
New Sorillus RAT Targets European Organizations Through Tunneling Services



In March 2025, Orange Cyberdefense's Managed Threat Detection team in Belgium found that a European client had been targeted by a malicious infection chain delivering the Sorillus Remote Access Trojan (RAT).

Further analysis by the Orange Cyberdefense CERT revealed a broader campaign impacting organizations across Spain, Portugal, Italy, France, Belgium, and the Netherlands.

This operation, also dubbed "Ratty RAT" by Fortinet in early May 2025, uses invoice-themed phishing emails as its initial access vector, delivering a malicious JAR file that installs Sorillus RAT, a Java-based malware first identified in 2019.

The campaign leverages legitimate services, among them OneDrive and MediaFire, and tunneling platforms such as Ngrok and LocaltoNet, so that its malicious traffic blends in with ordinary web activity and evades detection, combining social engineering with technical sophistication.
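The two tradecraft elements above, a JAR delivered under an invoice pretext and command-and-control hidden behind tunneling and file-hosting services, are both things a defender can check for with a short triage script. The following Python is an added example written for this page; it is not code from Orange Cyberdefense, Fortinet, or gbhackers, and it contains no indicators from their reports. The tunnel-endpoint suffixes (`.ngrok.io`, `.ngrok-free.app`, `.ngrok.app`, `.ngrok.dev`, `.localto.net`), the hosting domains, the proxy-log format and the log lines themselves are all constructed assumptions for illustration. The script flags outbound requests to those services and identifies a JAR by its content (ZIP container with `META-INF/MANIFEST.MF`) rather than by the extension the sender chose, which is the check that matters when an attachment named like an invoice is really a Java archive.

```python
import io
import re
import zipfile
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Indicator lists are assumptions for this example: the article names the services,
# not the domains. Tunnel endpoints are matched by suffix so that a random subdomain
# (e.g. a1b2c3d4.ngrok-free.app) is caught, while the vendors' own websites
# (ngrok.com) are not.
TUNNEL_SUFFIXES = (".ngrok.io", ".ngrok-free.app", ".ngrok.app", ".ngrok.dev", ".localto.net")
HOSTING_DOMAINS = ("1drv.ms", "onedrive.live.com", "mediafire.com")

# Constructed log format for this example: timestamp, client IP, destination host, status, bytes.
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<host>\S+)\s+(?P<status>\d{3})\s+(?P<bytes>\d+)$")


@dataclass
class Finding:
    ts: str
    src: str
    host: str
    reason: str


def classify_host(host: str) -> Optional[str]:
    """Return 'tunneling-service', 'file-hosting', or None for an outbound destination."""
    h = host.lower().rstrip(".")
    if any(h.endswith(s) for s in TUNNEL_SUFFIXES):
        return "tunneling-service"
    if any(h == d or h.endswith("." + d) for d in HOSTING_DOMAINS):
        return "file-hosting"
    return None


def scan_proxy_log(lines: Iterable[str]) -> List[Finding]:
    """Flag every request whose destination is a tunneling or file-hosting service."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than crash on them
        reason = classify_host(m["host"])
        if reason:
            findings.append(Finding(m["ts"], m["src"], m["host"], reason))
    return findings


def is_jar(data: bytes) -> bool:
    """A JAR is a ZIP archive carrying META-INF/MANIFEST.MF; check content, not the name."""
    if not data.startswith(b"PK\x03\x04"):
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return "META-INF/MANIFEST.MF" in zf.namelist()
    except zipfile.BadZipFile:
        return False


def attachment_verdict(filename: str, data: bytes) -> Optional[str]:
    """'jar' for an honest .jar, 'jar-disguised-as-<ext>' when the extension lies, else None."""
    if not is_jar(data):
        return None
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else "noext"
    return "jar" if ext == "jar" else f"jar-disguised-as-{ext}"


def build_sample_jar() -> bytes:
    """Constructed stand-in for a malicious JAR: a manifest plus a dummy class entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\nMain-Class: Loader\n")
        zf.writestr("Loader.class", b"\xca\xfe\xba\xbe")
    return buf.getvalue()


# Constructed sample log: one workstation fetching from MediaFire and then calling
# out to two tunnel endpoints, plus benign and malformed lines that must not fire.
SAMPLE_LOG = [
    "2025-03-12T09:14:02Z 10.0.4.23 login.microsoftonline.com 200 1832",
    "2025-03-12T09:15:40Z 10.0.4.23 download.mediafire.com 200 3948211",
    "2025-03-12T09:16:09Z 10.0.4.23 a1b2c3d4.ngrok-free.app 200 51234",
    "2025-03-12T09:16:01Z 10.0.4.31 ngrok.com 200 4021",
    "2025-03-12T09:17:55Z 10.0.4.23 cli-4d3f.localto.net 200 8802",
    "garbage line that does not parse",
]

if __name__ == "__main__":
    for f in scan_proxy_log(SAMPLE_LOG):
        print(f"{f.ts} {f.src} -> {f.host} [{f.reason}]")
    print(attachment_verdict("Factura_2025-03.pdf", build_sample_jar()))
```

A hit on a tunneling domain is a triage lead, not proof of compromise: developers use Ngrok legitimately, so correlate the finding with the same host having just downloaded from a file-hosting service, or with a Java process owning the connection, before escalating.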

Figure: Infection Chain

Technical Dissection of the Infection Chain

The infection chain begins with ...


Copyright of this story solely belongs to gbhackers.