A Growing Threat Spanning Europe
In one of the more sophisticated malware campaigns reported in Europe in 2025, institutions across the continent have become targets of a newly evolved variant of the Sorillus Remote Access Trojan (RAT). Security analysts and threat intelligence units are on high alert following coordinated attacks that have breached organizations in Spain, Portugal, France, Italy, Belgium, and the Netherlands. These attacks, first detected in March, are characterized by multi-layered delivery techniques, abuse of legitimate cloud services, and distribution methods designed to evade modern defenses. As the malware spreads, indicators point toward Brazilian-affiliated cybercriminal groups, raising concerns about the global proliferation of offensive tooling and the increasing professionalization of cybercrime networks.
Summary of the Attack Campaign
The Sorillus RAT campaign begins with targeted phishing. Emails are sent from hijacked business domains and written in the target’s native language, which greatly increases their success rate. Most messages pose as routine invoice communications but carry weaponized PDFs. Rather than containing the payload, these PDFs embed objects whose action opens a OneDrive-hosted file. From there, victims are silently redirected to the attackers’ servers through ngrok, a tunnelling service that fronts the real infrastructure behind disposable ngrok hostnames, so the true location of the threat infrastructure is hidden from both the victim and URL reputation checks.
This complex traffic flow helps attackers evaluate the
Reverse engineering has revealed multiple layers of obfuscation: configuration data and strings are wrapped in Blowfish, DES, and AES encryption with XOR masking on top. Because the malware must decrypt its own configuration at runtime, the keys are necessarily present in the sample; the layers do not make recovery impossible, but they raise the time and skill required for forensic analysis and shield key configuration data from automated extraction.
The Sorillus RAT itself, which first surfaced in 2019, is a versatile cross-platform malware capable of infiltrating Windows, Linux, and macOS environments. It offers a robust toolkit: file theft, keylogging, webcam and mic access, clipboard monitoring, remote shell access, and dynamic command retrieval from services like Pastebin or tunneled backends like LocaltoNet. Although official distribution channels for Sorillus were disrupted in early 2025, cracked versions still circulate on platforms like GitHub and Telegram.
Evidence including embedded Portuguese comments and references to Brazilian pop culture strongly suggests Brazilian cybercrime groups are behind the current wave. The attackers have diversified their hosting methods by also using Dropbox, Discord, and GitHub, sometimes inserting additional VBScript loaders to deepen infection chains. The campaign demonstrates the continuing evolution of phishing-based malware delivery, blending legitimate tools with high-level obfuscation to exploit trust and stay ahead of traditional defenses.
What Undercode Says:
Targeted Social Engineering Tactics
What makes this campaign particularly insidious is its personalized phishing strategy. By crafting emails in local languages and using real business addresses, attackers eliminate common red flags that might warn users. This level of localization reflects not only linguistic skill but also access to compromised CRM systems or stolen mailing lists.
Use of Trusted Services as Trojan Horses
Attackers cleverly exploit platforms like OneDrive, MediaFire, Dropbox, and Discord — all commonly used and widely trusted. When malware is hosted on familiar platforms, it bypasses many email filters and user suspicions. Even seasoned IT professionals may inadvertently download files from these sources if no immediate red flags appear.
Dynamic Victim Profiling with ngrok
The use of ngrok as a reverse proxy in front of the delivery servers is an effective tradecraft choice. ngrok itself only tunnels traffic; the profiling is done by the attacker-controlled backend it fronts, which can inspect each request’s operating system, browser type, and language settings before deciding whether to serve the payload. Serving benign content to sandboxes, crawlers, and non-targeted visitors raises the payload delivery success rate among intended victims while limiting the malware’s exposure to analysis.
Obfuscation and Encryption at Every Step
Encryption layers like Blowfish, DES, XOR, and AES-ECB aren’t just overkill — they’re deliberate hurdles against security researchers. By embedding configuration under misnamed resource labels like “checksum,” attackers force defenders to invest more time and expertise in reverse engineering efforts.
Malware-as-a-Service Resilience
Despite the crackdown on underground marketplaces, the resilience of malware ecosystems is evident. Sorillus persists through cracked releases on GitHub and Telegram, which lowers the barrier of entry for low-level cybercriminals. The democratization of malware-as-a-service ensures that even small-time operators can execute complex operations.
Attribution to Brazilian Actors
Multiple indicators — including language, cultural references, and prior threat group behavior — support attribution to Brazilian cybercriminals. Brazil has a rich history of banking malware and financially motivated campaigns, and this campaign’s focus on Western Europe aligns with prior regional targeting by Brazilian actors.
Cross-Platform Capability Expands Attack Surface
By supporting Windows, macOS, and Linux, Sorillus broadens its infection potential. This matters in a Europe where diverse operating systems are used in both enterprise and public sectors, and it shows that the malware was built for portability rather than for a single platform.
Real-World Damage and Future Concerns
The fusion of legitimate tools with multi-stage malware infrastructure is a practical threat to any organization whose staff routinely open documents that arrive via cloud links. From finance to healthcare and government services, an environment that relies on cloud-based document sharing offers exactly the trust relationship this campaign exploits.
Lessons for Cyber Defenders
Cybersecurity professionals must factor the apparent legitimacy of cloud providers into threat modeling. Content from OneDrive or Dropbox should not automatically be considered safe: a link to a file-hosting service should be treated as untrusted input, PDF attachments should be inspected for actions that open external URLs, and egress to tunnelling services such as ngrok should be monitored and, where there is no business need for it, blocked. Organizations must also implement behavior-based detection on endpoints, since the final payload is fetched at runtime rather than attached to the mail, and improve phishing awareness training.
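The following script is an added example (not code from the cyberpress.org report or from the Sorillus authors) that turns the delivery chain summarized earlier (weaponized PDF, OneDrive link, redirect through ngrok) and the defender lessons above into two checks a mail gateway or SOC can run: it extracts /URI actions from raw PDF bytes, including the hex-string form that hides from a plain grep for "http", classifies each host as a file-hosting service or a tunnel endpoint, and scans proxy log lines for egress to tunnel domains. The FILE_HOSTS and TUNNEL_SUFFIXES lists, the sample PDF, and the log lines are all constructed for this example; the exact domain names used by ngrok and LocaltoNet are an assumption and should be checked against the providers’ current documentation.

```python
"""Triage helpers for the PDF -> file host -> ngrok delivery chain.
Added example; domain lists and sample data are assumptions, not from the report."""
import re
from urllib.parse import urlparse

# File-hosting services named in the article. Assumption: these are the
# download hostnames those services actually use.
FILE_HOSTS = {
    "onedrive.live.com", "1drv.ms", "mediafire.com", "dropbox.com",
    "dl.dropboxusercontent.com", "cdn.discordapp.com", "github.com",
    "raw.githubusercontent.com", "pastebin.com",
}
# Tunnel / reverse-proxy suffixes (assumption: ngrok and LocaltoNet public domains).
TUNNEL_SUFFIXES = (".ngrok.io", ".ngrok.app", ".ngrok-free.app", ".ngrok.dev", ".localto.net")

# A /URI action target is a literal string "(...)" or a hex string "<...>".
URI_LITERAL_RE = re.compile(rb"/URI\s*\((.*?)(?<!\\)\)", re.S)
URI_HEX_RE = re.compile(rb"/URI\s*<([0-9A-Fa-f\s]*)>")
# Actions that fire without a click or leave the document entirely.
RISKY_ACTION_RE = re.compile(rb"/(Launch|JavaScript|OpenAction|GoToR)\b")


def classify_host(url: str) -> str:
    """Return 'tunnel', 'file-host', 'other' or 'unknown' for the URL's host."""
    host = (urlparse(url).hostname or "").lower()
    if not host:
        return "unknown"
    if host.endswith(TUNNEL_SUFFIXES):
        return "tunnel"
    if any(host == h or host.endswith("." + h) for h in FILE_HOSTS):
        return "file-host"
    return "other"


def extract_pdf_urls(pdf: bytes) -> list[str]:
    """Pull every /URI target out of raw PDF bytes without a PDF library."""
    urls = []
    for m in URI_LITERAL_RE.finditer(pdf):
        raw = m.group(1).replace(b"\\(", b"(").replace(b"\\)", b")")
        urls.append(raw.decode("latin-1"))
    for m in URI_HEX_RE.finditer(pdf):
        digits = re.sub(rb"\s", b"", m.group(1)).decode("ascii")
        if len(digits) % 2:          # PDF spec: a missing final hex digit is 0
            digits += "0"
        urls.append(bytes.fromhex(digits).decode("latin-1"))
    return urls


def scan_pdf(pdf: bytes) -> dict:
    """Flag a PDF that reaches a tunnel host, or auto-opens a file-host link."""
    verdicts = {u: classify_host(u) for u in extract_pdf_urls(pdf)}
    actions = sorted({m.group(1).decode() for m in RISKY_ACTION_RE.finditer(pdf)})
    external = [u for u, v in verdicts.items() if v in ("tunnel", "file-host")]
    auto = bool({"OpenAction", "Launch", "JavaScript"} & set(actions))
    flagged = "tunnel" in verdicts.values() or (bool(external) and auto)
    return {"urls": verdicts, "actions": actions, "flagged": flagged}


# Constructed proxy log format: "<timestamp> <src_ip> <method> <url> <status>".
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$")


def tunnel_hits(log_lines) -> list[tuple[str, str, int]]:
    """Return (src_ip, url, status) for every egress request to a tunnel host.
    A file-host request answered with 302 followed by a tunnel host fetch from
    the same source is the redirect step described in the article."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if m and classify_host(m["url"]) == "tunnel":
            hits.append((m["src"], m["url"], int(m["status"])))
    return hits


# Constructed minimal PDF: an /OpenAction to a OneDrive link plus a link
# annotation whose /URI is hex-encoded ("https://abcd1234.ngrok-free.app/invoice.pdf").
SAMPLE_PDF = b"""%PDF-1.7
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Annots [5 0 R] >> endobj
4 0 obj << /S /URI /URI (https://onedrive.live.com/download?cid=EXAMPLE) >> endobj
5 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI <68747470733a2f2f61626364313233342e6e67726f6b2d667265652e6170702f696e766f6963652e706466> >> >> endobj
trailer << /Root 1 0 R >>
%%EOF"""

# Constructed log lines showing the file-host 302 followed by the tunnel fetch.
SAMPLE_LOG = [
    "2025-03-12T09:14:02Z 10.0.4.21 GET https://onedrive.live.com/download?cid=EXAMPLE 302",
    "2025-03-12T09:14:03Z 10.0.4.21 GET https://abcd1234.ngrok-free.app/invoice.pdf 200",
    "2025-03-12T09:15:40Z 10.0.4.33 GET https://www.example.org/news 200",
]

if __name__ == "__main__":
    print(scan_pdf(SAMPLE_PDF))
    print(tunnel_hits(SAMPLE_LOG))
```

The PDF check is deliberately byte-level so it also works on malformed or partially parsed files that trip up full PDF parsers; a production deployment would additionally decompress /FlateDecode streams, since action dictionaries can live inside object streams. The host lists are a starting point for your own allow/deny policy, not a complete threat feed.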
Ongoing Adaptation by Threat Actors
The consistent evolution of this campaign, including the switch to new file hosts and the use of intermediate loaders, proves that threat actors are not static. They refine techniques in response to detection and continue experimenting with methods that slip through defenses.
🔍 Fact Checker Results:
✅ Verified phishing tactics use real business domains and native-language targeting
✅ Use of legitimate cloud platforms like OneDrive, MediaFire, and Dropbox confirmed
✅ Strong indicators suggest Brazilian cybercrime actors are behind the campaign
📊 Prediction:
Expect an increase in phishing campaigns leveraging file-sharing platforms to deliver stealthy RATs like Sorillus. With the tools readily available on public repositories and social platforms, more cybercriminals — not just advanced actors — will replicate this strategy across sectors. European organizations, especially mid-sized businesses with minimal threat detection, are at high risk in the coming months. 🚨👨💻
References:
Reported By: cyberpress.org