{
	"id": "6d575120-63dd-4cac-b3e5-43b14b9771ff",
	"created_at": "2026-04-06T00:08:53.244444Z",
	"updated_at": "2026-04-10T03:23:38.959265Z",
	"deleted_at": null,
	"sha1_hash": "76474540289718379155328b787d5fd7fd5f1c99",
	"title": "New Campaign Delivers Orcus RAT",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3218786,
	"plain_text": "New Campaign Delivers Orcus RAT\r\nBy Morphisec Labs\r\nArchived: 2026-04-05 18:48:13 UTC\r\nThis post was authored by Michael Gorelik, Alon Groisman and Bruno Braga.\r\nA new, highly sophisticated campaign that delivers the Orcus Remote Access Trojan is hitting victims in\r\nongoing, targeted attacks. Morphisec identified the campaign after receiving notifications from its advanced\r\nprevention solution at several deployment sites. Morphisec’s Moving Target Defense technology immediately\r\nstopped the threat. The attack uses multiple advanced evasive techniques to bypass security tools. In a successful\r\nattack, the Orcus RAT can steal browser cookies and passwords, launch server stress tests (DDoS attacks), disable\r\nthe webcam activity light, record microphone input, spoof file extensions, log keystrokes and more. (More about\r\nOrcus RAT below.)\r\nThe forensic data captured by Morphisec from the attack showed a high correlation to additional samples in the\r\nwild, indicating a single threat actor is behind multiple campaigns, including this one.\r\nThis threat actor specifically focuses on information stealing and .NET evasion. Based on unique strings in the\r\nmalware, we have dubbed the actor PUSIKURAC. Before executing the attacks, PUSIKURAC registers domains\r\nthrough FreeDns services. It also utilizes legitimate free text storage services like paste, signs its executables,\r\nheavily misuses commercial .NET packers and embeds payloads within video files and images.\r\nIn this blog we focus on and demystify one specific attack chain executed by the attacker. 
We will show the\r\nfull attack chain, analyzing one of the more interesting malware downloaders that we have investigated over the\r\npast year, including its delivered payload – the Orcus RAT.\r\nTechnical Explanation\r\nBased on the initial attack data, we could see that the attack flow proceeds as follows: A persistent VBScript\r\nexecutes a PowerShell script that downloads a .NET executable obfuscated and encrypted by ConfuserEx. The\r\ndownloaded executable performs a known UAC bypass through Event Viewer registry hijacking to gain the highest\r\nprivileges.\r\nThe running process with the highest privileges downloads a legitimate Ramadan-themed Coca-Cola advertising\r\nvideo, which contains an embedded .NET Orcus RAT.\r\nhttps://blog.morphisec.com/new-campaign-delivering-orcus-rat\r\nPage 1 of 14\n\nEach stage of the attack includes additional obfuscation and custom encryption steps, as described below.\r\nDownloader\r\nOne of the more interesting stages of the attack is the downloader – System32Batch94ver1.exe\r\n(B4136B21B9E95FD1FA9C52BD897F4D2F). The .NET downloader is signed with an invalid Notepad++\r\ncertificate.\r\nThe downloader is encrypted by a known obfuscation framework (ConfuserEx) and further obfuscated by a\r\ncustom algorithm that transforms strings representing binary number patterns into readable strings and byte\r\narrays. The malware also has the functionality to download additional stages from paste.ee \u0026 bit.ly under\r\ncertain conditions.\r\nConfuserEx encrypted binary:\r\nMost of the ConfuserEx unpackers didn’t fully work on this sample out of the box; we needed to modify one of\r\nthe unpackers. 
Following a successful control flow repair, decryption of constants and strings, and de-obfuscation\r\nof the names, we identified a readable .NET library.\r\nAs noted previously, we needed to apply some of the decoding algorithms implemented within the binary in order to\r\ndeobfuscate the next stage binary patterns (similar patterns are downloaded from hxxps://paste[.]ee/r/O53RV).\r\nThe identified strings revealed the persistence methods of the binary, the privilege escalation techniques used to\r\nbypass UAC, and the embedded next stage artifacts. Some of these strings are included in Table 1 below:\r\nAlthough the original string table includes much more information, we will focus on the strings included in the\r\ntable above.\r\nThe eventvwr.exe, mmc and mscfile registry hijack clearly indicate a known UAC bypass technique utilized by\r\nmalware over the last 2 years – hijacking the mscfile registry key will cause Event Viewer to execute the given\r\nprocess with the highest privileges. The vmtoolsd and Sandboxie strings indicate known anti-VM techniques. The\r\nVBScript code templates, which are compiled by the .NET binary, and the task scheduling procedures are indicators\r\nof persistence and of disconnection of the attack chain (as in the scenario we are analyzing).\r\nThe last string was the only one that is not self-explanatory and looked unique. 
This prompted us to use it as the\r\nname for the threat actor.\r\nWhile hunting for additional strings, we identified an interesting method that is responsible for the AES\r\ndecryption of one of the encrypted resources:\r\nThe function iterates over its four resources until it finds a resource stream that starts with the leet cookie (1337).\r\nIt then extracts the key and the initialization vector for a successful AES decryption of the resource.\r\nDecryption of the “QFwMhceaY.Resources” resource reveals an additional set of URLs, filename extensions and\r\nthe .NET target version:\r\nAgain, the actual string table contains more information and we have included only the most relevant.\r\nThe first string is the URL path for bit.ly (one of the leading URL shorteners). This path hosts a redirector to\r\nthe next stage malware (Orcus RAT embedded inside an mp4 video file).\r\nThe second string is an executable name, which is later concatenated with the .exe extension and used to replace\r\nthe Name.exe template within the VBScript shown in Table 1.\r\nhxxps://paste[.]ee/r/bOZW3 contains another encrypted assembly executable that is later fetched from the internet\r\n(it exhibits the same binary patterns as seen inside the downloader binary). This is described below.\r\nThe binary pattern is decrypted into a byte array (the same way as the previous strings), then XOR’d with multiple\r\nembedded characters and transformed into a new embedded assembly. Under certain conditions the downloader\r\nwill execute this assembly by invoking its Method.\r\nThe decrypted assembly is minimally obfuscated; its long constant and function names can be easily de-obfuscated using a basic de4dot. 
Looking deeper inside the assembly, we identified process hollowing\r\nfunctionality that is used to hide additional executable code within a new process.\r\nAES is applied here as well, to an internal byte array and to the C.resources artifacts, to produce the parameters for the\r\nhollowing process (hollowing cmd).\r\nOrcus Remote Access Trojan\r\nAs stated previously, the downloader downloads a legitimate 18 MB Ramadan-themed Coca-Cola commercial\r\n(09751bf69d496aaa3c92df5ed446785b).\r\nAlthough the video looks harmless, it is appended with a .NET executable which is the Orcus RAT.\r\nThe attached Orcus executable is delivered with AES encrypted settings (the SIGNATURE string is the key). To\r\nproperly decrypt the settings we needed to decompress the embedded Fody-Costura DLLs (deflate the streams)\r\nthat relate to the AES encryption (Orcus.Shared.dll) and extract the initialization vector byte array.\r\nWith all the decryption keys and the encrypted settings in hand, we easily extracted the full XML settings for the\r\nRAT.\r\nIt was interesting to discover that someone else identified the same C2 server and decided to hack back the\r\nattacker’s servers: https://twitter.com/GuyFoqs/status/1085803756644528129.\r\nMore on Orcus RAT\r\nThe Orcus RAT masquerades as a legitimate remote administration tool, although it is clear from its features and\r\nfunctionality that it is not and was never intended to be. (Brian Krebs published an interesting exposé on the man\r\nbehind the supposed administration tool.) 
Until two weeks ago, it was publicly sold and licensed by a company\r\ncalling itself Orcus Technologies. The project is now closed, according to a “press release” it issued, and a license-free version is available for download, as well as software development tools and documentation. Interestingly, the\r\nauthor also claims there is a “kill switch” available for download by security researchers to remotely shut down\r\nand lock out any Orcus control server that they find being used for malicious purposes.\r\nConclusions\r\nGiven that the Orcus Trojan was recently made freely available, we expect to see more attacks delivering new Orcus\r\nRAT variants as a payload.\r\nAs this latest attack demonstrates, organizations may improve their defenses but attackers find new ways to get\r\naround them. Morphisec customers are protected from this campaign as well as future Orcus variants with its\r\nMoving Target Defense solution that is architected specifically to handle unknown evasive attacks.\r\nArtifacts:\r\nAdditional Artifacts\r\nStrings: “Dole Food Company” (this string appeared in many of the .NET assemblies from multiple different\r\nattack chains; it also appeared in some of the persistence stages)\r\nAbout the author\r\nMorphisec Labs\r\nMorphisec Labs 
continuously researches threats to improve defenses and share insight with the broader cyber\r\ncommunity. The team engages in ongoing cooperation with leading researchers across the cybersecurity spectrum\r\nand is dedicated to fostering collaboration, data sharing and offering investigative assistance.\r\nSource: https://blog.morphisec.com/new-campaign-delivering-orcus-rat",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://blog.morphisec.com/new-campaign-delivering-orcus-rat"
	],
	"report_names": [
		"new-campaign-delivering-orcus-rat"
	],
	"threat_actors": [
		{
			"id": "aec996de-aa57-4812-87be-5a0db10b616a",
			"created_at": "2022-10-25T16:07:24.080546Z",
			"updated_at": "2026-04-10T02:00:04.86164Z",
			"deleted_at": null,
			"main_name": "Pusikurac",
			"aliases": [],
			"source_name": "ETDA:Pusikurac",
			"tools": [
				"Orcus",
				"Orcus RAT",
				"Schnorchel"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434133,
	"ts_updated_at": 1775791418,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/76474540289718379155328b787d5fd7fd5f1c99.pdf",
		"text": "https://archive.orkl.eu/76474540289718379155328b787d5fd7fd5f1c99.txt",
		"img": "https://archive.orkl.eu/76474540289718379155328b787d5fd7fd5f1c99.jpg"
	}
}