OctoRAT Commands

February 6, 2026
Fuad Aliyev

System & Client Management

  1. "ping" - sends the ping result (ms) to server
  2. "update_client" - updates client malware.
  3. "uninstall_client" - the malware removes itself, cleans up its startup entry etc., and terminates its own process

Persistence & Startup

  1. "add_startup", "add_to_startup" - uses AddStartupItem (a custom function) to add the binary to startup, taking the name and path values from the packet JSON (the path is added to "Software\Microsoft\Windows\CurrentVersion\Run")
  2. "get_startup" - shows the startup list
  3. "check_startup" - checks if "name" is in startup
  4. "remove_startup" - removes the startup entry from the "Software\Microsoft\Windows\CurrentVersion\Run" key by name

Privilege Escalation & Security Bypass

  1. "disable_uac" - sets the "EnableLUA" value to 0 under "SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
  2. "disable_firewall" - sets all firewall profiles to off using Process.Start("netsh", "advfirewall set allprofiles state off");
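
Detection logic for the persistence and security-bypass commands above, added here as an example (not code from OctoRAT or from the original analysis): it flags Run-key writes, EnableLUA set to 0 and the netsh firewall-off command in endpoint telemetry. The record schema (type, target, details, image, command_line) and the sample events are constructed assumptions.

```python
import re

# Registry paths and netsh arguments come from the command descriptions above.
RUN_KEY = r"\software\microsoft\windows\currentversion\run"
UAC_KEY = r"\software\microsoft\windows\currentversion\policies\system"
FW_OFF = "advfirewall set allprofiles state off"


def dword(details):
    """Parse registry data such as '0', '0x1' or 'DWORD (0x00000000)'."""
    m = re.search(r"0x[0-9a-f]+|\d+", str(details).lower())
    if not m:
        return None
    text = m.group(0)
    return int(text, 16) if text.startswith("0x") else int(text, 10)


def classify(event):
    """Return a finding label for one telemetry record, or None."""
    if event["type"] == "registry_set":
        # target = full key path plus value name, compared case-insensitively
        key, _, value_name = event["target"].lower().rpartition("\\")
        if key.endswith(RUN_KEY):
            return "run_key_persistence"  # legitimate software writes here too: triage by path
        if key.endswith(UAC_KEY) and value_name == "enablelua" and dword(event["details"]) == 0:
            return "uac_disabled"
    elif event["type"] == "process_create":
        image = event["image"].lower().rpartition("\\")[2]
        args = " ".join(event["command_line"].lower().split())  # collapse whitespace
        if image == "netsh.exe" and FW_OFF in args:
            return "firewall_disabled"
    return None


def findings(events):
    return [label for label in map(classify, events) if label]


# Constructed sample records (hypothetical schema, not captured from a real host).
EVENTS = [
    {"type": "registry_set", "target": r"HKU\S-1-5-21-0-0-0-1001\Software\Microsoft\Windows\CurrentVersion\Run\Updater", "details": r"C:\Users\Public\updater.exe"},
    {"type": "registry_set", "target": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA", "details": "DWORD (0x00000000)"},
    {"type": "registry_set", "target": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA", "details": "DWORD (0x00000001)"},
    {"type": "process_create", "image": r"C:\Windows\System32\netsh.exe", "command_line": '"netsh"  advfirewall set allprofiles state off'},
    {"type": "process_create", "image": r"C:\Windows\System32\netsh.exe", "command_line": "netsh advfirewall show allprofiles"},
]

if __name__ == "__main__":
    print(findings(EVENTS))
```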

File & Drive Operations

  1. "list_dir" - sends back the directory listing (files, name, isdir, size, modified)
  2. "get_drives" - sends drive information (letter, type, total, free)
  3. "upload_file" - uploads a file from the server to the victim and saves it at the "path" JSON value
  4. "execute_file" - executes a file on the victim (the path is given in JSON by the server)
  5. "download_file" - the server downloads a file from the victim by path
  6. "execute_script" - executes the script in "data" after converting special characters such as "\n", "\t" and "\r"
  7. "upload_file_chunk" - uploads "chunk" to "path"

Process & Service Management

  1. "get_services" - sends all services information (isAdmin, services, name, displayName, status)
  2. "stop_service" - stops service
  3. "kill_process" - kills process by pid
  4. "get_processes" - shows running processes
  5. "start_service" - starts the specific service
  6. "suspend_process" - suspends the process by pid

Registry

  1. "list_registry" - gets whole registry data
  2. "set_registry_value" - sets registry value by given "path, name, value, valueType" in json data

Remote Desktop & Input Control

  1. "rd_key_up" - releases the Ctrl, Shift or Alt key (according to the packet)
  2. "rd_key_down" - presses the Ctrl, Shift or Alt key
  3. "rd_mouse_up" - releases the mouse button (extracted from JSON) at the x,y position (also extracted from JSON)
  4. "rd_mouse_down" - presses the mouse button
  5. "rd_mouse_move" - moves the mouse (x,y)
  6. "rd_mouse_wheel" - moves the wheel by the "delta" value at the x,y position
  7. "start_desktop" - starts taking screenshots of the victim's PC (sets to true)
  8. "stop_desktop" - stops taking screenshots of the victim's PC (sets to false)
  9. "change_quality" - changes the width and height of the screen
  10. "take_screenshot" - takes a single screenshot of the screen (unlike start_desktop, which is set to true to periodically take screenshots and send them to the server)
  11. "rd_enable_input" - enables input from remote desktop (server)
  12. "rd_disable_input" - disables input from remote desktop (server)

Surveillance & Data Theft

  1. "start_keylogger" - sets keylogger to true
  2. "stop_keylogger" - sets keylogger to false
  3. "get_autofill_data" - gets the data used for autofill by "browser"
  4. "get_browser_history" - gets history of the "browser"
  5. "start_clipboard_monitor" - periodically gets changes in clipboard and sends to server
  6. "stop_clipboard_monitor" - stops clipboard monitor

Wallet Theft

  1. "scan_wallets" - scans available wallets: Wallets
  2. "grab_wallets" - grabs available wallets and sends as "AllWallets.zip" to server
  3. "grab_single_wallet" - gets single wallet by "path" and "name"

Network

  1. "get_network_info" - sends network info (name, description, type, status, ip, mac, speed, gateway, dns) and wifi network info (ssid, password, security)

Harassment / "Fun" Commands

  1. "fun_message" - shows a message on the victim's PC
  2. "open_webpage" - opens a URL on the victim's PC
  3. "fun_spam_disk" - repeatedly opens "drive" using explorer.exe, "count" times (JSON values provided by the server)
  4. "fun_play_sound" - plays the sound at "path" location
  5. "fun_swap_mouse" - swaps mouse buttons
  6. "fun_bock_input" - uses the BlockInput API from user32.dll to block keyboard and mouse input
  7. "fun_flip_screen" - flips the screen
  8. "fun_lock_screen" - locks the screen using the LockWorkStation API in user32.dll
  9. "fun_hide_taskbar" - hides the taskbar using the ShowWindow API in user32.dll
  10. "fun_show_taskbar" - shows the taskbar
  11. "fun_open_cd_tray" - sends the "set CDAudio door open" string to the MCI device using the mciSendString API in winmm.dll
  12. "fun_open_website" - opens website by url
  13. "fun_minimize_all" - minimizes all windows
  14. "fun_open_notepad" - opens notepad and writes "text" given by server
  15. "fun_shake_windows" - shakes windows by "intensity" for a "duration"
  16. "fun_unblock_input" - unblocks keyboard and mouse input for the victim
  17. "fun_close_cd_tray" - closes the CD tray using the same function as fun_open_cd_tray
  18. "fun_restore_screen" - rolls the display resolution back to what it was before it was modified
  19. "fun_open_calculator" - just opens calculator
  20. "fun_change_wallpaper" - changes wallpaper to image in "path"