Orz

MITRE
Malware Type: Other
First seen: Unknown
Last seen: Unknown
Details:

[Orz](https://attack.mitre.org/software/S0229) is a custom JavaScript backdoor used by [Leviathan](https://attack.mitre.org/groups/G0065). It was observed being used in 2014 as well as in August 2017 when it was dropped by Microsoft Publisher files. (Citation: Proofpoint Leviathan Oct 2017) (Citation: FireEye Periscope March 2018)

Associated Techniques (13)
| ID | ATT&CK | Tactics |
| --- | --- | --- |
| T1016 | System Network Configuration Discovery | - |
| T1027 | Obfuscated Files or Information | - |
| T1055.012 | Process Hollowing | - |
| T1057 | Process Discovery | - |
| T1059.003 | Windows Command Shell | - |
| T1070 | Indicator Removal | - |
| T1082 | System Information Discovery | - |
| T1083 | File and Directory Discovery | - |
| T1102.002 | Bidirectional Communication | - |
| T1105 | Ingress Tool Transfer | - |
| T1112 | Modify Registry | - |
| T1218.010 | Regsvr32 | - |
| T1518 | Software Discovery | - |

Aliases (104)
AIRBREAK
Used by Actors (1)
Metadata
ID: 24
Created: 13/01/2026 17:48
Updated: 06/03/2026 04:00