Black friday Up to 3 extra licenses FOR FREE + Special offer for TI LOOKUP Get it now
Webinar
February 26
Better SOC with Interactive Sandbox Practical Use Cases
Register now
36
Global rank
68 infographic chevron month
Month rank
66 infographic chevron week
Week rank
0
IOCs

Orcus is a modular Remote Access Trojan with some unusual functions. This RAT enables attackers to create plugins using a custom development library and offers a robust core feature set that makes it one of the most dangerous malicious programs in its class.

RAT
Type
Canada
Origin
1 April, 2016
First seen
6 October, 2025
Last seen
Also known as
Schnorchel

How to analyze Orcus RAT with ANY.RUN

RAT
Type
Canada
Origin
1 April, 2016
First seen
6 October, 2025
Last seen

IOCs

IP addresses
1.1.1.1
193.161.193.99
199.195.253.181
216.250.97.121
37.235.48.20
147.185.221.229
209.25.141.180
147.185.221.181
15.235.3.1
31.173.170.243
147.185.221.16
147.185.221.17
147.185.221.21
94.19.26.210
45.10.151.182
147.185.221.24
147.185.221.25
195.88.218.126
198.50.242.157
209.25.141.181
Hashes
fc142dd7af3d7ecc148674bf08c6280b4acfb0141018a19d85dae863cd0c4507
bf1518f8d72919e209a45e465809653c5daf9315531896f3cad93c6d623f2410
e5771b24c5636cb1fb998bad5020f1b375983bf6a3323dc05f03f2b9b0be87be
b7b18ece8d21a8f3dd37a348372d027432ea5dbfba2825645fb0b68b28b6925d
4ef58d34d748aae0e1143faba71238eb9910cea26cbc530d8d3c125d8c60789e
b8a12284d7610bf032280823410256abb6f323868b07551ad3cf186ff284673a
68d7531d9291dc08994198e95b12ee08e399e8ed1b2b7d3799f2d8ab9c966011
b9657cd9005b01b162ce90306ba1b7c7c3df3551fba5f008efd780086f461e72
938e2ca50da0de6f099f65592842891116f002bb7579cc2ce963f895f55e6008
0ca1e8c404083acfc334a0005069d5b8753ac4f9032e6a6c9b7f81d5a2e00ba5
f927e4109cd28b23638030715aa3af2f957a506bc7415b64600dcf1a634d3570
d57dcd1fd575a271038355026db1f78666b74d0e9dfd3099d7ef60c0fc8d568c
53e546513b804a4e6aab97714e2aeef686d98a920e259f39fa068f516a276d92
ea2e024dd864777c99304ee9eccca90987cce1d160cc77ca76b6716871efdb9a
302f195d1632ad5146db0215267f94dd275364f397cdfeefdcc80f17dd895e02
4a265e73f0e1ae00c0fc7881123829f561925ece64980ccacf7dc6993512cb98
04c15973ce0eee65074b68b2fd0bf689e6d7f5facbbb461dafebd98b072aa16a
d4f2faf145910d80e1999dbd3c12cac0a6dba17884e9f9f88c9831b2f543e88c
8c3be19a5a5168eb978a6b441787ea45ade59a985822e4ad906f59dec5db34c3
6f98d133aa221fabfb28372df165cf3de2d5c5ec01c3144b5eb29bbb0e5fab3a
Domains
0.tcp.eu.ngrok.io
4.tcp.ngrok.io
4.tcp.eu.ngrok.io
0.tcp.in.ngrok.io
0.tcp.ap.ngrok.io
6.tcp.ngrok.io
8.tcp.ngrok.io
6.tcp.eu.ngrok.io
7.tcp.eu.ngrok.io
5.tcp.eu.ngrok.io
xeirz.ddns.net
212.ip.ply.gg
229.ip.ply.gg
mehackiscool.ddns.net
dololow.ddns.net
score-deadline.at.ply.gg
yoopto.hopto.org
hi-world.duckdns.org
aid-deutsche.at.ply.gg
winsense.duckdns.org
Last Seen at

Recent blog posts

post image
Release Notes: Palo Alto Networks, Microsoft,...
watchers 1223
comments 0
post image
FunkSec’s FunkLocker: How AI Is Powering the...
watchers 2907
comments 0
post image
ANY.RUN & MS Defender: Enrich Alerts Faster,...
watchers 2883
comments 0

What is Orcus RAT?

Orcus, previously known as Schnorchel, is a Remote Access Trojan, which enables remote control of infected systems. Although Orcus RAT malware is mostly a typical member of the RAT family, it has some competitive advantages over similar malware and unique features.

In addition, Orcus RAT has a modular structure, and it gives users the ability to create custom plugins for the malware. The modularity of this trojan gives it higher than standard scalability and management, allowing it to tailor the malware to the needs of various campaigns.

The first time we heard about this malware was from a forum post by one of its authors. The post announced the development of a new RAT that was named Schnorchel at the time. Soon after the announcement, the malware became commercially available under the name “Orcus RAT” and was presented to the public as legal software for remote administration, similar to Teamviewer. Interestingly, the authors claimed that the abbreviation RAT stood for Remote Administration Tool and not Remote Access Trojan.

Get started today for free

Analyze malware and phishing in a fully-interactive sandbox

Create free account

General description of Orcus RAT

Apart from a few exceptions, Orcus RAT malware has a relatively standard but robust feature set for a technologically advanced Remote Access Trojan. The malware can grab screenshots and record user input, activate the webcam, steal passwords, record audio, and steal information. In addition, Orcus comes with the ability to detect if it’s being launched on a virtual machine to complicate the analysis by security researchers.

The functions described above already make this malware quite capable. However, it offers a few unusual functions that enhance its functionality. Namely, the RAT in question supports plugins, and besides offering the ability to build them, it has a whole library of already created plugins that attackers can choose from. Furthermore, Orcus RAT plugins can be written in multiple languages, including C#, C++, and VB.Net.

To make the development of extensions more streamlined, malware creators rolled out a dedicated development environment. What’s more, those who lack the skills to build plugins from scratch on their own can follow detailed tutorials and benefit from well-maintained documentation libraries.

Additionally, Orcus had a Github page where authors have published samples of created plugins.

Another relatively unique feature that the malware authors packed into this virus is real-time scripting. Real-time scripting allows Orcus to write and run code on machines that it infected.

Speaking of Orcus RAT malware authors, we know that the virus was developed by a 36-year-old John Revesz, also known as “Armada" on the underground forums. In 2019, Canadian authorities accused Revesz of operating an international malware distribution scheme.

In his defense, Revesz claimed that the RAT is, in fact, a legitimate program for remote administration, and his company “Orcus Technologies” is a legal business. However, an examination of the functionality clearly revealed that the software is intended for malicious use cases, which resulted in the arrest of Revesz.

It is believed that Revesz wasn’t working alone. Therefore, a joint development effort theory makes sense, especially considering the technological complexity of certain aspects of this malware. For example, Orcus RAT consists of multiple components, with the control panel being a separate component. In addition, the server that the malware establishes a connection with after infection does not hold an admin panel. This architecture provides several advantages to the attackers, for example, the ability to share access to infected PCs from the same server. Additionally, it allows for greater scalability or infected networks.

Orcus RAT malware analysis

A video recorded in the ANY.RUN interactive malware hunting service displays the execution process of Orcus RAT in real-time.

Read a detailed analysis of OrcusRAT in our blog.

process_graph_of_orcus_rat_execution

Figure 1: Displays the execution process of the Orcus RAT. This visualization was generated by ANY.RUN.

text_report_of_orcus_rat_execution

Figure 2: Displays a text report generated by ANY.RUN. Text reports are useful for demonstration and can be customized by a user to show necessary data.

Use ANY.RUN free for 14 days

Try the full power of interactive analysis

Start your free trial

Orcus RAT execution process

The execution process of the Orcus RAT is straightforward. This malware often disguises itself as a cheat code or crack, so it is mostly delivered to a system as an archive file with the compressed executable file inside. Since this trojan was written in C#, it often uses .NET infrastructure, available in Windows. To compile the C# source code, our sample started Visual C# compiler, which, in turn, started the Resource File To COFF Object Conversion Utility. After it was compiled, the executable file began its execution and malicious activity. Note that Orcus remote access tool does not always make its way into an infected system, as described above. In some cases, it comes as a precompiled executable file which only needs a user to double click on it to start the execution.

Orcus RAT malware distribution

Orcus RAT commonly makes its way into target machines as a downloadable attachment in malicious spam emails. Campaigns are often highly targeted and aim at organizations rather than at individuals.

Attackers use phishing and social engineering to trick victims into downloading an attachment or visiting a link that points to a server that holds the payload. In order to begin execution, Orcus does require user input. However, in most cases, it is unable to infect the system without user interaction.

How to detect Orcus RAT?

This malware creates files that allow analysts to detect it with a high degree of certainty. To identify the Orcus RAT, open the "Advanced details of process" by clicking on the "More info" button and switch events display to "Raw." This trojan often creates files with "Orcus" in the names, so all we need is to find such a file. To make it easier, type the word "Orcus" in the filename field. If such a file is found, you can be sure that Orcus RAT is in front of you.

files_created_by_orcus_rat

Figure 3: Files created by Orcus RAT

Conclusion

Orcus RAT malware is a sophisticated trojan that offers some unusual functions on top of solid basic info-stealing capabilities. Technical complexity was complemented by an affordable price of just 40 USD. Today, interested users can download a leaked version of Orcus for free. Unfortunately, this, along with excellent support and documentation, ensured the popularity of Orcus RAT.

Since its deployment in 2016, researchers have been observing Orcus RAT campaigns, and the popularity of this malware is still on the rise. As a result, we can expect several new attacks utilizing malicious software in the future.

Researchers can analyze Orcus RAT using the ANY.RUN malware hunting service to study this malware or other RATS such as Quasar RAT or njRAT. ANY.RUN is an interactive sandbox that allows researchers to stop and correct the simulation at any point, which ensures pure research results. In addition, useful information that can be obtained from the analysis can be added to our growing database of cyber threats to help combat internet crime worldwide.

HAVE A LOOK AT

DarkGate screenshot
DarkGate
darkgate
DarkGate is a loader, which possesses extensive functionality, ranging from keylogging to crypto mining. Written in Delphi, this malware is known for the use of AutoIT scripts in its infection process. Thanks to this malicious software’s versatile architecture, it is widely used by established threat actors.
Read More
NetSupport RAT screenshot
NetSupport RAT
netsupport
NetSupport RAT is a malicious adaptation of the legitimate NetSupport Manager, a remote access tool used for IT support, which cybercriminals exploit to gain unauthorized control over systems. It has gained significant traction due to its sophisticated evasion techniques, widespread distribution campaigns, and the challenge it poses to security professionals who must distinguish between legitimate and malicious uses of the underlying software.
Read More
DarkVision screenshot
DarkVision
darkvision
DarkVision RAT is a low-cost, modular Remote Access Trojan that gives attackers remote control of infected Windows hosts. Initially observed around 2020 and sold in underground marketplaces, DarkVision has become notable for its full feature set (keylogging, screen capture, file theft, remote command execution and plugin support) and for being distributed via multi-stage loaders in recent campaigns.
Read More
LokiBot screenshot
LokiBot
lokibot loader trojan
LokiBot was developed in 2015 to steal information from a variety of applications. Despite the age, this malware is still rather popular among cybercriminals.
Read More
Rootkit screenshot
Rootkit
rootkit bootkit
A rootkit is a type of malicious software designed to provide unauthorized administrative-level access to a computer or network while concealing its presence. Rootkits are tools used by cybercriminals to hide their activities, including keyloggers, spyware, and other malware, often enabling long-term system exploitation.
Read More
Agent Tesla screenshot
Agent Tesla
agenttesla trojan rat stealer
Agent Tesla is spyware that collects information about the actions of its victims by recording keystrokes and user interactions. It is falsely marketed as a legitimate software on the dedicated website where this malware is sold.
Read More