# 2 Minute Threat Brief: Expanding Targets for New SunOrcal Malware Variant

By [Eila Shargh](https://www.paloaltonetworks.com/blog/author/eila-shargh/?ts=markdown "Posts by Eila Shargh"), Nov 20, 2017. [Threat Intelligence](https://www.paloaltonetworks.com/blog/category/threat-intelligence/?ts=markdown). Tags: [Reaver](https://www.paloaltonetworks.com/blog/tag/reaver/?ts=markdown), [SunOrcal](https://www.paloaltonetworks.com/blog/tag/sunorcal/?ts=markdown)

Unit 42 has recently been investigating [a new malware family called Reaver](https://www.paloaltonetworks.com/blog/2017/11/unit42-new-malware-with-ties-to-sunorcal-discovered/). While we have identified it as being active since late 2016, Reaver has been used sparingly, with only a small number of unique samples identified. Its targets have been movements the Chinese government considers dangerous, also known as the "Five Poisons." We found that the Reaver malware family shares command-and-control (C2) infrastructure with the SunOrcal malware family, and that the two have been used concurrently since late 2016.

While investigating Reaver, we also recently discovered [a new variant of the SunOrcal malware family](https://www.paloaltonetworks.com/blog/2017/11/unit42-sunorcal-adds-github-steganography-repertoire-expands-vietnam-myanmar/). Although SunOrcal has been confirmed active since 2013, and possibly earlier, this new variant has been observed targeting regions outside the group's typical target radius, now expanding to include Vietnam and Myanmar.

## How it Works

Emails containing malicious attachments were sent to targets. Aimed at a Vietnamese-speaking audience, one of the malicious documents mentions Donald Trump and the disputed South China Sea area. This is a classic lure technique: the document includes something the target will find interesting or important, leading them to open the file and download the malware onto their system.

## How to Defend Against it

These attacks rely on email [phishing](https://www.paloaltonetworks.com/cyberpedia/what-is-a-phishing-attack), and depend on targets opening the malicious email attachment. Security awareness is critical to avoid falling victim to such an attack.

General email best practices:

* Make sure the sender is a trusted source. If you've never received something from them before, or the email address has typos, don't open it.
* If the sender appears convincing, pay close attention to the body of the email. Are there a lot of typos? Does the branding/logo look different? Does it look unprofessional?
* Never click on a link within the email or download an attachment.
* Don't respond to the email with any password or personal information. If you are unsure of the legitimacy of the email, contact the sender directly over the phone, or by typing a trusted URL directly into your browser or using a saved bookmark.

Additionally, keeping your systems and devices updated with the most current operating system and web browser is a general security best practice, as is enabling multi-factor authentication to prevent an attacker from abusing credentials should they successfully capture them.