LTS Secure Warning: Orcus RAT Being Delivered To Multiple Organizations In New Cyber Espionage Campaign

Active since 2016, Orcus is a remote access trojan (RAT) developed by 'Sorzus'. The RAT supports custom plugins and is primarily distributed via drive-by downloads and spear-phishing emails.

Orcus RAT is now being used by threat actors in a new malspam campaign targeting sectors such as IT, financial services, consultancies and government entities.


Technical Details

The infection chain starts with a phishing email that purports to come from the Australian Competition & Consumer Commission (ACCC), the Better Business Bureau (BBB) or another regional agency. The email contains a SendGrid URL that, once clicked, redirects the user to attacker infrastructure hosting the malicious executable inside a ZIP archive. Once the user runs the executable, the RAT is loaded into memory. To achieve persistence, the loader is placed in the Startup folder and a batch script is used to re-execute the loader every 60 seconds. Capabilities of the RAT include:
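The persistence described above (a loader in the Startup folder re-launched by a batch script on a 60-second timer) is cheap to hunt for on an endpoint. The following script is an added example written for this page, not tooling from LTS Secure or from the Orcus authors. It assumes a generic shape for such a script (a label, a launch of an .exe, a `timeout` or `ping` delay, and a `goto` back to the label); the sample batch files, the `loader.exe` name and the Startup folder paths are constructed for the demonstration, and the advisory itself does not publish the real script.

```python
"""Hunt Windows Startup folders for a batch script that repeatedly launches
an executable on a timer, the persistence pattern the advisory describes.
Added example; assumptions are marked in comments."""
import os
import re
import tempfile
from pathlib import Path

# Assumed default Startup folders (user and all-users), as found on Windows.
STARTUP_FOLDERS = [
    Path(os.environ.get("APPDATA", "")) / "Microsoft/Windows/Start Menu/Programs/Startup",
    Path(os.environ.get("PROGRAMDATA", "")) / "Microsoft/Windows/Start Menu/Programs/StartUp",
]

LABEL_RE = re.compile(r"(?im)^\s*:([A-Za-z_][\w-]*)")       # :loop
GOTO_RE = re.compile(r"(?im)^\s*goto\s+:?([A-Za-z_][\w-]*)")  # goto loop / goto :eof
TIMEOUT_RE = re.compile(r"(?i)\btimeout\b[^\n]*?(\d+)")      # timeout /t 60
PING_RE = re.compile(r"(?i)\bping\b[^\n]*?-n\s+(\d+)")        # ping host -n 61 (≈ N-1 s)
EXEC_RE = re.compile(r"(?i)\b([\w.-]+\.(?:exe|scr|com))\b")   # anything launched


def analyze_batch(text):
    """Extract loop / delay / launch facts from one batch script."""
    labels = {m.lower() for m in LABEL_RE.findall(text)}
    targets = {m.lower() for m in GOTO_RE.findall(text)}
    loops = bool(labels & targets)  # a goto jumping back to a defined label
    delays = [int(n) for n in TIMEOUT_RE.findall(text)]
    delays += [max(int(n) - 1, 0) for n in PING_RE.findall(text)]
    execs = sorted({m.lower() for m in EXEC_RE.findall(text)})
    return {"loops": loops, "delay_seconds": max(delays, default=None), "executables": execs}


def is_suspicious(facts):
    """Loop + delay + an executable launch is the re-launch-on-timer pattern."""
    return facts["loops"] and facts["delay_seconds"] is not None and bool(facts["executables"])


def hunt(folder):
    """Return findings for every .bat/.cmd in `folder` that matches the pattern."""
    findings = []
    for script in sorted(Path(folder).glob("*")):
        if script.suffix.lower() not in (".bat", ".cmd"):
            continue
        facts = analyze_batch(script.read_text(errors="replace"))
        if is_suspicious(facts):
            findings.append({"script": script.name, **facts})
    return findings


def hunt_startup():
    """Run the hunt over whichever assumed Startup folders exist on this host."""
    results = []
    for folder in STARTUP_FOLDERS:
        if folder.is_dir():
            results.extend(hunt(folder))
    return results


# Constructed samples: a benign one-shot launcher and a looping re-launcher.
BENIGN = '@echo off\nstart "" "C:\\Tools\\clipboard-helper.exe"\nexit /b 0\n'
SUSPECT = ('@echo off\n:loop\nstart "" "%APPDATA%\\loader.exe"\n'
           'timeout /t 60 /nobreak >nul\ngoto loop\n')


def demo():
    """Build a throwaway folder with both samples and hunt it."""
    with tempfile.TemporaryDirectory() as tmp:
        (Path(tmp) / "OneDriveHelper.bat").write_text(BENIGN)
        (Path(tmp) / "update.cmd").write_text(SUSPECT)
        return hunt(tmp)


if __name__ == "__main__":
    print("demo findings:", demo())
    print("live findings:", hunt_startup())
```

Only `update.cmd` is reported from the demo folder: it defines a label, launches `loader.exe`, waits 60 seconds and jumps back, while the benign launcher runs once and exits. On a real host, `hunt_startup()` scans the assumed Startup paths; treat any hit as a lead to examine, not as proof of Orcus, since the loader name and script layout are assumptions.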



  • Logs the user's keystrokes.
  • Remote administration of the host.
  • Collects user and system information.
  • Records video and takes pictures from the webcam.
  • Takes screenshots of the desktop.
  • Manipulates registry keys and values.
  • Advanced plugin system.


Recommended Actions

  • Never download suspicious attachments or click on shady-looking links. Make an effort to educate your users on how to identify malspam.
  • Ensure that your devices are always up to date with the latest patches released.
  • Keep your anti-virus software updated with the latest releases.
  • Periodically run a full system scan on your endpoints.
  • Review the user and all-users Startup folders for unexpected batch scripts or executables, since this campaign relies on them for persistence.


LTS Secure Locations
  • Florida: 407-965-5509
    Los Angeles: 323-544-5013
    Mid West: 800 689 4506

  • Chicago/Midwest– 2406 Schumacher Drive, Mishawaka, IN, 46545

    201, Tower S4, Phase II, Cybercity, Magarpatta Township, Hadapsar, Pune-411013
