
Orcus RAT Campaign Targets Bitcoin Investors

In an attempt to benefit from the recent spike in the value of Bitcoin, the authors of a remote access Trojan have started targeting Bitcoin investors with their malicious software, Fortinet has discovered.


The attack starts with phishing emails marketing a relatively new Bitcoin trading bot application called “Gunbot” developed by GuntherLab or Gunthy. However, the email actually delivers the Orcus RAT to the Bitcoin investors instead.

The phishing emails contain a .ZIP attachment that includes a simple VB script designed to download a binary masquerading as a JPEG image file. According to Fortinet, the attackers made no attempt to hide their intentions, either because they didn’t want to or because they lack the technical knowledge to do so.
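A triage check for the delivery chain described above, as an added example that is not from Fortinet or the original article. The extension lists, file names and sample bytes are constructed assumptions.

```python
import io
import os
import zipfile

# Assumed blocklists for this example; tune to your own mail policy.
SCRIPT_EXTS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".hta", ".ps1", ".bat", ".cmd"}
IMAGE_EXTS = {".jpg", ".jpeg", ".png", ".gif", ".bmp"}

def _ext(name):
    return os.path.splitext(name)[1].lower()

def script_members(zip_bytes):
    """Names of script files found inside a ZIP attachment."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [m.filename for m in zf.infolist()
                if not m.is_dir() and _ext(m.filename) in SCRIPT_EXTS]

def is_pe_named_as_image(filename, data):
    """True when a file with an image extension is really a PE: 'MZ' at
    offset 0 and 'PE\\0\\0' at the offset stored in e_lfanew (0x3C)."""
    if _ext(filename) not in IMAGE_EXTS or len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"

def build_samples():
    """Constructed inputs: a ZIP holding a script, a stub PE header, a JPEG header."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("attachment_script.vbs", "' constructed placeholder")
        zf.writestr("readme.txt", "constructed")
    stub_pe = b"MZ" + b"\0" * 58 + (0x40).to_bytes(4, "little") + b"PE\0\0"
    jpeg = b"\xff\xd8\xff\xe0" + b"\0" * 64
    return buf.getvalue(), stub_pe, jpeg

if __name__ == "__main__":
    zip_bytes, stub_pe, jpeg = build_samples()
    print("scripts in ZIP:", script_members(zip_bytes))
    print("stub PE named .jpg flagged:", is_pe_named_as_image("image.jpg", stub_pe))
    print("real JPEG header flagged:", is_pe_named_as_image("image.jpg", jpeg))
```

The same two checks fit a mail gateway (attachment contents) and a web proxy (response body versus requested file name).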

The downloaded executable is a Trojanized version of an open-source inventory system tool named TTJ-Inventory System. A hardcoded key is used to decrypt encoded code into another .NET PE executable that is loaded and executed directly in memory.

The malware ensures it is the only instance running on the infected machine by checking for the existence of a mutex named “dgonfUsV”. 

Fortinet has discovered that a RunPE module can execute modules without writing them to the system, and can also execute them under legitimate executables by running applications in suspended mode and then replacing the process’ memory with the malicious code. The persistence watchdog keeps the malware running by repeatedly executing it.

Advertised as a Remote Administration Tool since early 2016, Orcus has all the features such an application should include, but can also load plugins and can execute C# and code on the remote machine in real-time.

“Basically, if a server component gets ‘installed’ to your system, the person on the other side is practically in front of your machine while seeing and hearing you at the same time – yes, it can activate your microphone and webcam even without you knowing,” Fortinet notes.

The threat can also disable the light indicator on webcams, meaning that it can be used to spy on users. It can implement a watchdog that restarts the server component, and it can trigger a Blue Screen of Death (BSOD) if the user attempts to kill its process.

The malware also includes password retrieval and key logging functionality, the same as other RATs out there. Orcus also offers a plugin that can be used to perform Distributed Denial of Service (DDoS) attacks.

During their analysis, the security researchers also noticed that the actors behind the attack made some changes to the contents of the site distributing the malware (, which attempts to imitate Bitcoin forum They also removed the aforementioned image file from the site and posted a ZIP file instead.

Fortinet’s security researchers also discovered additional websites that attempt to imitate legitimate domains by changing a single letter in the URL. Thus, they believe that the actor cycles between the websites when switching to a new campaign.
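One way to hunt for the single-letter lookalike domains described above in proxy or DNS logs, as an added example that is not from Fortinet or the original article. It generalizes from one substituted letter to any single-character edit (substitution, insertion or deletion); the `.example` hostnames are constructed placeholders, not the domains from the campaign.

```python
def one_edit_apart(a, b):
    """True if a and b differ by exactly one substitution, insertion or deletion."""
    if a == b or abs(len(a) - len(b)) > 1:
        return False
    if len(a) > len(b):
        a, b = b, a                      # a is now the shorter or equal-length string
    i = 0
    while i < len(a) and a[i] == b[i]:   # skip the common prefix
        i += 1
    if len(a) == len(b):
        return a[i + 1:] == b[i + 1:]    # one substituted character
    return a[i:] == b[i + 1:]            # one extra character in b

def normalize(host):
    host = host.strip().lower().rstrip(".")
    return host[4:] if host.startswith("www.") else host

def find_lookalikes(observed, legitimate):
    """Return (observed_host, imitated_host) pairs for near-miss hostnames."""
    legit = {normalize(d) for d in legitimate}
    hits = []
    for raw in observed:
        host = normalize(raw)
        if host in legit:
            continue                     # exact match is the real site
        for good in sorted(legit):
            if one_edit_apart(host, good):
                hits.append((raw, good))
    return hits

# Constructed sample data: a watchlist of sites users really visit,
# and hostnames pulled from a (hypothetical) proxy log.
WATCHLIST = ["bitcoin-forum.example", "exchange.example"]
SEEN = ["www.bitcoin-forum.example", "bitcain-forum.example",
        "exchnge.example", "news.example"]

if __name__ == "__main__":
    for seen, imitated in find_lookalikes(SEEN, WATCHLIST):
        print(f"{seen} looks like {imitated}")
```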

“In our investigation of Orcus RAT, we have again proven again that its capabilities go beyond the scope of a harmless administration tool. Regardless of the developer’s claim and defense, the reality is that the application is being used in cybercrime campaigns,” Fortinet concludes.


Written By

Ionut Arghire is an international correspondent for SecurityWeek.
