OrcaC2
OrcaC2 is a multifunction, Go-based command-and-control framework whose source code is publicly available on GitHub. In the provided reporting, CERT-UA described OrcaC2 as an open-source C2 framework used by threat actor UAC-0239 in spearphishing campaigns targeting Ukraine’s Defence Forces, local government bodies, and, more broadly, Ukrainian institutions. Observed delivery involved phishing emails sent via services such as Ukr.net and Gmail, impersonating trusted Ukrainian entities and distributing password-protected archives or VHD files containing an executable and decoy documents. OrcaC2 was also reported as being dropped alongside the FILEMESS stealer.
Reported OrcaC2 capabilities include remote command execution, an interactive shell, system manipulation, file transfer, screenshots, keylogging, process control (including memory dumps), UAC bypass, shellcode execution, multiple process-injection techniques, proxy and SOCKS support, SSH and SMB traffic tunneling, port scanning, and password brute-forcing. Persistence mechanisms reported as observed or available to OrcaC2 include scheduled tasks, Run registry entries, and services.
The content reports a high-confidence association between OrcaC2 and UAC-0239 activity against Ukraine’s Defence Forces and local and state government agencies, including campaigns themed around “countering russian sabotage-reconnaissance groups.” No OrcaC2-specific file hashes, domains, IPs, or other unique indicators were provided in the content.
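Because the reporting gives no hashes, domains or IPs to match on, the practical hunting handle this page offers is the set of persistence locations it names: Run registry entries, scheduled tasks, and services. The script below is an added example written for this page; it is not OrcaC2 code, not part of CERT-UA's reporting, and not Mallory's tooling. It snapshots those three locations on a Windows host and reports anything added, removed or modified since the previous snapshot, so a defender can baseline a fleet and review only the deltas. The snapshot directory path is an assumption chosen for illustration, and the list of Run/RunOnce keys is the standard set, not one taken from the reporting.

```powershell
# Added example (not OrcaC2 or Mallory code): baseline-and-diff of the three
# persistence locations the reporting names for OrcaC2. The snapshot directory
# is an assumed location; change it to suit your environment.
param(
    [string]$SnapshotDir = "$env:ProgramData\PersistenceBaseline"  # assumption
)

function Get-RunKeyEntries {
    # Standard Run/RunOnce keys for the machine and the current user.
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($k in $keys) {
        if (-not (Test-Path $k)) { continue }
        $props = Get-ItemProperty -Path $k
        foreach ($p in $props.PSObject.Properties) {
            # Skip the provider metadata properties PowerShell attaches to registry objects.
            if ($p.Name -in 'PSPath','PSParentPath','PSChildName','PSDrive','PSProvider') { continue }
            [pscustomobject]@{ Type = 'RunKey'; Name = "$k\$($p.Name)"; Command = [string]$p.Value }
        }
    }
}

function Get-ScheduledTaskEntries {
    # One row per executable action; a task with several actions yields several rows.
    Get-ScheduledTask | ForEach-Object {
        $task = $_
        foreach ($action in $task.Actions) {
            if ($action.Execute) {
                [pscustomobject]@{
                    Type    = 'ScheduledTask'
                    Name    = "$($task.TaskPath)$($task.TaskName)"
                    Command = ("$($action.Execute) $($action.Arguments)").Trim()
                }
            }
        }
    }
}

function Get-ServiceEntries {
    # PathName carries the binary path and arguments the service starts with.
    Get-CimInstance Win32_Service | ForEach-Object {
        [pscustomobject]@{ Type = 'Service'; Name = $_.Name; Command = [string]$_.PathName }
    }
}

function Get-PersistenceSnapshot {
    @(Get-RunKeyEntries) + @(Get-ScheduledTaskEntries) + @(Get-ServiceEntries) |
        Sort-Object Type, Name
}

function Compare-PersistenceSnapshot {
    # Keys entries on Type|Name and reports additions, removals and command changes.
    param($Previous, $Current)
    $prev = @{}; foreach ($e in $Previous) { $prev["$($e.Type)|$($e.Name)"] = $e.Command }
    $curr = @{}; foreach ($e in $Current)  { $curr["$($e.Type)|$($e.Name)"] = $e.Command }
    foreach ($k in $curr.Keys) {
        if (-not $prev.ContainsKey($k)) {
            [pscustomobject]@{ Change = 'Added'; Entry = $k; Command = $curr[$k]; Previous = $null }
        } elseif ($prev[$k] -ne $curr[$k]) {
            [pscustomobject]@{ Change = 'Modified'; Entry = $k; Command = $curr[$k]; Previous = $prev[$k] }
        }
    }
    foreach ($k in $prev.Keys) {
        if (-not $curr.ContainsKey($k)) {
            [pscustomobject]@{ Change = 'Removed'; Entry = $k; Command = $prev[$k]; Previous = $null }
        }
    }
}

New-Item -ItemType Directory -Path $SnapshotDir -Force | Out-Null
$latestPath = Join-Path $SnapshotDir 'latest.json'
$current = Get-PersistenceSnapshot

if (Test-Path $latestPath) {
    $previous = Get-Content -Path $latestPath -Raw | ConvertFrom-Json
    $changes = Compare-PersistenceSnapshot -Previous $previous -Current $current
    if ($changes) { $changes | Format-Table -AutoSize -Wrap }
    else { Write-Host "No persistence changes since the last snapshot." }
} else {
    Write-Host "No prior snapshot; recording baseline ($($current.Count) entries)."
}

# Persist the current state as the new baseline for the next run.
$current | ConvertTo-Json -Depth 3 | Set-Content -Path $latestPath -Encoding UTF8
```

Run it once to record a baseline, then on a schedule; only the diff needs a human eye. Run under an elevated session so HKLM and all services are readable, and keep the snapshot directory where a compromised user account cannot rewrite it, since an attacker who can edit the baseline can hide the entry you are looking for. The diff deliberately keys on the full command line, so a scheduled task whose binary path is swapped shows up as Modified even though the task name is unchanged.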
Groups observed using it
1 distinct threat actor attributed by public researchers.
"Adversaries employ OrcaC2, a multifunction Go-based C2 framework whose source code is publicly available on GitHub..."
Recent activity
3 sources tracked across advisories, community write-ups, and news.
Open-source command-and-control framework used post-compromise for remote command execution, system manipulation, file transfer, and keylogging.
A multifunction Go-based command-and-control framework used to control compromised hosts, supporting capabilities such as remote code execution, interactive shell, file transfer, screenshots, keylogging, process control (including memory dumps), UAC bypass, shellcode execution, multiple process-injection techniques, proxy/SOCKS, traffic tunneling (SSH/SMB), port scanning, and password brute-forcing. Persistence mechanisms mentioned include scheduled tasks, Run registry entries, and services.
Command-and-control framework referenced in related CERT-UA reporting; no additional technical details provided in this content.