SunOrcal is a trojan malware family whose activity dates back to at least 2013. A version discovered in November 2017 incorporates steganography techniques and can collect C2 information via GitHub, obscuring its C2 infrastructure and evading detection using the legitimate site for its first beacon. The threat actors have targeted users in the Vietnam area, spreading phishing emails containing malicious documents purportedly regarding South China Sea disputes. The new SunOrcal version has also been used with the recently discovered Reaver trojan and the original SunOrcal version. Some of the recent activity also incorporates the use of the Surtr malware.


  • November 2017: SunOrcal adds GitHub and Steganography to its repertoire, expands to Vietnam and Myanmar. (Palo Alto Networks)

Technical Details

  • PWC provides technical analysis of the SunOrcal trojan here.