New Sorillus RAT Actively Attacking European Organizations Via Tunneling Services
European organizations are facing a sophisticated cyber threat as the Sorillus Remote Access Trojan (RAT) emerges as a prominent weapon in a multi-language phishing campaign targeting businesses across Spain, Portugal, Italy, France, Belgium, and the Netherlands.
The malware, which has also been identified under the alias SambaSpy, represents a concerning evolution in cross-border cybercrime operations that leverage legitimate cloud services to evade traditional security measures.
The threat campaign, which gained significant momentum in March 2025, employs invoice-themed phishing emails as its primary attack vector, strategically crafted in multiple European languages to maximize its reach and effectiveness.
The sophisticated operation demonstrates a clear understanding of regional business practices, with attackers utilizing compromised domains from local small and medium enterprises to establish credibility and bypass initial security filters.
Orange Cyberdefense analysts identified this malicious cluster during routine threat monitoring, uncovering an infection chain that abuses popular tunneling services, including ngrok, localto.net, and ply.gg, to keep command and control traffic flowing while avoiding detection.
The team's investigation indicates that the actors behind the campaign are likely Brazilian cybercriminals who have adapted their tactics specifically for European targets.
The Sorillus RAT itself represents a mature malware-as-a-service offering that was commercially available from 2019 until January 2025, when its official infrastructure was dismantled, potentially in connection with FBI Operation Talent.
Despite this takedown, numerous cracked versions remain widely accessible through underground channels, ensuring the malware’s continued availability to threat actors of varying sophistication levels.
Sophisticated Infection Chain Leveraging Cloud Services
The infection mechanism employed by the Sorillus campaign demonstrates remarkable technical sophistication in its abuse of legitimate cloud platforms.
The attack begins with carefully crafted phishing emails containing PDF attachments masquerading as invoices, with filenames like “Facture.pdf” to match the target’s language preferences.
These PDFs contain embedded Stream Objects that, when activated, redirect victims to OneDrive-hosted content designed to appear as legitimate business documents.
The OneDrive landing page presents users with an apparent PDF document featuring a prominent “Open the document” button, which serves as the critical pivot point in the infection chain.
Upon clicking this button, victims are redirected to malicious web servers hosted behind ngrok reverse proxy services, which function as sophisticated traffic distribution systems capable of performing real-time victim profiling.
The server conducts automated checks on the victim’s browser configuration and language settings to determine whether to proceed with malware delivery or redirect to benign content, effectively filtering out security researchers and automated analysis systems.
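The profiling step described above, reproduced as an added example (not code from the article or from Orange Cyberdefense's report): a simulated TDS handler served from a loopback httptest server, plus the differential probe an analyst runs against a suspect URL, fetching it under several client profiles and flagging the URL when identical requests that differ only in Accept-Language or User-Agent receive different pages. The accepted locales, the User-Agent strings and the page bodies are assumptions; the real server's rules are not published.

```go
package main

import (
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Assumptions for this example: the locales the TDS accepts and the UA strings
// used by the probe; the real server's rules are not published.
const desktopUA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0 Safari/537.36"

var targetedLangs = []string{"fr", "es", "pt", "it", "nl"}

// cloakingHandler simulates the profiling step: the lure page is served only
// when Accept-Language matches a targeted locale and the User-Agent looks like
// a browser; anyone else (sandboxes defaulting to en-US, curl, crawlers) gets
// a harmless page.
func cloakingHandler(w http.ResponseWriter, r *http.Request) {
	lang := strings.ToLower(r.Header.Get("Accept-Language"))
	targeted := false
	for _, l := range targetedLangs {
		if strings.HasPrefix(lang, l) {
			targeted = true
		}
	}
	if !targeted || !strings.HasPrefix(r.UserAgent(), "Mozilla/") {
		fmt.Fprint(w, "<html><body>Document not found</body></html>")
		return
	}
	// A real TDS would send the victim on to the hosted JAR from here.
	fmt.Fprint(w, `<html><body><a href="download">Open the document</a></body></html>`)
}

// fetch requests url as the given client profile and returns the body.
func fetch(url, lang, ua string) (string, error) {
	req, err := http.NewRequest(http.MethodGet, url, nil)
	if err != nil {
		return "", err
	}
	req.Header.Set("Accept-Language", lang)
	req.Header.Set("User-Agent", ua)
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	return string(body), err
}

// ProbeCloaking fetches the same URL under several client profiles and
// reports whether the bodies differ. Responses that change with nothing
// but locale or client are the tell of a profiling TDS.
func ProbeCloaking(url string) (map[string]string, bool, error) {
	profiles := map[string][2]string{
		"fr-browser": {"fr-FR,fr;q=0.9,en;q=0.8", desktopUA},
		"en-browser": {"en-US,en;q=0.9", desktopUA},
		"fr-curl":    {"fr-FR", "curl/8.6.0"},
	}
	results := make(map[string]string)
	distinct := make(map[string]bool)
	for name, p := range profiles {
		body, err := fetch(url, p[0], p[1])
		if err != nil {
			return nil, false, err
		}
		results[name] = body
		distinct[body] = true
	}
	return results, len(distinct) > 1, nil
}

// RunDemo starts the simulated TDS on a loopback port, probes it and returns
// the verdict together with the per-profile bodies.
func RunDemo() (bool, map[string]string, error) {
	srv := httptest.NewServer(http.HandlerFunc(cloakingHandler))
	defer srv.Close()
	results, cloaked, err := ProbeCloaking(srv.URL)
	return cloaked, results, err
}

func main() {
	cloaked, results, err := RunDemo()
	if err != nil {
		panic(err)
	}
	for name, body := range results {
		fmt.Printf("%-10s %s\n", name, body)
	}
	fmt.Println("cloaking detected:", cloaked)
}
```

Against a live URL the same probe is run with `ProbeCloaking` pointed at the suspect link, ideally from an exit IP in the targeted country, since a real TDS can key on geolocation as well as on the headers shown here; a single "benign" response from an analyst workstation therefore proves nothing on its own.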
When the verification process succeeds, the system automatically downloads a JAR file from MediaFire, often disguised with innocuous filenames such as “1741159637278.png” to evade suspicion.
The delivered JAR file contains the Sorillus RAT payload, which establishes persistence through Windows registry modifications and initiates command and control communications with servers hosted behind additional tunneling services.
The malware’s configuration, embedded as a resource named “checksum,” is decrypted with AES in ECB mode and typically contains connection details for LocaltoNet or playit.gg tunnel proxies, giving the operators communication channels that can be re-pointed quickly when an endpoint is taken down.
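A self-contained illustration of the last two steps, added here and not part of the article or of the malware: it builds a toy JAR (a ZIP archive) whose `checksum` entry is AES-ECB encrypted with PKCS#5 padding, then performs the triage an analyst would do on the downloaded file: check the ZIP magic bytes instead of trusting the `.png` extension, pull out the `checksum` resource and decrypt it. The key, the config text and its field layout are constructed for the example; the page does not disclose the campaign's key.

```go
package main

import (
	"archive/zip"
	"bytes"
	"crypto/aes"
	"errors"
	"io"
)

// Constructed for this example: the page does not disclose the real key or config layout.
var demoKey = []byte("0123456789abcdef") // 16 bytes -> AES-128

const demoConfig = "host=example.localto.net\nport=41234\nid=demo"

// PKCS#5 padding as applied by Java's "AES/ECB/PKCS5Padding"; the unpad check
// is usually what fails first when a wrong key candidate is tried.
func pkcs5Pad(b []byte, size int) []byte {
	n := size - len(b)%size
	return append(b, bytes.Repeat([]byte{byte(n)}, n)...)
}

func pkcs5Unpad(b []byte, size int) ([]byte, error) {
	if len(b) == 0 || len(b)%size != 0 {
		return nil, errors.New("bad ciphertext length")
	}
	n := int(b[len(b)-1])
	if n == 0 || n > size || !bytes.Equal(b[len(b)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, errors.New("bad padding")
	}
	return b[:len(b)-n], nil
}

// aesECB applies the raw block cipher to each 16-byte block independently; that is
// all ECB mode is, and why equal plaintext blocks yield equal ciphertext blocks.
func aesECB(key, in []byte, decrypt bool) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	bs := block.BlockSize()
	if len(in)%bs != 0 {
		return nil, errors.New("input is not a multiple of the block size")
	}
	out := make([]byte, len(in))
	for i := 0; i < len(in); i += bs {
		if decrypt {
			block.Decrypt(out[i:i+bs], in[i:i+bs])
		} else {
			block.Encrypt(out[i:i+bs], in[i:i+bs])
		}
	}
	return out, nil
}

// BuildDemoJar constructs a minimal JAR (a ZIP archive) whose "checksum" entry
// holds the encrypted config, mirroring the layout described above.
func BuildDemoJar() ([]byte, error) {
	ct, err := aesECB(demoKey, pkcs5Pad([]byte(demoConfig), aes.BlockSize), false)
	if err != nil {
		return nil, err
	}
	var buf bytes.Buffer
	zw := zip.NewWriter(&buf)
	w, _ := zw.Create("checksum") // fixture only; errors ignored for brevity
	w.Write(ct)
	zw.Close()
	return buf.Bytes(), nil
}

// LooksLikeZip checks the ZIP local-file-header magic, so a ".png" that is
// really a JAR is recognised whatever its extension says.
func LooksLikeZip(data []byte) bool {
	return bytes.HasPrefix(data, []byte("PK\x03\x04"))
}

// ExtractConfig opens the archive from memory, reads the "checksum" resource
// and returns its AES-ECB decrypted, unpadded contents.
func ExtractConfig(jar, key []byte) (string, error) {
	if !LooksLikeZip(jar) {
		return "", errors.New("not a ZIP/JAR")
	}
	zr, err := zip.NewReader(bytes.NewReader(jar), int64(len(jar)))
	if err != nil {
		return "", err
	}
	rc, err := zr.Open("checksum") // zip.Reader implements fs.FS
	if err != nil {
		return "", err
	}
	defer rc.Close()
	data, err := io.ReadAll(rc)
	if err != nil {
		return "", err
	}
	pt, err := aesECB(key, data, true)
	if err != nil {
		return "", err
	}
	cfg, err := pkcs5Unpad(pt, aes.BlockSize)
	return string(cfg), err
}
```

`ExtractConfig(jar, key)` is the call an analyst would make against the real sample once the key has been recovered from the decompiled loader. Because ECB uses no IV, the same key decrypts every sample built by the same cracked builder, and a config longer than one block will show repeated 16-byte ciphertext runs wherever the plaintext repeats, which is itself a quick visual tell in a hex dump.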