Hackers Use PDF Invoices to Launch Attacks on Windows, Linux, and macOS Systems

Cybercriminals are leveraging seemingly authentic PDF invoices to distribute the Ratty Remote Access Trojan (RAT) to systems running Windows, Linux, and macOS equipped with the Java Runtime Environment (JRE).

Security researchers from Fortinet’s FortiMail Incident Response (IR) team have identified this campaign targeting users in Spain, Italy, and Portugal, using a combination of social engineering and advanced evasion techniques to bypass conventional email security mechanisms.

Multi-Stage Attack Chain Exploits Email

At the core of the attack is the abuse of the legitimate Spanish email service provider serviciodecorreo.es, which is permitted to send messages as an authorized sender for multiple domains.

[Figure: The Infection Chain]

This setup ensures malicious emails pass Sender Policy Framework (SPF) checks, significantly increasing the chances that they reach users’ inboxes without detection.

The attackers employ social engineering, sending emails with PDF attachments described as urgent invoices.

These attachments contain instructions to download files, taking advantage of human trust and a sense of urgency typically associated with business invoices.

Upon opening the PDF, victims are prompted to download an HTML file via a Dropbox link.

This HTML document features an “I am not a robot” check and further instructions, ultimately redirecting users to a dynamically generated Ngrok URL.

Ngrok, a tunneling tool commonly used for legitimate development, is here exploited to create temporary, hard-to-detect phishing links.

The attackers employ geolocation filtering: users outside targeted regions (such as Italy) are shown benign Google Drive documents, while those within are forwarded to a MediaFire URL hosting the malicious JAR payload (e.g., “FA-43-03-2025.jar”).

[Figure: Google Drive link]
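A defender-side triage helper for the first hop of the chain described above, added here as an example and not part of Fortinet's report or tooling: it pulls every /URI link action out of a PDF attachment, including ones hidden inside FlateDecode-compressed objects, and flags links pointing at the file-sharing and tunnelling hosts this campaign abuses. The sample PDF, the Dropbox path and the host list are constructed; encrypted PDFs and URIs stored as hex strings are not handled.

```python
import re
import zlib
from urllib.parse import urlparse

# Hosts abused in the chain described above (Dropbox for the PDF's download link,
# Ngrok and MediaFire further down) plus the localto.net tunnel domains from the
# article's IOC list. Extend this tuple for your own environment.
SUSPECT_HOSTS = ("dropbox.com", "ngrok.io", "ngrok-free.app",
                 "mediafire.com", "localto.net")
URI_RE = re.compile(rb"/URI\s*\(([^)]*)\)")            # /URI (https://...) actions
STREAM_RE = re.compile(rb"stream\r?\n(.*?)endstream", re.DOTALL)

def extract_pdf_uris(pdf_bytes: bytes) -> list:
    """All /URI action targets, in order of first appearance. Raw dictionaries
    are scanned directly; every stream is also inflated so links hidden in
    FlateDecode-compressed objects are found. Non-Flate streams are skipped."""
    buffers = [pdf_bytes]
    for match in STREAM_RE.finditer(pdf_bytes):
        try:  # decompressobj tolerates trailing bytes after the deflate block
            buffers.append(zlib.decompressobj().decompress(match.group(1)))
        except zlib.error:
            continue
    uris = []
    for buf in buffers:
        for match in URI_RE.finditer(buf):
            uri = match.group(1).decode("latin-1").strip()
            if uri not in uris:
                uris.append(uri)
    return uris

def flag_suspect_uris(uris) -> list:
    """Links whose host is, or is a subdomain of, an entry in SUSPECT_HOSTS."""
    flagged = []
    for uri in uris:
        host = (urlparse(uri).hostname or "").lower()
        if any(host == h or host.endswith("." + h) for h in SUSPECT_HOSTS):
            flagged.append(uri)
    return flagged

def build_sample_pdf() -> bytes:
    """Constructed sample, not a real campaign file: a minimal PDF skeleton with
    one plain link annotation and one FlateDecode stream holding a second link."""
    plain = (b"<< /Type /Annot /Subtype /Link /A << /S /URI "
             b"/URI (https://www.dropbox.com/s/CONSTRUCTED-ID/invoice.html?dl=1) >> >>")
    packed = zlib.compress(b"<< /S /URI /URI (https://benign.example/terms) >>")
    return (b"%PDF-1.4\n1 0 obj\n" + plain + b"\nendobj\n2 0 obj\n"
            b"<< /Filter /FlateDecode /Length " + str(len(packed)).encode()
            + b" >>\nstream\n" + packed + b"\nendstream\nendobj\n%%EOF\n")
```

Run it over quarantined attachments from the mail gateway; a hit on a tunnelling or file-sharing host inside an "invoice" PDF is a strong signal that warrants holding the message rather than an automatic verdict.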

Ratty Malware Deployed via Java Payloads

This cross-platform Java archive contains Ratty RAT, a Java-based malware capable of executing arbitrary commands, logging keystrokes, capturing screenshots, accessing files, and even activating a system’s webcam or microphone.

Its use of Java ensures the attack is not constrained to Windows, but also effective against Linux and macOS devices wherever JRE is present.

In some instances, the actors have disguised Ratty in an MSI installer to further evade detection by mimicking legitimate software updates.

The campaign’s sophistication is evident in its multi-layered obfuscation. Attackers abuse trusted file-sharing services like Dropbox, MediaFire, and Google Drive for payload delivery, compounding the challenge for security filters to distinguish malicious from legitimate content.

They also employ geo-fencing to precisely target victims and avoid early detection by automated security systems that may analyze emails from outside the intended region.

To counteract such threats, Fortinet has implemented multiple detection layers, including real-time AV scanning, web filtering, and advanced phishing protections across FortiGate, FortiClient, and FortiMail solutions.

These services are capable of identifying the associated JAR payloads, phishing links, and suspicious sending patterns.

According to the report, Fortinet also recommends that organizations deploy regular security awareness training and phishing simulations to reinforce user vigilance.

The campaign underlines the growing technical sophistication among threat actors, as they exploit trusted platforms, social engineering, and advanced cloaking mechanisms to deliver malware.

Organizations are advised to update endpoint protection, configure robust email security policies, and maintain heightened awareness among employees who handle business-related emails and attachments.

Indicators of Compromise (IOCs)



Mandvi
Mandvi is a Security Reporter covering data breaches, malware, cyberattacks, data leaks, and more at Cyber Press.
