Black friday Up to 3 extra licenses FOR FREE + Special offer for TI LOOKUP Get it now
Webinar
February 26
Better SOC with Interactive Sandbox Practical Use Cases
Register now

Orcus RAT

orcus rat trojan
34
Global rank
76 infographic chevron month
Month rank
74 infographic chevron week
Week rank
0
IOCs

Orcus is a modular Remote Access Trojan with some unusual functions. This RAT enables attackers to create plugins using a custom development library and offers a robust core feature set that makes it one of the most dangerous malicious programs in its class.

RAT
Type
Canada
Origin
1 April, 2016
First seen
15 September, 2025
Last seen
Also known as
Schnorchel

How to analyze Orcus RAT with ANY.RUN

RAT
Type
Canada
Origin
1 April, 2016
First seen
15 September, 2025
Last seen

IOCs

IP addresses
213.209.143.58
185.243.99.45
193.161.193.99
147.185.221.21
147.185.221.25
196.251.117.118
94.19.26.210
147.185.221.16
195.88.218.126
147.185.221.24
198.50.242.157
31.44.184.52
185.37.62.158
45.91.92.112
147.185.221.17
173.249.217.7
82.9.246.24
94.141.122.171
35.154.189.194
108.231.94.28
Domains
7.tcp.eu.ngrok.io
0.tcp.eu.ngrok.io
a-ended.gl.at.ply.gg
6.tcp.eu.ngrok.io
5.tcp.eu.ngrok.io
4.tcp.eu.ngrok.io
hostip00.duckdns.org
6.tcp.ngrok.io
4.tcp.ngrok.io
dailyupdates.warzonedns.com
dailyupdates.theworkpc.com
0.tcp.ap.ngrok.io
57581.client.sudorat.top
2vh3dz.casacam.net
64515.client.sudorat.top
0.tcp.in.ngrok.io
dandev.us.to
15475.client.sudorat.top
58820.client.sudorat.top
44893.client.sudorat.top
Last Seen at
13 September, 2025
Malicious activity
ddr.exe
rat
orcus
8 September, 2025
Malicious activity
ccc.exe
rat
orcus
8 September, 2025
Malicious activity
ee.exe
rat
orcus
3 September, 2025
Malicious activity
rat.exe
rat
orcus
2 September, 2025
Malicious activity
Orcus.exe
rat
orcus
31 August, 2025
Malicious activity
Installer.exe
rat
orcus
30 August, 2025
Malicious activity
c3fed5171f45a2403ef621b247d1e3a2.dll
auto-reg
rat
orcus
28 August, 2025
Malicious activity
eb8df076a9c27ca87f349a751a3f74d8f121ec0e96da9.exe
rat
orcus
auto-reg
28 August, 2025
Malicious activity
55073fbca764ca83d9710cd3dc7c2d66.exe
rat
orcus
auto-reg
loader
28 August, 2025
Malicious activity
55073fbca764ca83d9710cd3dc7c2d66.exe
rat
orcus
auto-reg
loader
TRACK THEM ALL AT
Public Submissions
Last Seen at
13 September, 2025
Malicious activity
ddr.exe
rat
orcus
8 September, 2025
Malicious activity
ccc.exe
rat
orcus
8 September, 2025
Malicious activity
ee.exe
rat
orcus
3 September, 2025
Malicious activity
rat.exe
rat
orcus
2 September, 2025
Malicious activity
Orcus.exe
rat
orcus
31 August, 2025
Malicious activity
Installer.exe
rat
orcus
30 August, 2025
Malicious activity
c3fed5171f45a2403ef621b247d1e3a2.dll
auto-reg
rat
orcus
28 August, 2025
Malicious activity
eb8df076a9c27ca87f349a751a3f74d8f121ec0e96da9.exe
rat
orcus
auto-reg
28 August, 2025
Malicious activity
55073fbca764ca83d9710cd3dc7c2d66.exe
rat
orcus
auto-reg
loader
28 August, 2025
Malicious activity
55073fbca764ca83d9710cd3dc7c2d66.exe
rat
orcus
auto-reg
loader
TRACK THEM ALL AT
Public Submissions

Recent blog posts

post image
Lazarus Group Attacks in 2025: Here's Everyth...
watchers 2214
comments 0
post image
ANY.RYN x IBM QRadar SIEM: Real-Time Intellig...
watchers 2945
comments 0
post image
Release Notes: Fresh Connectors, SDK Update,...
watchers 2041
comments 0

Contents

  • What is Orcus RAT?
  • General description of Orcus RAT
  • Orcus RAT malware analysis
  • Orcus RAT execution process
  • Orcus RAT malware distribution
  • How to detect Orcus RAT?
  • Conclusion

Recent blog posts

post image
Lazarus Group Attacks in 2025: Here's Everyth...
watchers 2214
comments 0
post image
ANY.RYN x IBM QRadar SIEM: Real-Time Intellig...
watchers 2945
comments 0
post image
Release Notes: Fresh Connectors, SDK Update,...
watchers 2041
comments 0

What is Orcus RAT?

Orcus, previously known as Schnorchel, is a Remote Access Trojan, which enables remote control of infected systems. Although Orcus RAT malware is mostly a typical member of the RAT family, it has some competitive advantages over similar malware and unique features.

In addition, Orcus RAT has a modular structure, and it gives users the ability to create custom plugins for the malware. The modularity of this trojan gives it higher than standard scalability and management, allowing it to tailor the malware to the needs of various campaigns.

The first time we heard about this malware was from a forum post by one of its authors. The post announced the development of a new RAT that was named Schnorchel at the time. Soon after the announcement, the malware became commercially available under the name “Orcus RAT” and was presented to the public as legal software for remote administration, similar to Teamviewer. Interestingly, the authors claimed that the abbreviation RAT stood for Remote Administration Tool and not Remote Access Trojan.

Get started today for free

Analyze malware and phishing in a fully-interactive sandbox

Create free account

General description of Orcus RAT

Apart from a few exceptions, Orcus RAT malware has a relatively standard but robust feature set for a technologically advanced Remote Access Trojan. The malware can grab screenshots and record user input, activate the webcam, steal passwords, record audio, and steal information. In addition, Orcus comes with the ability to detect if it’s being launched on a virtual machine to complicate the analysis by security researchers.

The functions described above already make this malware quite capable. However, it offers a few unusual functions that enhance its functionality. Namely, the RAT in question supports plugins, and besides offering the ability to build them, it has a whole library of already created plugins that attackers can choose from. Furthermore, Orcus RAT plugins can be written in multiple languages, including C#, C++, and VB.Net.

To make the development of extensions more streamlined, malware creators rolled out a dedicated development environment. What’s more, those who lack the skills to build plugins from scratch on their own can follow detailed tutorials and benefit from well-maintained documentation libraries.

Additionally, Orcus had a Github page where authors have published samples of created plugins.

Another relatively unique feature that the malware authors packed into this virus is real-time scripting. Real-time scripting allows Orcus to write and run code on machines that it infected.

Speaking of Orcus RAT malware authors, we know that the virus was developed by a 36-year-old John Revesz, also known as “Armada" on the underground forums. In 2019, Canadian authorities accused Revesz of operating an international malware distribution scheme.

In his defense, Revesz claimed that the RAT is, in fact, a legitimate program for remote administration, and his company “Orcus Technologies” is a legal business. However, an examination of the functionality clearly revealed that the software is intended for malicious use cases, which resulted in the arrest of Revesz.

It is believed that Revesz wasn’t working alone. Therefore, a joint development effort theory makes sense, especially considering the technological complexity of certain aspects of this malware. For example, Orcus RAT consists of multiple components, with the control panel being a separate component. In addition, the server that the malware establishes a connection with after infection does not hold an admin panel. This architecture provides several advantages to the attackers, for example, the ability to share access to infected PCs from the same server. Additionally, it allows for greater scalability or infected networks.

Orcus RAT malware analysis

A video recorded in the ANY.RUN interactive malware hunting service displays the execution process of Orcus RAT in real-time.

Read a detailed analysis of OrcusRAT in our blog.

process_graph_of_orcus_rat_execution

Figure 1: Displays the execution process of the Orcus RAT. This visualization was generated by ANY.RUN.

text_report_of_orcus_rat_execution

Figure 2: Displays a text report generated by ANY.RUN. Text reports are useful for demonstration and can be customized by a user to show necessary data.

Use ANY.RUN free for 14 days

Try the full power of interactive analysis

Start your free trial

Orcus RAT execution process

The execution process of the Orcus RAT is straightforward. This malware often disguises itself as a cheat code or crack, so it is mostly delivered to a system as an archive file with the compressed executable file inside. Since this trojan was written in C#, it often uses .NET infrastructure, available in Windows. To compile the C# source code, our sample started Visual C# compiler, which, in turn, started the Resource File To COFF Object Conversion Utility. After it was compiled, the executable file began its execution and malicious activity. Note that Orcus remote access tool does not always make its way into an infected system, as described above. In some cases, it comes as a precompiled executable file which only needs a user to double click on it to start the execution.

Orcus RAT malware distribution

Orcus RAT commonly makes its way into target machines as a downloadable attachment in malicious spam emails. Campaigns are often highly targeted and aim at organizations rather than at individuals.

Attackers use phishing and social engineering to trick victims into downloading an attachment or visiting a link that points to a server that holds the payload. In order to begin execution, Orcus does require user input. However, in most cases, it is unable to infect the system without user interaction.

How to detect Orcus RAT?

This malware creates files that allow analysts to detect it with a high degree of certainty. To identify the Orcus RAT, open the "Advanced details of process" by clicking on the "More info" button and switch events display to "Raw." This trojan often creates files with "Orcus" in the names, so all we need is to find such a file. To make it easier, type the word "Orcus" in the filename field. If such a file is found, you can be sure that Orcus RAT is in front of you.

files_created_by_orcus_rat

Figure 3: Files created by Orcus RAT

Conclusion

Orcus RAT malware is a sophisticated trojan that offers some unusual functions on top of solid basic info-stealing capabilities. Technical complexity was complemented by an affordable price of just 40 USD. Today, interested users can download a leaked version of Orcus for free. Unfortunately, this, along with excellent support and documentation, ensured the popularity of Orcus RAT.

Since its deployment in 2016, researchers have been observing Orcus RAT campaigns, and the popularity of this malware is still on the rise. As a result, we can expect several new attacks utilizing malicious software in the future.

Researchers can analyze Orcus RAT using the ANY.RUN malware hunting service to study this malware or other RATS such as Quasar RAT or njRAT. ANY.RUN is an interactive sandbox that allows researchers to stop and correct the simulation at any point, which ensures pure research results. In addition, useful information that can be obtained from the analysis can be added to our growing database of cyber threats to help combat internet crime worldwide.

HAVE A LOOK AT

Lynx screenshot
Lynx
lynx
Lynx is a double extortion ransomware: attackers encrypt important and sensitive data and demand a ransom for decryption simultaneously threatening to publish or sell the data. Active since mid-2024. Among techniques are terminating processes and services, privilege escalation, deleting shadow copies. Distribution by phishing, malvertising, exploiting vulnerabilities.
Read More
Ransomware screenshot
Ransomware
ransomware
Ransomware is a type of malicious software that locks users out of their system or data using different methods to force them to pay a ransom. Most often, such programs encrypt files on an infected machine and demand a fee to be paid in exchange for the decryption key. Additionally, such programs can be used to steal sensitive information from the compromised computer and even conduct DDoS attacks against affected organizations to pressure them into paying.
Read More
GootLoader screenshot
GootLoader
gootloader
GootLoader is an initial-access-as-a-service malware that operates by delivering the GootKit banking trojan and other malicious payloads. It utilizes techniques such as fileless execution and process injection to avoid detection. The malware is often distributed through SEO poisoning and compromised websites, deceiving users into downloading infected files.
Read More
Spyware screenshot
Spyware
spyware
Spyware is a stealth form of malware whose primary objective is to gather sensitive information, such as personal data, login credentials, and financial details, by monitoring user activities and exploiting system vulnerabilities. Spyware operates secretly in the background, evading detection while transmitting collected data to cybercriminals, who can then use it for malicious purposes like identity theft, financial fraud, or espionage.
Read More
Loader screenshot
Loader
loader downloader
A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.
Read More
Spynote screenshot
Spynote
spynote
SpyNote, also known as SpyMax and CypherRat, is a powerful Android malware family designed primarily for surveillance and data theft, often categorized as a Remote Access Trojan (RAT). Originally emerged in 2016, SpyNote has evolved significantly, with new variants continuing to appear as recently as 2023–2025.
Read More