Hackers Exploit PDF Invoices to Target Windows, Linux, and macOS Systems
gbhackers
A recent discovery by the FortiMail Incident Response team has revealed a highly sophisticated email campaign targeting organizations in Spain, Italy, and Portugal.
This attack distributes a potent Remote Access Trojan (RAT) known as RATty, primarily affecting Windows systems, but also posing a threat to Linux and macOS environments where the Java Runtime Environment (JRE) is installed.
The campaign leverages the legitimate Spanish email service provider serviciodecorreo.es, which is authorized to send emails on behalf of various domains. As a result, the messages pass SPF (Sender Policy Framework) checks and bypass email security filters with alarming ease.
This deceptive legitimacy, combined with advanced evasion tactics, enables attackers to deliver malicious payloads that grant them full control over infected systems, including the ability to execute commands, log keystrokes, access files, and even activate webcams or microphones.
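A triage sketch for the point above: an SPF pass only shows that the relay is authorised for the sending domain, so it should be one signal among several. This is an added example, not code from the article or from FortiMail. The function names, relay hostname, addresses and sample message are constructed for illustration.

```python
from email import message_from_string
from email.message import EmailMessage
from email.policy import default

# Provider named in the article. Legitimate customers also send through it,
# so a match is a reason to look closer, not a verdict.
WATCHED_RELAY = "serviciodecorreo.es"

def triage(raw: str) -> dict:
    """Collect the signals the article describes from one raw message."""
    msg = message_from_string(raw, policy=default)
    auth = " ".join(str(h) for h in msg.get_all("Authentication-Results", [])).lower()
    received = " ".join(str(h) for h in msg.get_all("Received", [])).lower()
    has_pdf = any(
        part.get_content_type() == "application/pdf"
        or (part.get_filename() or "").lower().endswith(".pdf")
        for part in msg.walk()
    )
    signals = {
        "spf_pass": "spf=pass" in auth,
        "via_watched_relay": WATCHED_RELAY in received,
        "pdf_attachment": has_pdf,
    }
    # Queue for attachment inspection instead of trusting the SPF result.
    signals["review"] = all(signals.values())
    return signals

def build_sample(relay: str = "relay.serviciodecorreo.es", with_pdf: bool = True) -> str:
    """Constructed message: documentation-range IP, example.* domains."""
    m = EmailMessage()
    m["From"] = "billing@example.com"
    m["To"] = "accounts@example.net"
    m["Subject"] = "Factura"
    m["Received"] = (f"from {relay} ({relay} [192.0.2.10]) "
                     "by mx.example.net; Mon, 1 Jan 2024 10:00:00 +0000")
    m["Authentication-Results"] = "mx.example.net; spf=pass smtp.mailfrom=example.com"
    m.set_content("Adjuntamos la factura.")
    if with_pdf:
        m.add_attachment(b"%PDF-1.4 constructed", maintype="application",
                         subtype="pdf", filename="factura.pdf")
    return m.as_string()

if __name__ == "__main__":
    print(triage(build_sample()))
```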
Multi-Layered Evasion Tactics and Infection Chain
The infection chain begins with a seemingly innocuous email containing a PDF attachment ...
Copyright of this story solely belongs to gbhackers.