A fresh wave of targeted cyberattacks is sweeping across Europe, leveraging invoice-themed phishing emails and weaponizing legitimate platforms like OneDrive, MediaFire, and Ngrok to deliver a potent remote access trojan: Sorillus. In a new report, Orange Cyberdefense reveals the technical underpinnings of this coordinated campaign and its likely Brazilian origin.
"Our investigation documents a threat campaign leveraging the Sorillus Remote Access Trojan to compromise European organizations through invoice-themed phishing lures," the Orange Cyberdefense CERT stated in their June report.
First seen in 2019 and also tracked under aliases like "SambaSpy" or "Ratty RAT," Sorillus has resurfaced in 2025 campaigns targeting victims in Spain, Portugal, Italy, France, Belgium, and the Netherlands. Its multi-platform capabilities and persistent delivery mechanisms continue to make it a popular malware-as-a-service (MaaS) tool for cybercriminals.
"Sorillus is a Java-based multifunctional remote access trojan (RAT)... previously sold online on the now-defunct website hxxps://sorillus[.]com," the researchers wrote. Its features include keylogging, webcam access, screen recording, clipboard capture, file system access, and microphone recording, effectively granting full remote control over the infected machine.

Though its original commercial infrastructure was dismantled in early 2025 (potentially due to the FBI's Operation Talent against illicit platforms like SellIX), cracked versions remain widely available across Telegram and GitHub, fueling continued abuse.
The attack begins with a convincing phishing email crafted in French, Spanish, or other local languages. Disguised as an invoice, the email includes a PDF attachment titled Facture.pdf. When opened, it lures the recipient into clicking a OneDrive-hosted file, which eventually redirects to a malicious server exposed through Ngrok, a widely used reverse proxy tool.
If the victim passes browser and language checks, they are served a malicious .jar file posing as an image download (e.g., 1741159637278.png). When executed, this JAR file deploys the Sorillus RAT, establishes persistence via the Windows registry, and contacts a command-and-control (C2) server hosted behind LocaltoNet or playit[.]gg.
"The RAT configuration is embedded as a resource named 'checksum' which is decrypted using AES ECB," the report notes, pointing to embedded C2 values like y5mr2vy7t.localto[.]net:4430.
The campaign's stealth is enhanced by the abuse of cloud and tunneling services. OneDrive and MediaFire host malicious files, while Ngrok, LocaltoNet, and ply[.]gg act as traffic routers to bypass corporate firewalls and geofence delivery.
Orange Cyberdefense highlights the scale and diversity of the campaign: "By pivoting on the different steps of this infection chain, we uncovered a large cluster actively targeting European entities... with lures written in Spanish, French, Portuguese, Dutch or English."
The researchers also discovered multiple campaign variants. In some cases, the malware delivery chain involves a VBS dropper containing lyrics from a Brazilian hip-hop song, "Negro Drama," inside its comment section, further supporting attribution to Portuguese-speaking threat actors.
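Two of the delivery traits described above (a JAR served under an image filename, and C2 or download hosts sitting behind tunneling services) are cheap to check at the proxy or in a sandbox. The following is an added triage example, not code from the report or from Orange Cyberdefense; the sample JAR is constructed inline, the Ngrok domains are added from general knowledge, and only the stdlib is used.

```python
import io
import re
import zipfile

# Relay/tunnel services named in the report (localto.net, playit.gg, ply.gg);
# the ngrok domains are an assumption added from general knowledge of the service.
TUNNEL_SUFFIXES = ("ngrok.io", "ngrok-free.app", "localto.net", "playit.gg", "ply.gg")
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
ZIP_MAGIC = b"PK\x03\x04"


def is_jar(data: bytes) -> bool:
    """True if the bytes are a ZIP archive that carries a JAR manifest."""
    if not data.startswith(ZIP_MAGIC):
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return "META-INF/MANIFEST.MF" in zf.namelist()
    except zipfile.BadZipFile:
        return False


def image_masquerade(filename: str, data: bytes) -> bool:
    """Flag a download whose name claims an image but whose content is a JAR."""
    return filename.lower().endswith((".png", ".jpg", ".jpeg", ".gif")) and is_jar(data)


def tunnel_host(url_or_hostport: str):
    """Return the matching tunnel suffix if the host belongs to a relay service, else None."""
    host = re.sub(r"^[a-z]+://", "", url_or_hostport.lower()).split("/")[0].split(":")[0]
    for suffix in TUNNEL_SUFFIXES:
        if host == suffix or host.endswith("." + suffix):
            return suffix
    return None


def triage(filename: str, data: bytes, urls) -> list:
    """Collect findings for one download plus the network destinations seen with it."""
    findings = []
    if image_masquerade(filename, data):
        findings.append(f"{filename}: image extension but JAR content")
    for u in urls:
        suffix = tunnel_host(u)
        if suffix:
            findings.append(f"{u}: tunneling service {suffix}")
    return findings


def build_sample_jar() -> bytes:
    """Constructed stand-in for the downloaded JAR (not a real sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\nMain-Class: Loader\n")
        zf.writestr("checksum", b"constructed placeholder for the encrypted config")
    return buf.getvalue()
```

Running `triage("1741159637278.png", build_sample_jar(), ["y5mr2vy7t.localto.net:4430"])` yields one finding for the masquerading JAR and one for the LocaltoNet C2 host.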
Additionally, the malware includes an XOR-encrypted shellcode payload that drops AsyncRAT, a secondary trojan, using code injection techniques via the open-source tool Donut.
"We assess Brazilian threat actors are behind both droppers, due to the presence of Portuguese comments," the report concludes, though they caution that differences between variants suggest multiple operators or tool repackagers.
Sorillus has appeared in numerous campaigns over the years, often tied to tax scams or financial phishing lures. Past variants were seen abusing Google Firebase, Mega.nz, Discord, and Dropbox to host payloads. Despite being recognized under different names by different vendors, the underlying functionality and TTPs remain consistent.
"Despite the takedown of the malware's commercial infrastructure, the wide availability of cracked Sorillus versions ensures the RAT remains an accessible and attractive tool," Orange Cyberdefense warns.