May 9, 2025
Severity
High
Analysis Summary
A sophisticated, multilayered email attack campaign has recently been uncovered, leveraging weaponized PDF invoices to deliver a Java-based Remote Access Trojan (RAT) known as RATty. This campaign targets Windows systems primarily but is capable of compromising Linux and macOS devices as well, provided they have the Java Runtime Environment (JRE) installed. The attack grants threat actors complete remote control over infected systems, including abilities like command execution, keystroke logging, webcam and microphone access, and data exfiltration, making it a critical cross-platform threat with serious implications.
The attack begins with phishing emails that pass SPF (Sender Policy Framework) validation, exploiting the “serviciodecorreo.es” email service. These emails are crafted to appear as legitimate invoice communications, often using urgency as a social engineering tactic to prompt hasty actions by recipients. The attached PDFs claim to contain invoice details but instead encourage users to click on embedded buttons, initiating a multi-stage infection chain. Upon interaction, users are redirected to file-hosting services like Dropbox, where they download an HTML file named “Fattura,” which simulates a CAPTCHA (“I am not a robot”) and subsequently redirects them to a malicious URL generated via Ngrok tunneling.
According to the researchers, what sets this campaign apart is its advanced evasion strategy and geofencing capabilities. By using legitimate platforms such as Dropbox and MediaFire, the attackers bypass traditional security filters.
Moreover, the campaign employs geolocation filtering to deliver malicious content selectively. Users in Italy are served a Java-based malware file (“FA-43-03-2025.jar”), while users from other regions are shown a decoy PDF hosted on Google Drive. This technique undermines email security solutions, which typically scan content from generic, cloud-based IPs and are thus redirected to benign content, allowing the malware to evade detection.
The final payload is a JAR file that leverages Java’s platform independence to infect a wide range of operating systems. This file, once executed, installs RATty, a powerful and stealthy RAT that provides attackers with persistent access and comprehensive surveillance capabilities on the victim’s system. The campaign’s ability to bypass multiple layers of security using trusted services, combined with its use of geofencing and cross-platform execution, demonstrates a growing sophistication in email-based malware delivery and underlines the evolving threat landscape faced by organizations globally.
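Added example (not from the advisory or its researchers): a Python check that scans web-proxy logs for the delivery chain described above, an HTML lure fetched from Dropbox or MediaFire followed within a short window by contact with a tunnelling host or one of the listed indicators and a .jar download. The log format, the 15-minute window and the ngrok/localto.net host patterns are assumptions, and the sample log lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlparse
# Constructed proxy log sample (not from the advisory): "<ISO time> <client> <method> <url>"
SAMPLE_LOGS = """\
2025-05-09T09:14:02 10.0.0.21 GET https://www.dropbox.com/scl/fi/abc123/Fattura.html?dl=1
2025-05-09T09:14:40 10.0.0.21 GET https://jw8ndw9ev.localto.net/verify
2025-05-09T09:15:05 10.0.0.21 GET https://jw8ndw9ev.localto.net/FA-43-03-2025.jar
2025-05-09T09:20:11 10.0.0.35 GET https://www.dropbox.com/scl/fi/xyz789/report.pdf?dl=1
2025-05-09T11:02:30 10.0.0.48 GET https://drive.google.com/uc?id=decoy
"""
# Indicators listed in the advisory (domains and IPs)
IOC_HOSTS = {"jw8ndw9ev.localto.net", "l5ugb6qxh.localto.net", "143.47.53.106", "130.51.20.126"}
# Assumed host patterns for the file-hosting and tunnelling services the advisory names
FILE_HOST_RE = re.compile(r"(^|\.)(dropbox\.com|mediafire\.com)$")
TUNNEL_RE = re.compile(r"\.(ngrok(-free)?\.(io|app)|localto\.net)$")
WINDOW = timedelta(minutes=15)  # assumed maximum gap between the HTML lure and the JAR fetch

def parse(log_text):
    """Yield (time, client, host, path) for each well-formed log line."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) == 4:
            u = urlparse(parts[3])
            yield datetime.fromisoformat(parts[0]), parts[1], (u.hostname or "").lower(), u.path.lower()

def detect(log_text):
    """Return {client: sorted findings} for clients whose traffic matches the chain."""
    by_client = defaultdict(list)
    for ev in parse(log_text):
        by_client[ev[1]].append(ev)
    findings = {}
    for client, events in by_client.items():
        events.sort()  # chronological order per client
        hits, lure_time = set(), None
        for ts, _client, host, path in events:
            if host in IOC_HOSTS:
                hits.add("ioc_contact")
            if FILE_HOST_RE.search(host) and path.endswith((".html", ".htm")):
                lure_time = ts  # stage 1: HTML "CAPTCHA" lure from a file-hosting service
                hits.add("file_host_html_lure")
            if lure_time and ts - lure_time <= WINDOW:
                if TUNNEL_RE.search(host):
                    hits.add("tunnel_after_lure")  # stage 2: redirect to a tunnelled URL
                if path.endswith(".jar"):
                    hits.add("jar_after_lure")  # stage 3: Java payload download
        if hits:
            findings[client] = sorted(hits)
    return findings
```

Clients flagged with `jar_after_lure` warrant immediate triage; `ioc_contact` alone still confirms a hit on the advisory's infrastructure even when the HTML lure was not observed.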
Impact
- Sensitive Information Theft
- Gain Access
- Security Bypass
Indicators of Compromise
Domain Name
- jw8ndw9ev.localto.net
- l5ugb6qxh.localto.net
IP
- 143.47.53.106
- 130.51.20.126
Remediation
- Block all threat indicators at your respective controls.
- Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
- Block and monitor access to known malicious domains and URLs, especially those using file-sharing platforms like Dropbox, MediaFire, and Ngrok URLs.
- Disable Java Runtime Environment (JRE) on endpoints where it is not explicitly required to minimize exposure to Java-based malware.
- Implement robust email security solutions that perform in-depth sandbox analysis and URL rewriting, with geolocation-aware scanning capabilities to detect location-based payload delivery.
- Conduct user awareness training focusing on phishing and invoice scam recognition, particularly highlighting red flags such as urgent requests, unexpected invoices, or CAPTCHA-style prompts in documents.
- Enforce strict attachment policies—block or heavily scrutinize PDFs with embedded scripts or links, especially those received from third-party or unverified domains.
- Apply network segmentation and least privilege principles, limiting the impact of a successful infection by restricting lateral movement and access to sensitive resources.
- Deploy endpoint detection and response (EDR) tools capable of identifying behaviors associated with RATs, such as keylogging, unauthorized access to the webcam/microphone, or command execution.
- Regularly update antivirus signatures and perform system patching, including for Java and other third-party software, to close known vulnerabilities.
- Monitor email logs for suspicious sender activity, particularly from services like serviciodecorreo.es, and consider restricting external email delivery via SPF/DKIM/DMARC configurations.