
The Infection Chain | Image: Fortinet
The FortiMail IR team has uncovered a highly sophisticated email campaign delivering the RATty Remote Access Trojan, exploiting legitimate services like Dropbox, MediaFire, and Ngrok to evade detection. The campaign specifically targets users in Spain, Italy, and Portugal, using invoice-themed phishing emails and geolocation filtering to selectively deliver malware.
“The campaign leverages the serviciodecorreo email service provider, which is configured as an authorized sender for various domains and successfully passes SPF validation,” the report notes.
The attack begins with an email impersonating a legitimate sender, containing a PDF attachment claiming to include two invoices. When opened, the PDF tells the recipient that it can’t be displayed properly and includes a Dropbox link to download an HTML file named Fattura (“Invoice” in Italian).
Upon clicking, the victim is led through a phony “I am not a robot” verification and redirected to an Ngrok-generated URL, which creates a secure, obfuscated tunnel to a local malicious server.
From there, victims are directed to MediaFire, which delivers a JAR file named FA-43-03-2025.jar, containing the Java-based RATty malware.
The threat actors skillfully use geo-based cloaking: users outside Italy are redirected to benign Google Drive documents, while those in Italy receive the actual malware payload.
“When the request originates from Italy, the URL changes entirely, leading to downloading a malicious JAR file,” the report explained.
This evasion method bypasses automated analysis, which typically originates from cloud infrastructure located outside the targeted geography.
“Most email security systems perform email analysis from generic or cloud-based environments… redirected to a harmless decoy page rather than the malicious file,” the report continued.
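The two points above, the fixed hop order (Dropbox HTML, ngrok tunnel, MediaFire .jar) and the origin-dependent response, each give a defender something concrete to check. The following Python is an added, constructed example, not code from the Fortinet report or from this article: it correlates a client's proxy-log hits into the stage sequence described above and, separately, compares the final URL reached from several detonation vantage points to surface geo-cloaking. The log format, client addresses, file ids, the `example-tunnel` ngrok subdomain and the vantage-point results are all constructed for illustration.

```python
"""Constructed detection example: flag the Dropbox -> ngrok -> MediaFire .jar
chain in proxy logs, and spot geo-cloaking by comparing detonations from
several vantage points.  Hypothetical log format and values, not Fortinet's."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Constructed proxy log: "<ISO timestamp> <client> <method> <url> <status>"
SAMPLE_LOG = """\
2025-03-12T09:14:02Z 10.0.0.15 GET https://www.dropbox.com/scl/fi/aaa111/Fattura.html?dl=1 200
2025-03-12T09:14:40Z 10.0.0.15 GET https://example-tunnel.ngrok-free.app/verify 302
2025-03-12T09:14:41Z 10.0.0.15 GET https://www.mediafire.com/file/bbb222/FA-43-03-2025.jar 200
2025-03-12T09:20:11Z 10.0.0.22 GET https://www.dropbox.com/scl/fi/ccc333/report.pdf?dl=1 200
2025-03-12T10:02:55Z 10.0.0.22 GET https://drive.google.com/file/d/ddd444/view 200
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")

# Ordered stages of the chain described in the report.  Each stage is a
# predicate over (hostname, path); a client advances only by hitting the
# next stage in order, so a lone Dropbox download never raises an alert.
STAGES = (
    ("dropbox_html", lambda h, p: h.endswith("dropbox.com") and p.lower().endswith(".html")),
    ("ngrok_tunnel", lambda h, p: h.endswith((".ngrok.io", ".ngrok.app", ".ngrok-free.app"))),
    ("mediafire_jar", lambda h, p: h.endswith("mediafire.com") and p.lower().endswith(".jar")),
)
STAGE_NAMES = [name for name, _ in STAGES]


def classify(url):
    """Return the chain stage a URL matches, or None."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    for name, pred in STAGES:
        if pred(host, parsed.path):
            return name
    return None


def find_chains(log_text, window=timedelta(minutes=15)):
    """Map client -> ordered list of stage names reached in order within `window`."""
    progress = defaultdict(list)  # client -> [(stage_index, timestamp)]
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        client, url = m.group(2), m.group(4)
        stage = classify(url)
        if stage is None:
            continue
        idx = STAGE_NAMES.index(stage)
        seen = progress[client]
        # The first stage starts a chain; later stages count only if they
        # directly follow the previous one and fall inside the time window.
        if not seen and idx == 0:
            seen.append((idx, ts))
        elif seen and idx == seen[-1][0] + 1 and ts - seen[-1][1] <= window:
            seen.append((idx, ts))
    return {c: [STAGE_NAMES[i] for i, _ in s] for c, s in progress.items()}


def full_chain_clients(log_text):
    """Clients that reached the final stage (the .jar download)."""
    return sorted(c for c, s in find_chains(log_text).items() if len(s) == len(STAGES))


# Constructed detonation results: vantage-point country -> final URL reached.
# Mirrors the report's observation that Italian requests get the .jar while
# requests from elsewhere land on a decoy document.
VANTAGE_RESULTS = {
    "IT": "https://www.mediafire.com/file/bbb222/FA-43-03-2025.jar",
    "DE": "https://drive.google.com/file/d/ddd444/view",
    "US": "https://drive.google.com/file/d/ddd444/view",
}


def geo_divergence(results):
    """Group vantage points by the final URL they reached.

    More than one group means the site answers differently by origin, which
    is the cloaking signal a single-vantage sandbox would miss."""
    groups = defaultdict(list)
    for vantage, final_url in results.items():
        groups[final_url].append(vantage)
    return {url: sorted(v) for url, v in groups.items()}


def is_cloaked(results):
    return len(geo_divergence(results)) > 1


if __name__ == "__main__":
    print("chains:", find_chains(SAMPLE_LOG))
    print("full chain:", full_chain_clients(SAMPLE_LOG))
    print("cloaked:", is_cloaked(VANTAGE_RESULTS), geo_divergence(VANTAGE_RESULTS))
```

The stage predicates are deliberately narrow (an `.html` from Dropbox, then a tunnel host, then a `.jar` from MediaFire) so that ordinary use of those services does not fire; the sequencing and the time window carry the signal. For the cloaking check, the point is procedural: detonate or fetch from an egress inside the targeted country as well as from the sandbox's usual location, and alert when the final URLs disagree rather than trusting the decoy branch alone.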
RATty, delivered as a .jar file, is a cross-platform Remote Access Trojan that grants the attacker extensive control, including:
- Remote command execution
- Keystroke logging
- Screenshot capture
- Data exfiltration
Attackers may also repackage RATty in MSI installers, further disguising the threat as a software update to increase the odds of user execution.
The RATty malware campaign represents a new evolution in phishing operations—merging technical sophistication with social engineering and exploiting legitimate infrastructure for distribution. Organizations, especially those in southern Europe, must remain vigilant and implement advanced threat detection systems capable of recognizing these nuanced attack chains.