ORPCBackdoor
ORPCBackdoor is a custom backdoor that uses the RPC protocol to communicate with its command-and-control (C2) server and execute operator-issued instructions. Reporting cited in the source material links the malware to multiple South Asian espionage clusters: it has been used by Bitter (TA397), Mysterious Elephant (APT-K-47), and Confucius. Researchers specifically noted that all three groups have used ORPCBackdoor, suggesting either a shared malware arsenal or coordination through a common development entity. Knownsec 404 Team attributed ORPCBackdoor to Mysterious Elephant and described tooling overlap involving SideWinder, Patchwork, Confucius, and Bitter. The surrounding reporting places this malware in campaigns associated with government, diplomatic, and defense targeting, including activity aligned with Indian state interests in Bitter-related investigations, while separate Knownsec reporting lists ORPCBackdoor as part of Mysterious Elephant’s broader toolkit used in operations primarily targeting Pakistani victims, with additional targeting of Bangladesh and Turkey. No specific indicators of compromise for ORPCBackdoor are provided in the content.
Hunt this family in your stack
Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
Groups observed using it
3 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
ORPCBackdoor, a backdoor that uses the RPC protocol to communicate with a command-and-control (C2) server and runs operator-issued instructions
ORPCBackdoor, a backdoor that uses the RPC protocol to communicate with a command-and-control (C2) server and runs operator-issued instructions
All three groups have used a custom malware strain known as ORPCBackdoor, suggesting a shared arsenal or possible coordination under a common development entity.
Recent activity
4 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
RPC-based backdoor for C2 communications and execution of operator-issued commands; also reported by Knownsec 404 as attributed to Mysterious Elephant.
Custom backdoor/remote access malware used by multiple suspected Indian-aligned threat groups, indicating possible shared development or tool-sharing across operations.
ORPCBackdoor is a backdoor used by TA397 and other Indian state-backed threat actors for persistent access and espionage operations.
"Knownsec's report said that Asyncshell is one of several tools employed by Mysterious Elephant. The group's arsenal also includes ORPCBackdoor..."
The version that knows your environment.
Match every observed IP, domain, and hash against your live telemetry.
Named campaigns wielding this family, with evidence pinned to each claim.
CVEs this family uses for access and lateral movement.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Every documented technique, ranked by evidence weight.
Reddit, Mastodon, and CTI community discussion around this family.