{
	"id": "b5bfbbe7-bd57-4321-b5b1-f65332fb12a7",
	"created_at": "2026-04-06T00:07:25.489552Z",
	"updated_at": "2026-04-10T03:35:10.830368Z",
	"deleted_at": null,
	"sha1_hash": "4cb5ac59b53563be2ebef7b48050f276bec0d2aa",
	"title": "oRAT (Malware Family)",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 41393,
	"plain_text": "oRAT (Malware Family)\r\nBy Fraunhofer FKIE\r\nArchived: 2026-04-05 22:25:03 UTC\r\nosx.orat (Back to overview)\r\noRAT\r\nSentinelOne describes this as malware written in Go, mixing its own custom code with code from public\r\nrepositories.\r\nReferences\r\n2022-05-23 ⋅ Trend Micro ⋅ Daniel Lunghi, Jaromír Hořejší\r\nOperation Earth Berberoka\r\nreptile oRAT Ghost RAT PlugX pupy Earth Berberoka\r\n2022-05-09 ⋅ Dinesh Devadoss, Phil Stokes\r\nFrom the Front Lines | Unsigned macOS oRAT Malware Gambles For The Win\r\noRAT\r\n2022-04-27 ⋅ Trend Micro ⋅ Daniel Lunghi, Jaromír Hořejší\r\nOperation Gambling Puppet\r\nreptile oRAT AsyncRAT Cobalt Strike DCRat Ghost RAT PlugX Quasar RAT Trochilus RAT Earth Berberoka\r\n2022-04-27 ⋅ Trend Micro ⋅ Trend Micro\r\nIOCs for Earth Berberoka - MacOS\r\noRAT Earth Berberoka\r\nThere is no Yara-Signature yet.\r\nSource: https://malpedia.caad.fkie.fraunhofer.de/details/osx.orat\r\nhttps://malpedia.caad.fkie.fraunhofer.de/details/osx.orat\r\nPage 1 of 1",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://malpedia.caad.fkie.fraunhofer.de/details/osx.orat"
	],
	"report_names": [
		"osx.orat"
	],
	"threat_actors": [
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "452d2d74-e812-45d6-b0fe-b8a6cc4ebd01",
			"created_at": "2022-10-25T16:07:23.562676Z",
			"updated_at": "2026-04-10T02:00:04.662064Z",
			"deleted_at": null,
			"main_name": "Earth Berberoka",
			"aliases": [
				"GamblingPuppet"
			],
			"source_name": "ETDA:Earth Berberoka",
			"tools": [
				"Agent.dhwf",
				"AngryRebel",
				"AsyncRAT",
				"CinaRAT",
				"Destroy RAT",
				"DestroyRAT",
				"Farfli",
				"Gh0st RAT",
				"Ghost RAT",
				"Kaba",
				"Korplug",
				"Moudour",
				"Mydoor",
				"PCRat",
				"PlugX",
				"PuppetLoader",
				"Quasar RAT",
				"QuasarRAT",
				"RedDelta",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Trochilus RAT",
				"Xamtrav",
				"Yggdrasil",
				"oRAT"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "2664d6f5-f918-4978-87f8-f6afad7402c6",
			"created_at": "2023-01-06T13:46:39.393669Z",
			"updated_at": "2026-04-10T02:00:03.312065Z",
			"deleted_at": null,
			"main_name": "Earth Berberoka",
			"aliases": [
				"GamblingPuppet"
			],
			"source_name": "MISPGALAXY:Earth Berberoka",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434045,
	"ts_updated_at": 1775792110,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/4cb5ac59b53563be2ebef7b48050f276bec0d2aa.pdf",
		"text": "https://archive.orkl.eu/4cb5ac59b53563be2ebef7b48050f276bec0d2aa.txt",
		"img": "https://archive.orkl.eu/4cb5ac59b53563be2ebef7b48050f276bec0d2aa.jpg"
	}
}