New Sorillus RAT Targets European Organizations Using Tunneling Services

Security researchers have identified a sophisticated campaign targeting organizations across Europe with a new variant of the Sorillus Remote Access Trojan (RAT).

Managed Threat Detection teams first detected this campaign in March 2025, and subsequent analysis revealed widespread targeting of entities in Spain, Portugal, Italy, France, Belgium, and the Netherlands.

The operation leverages multi-stage delivery tactics, exploiting legitimate services and advanced tunneling platforms to evade detection and maximize infection rates.

Figure: Sorillus RAT infection chain

Phishing Campaigns Leverage Legitimate File Sharing

The attack begins with highly targeted phishing emails, distributed from compromised business domains and typically written in the recipient’s native language.

According to the Orange Cyberdefense CERT report, these emails are themed around invoices and entice users to open a malicious PDF attachment.

The PDF uses embedded stream objects to open a OneDrive-hosted document, which in turn directs victims to a malicious web server exposed through the ngrok reverse proxy service.

Figure: Content of the PDF file

This traffic distribution mechanism adds a layer of obfuscation and lets the attackers profile each victim by analyzing browser and language settings before proceeding with malware delivery.

If the victim passes these environmental checks, a disguised Java Archive (JAR) file is downloaded from MediaFire, masquerading as a PNG image.

When executed, the JAR file deploys the Sorillus RAT and establishes persistence by adding a Windows registry entry that launches its code at startup via javaw.exe.

Reverse engineering of these payloads revealed significant code obfuscation, employing a mix of Blowfish, DES, and XOR encryption, with configuration data protected by AES-ECB and embedded under resource labels such as “checksum.”

Brazilian Threat Actors Suspected

The Sorillus RAT, first observed in 2019, is a cross-platform malware capable of targeting Windows, Linux, and macOS environments.

Developed and once sold by a cybercriminal known as “Tapt,” this RAT boasts extensive functionality: remote command execution, file system manipulation, process management, keylogging, clipboard hijacking, webcam and audio recording, and data exfiltration.

Its configuration either points directly to a command-and-control (C2) server hosted behind anonymous tunnels such as LocaltoNet or Playit.gg, or dynamically retrieves the C2 details from Pastebin links.
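The persistence and masquerading behaviour described in the infection chain (a Run key launching javaw.exe with a JAR disguised as a PNG) and the tunnelling and paste services named for C2 give defenders concrete things to check. The following is an added example, not code from the report or from Orange Cyberdefense: it applies those checks to a constructed Sysmon-style registry event and an in-memory sample file; the Sysmon line format, the tunnelling-service domain suffixes, and all file paths are assumptions.

```python
import re
import zipfile
from io import BytesIO

# Heuristics from the report: a Run key launching javaw.exe -jar, a JAR disguised as an image,
# and traffic to the tunnelling/paste services it names (domain suffixes are assumptions).
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)
JAVA_LAUNCH = re.compile(r'(javaw?\.exe)"?\s+.*?-jar\s+"?([^"\s]+)', re.IGNORECASE)
TUNNEL_SUFFIXES = (".ngrok.io", ".ngrok-free.app", ".ngrok.app", ".localto.net", ".playit.gg", ".pastebin.com")

def run_key_findings(event: str) -> list:
    """Reasons a Sysmon-style registry-set line looks like Sorillus-style persistence."""
    findings = []
    if not RUN_KEY.search(event):
        return findings
    m = JAVA_LAUNCH.search(event)
    if not m:
        return findings
    launcher, payload = m.group(1), m.group(2)
    findings.append(f"Run key starts {launcher} with -jar")
    if not payload.lower().endswith(".jar"):
        findings.append(f"JAR payload carries a non-JAR extension: {payload}")
    return findings

def is_jar_masquerading(name: str, data: bytes) -> bool:
    """True when a file with an image extension is really a JAR (a ZIP with a manifest)."""
    if not name.lower().endswith((".png", ".jpg", ".jpeg", ".gif")):
        return False
    if not data.startswith(b"PK\x03\x04"):  # ZIP local file header magic
        return False
    try:
        with zipfile.ZipFile(BytesIO(data)) as zf:
            return "META-INF/MANIFEST.MF" in zf.namelist()
    except zipfile.BadZipFile:
        return False

def is_tunnel_host(host: str) -> bool:
    h = host.lower().rstrip(".")
    return any(h == s[1:] or h.endswith(s) for s in TUNNEL_SUFFIXES)

def build_sample_jar() -> bytes:
    """Constructed in-memory JAR standing in for the disguised payload (not the real sample)."""
    buf = BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\nMain-Class: Loader\n")
        zf.writestr("Loader.class", b"\xca\xfe\xba\xbe")
    return buf.getvalue()

# Constructed Sysmon-style Event ID 13 line (not real telemetry from the campaign).
SAMPLE_EVENT = r'EventID=13 TargetObject=HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater Details="C:\Program Files\Java\jre\bin\javaw.exe" -jar "C:\Users\alice\AppData\Roaming\image.png"'
```

A legitimate Java application registered in a Run key with a genuine .jar path yields only the first finding, so the extension mismatch and the file-magic check are what separate this pattern from ordinary Java autostarts.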

The malware’s use of commercial and open-source obfuscators, including Zelix KlassMaster and Skidfuscator, further complicates detection and forensic analysis.

The campaign’s infection techniques continue to evolve. Variants have used alternatives to OneDrive such as Dropbox, Discord, and GitHub to host malicious content, and in some instances add an intermediary loader written in obfuscated VBScript.

Notably, some versions of the dropper exhibit characteristics and comments in Brazilian Portuguese, and in certain cases embed references to Brazilian pop culture, reinforcing attribution to Brazilian-affiliated threat actors.

Historical analysis shows that Sorillus has been favored in financially motivated email campaigns since its inception, consistently leveraging phishing lures and legitimate cloud storage providers.

While the official distribution channels were dismantled following law enforcement actions against underground marketplaces in early 2025, cracked versions of Sorillus persist on Telegram and GitHub, allowing continued proliferation by low- to mid-sophistication cybercriminals.

This campaign underscores a growing trend among threat actors: the blending of legitimate, trustworthy services with advanced tunneling and obfuscation tactics, enabling persistent and evasive infections within European organizations.

As attackers continue to innovate and leverage accessible malware-as-a-service tools, defenders must remain vigilant and continuously adapt their detection and response strategies to counter evolving threats.


Mandvi
Mandvi is a Security Reporter covering data breaches, malware, cyberattacks, data leaks, and more at Cyber Press.
