{
	"id": "02570cf9-2134-465a-8891-b45821711556",
	"created_at": "2026-04-06T00:21:03.524815Z",
	"updated_at": "2026-04-10T03:20:49.284538Z",
	"deleted_at": null,
	"sha1_hash": "cf901c065ab53e523f9a3c13be28248da0bfae70",
	"title": "Tax Customer Campaign Infects Targets with RAT",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3147537,
	"plain_text": "Tax Customer Campaign Infects Targets with RAT\r\nPublished: 2022-04-06 · Archived: 2026-04-02 10:57:20 UTC\r\nWith the US tax deadline looming, inboxes everywhere are awash in a sea of messages advising their users to exercise caution and due diligence to prevent fraud and identity theft.\r\nIf receiving and downloading files is necessary for business functions, it becomes difficult to avoid downloading a malicious file. Some measure of risk is unavoidable, especially if data must be received early in the process of establishing a new client relationship—as is the case for CPAs and tax preparation service providers.\r\nThe threat intelligence team at Abnormal Security recently observed a timely campaign targeting accounting and tax professionals.\r\nBetween February 24, 2022, and March 4, 2022, we identified more than 130 emails from threat actors posing as potential clients. The emails claimed the sender was attempting to locate a CPA ahead of April’s deadline and obtain individual or business tax filing services for this year. However, each email delivered not the promised tax documents but instead an obfuscated version of the remote access tool (RAT) Sorillus.\r\nInitial contact by bad actors with potential victim\r\nAfter initial contact with the service provider was made, the actors sent follow-up messages containing a mega[.]nz file share link to Sorillus RAT. The link was hidden underneath the text, pretending to be a simple PDF file attachment.\r\nhttps://abnormalsecurity.com/blog/tax-customers-sorillus-rat\r\nPage 1 of 10\r\nEmail with “DAVE_AN1040.PDF” text hiding suspicious mega[.]nz file-sharing link\r\nEmails were sent from 10 different addresses but were easily identifiable because the subject lines of the emails followed a similar pattern. Each referenced business and individual tax documents appropriate for the service supposedly being offered.\r\nThreat Analysis\r\nMega[.]nz was used to send the malicious file as an anti-detection technique, and upon visiting the supplied link, a file masquerading as a PDF named “DAVE_AN1040.PDF” was downloaded. In reality, though, the file was a .ZIP archive containing a .JAR file.\r\nMalicious .JAR file inside ZIP archive posing as a PDF\r\nThe .JAR file had two packages, obfuscated with what appears to be the Zelix obfuscator.\r\nEven with the obfuscation, the name of the first package is in clear text, com.sorillus.client. Sorillus is a RAT that runs in Windows, Linux, and Mac OS, as we can see after some deobfuscation.\r\nJava class identifying different compatible operating systems\r\nThe tool is able to collect the victim’s system information including hardware ID, username, language, webcam, and OS.\r\nJava class with the parameters to collect\r\nWhen deployed against a victim, Sorillus establishes the connection with its command and control (C2). In this case, the IP address was 78[.]142[.]18[.]37. The purpose of this C2 connection is to give the threat actor full control of the victim’s operating system.\r\nAccording to VirusTotal, the C2 IP address is associated with HostSlick, a web hosting company based in Germany, and has previously been linked to five other malicious samples similar to the Sorillus RAT we analyzed. Currently, the domain justinblairinc[.]com, which may be impersonating a US-based manufacturer and distributor of shoe store supplies, is also hosted on this IP address.\r\nSorillus RAT connection to C2 IP address\r\nExample of network traffic\r\nOnce the malware has successfully connected to the C2, remote access is established and the threat actor is able to start stealing information. Stolen information is encrypted and stored in the victim’s Temp directory until it is extracted by the attacker.\r\nStolen information stored in the Temp directory\r\nExample of encrypted stolen information\r\nWhat Is the Sorillus RAT?\r\nSorillus is a paid remote access tool (RAT) that offers obfuscation and encryption capabilities. While it was first created in 2019, interest in the tool has increased considerably in the last six months since the previous update. Beginning on January 18, 2022, different obfuscated client versions of the tool started to be uploaded to VirusTotal. Sorillus’ features are described in detail on its website. The tool’s creator and distributor, a YouTube user known as “Tapt”, asserts that the tool is able to collect the following information from its target:\r\nHardwareID\r\nUsername\r\nCountry\r\nLanguage\r\nWebcam\r\nHeadless\r\nOperating system\r\nClient Version\r\nActive on YouTube since April 2015, all of Tapt’s recent posts are exclusively videos describing Sorillus RAT and its functions. Overall, their channel has received almost 75K views, and the timing of their videos is consistent with updates made to the tool.\r\nThe recently identified malicious activities associated with this RAT are related mainly to information stealing. However, due to Sorillus’ ability to bundle its client code with any other Java code, the range of malicious actions the tool can take is broad.\r\nScreenshot showing three different Sorillus tool interfaces\r\nThe tool supposedly costs 49.99€ for lifetime access but is currently available at a discounted 19.99€. Conveniently, Sorillus can be purchased via a variety of cryptocurrencies.\r\nPayment methods for Sorillus\r\nProtecting Yourself From the Sorillus RAT\r\nFor accounting and tax professionals, digital file sharing is a necessity. If you primarily receive documents via email (as opposed to having clients upload them to a secure portal), you must take precautions to reduce your risk of downloading malicious files.\r\nOne simple step is to avoid opening any attachments or links in emails sent from new or prospective clients until you (or a member of your staff) have spoken with the client directly.\r\nIndicators of Compromise (IOCs)\r\n1c7e5f54c879637967ec6937dee9f18afe33a7be71449d4ecdca8c8903e2a97b jar\r\n70a8cdbf0aacd885ec30d3c7632cf7fd4f4fe5814504c0dc7da92feb9ee37861 zip\r\n78[.]142[.]18[.]37 C2\r\nililililililiilililili string\r\ndavidans1[@]delveroiin[.]com email\r\nrayjames1101[@]gmail[.]com email\r\ndexatri[.]com domain\r\nbegrino[.]com domain\r\ndelveroiin[.]com domain\r\nSource: https://abnormalsecurity.com/blog/tax-customers-sorillus-rat",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://abnormalsecurity.com/blog/tax-customers-sorillus-rat"
	],
	"report_names": [
		"tax-customers-sorillus-rat"
	],
	"threat_actors": [],
	"ts_created_at": 1775434863,
	"ts_updated_at": 1775791249,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/cf901c065ab53e523f9a3c13be28248da0bfae70.pdf",
		"text": "https://archive.orkl.eu/cf901c065ab53e523f9a3c13be28248da0bfae70.txt",
		"img": "https://archive.orkl.eu/cf901c065ab53e523f9a3c13be28248da0bfae70.jpg"
	}
}