercrime campaigns.\r\n-= FortiGuard Lion Team =-\r\nProtection\r\n1. FortiSandbox rates all the samples with High Risk without additional reconfiguration.\r\n2. 
C\u0026C’s and download sites are already blocked using Fortinet Web Filtering.\r\nIOC\r\nC\u0026C\r\n172.111.160.213\r\nSource: https://www.fortinet.com/blog/threat-research/a-peculiar-case-of-orcus-rat-targeting-bitcoin-investors.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.fortinet.com/blog/threat-research/a-peculiar-case-of-orcus-rat-targeting-bitcoin-investors.html"
	],
	"report_names": [
		"a-peculiar-case-of-orcus-rat-targeting-bitcoin-investors.html"
	],
	"threat_actors": [
		{
			"id": "f9806b99-e392-46f1-9c13-885e376b239f",
			"created_at": "2023-01-06T13:46:39.431871Z",
			"updated_at": "2026-04-10T02:00:03.325163Z",
			"deleted_at": null,
			"main_name": "Watchdog",
			"aliases": [
				"Thief Libra"
			],
			"source_name": "MISPGALAXY:Watchdog",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434621,
	"ts_updated_at": 1775791857,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/47105c0e41c42802d83d60449172e4d36a4ddd72.pdf",
		"text": "https://archive.orkl.eu/47105c0e41c42802d83d60449172e4d36a4ddd72.txt",
		"img": "https://archive.orkl.eu/47105c0e41c42802d83d60449172e4d36a4ddd72.jpg"
	}
}