A malicious infection chain using the Sorillus Remote Access Trojan (RAT) was discovered by Orange Cyberdefense teams in Belgium. This was first found in March 2025 after a European client was targeted by this sophisticated and stealthy malware campaign. Further analysis by the Orange Cyberdefense CERT revealed a much broader campaign that is impacting organizations across several European countries. These countries include Spain, Portugal, Italy, France, Belgium, and also the Netherlands, showing a very wide operational scope for attackers. This operation, also dubbed “Ratty RAT” by Fortinet in early May 2025, employs invoice-themed phishing emails as its initial access vector.
The complex infection chain begins with a phishing email, often sent from a compromised domain like a Spanish company’s email address.
This email contains a PDF attachment that is masquerading as an official invoice, for example, a file titled “Facture.pdf”. This particular PDF file embeds a Stream Object that, when clicked by the user, redirects victims to a OneDrive-hosted PDF. This second PDF has an “Open the document” button which then further diverts users to a malicious attacker-controlled server. This server performs various checks on the victim’s browser and language settings, delivering a JAR file disguised as a PNG image.
Upon its execution, the JAR file establishes persistence.
The Sorillus RAT is a Java-based malware that was first identified by security researchers back in the year of 2019. It supports a wide range of malicious capabilities, including keystroke logging, webcam and audio recording, and also extensive file exfiltration. Its latest versions can even operate across Windows, macOS, Linux, and also the Android mobile operating system, making it very versatile. The malware was originally sold online for as low as €19.99 by a developer who was known by the alias “Tapt.” Although its commercial infrastructure was taken down in January 2025, cracked versions of the malware remain widely accessible on many online platforms.
Recent findings, including malware droppers with Brazilian Portuguese logging messages, strongly suggest attribution of this campaign to some Brazilian-speaking threat actors. Variations in obfuscation techniques and dual-payload droppers delivering both Sorillus and AsyncRAT further highlight the adaptability of these cybercriminals. This ongoing campaign clearly underscores the persistent threat of accessible malware tools to many different European entities and organizations. The attackers are exploiting legitimate services to bypass traditional security measures with what has been described as an alarming efficacy. This requires increased vigilance from all organizations that could potentially be targeted by these very sophisticated and evolving attack methods.
