{
	"id": "af948125-e269-4858-be2a-b4807de5075f",
	"created_at": "2026-04-06T00:19:06.160102Z",
	"updated_at": "2026-04-10T03:23:38.956749Z",
	"deleted_at": null,
	"sha1_hash": "5cf1b3fbfec5b075642d9f587b48bf972681978f",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 43048,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\r\nArchived: 2026-04-05 15:01:33 UTC\r\n APT group: Pusikurac\r\nNames Pusikurac (Morphisec)\r\nCountry [Unknown]\r\nMotivation Information theft and espionage\r\nFirst seen 2019\r\nDescription\r\n(Morphisec) A new, highly sophisticated campaign that delivers the Orcus Remote Access\r\nTrojan is hitting victims in ongoing, targeted attacks. Morphisec identified the campaign after\r\nreceiving notifications from its advanced prevention solution at several deployment sites.\r\n(Morphisec’s Moving Target Defense technology immediately stopped the threat.) The attack\r\nuses multiple advanced evasive techniques to bypass security tools. In a successful attack, the\r\nOrcus RAT can steal browser cookies and passwords, launch server stress tests (DDoS\r\nattacks), disable the webcam activity light, record microphone input, spoof file extensions, log\r\nkeystrokes and more.\r\nThe forensic data captured by Morphisec from the attack showed a high correlation to\r\nadditional samples in the wild, indicating a single threat actor is behind multiple campaigns,\r\nincluding this one.\r\nThis threat actor specifically focuses on information stealing and .NET evasion. Based on\r\nunique strings in the malware, we have dubbed the actor PUSIKURAC. Before executing the\r\nattacks, PUSIKURAC registers domains through FreeDns services. 
It also utilizes legitimate\r\nfree text storage services like paste, signs its executables, heavily misuses commercial .NET\r\npackers and embeds payloads within video files and images.\r\nObserved\r\nTools used Orcus RAT.\r\nInformation \u003chttps://blog.morphisec.com/new-campaign-delivering-orcus-rat\u003e\r\nLast change to this card: 29 April 2020\r\nSource: https://apt.etda.or.th/cgi-bin/showcard.cgi?u=e34230e0-182e-402d-a351-0479525fa0eb",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/showcard.cgi?u=e34230e0-182e-402d-a351-0479525fa0eb"
	],
	"report_names": [
		"showcard.cgi?u=e34230e0-182e-402d-a351-0479525fa0eb"
	],
	"threat_actors": [
		{
			"id": "aec996de-aa57-4812-87be-5a0db10b616a",
			"created_at": "2022-10-25T16:07:24.080546Z",
			"updated_at": "2026-04-10T02:00:04.86164Z",
			"deleted_at": null,
			"main_name": "Pusikurac",
			"aliases": [],
			"source_name": "ETDA:Pusikurac",
			"tools": [
				"Orcus",
				"Orcus RAT",
				"Schnorchel"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434746,
	"ts_updated_at": 1775791418,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/5cf1b3fbfec5b075642d9f587b48bf972681978f.pdf",
		"text": "https://archive.orkl.eu/5cf1b3fbfec5b075642d9f587b48bf972681978f.txt",
		"img": "https://archive.orkl.eu/5cf1b3fbfec5b075642d9f587b48bf972681978f.jpg"
	}
}