A sophisticated multilayered email attack campaign has emerged, utilizing weaponized PDF invoices as the initial vector to deliver remote access trojan (RAT) malware across multiple platforms.
The attack primarily targets Windows systems but can also affect Linux and macOS devices with Java Runtime Environment (JRE) installed.
This cross-platform campaign grants attackers full remote control over compromised systems, enabling command execution, keystroke logging, file access, and webcam/microphone activation.
The attack begins with seemingly legitimate invoice emails that pass SPF validation because they are sent through the serviciodecorreo.es email service, which the SPF records of various domains list as an authorized sender.
These deceptive communications contain PDF attachments that claim to contain invoice information but instead instruct recipients to click buttons that initiate a complex infection chain.
The social engineering tactics employed create a sense of urgency, pressuring recipients to act with reduced caution.
Fortinet researchers identified that the campaign employs advanced evasion strategies, including the abuse of legitimate file-sharing platforms like Dropbox and MediaFire, sophisticated geolocation filtering, and Ngrok tunneling to mask malicious activities.
The attackers have clearly conducted prior research to identify vulnerable domains and maximize their chances of bypassing critical security measures.
Once executed, the malware delivers RATty, a Java-based Remote Access Trojan capable of executing remote commands, logging keystrokes, capturing screenshots, and exfiltrating sensitive data.
The high-severity threat provides attackers with comprehensive control over infected systems, creating significant risk for affected organizations and highlighting the increasing sophistication of modern malware attack methodologies.
Sophisticated Infection Chain Analysis
The multi-stage infection process begins when victims interact with the malicious PDF, which displays a message claiming improper rendering and directs users to click a button that leads to a Dropbox link containing an HTML file named “Fattura” (Italian for “Invoice”).
This HTML file presents victims with a basic “I am not a robot” validation prompt before redirecting them to a Ngrok-generated URL.
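The first stage described above relies on a link action embedded in the PDF. As an added example (not Fortinet's or the article's code), the following triage script extracts /URI link targets from a PDF and flags hosts of file-sharing services the campaign abuses. The PDF bytes are constructed inline for the demonstration, the Dropbox path in it is a placeholder rather than an indicator from the campaign, and the regex-based extraction assumes uncompressed objects; production PDFs often carry compressed object streams and should be parsed with a real PDF library.

```python
"""Extract clickable /URI actions from a PDF and flag staging hosts (added example)."""
import re
from urllib.parse import urlparse

# Hosts the article names as abused for staging; extend from your own intel.
STAGING_HOSTS = {"dropbox.com", "www.dropbox.com", "mediafire.com", "www.mediafire.com"}

# Matches "/URI (literal string)" or "/URI <hex string>" in raw PDF syntax.
URI_RE = re.compile(
    rb"/URI\s*\((?P<lit>(?:\\.|[^\\)])*)\)|/URI\s*<(?P<hex>[0-9A-Fa-f\s]*)>"
)


def _decode_literal(raw: bytes) -> str:
    """Unescape \\( \\) \\\\ inside a PDF literal string."""
    return re.sub(rb"\\([()\\])", rb"\1", raw).decode("latin-1")


def extract_uris(pdf: bytes) -> list[str]:
    """Return every /URI action target found in uncompressed PDF objects."""
    uris = []
    for m in URI_RE.finditer(pdf):
        if m.group("lit") is not None:
            uris.append(_decode_literal(m.group("lit")))
        else:
            hexstr = re.sub(rb"\s", b"", m.group("hex")).decode("ascii")
            uris.append(bytes.fromhex(hexstr).decode("latin-1"))
    return uris


def host_of(uri: str) -> str:
    return (urlparse(uri).hostname or "").lower()


def is_staging_host(host: str) -> bool:
    return host in STAGING_HOSTS or any(host.endswith("." + h) for h in STAGING_HOSTS)


def triage_pdf(pdf: bytes) -> dict:
    """Summarise link targets and flag any that point at known staging hosts."""
    uris = extract_uris(pdf)
    flagged = [u for u in uris if is_staging_host(host_of(u))]
    return {"uris": uris, "flagged": flagged, "suspicious": bool(flagged)}


# Constructed sample: a one-page PDF with two link annotations, one to a
# placeholder Dropbox URL and one (hex-encoded) to https://example.test/.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Annots [4 0 R 5 0 R] >> endobj
4 0 obj << /Type /Annot /Subtype /Link /Rect [100 600 300 640]
   /A << /S /URI /URI (https://www.dropbox.com/s/PLACEHOLDER/Fattura.html?dl=1) >> >> endobj
5 0 obj << /Type /Annot /Subtype /Link /Rect [100 500 300 540]
   /A << /S /URI /URI <68747470733a2f2f6578616d706c652e746573742f> >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

if __name__ == "__main__":
    print(triage_pdf(SAMPLE_PDF))
```

Flagging by host is deliberately coarse: legitimate invoices do link to file-sharing services, so the result is a triage signal to combine with the sender checks and sandbox detonation, not a block verdict on its own.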
The attackers implement a particularly effective geofencing technique that serves different content based on the victim's location: users accessing from Italy receive the malicious JAR file, while those from other countries see a seemingly legitimate Google Drive document containing a benign invoice from Medinova Health Group.
[Screenshot: the fake verification page, with the Italian text "Sono un essere umano" ("I am a human") and a "Verifica" ("Verify") button]
This geofencing approach specifically targets email security systems, which typically perform analysis from generic or cloud-based environments not tied to specific geographic locations.
When these security systems access the embedded URLs, they’re redirected to harmless decoy pages rather than malicious content, allowing the attack to remain undetected.
The final payload, disguised with neutral-looking filenames like “FA-43-03-2025.jar,” exploits Java’s cross-platform nature to deliver the RAT malware that establishes persistent remote access for the attackers.
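Because the final stage is a Java archive with an innocuous name, an attachment filter that keys on the filename alone misses it. The following is an added example (not Fortinet's or the article's code) that recognises a JAR by its content: a ZIP container with a META-INF/MANIFEST.MF, typically naming a Main-Class, or loose .class files. The archive is built in memory for the demonstration and the class name inside it is a placeholder.

```python
"""Identify Java archives by content rather than extension (added example)."""
import io
import zipfile

ZIP_MAGIC = b"PK\x03\x04"
MANIFEST = "META-INF/MANIFEST.MF"


def inspect_attachment(filename: str, data: bytes) -> dict:
    """Classify an attachment; report JARs and filename/content mismatches."""
    report = {
        "filename": filename,
        "is_zip": data.startswith(ZIP_MAGIC),
        "is_jar": False,
        "main_class": None,
        "extension_mismatch": False,
    }
    if not report["is_zip"]:
        return report
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = set(zf.namelist())
            if MANIFEST in names:
                report["is_jar"] = True
                manifest = zf.read(MANIFEST).decode("utf-8", "replace")
                for line in manifest.splitlines():
                    if line.lower().startswith("main-class:"):
                        report["main_class"] = line.split(":", 1)[1].strip()
            elif any(n.endswith(".class") for n in names):
                # No manifest, but compiled classes: still loadable via -cp.
                report["is_jar"] = True
    except zipfile.BadZipFile:
        return report
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    report["extension_mismatch"] = report["is_jar"] and ext != "jar"
    return report


def verdict(report: dict) -> str:
    """Policy decision for a mail gateway: Java archives are held regardless of name."""
    if not report["is_jar"]:
        return "allow"
    reason = "Java archive attachment"
    if report["extension_mismatch"]:
        reason += " with non-.jar extension"
    return "quarantine: " + reason


def build_sample_jar(main_class: str = "Placeholder") -> bytes:
    """Construct a minimal JAR in memory for the demo (placeholder class name)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(MANIFEST, f"Manifest-Version: 1.0\r\nMain-Class: {main_class}\r\n\r\n")
        # Class-file magic followed by constructed filler; not a real class.
        zf.writestr(f"{main_class}.class", b"\xca\xfe\xba\xbe" + b"\x00" * 4)
    return buf.getvalue()


if __name__ == "__main__":
    jar = build_sample_jar()
    for name in ("FA-43-03-2025.jar", "Fattura.pdf"):
        rep = inspect_attachment(name, jar)
        print(name, "->", verdict(rep), rep["main_class"])
```

The same content check applies to files fetched by the sandbox from the redirect chain: the download is identified as a JAR by its structure, so a renamed or double-extension copy is treated no differently from one named with .jar.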