Malware Profile Updated 3 months ago
Download STIX
Preview STIX
Orz is a malicious software (malware) known for its detrimental capabilities to exploit and damage computer systems. It infiltrates systems through suspicious downloads, emails, or websites, often unbeknownst to the user, and can steal personal information, disrupt operations, or hold data hostage for ransom. The malware has been utilized by cyber actors since 2014, primarily as a backdoor for decrypting and executing another JavaScript backdoor. Some versions of the Orz backdoor contain embedded 32- and 64-bit DLLs, stored internally as base64 strings. These DLLs are used for decrypting and executing the final JavaScript backdoor “Orz”. The Orz malware communicates with its command and control (CnC) servers, allowing it to send passwords and other sensitive information back to the attackers. This communication was observed in the ETPRO TROJAN Orz JavaScript Backdoor activities, with specific identifiers being 2828317 and 2828316. In addition, a secondary C2 was identified in December 2014, further emphasizing the long-standing use of this malware. A snippet of the Orz backdoor code was also found delivered by a Microsoft Publisher document, demonstrating one of the various infiltration techniques employed. Orz is part of a larger set of tools used by TEMP.Periscope, a group suspected of Chinese origin, which includes other malware like AIRBREAK, Cobalt Strike, the SeDll JavaScript loader, and MockDll dll loader. TEMP.Periscope shares significant overlaps in targeting, tactics, techniques, and procedures (TTPs) with TEMP.Jumper, a group that also overlaps significantly with public reporting on “NanHaiShu.” In recent activities, TEMP.Periscope has leveraged a relatively large library of shared malware, including Orz, indicating a coordinated and sophisticated threat landscape.
What's your take? (Question 1 of 5)
Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
IDVotesProfile Description
Airbreak is a malicious software (malware) used by Advanced Persistent Threat group APT40, known for its sophisticated cyber-espionage campaigns. This JavaScript-based backdoor malware retrieves commands from hidden strings in compromised webpages and actor-controlled profiles on legitimate services
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Cobalt Strike
Associated Malware
To see the evidence that has resulted in this association, create a free account
IDTypeVotesProfile Description
Associated Threat Actors
To see the evidence that has resulted in this association, create a free account
IDTypeVotesProfile Description
TEMP.Periscope, also known as APT40 and TEMP.Jumper among other names, is a threat actor group with a nexus to China that has been active since at least 2013. This group is known for its cyber espionage activities primarily targeting maritime-related entities across various sectors such as engineeri
TEMP.Jumper, also known as TEMP.Periscope, Leviathan, APT40, and several other aliases, is a China-nexus cyber espionage group. This threat actor has been active in the cybersecurity landscape for years, targeting government organizations, private businesses, and universities worldwide. Notably, bet
Associated Vulnerabilities
To see the evidence that has resulted in this association, create a free account
IDTypeVotesProfile Description
No associations to display
Source Document References
Information about the Orz Malware was read from the documents corpus below. This display is limited to 20 results, create a free account to see more
a year ago
Leviathan: Espionage actor spearphishes maritime and defense targets | Proofpoint US
a year ago
Suspected Chinese Cyber Espionage Group (TEMP.Periscope) Targeting U.S. Engineering and Maritime Industries | Mandiant