{
	"id": "dba957ac-d295-4a54-891f-355f514368ab",
	"created_at": "2026-04-06T00:19:31.011857Z",
	"updated_at": "2026-04-10T03:21:59.541568Z",
	"deleted_at": null,
	"sha1_hash": "fab05e522a61ec29f4781d8abe8c56c4e4b3e417",
	"title": "Canadian Man Behind Popular ‘Orcus RAT’",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 743284,
	"plain_text": "Canadian Man Behind Popular ‘Orcus RAT’\r\nPublished: 2016-07-24 · Archived: 2026-04-05 14:44:32 UTC\r\nFar too many otherwise intelligent and talented software developers these days apparently think they can get away\r\nwith writing, selling and supporting malicious software and then couching their commerce as a purely legitimate\r\nenterprise. Here’s the story of how I learned the real-life identity of a Canadian man who’s laboring under that same\r\nillusion as proprietor of one of the most popular and affordable tools for hacking into someone else’s computer.\r\nEarlier this week I heard from Daniel Gallagher, a security professional who occasionally enjoys analyzing new\r\nmalicious software samples found in the wild. Gallagher said he and members of @malwrhunterteam and\r\n@MalwareTechBlog recently got into a Twitter fight with the author of Orcus RAT, a tool they say was explicitly\r\ndesigned to help users remotely compromise and control computers that don’t belong to them.\r\nA still frame from a YouTube video demonstrating Orcus RAT’s keylogging ability to steal passwords from\r\nFacebook and other sites.\r\nThe author of Orcus — a person going by the nickname “Ciriis Mcgraw” a.k.a. “Armada” on Twitter and other\r\nsocial networks — claimed that his RAT was in fact a benign “remote administration tool” designed for use by\r\nnetwork administrators and not a “remote access Trojan” as critics charged. 
Gallagher and others took issue with\r\nthat claim, pointing out that they were increasingly encountering computers that had been infected with Orcus\r\nunbeknownst to the legitimate owners of those machines.\r\nThe malware researchers noted another reason that Mcgraw couldn’t so easily distance himself from how his\r\nclients used the software: He and his team are providing ongoing technical support and help to customers who\r\nhttps://krebsonsecurity.com/2016/07/canadian-man-is-author-of-popular-orcus-rat/\r\nPage 1 of 5\n\nhave purchased Orcus and are having trouble figuring out how to infect new machines or hide their activities\r\nonline.\r\nWhat’s more, the range of features and plugins supported by Armada, they argued, go well beyond what a system\r\nadministrator would look for in a legitimate remote administration client like Teamviewer, including the ability to\r\nlaunch a keylogger that records the victim’s every computer keystroke, as well as a feature that lets the user peek\r\nthrough a victim’s Web cam and disable the light on the camera that alerts users when the camera is switched on.\r\nA new feature of Orcus announced July 7 lets users configure the RAT so that it evades digital forensics tools used\r\nby malware researchers, including an anti-debugger and an option that prevents the RAT from running inside of a\r\nvirtual machine.\r\nOther plugins offered directly from Orcus’s tech support page (PDF) and authored by the RAT’s support team\r\ninclude a “survey bot” designed to “make all of your clients do surveys for cash;” a “USB/.zip/.doc spreader,”\r\nintended to help users “spread a file of your choice to all clients via USB/.zip/.doc macros;” a “Virustotal.com\r\nchecker” made to “check a file of your choice to see if it had been scanned on VirusTotal;” and an “Adsense\r\nInjector,” which will “hijack ads on pages and replace them with your Adsense ads and disable adblocker\r\non Chrome.”\r\nWHO IS ARMADA?\r\nGallagher said he was so struck 
by the guy’s “smugness” and sheer chutzpah that he decided to look closer at any\r\nclues that Ciriis Mcgraw might have left behind as to his real-world identity and location. Sure enough, he found\r\nthat Ciriis Mcgraw also has a YouTube account under the same name, and that a video Mcgraw posted in July 2013\r\npointed to a 33-year-old security guard from Toronto, Canada.\r\nGallagher noticed that the video — a bystander recording on the\r\nscene of a police shooting of a Toronto man — included a link to the domain policereview[dot]info. A search of\r\nthe registration records attached to that Web site name shows that the domain was registered to a John Revesz in\r\nToronto and to the email address john.revesz@gmail.com.\r\nA reverse WHOIS lookup ordered from Domaintools.com shows the same john.revesz@gmail.com address was\r\nused to register at least 20 other domains, including “thereveszfamily.com,” “johnrevesz.com,\r\nrevesztechnologies[dot]com,” and — perhaps most tellingly — “lordarmada.info”.\r\nJohnrevesz[dot]com is no longer online, but this cached copy of the site from the indispensable archive.org\r\nincludes his personal résumé, which states that John Revesz is a network security administrator whose most recent\r\njob in that capacity was as an IT systems administrator for TD Bank. 
Revesz’s LinkedIn profile indicates that for\r\nthe past year at least he has served as a security guard for GardaWorld International Protective Services, a\r\nprivate security firm based in Montreal.\r\nRevesz’s CV also says he’s the owner of the aforementioned Revesz Technologies, but it’s unclear whether that\r\nbusiness actually exists; the company’s Web site currently redirects visitors to a series of sites promoting spammy\r\nand scammy surveys, come-ons and giveaways.\r\nIT’S IN THE EULA, STUPID!\r\nContacted by KrebsOnSecurity, Revesz seemed surprised that I’d connected the dots, but beyond that did not try\r\nto disavow ownership of the Orcus RAT.\r\n“Profit was never the intentional goal, however with the years of professional IT networking experience I have\r\nmyself, knew that proper correct development and structure to the environment is no free venture either,” Revesz\r\nwrote in reply to questions about his software. “Utilizing my 15+ years of IT experience I have helped manage\r\nOrcus through its development.”\r\nRevesz continued:\r\n“As for your legalities question.  Orcus Remote Administrator in no ways violates Canadian laws for software\r\ndevelopment or sale.  We neither endorse, allow or authorize any form of misuse of our software.  Our EULA [end\r\nuser license agreement] and TOS [terms of service] is very clear in this matter. 
Further we openly and candidly\r\nwork with those prudent to malware removal to remove Orcus from unwanted use, and lock out offending users\r\nwhich may misuse our software, just as any other company would.”\r\nRevesz said none of the aforementioned plugins were supported by Orcus, that they were all developed by third-party\r\ndevelopers, and that “Orcus will never allow implementation of such features, and or plugins would be outright\r\nblocked on our part.”\r\nIn an apparent contradiction to that claim, plugins that allow Orcus users to disable the Webcam light on a\r\ncomputer running the software and one that enables the RAT to be used as a “stresser” to knock sites and\r\nindividual users offline are available directly from Orcus Technologies’ GitHub page.\r\nRevesz also offers a service to help people cover their tracks online. Using his alter ego “Armada” on the hacker\r\nforum Hackforums[dot]net, Revesz also sells a “bulletproof dynamic DNS service” that promises not to keep\r\nrecords of customer activity.\r\nDynamic DNS services allow users to have Web sites hosted on servers that frequently change their Internet\r\naddresses. This type of service is useful for people who want to host a Web site on a home-based Internet address\r\nthat may change from time to time, because dynamic DNS services can be used to easily map the domain name to\r\nthe user’s new Internet address whenever it happens to change.\r\nUnfortunately, these dynamic DNS providers are extremely popular in the attacker community, because they allow\r\nbad guys to keep their malware and scam sites up even when researchers manage to track the attacking IP address\r\nand convince the ISP responsible for that address to disconnect the malefactor. 
In such cases, dynamic DNS\r\nallows the owner of the attacking domain to simply re-route the attack site to another Internet address that he\r\ncontrols.\r\nFree dynamic DNS providers tend to report or block suspicious or outright malicious activity on their networks,\r\nand may well share evidence about the activity with law enforcement investigators. In contrast, Armada’s dynamic\r\nDNS service is managed solely by him, and he promises in his ad on Hackforums that the service — to which he\r\nsells subscriptions of various tiers for between $30-$150 per year — will not log customer usage or report\r\nanything to law enforcement.\r\nAccording to writeups by Kaspersky Lab and Heimdal Security, Revesz’s dynamic DNS service has been seen\r\nused in connection with malicious botnet activity by another RAT known as Adwind. Indeed, Revesz’s service\r\nappears to involve the domain “nullroute[dot]pw”, which is one of 21 domains registered to a “Ciriis Mcgraw”\r\n(as well as orcus[dot]pw and orcusrat[dot]pw).\r\nI asked Gallagher (the researcher who originally tipped me off about Revesz’s activities) whether he was\r\npersuaded at all by Revesz’s arguments that Orcus was just a tool and that Revesz wasn’t responsible for how it\r\nwas used.\r\nGallagher said he and his malware researcher friends had private conversations with Revesz in which he seemed\r\nto acknowledge that some aspects of the RAT went too far, and promised to release software updates to remove\r\ncertain objectionable functionalities. But Gallagher said those promises felt more like the actions of someone\r\ntrying to cover himself.\r\n“I constantly try to question my assumptions and make sure I’m playing devil’s advocate and not jumping the\r\ngun,” Gallagher said. 
“But I think he’s well aware that what he’s doing is hurting people, it’s just now he knows\r\nhe’s under the microscope and trying to do and say enough to cover himself if it ever comes down to him being\r\nquestioned by law enforcement.”\r\nSource: https://krebsonsecurity.com/2016/07/canadian-man-is-author-of-popular-orcus-rat/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://krebsonsecurity.com/2016/07/canadian-man-is-author-of-popular-orcus-rat/"
	],
	"report_names": [
		"canadian-man-is-author-of-popular-orcus-rat"
	],
	"threat_actors": [],
	"ts_created_at": 1775434771,
	"ts_updated_at": 1775791319,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/fab05e522a61ec29f4781d8abe8c56c4e4b3e417.pdf",
		"text": "https://archive.orkl.eu/fab05e522a61ec29f4781d8abe8c56c4e4b3e417.txt",
		"img": "https://archive.orkl.eu/fab05e522a61ec29f4781d8abe8c56c4e4b3e417.jpg"
	}
}