New Sorillus RAT Targets European Organizations Through Tunneling Services

In March 2025, Orange Cyberdefense’s Managed Threat Detection teams in Belgium discovered that a European client was the target of a malicious infection chain using the Sorillus Remote Access Trojan (RAT).

Further analysis by the Orange Cyberdefense CERT revealed a broader campaign impacting organizations across Spain, Portugal, Italy, France, Belgium, and the Netherlands.

This operation, also dubbed “Ratty RAT” by Fortinet in early May 2025, employs invoice-themed phishing emails as its initial access vector, delivering a malicious JAR file that installs the Sorillus RAT, a Java-based malware first identified in 2019.

The campaign leverages legitimate services like OneDrive, MediaFire, and tunneling platforms such as Ngrok and LocaltoNet to obscure its malicious traffic and evade detection, showcasing a strategic blend of social engineering and technical sophistication.

[Figure: Sorillus RAT infection chain]

Technical Dissection of the Infection Chain

The infection chain begins with a phishing email, often sent from a compromised sender such as a Spanish SME’s email address, containing a PDF attachment masquerading as an invoice titled “Facture.pdf.”

This PDF embeds a Stream Object that, when clicked, redirects victims to a OneDrive-hosted PDF with an “Open the document” button.
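The first defensive check for a lure like this is to enumerate the actions embedded in the PDF before anyone clicks. The following is an added triage helper written for this article, not code from Orange Cyberdefense or Fortinet; the PDF bytes are a constructed, uncompressed stand-in for “Facture.pdf” (the hostnames in it are placeholders), and the regexes assume objects are not hidden inside compressed object streams.

```python
import re

# Constructed sample standing in for the "Facture.pdf" lure: one link
# annotation with a URI action and one Launch action. Not the real sample.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R 5 0 R] >> endobj
4 0 obj << /Type /Annot /Subtype /Link /Rect [72 700 300 720]
   /A << /S /URI /URI (https://files.example.net/redirect?id=PLACEHOLDER) >> >> endobj
5 0 obj << /Type /Annot /Subtype /Link /A << /S /Launch /F (cmd.exe) >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# /URI (...) literal strings; escaped parentheses inside the string are not handled.
URI_RE = re.compile(rb"/URI\s*\(([^)]*)\)")
# Action dictionaries: /S /URI, /S /Launch, /S /JavaScript, ...
ACTION_RE = re.compile(rb"/S\s*/(URI|Launch|JavaScript|GoToR|SubmitForm)\b")


def extract_actions(pdf_bytes: bytes):
    """Return (uris, action_types) found in raw, uncompressed PDF bytes."""
    uris = [m.group(1).decode("latin-1") for m in URI_RE.finditer(pdf_bytes)]
    actions = sorted({m.group(1).decode("ascii") for m in ACTION_RE.finditer(pdf_bytes)})
    return uris, actions


def triage(pdf_bytes: bytes) -> dict:
    """Assign a coarse risk level: an 'invoice' should not need outbound links,
    and Launch/JavaScript actions in an attachment are rarely legitimate."""
    uris, actions = extract_actions(pdf_bytes)
    risk = "low"
    if uris:
        risk = "medium"
    if any(a in ("Launch", "JavaScript") for a in actions):
        risk = "high"
    return {"uris": uris, "actions": actions, "risk": risk}


if __name__ == "__main__":
    print(triage(SAMPLE_PDF))
```

Real-world files often wrap these dictionaries in FlateDecode streams or object streams, so in practice run the same checks after decompressing with a proper PDF parser; a scan that finds nothing in a compressed file is not a clean result.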

[Figure: Content of the PDF file]

This button further diverts users to a malicious server via Ngrok, a distributed reverse proxy acting as a traffic distribution system (TDS).

The server performs checks on the victim’s browser and language settings, redirecting non-targeted users to benign invoices while delivering a JAR file disguised as a PNG image to suitable targets via MediaFire.

Upon execution, the JAR file establishes persistence through registry subkey modifications and connects to a command-and-control (C2) server, often hosted behind LocaltoNet or playit.gg tunnel proxies.
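Because both the redirect stage (Ngrok) and the C2 stage (LocaltoNet, playit.gg) ride on tunneling services, egress proxy logs are a practical place to spot this chain. The script below is an added example for this article, not tooling from the vendors named; the log lines are constructed, and the list of tunnel-provider domains is an assumption that a defender would maintain and extend, not a list taken from the article.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Assumption: apex domains used by the tunneling services named in the article.
# Maintain this list yourself; it is illustrative, not exhaustive.
TUNNEL_DOMAINS = ("ngrok.io", "ngrok-free.app", "localto.net", "playit.gg")

# Constructed proxy log lines: "<timestamp> <src_ip> <method> <url> <status>"
SAMPLE_LOG = """\
2025-03-12T09:14:02Z 10.20.1.15 GET https://files.example.net/Facture.pdf 200
2025-03-12T09:14:40Z 10.20.1.15 GET https://a1b2c3d4.ngrok-free.app/open 302
2025-03-12T09:15:01Z 10.20.1.15 GET https://cdn.example.org/invoice.png 200
2025-03-12T09:16:30Z 10.20.1.15 POST https://4hx9.localto.net:8443/ 200
2025-03-12T09:17:00Z 10.20.1.42 GET https://intranet.corp.example/ 200
2025-03-12T09:18:11Z 10.20.1.15 POST https://tunnel.playit.gg/ 200
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")


def is_tunnel_host(host: str) -> bool:
    """True if host is a tunnel-provider apex or a subdomain of one.
    Suffix matching on a dot boundary avoids 'ngrok.io.evil.example' false hits."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in TUNNEL_DOMAINS)


def find_tunnel_traffic(log_text: str) -> list:
    """Return one record per request whose destination is a tunneling service."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than crash the sweep
        ts, src, method, url, status = m.groups()
        host = urlparse(url).hostname or ""
        if is_tunnel_host(host):
            hits.append({"ts": ts, "src": src, "method": method, "host": host})
    return hits


def sources_by_hit_count(hits: list) -> dict:
    """Aggregate hits per internal source so a host that talks to several
    tunnel providers in sequence (redirect, then C2) stands out."""
    counts = defaultdict(int)
    for h in hits:
        counts[h["src"]] += 1
    return dict(counts)


if __name__ == "__main__":
    found = find_tunnel_traffic(SAMPLE_LOG)
    for h in found:
        print(h)
    print(sources_by_hit_count(found))
```

A single hit to a tunnel domain may be a developer testing a webhook; the pattern worth alerting on is a workstation that first browses a file-sharing site and then, minutes later, opens persistent POST traffic to a tunnel endpoint, which the per-source aggregation above is meant to surface.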

Orange Cyberdefense’s decompilation of the JAR file reveals obfuscated code whose identifiers match patterns like “[Il]{5,}” and configurations encrypted with AES in ECB mode, supporting capabilities such as keystroke logging, webcam/audio recording, file exfiltration, and system manipulation across Windows, macOS, Linux, and even Android in its latest V7 and V8 iterations from 2024.
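The two traits just described, identifiers built only from “I” and “l” and a hard-coded AES/ECB cipher string, are cheap to check for across a batch of decompiled classes. This is an added example written for this article, not Orange Cyberdefense’s analysis tooling; the decompiled Java below is a constructed snippet that imitates the described obfuscation style, and the score thresholds are the author’s assumptions.

```python
import re

# Constructed decompiled-Java snippet imitating the "[Il]{5,}" naming style
# and an AES/ECB transformation string. Not taken from a real sample.
SAMPLE_DECOMPILED = '''\
package IlIlIlIlIl;

import javax.crypto.Cipher;

public class IIlIlIlIl {
    private static final String IlIlIllIl = "AES/ECB/PKCS5Padding";
    private static final String lIIlIlIIlI = "base64-config-placeholder";

    public static byte[] lIlIlIllIlI(byte[] IlIl, byte[] key) throws Exception {
        Cipher c = Cipher.getInstance(IlIlIllIl);
        c.init(Cipher.DECRYPT_MODE, new javax.crypto.spec.SecretKeySpec(key, "AES"));
        return c.doFinal(IlIl);
    }
}
'''

# Same pattern the article quotes: five or more consecutive I/l characters.
OBF_NAME_RE = re.compile(r"\b[Il]{5,}\b")
# Any Java-style identifier, used as the denominator for a rough ratio.
IDENT_RE = re.compile(r"\b[A-Za-z_$][A-Za-z0-9_$]*\b")
# Cipher transformation literal selecting AES in ECB mode.
ECB_RE = re.compile(r'"AES/ECB(?:/[A-Za-z0-9]+)?"')


def scan_decompiled(source: str) -> dict:
    """Score one decompiled class for Sorillus-style obfuscation traits."""
    obf_names = sorted(set(OBF_NAME_RE.findall(source)))
    all_idents = set(IDENT_RE.findall(source))
    aes_ecb = bool(ECB_RE.search(source))
    # Assumed thresholds: several I/l-only names plus AES/ECB is a strong signal.
    suspicious = len(obf_names) >= 3 and aes_ecb
    return {
        "obfuscated_names": obf_names,
        "obfuscated_ratio": round(len(obf_names) / max(len(all_idents), 1), 2),
        "aes_ecb": aes_ecb,
        "suspicious": suspicious,
    }


if __name__ == "__main__":
    print(scan_decompiled(SAMPLE_DECOMPILED))
```

The identifier pattern alone is not proof of anything (several commercial Java obfuscators produce similar names), which is why the verdict combines it with the cipher string; treat the output as a triage flag that routes a sample to manual analysis, not as a detection on its own.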

Historical Context

Sorillus RAT, originally sold online for as low as €19.99 by a developer known as “Tapt” on the now-defunct sorillus.com, has evolved through financially motivated campaigns since 2019.

Despite the takedown of its commercial infrastructure in January 2025, possibly linked to the FBI’s Operation Talent against SellIX, cracked versions remain widely accessible on platforms like Telegram and GitHub.

Historical infection chains observed by Abnormal AI, eSentire, and Kaspersky between 2022 and 2024 mirror current tactics, often using tax or invoice lures via services like mega.nz or Firebase Hosting.

Notably, recent findings, including droppers with Brazilian Portuguese logging messages and VBS scripts embedding lyrics from the Brazilian song “Negro Drama,” strongly suggest attribution to Brazilian Portuguese-speaking threat actors.

Variations in obfuscation techniques, such as Zelix KlassMaster or base64 in test samples from February 2025, and dual-payload droppers delivering both Sorillus and AsyncRAT via XOR-encrypted shellcode, further highlight the adaptability of these actors.

This campaign underscores the persistent threat of accessible malware tools to European entities, exploiting legitimate services to bypass traditional security measures with alarming efficacy.
