{
	"id": "e876f5da-229e-43ac-b687-16bb67bdd7d4",
	"created_at": "2026-04-06T00:14:13.991711Z",
	"updated_at": "2026-04-10T03:20:54.911835Z",
	"deleted_at": null,
	"sha1_hash": "e11e02f542d5c81d10e8cbe4784a132603d432c1",
	"title": "Multilayered Email Attack: How a PDF Invoice and Geo-Fencing Led to RAT Malware | FortiGuard Labs",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 54530,
	"plain_text": "Multilayered Email Attack: How a PDF Invoice and Geo-Fencing Led to RAT Malware | FortiGuard Labs\r\nBy Ran Mizrahi\r\nPublished: 2025-05-08 · Archived: 2026-04-05 19:27:33 UTC\r\nAffected platforms: Windows (primarily), Linux \u0026 macOS (if Java is installed)\r\nImpacted parties: Users on systems with Java Runtime Environment (JRE) installed\r\nImpact: Grants remote access to attackers, enabling them to execute commands, log keystrokes, access files, activate webcam/microphone, and fully control the infected system\r\nSeverity level: High\r\nThe FortiMail IR team recently uncovered a new email campaign distributing a Remote Access Trojan (RAT) using multiple evasion techniques to target organizations in Spain, Italy, and Portugal. The campaign leverages the serviciodecorreo email service provider, which is configured as an authorized sender for various domains and successfully passes SPF validation.\r\nAdditionally, it employs advanced evasion strategies, including the abuse of two file-sharing platforms, geolocation filtering, and Ngrok to create secure, obfuscated tunnels. These tactics further complicate detection and effectively mask the attack's true origin, ultimately facilitating the distribution of RATty malware.\r\nThis campaign highlights the increasing sophistication of malware attack methodologies, leveraging the legitimate functionalities of remote administration tools for malicious purposes.\r\nOverview\r\nThe Email\r\nThe attacker exploits serviciodecorreo.es, a legitimate Spanish email service authorized to send emails on behalf of various domains. Since the SPF record for these domains designates serviciodecorreo.es as a valid sender, the malicious emails successfully pass SPF checks, creating the illusion of legitimacy.\r\nConsequently, these emails are more likely to bypass security filters, making it easier for them to be accepted by the recipient's mail server. This increases the likelihood of a successful attack, as the deceptive nature of the emails goes unnoticed.\r\nThe sender attaches a PDF file asking the recipient to review two new invoices. This makes the recipient believe the email is important, which may influence them to check the attached files and details. This is basic social engineering to tempt the recipient into acting with less caution and under pressure.\r\nThe PDF File Attachment\r\nhttps://www.fortinet.com/blog/threat-research/multilayered-email-attack-how-a-pdf-invoice-and-geofencing-led-to-rat-malware\r\nPage 1 of 5\r\nThe attached PDF file displays a message indicating that the file is not being shown correctly and instructs the recipient to click a button to download the file locally. The button contains a Dropbox (file-sharing platform) link to download an HTML file named \"Fattura\" (Translation: “Invoice”). The choice of this file name plays into the social engineering tactic, aiming to persuade the recipient to click and view the information, ultimately leading to the delivery of a malicious payload.\r\nThe HTML File\r\nThe HTML file contains a basic validation step with an \"I am not a robot\" prompt.\r\nAfter completing the verification, a simple HTML page is displayed with instructions to click a button to view the document. The button redirects the user to a link generated by Ngrok, a tunneling tool that allows users to expose local servers to the internet through secure, temporary URLs.\r\nThe following URL abuses the MediaFire file-sharing platform by automatically downloading the JAR file (FA-43-03-2025.jar) when accessed:\r\nhxxps://download1528[.]mediafire[.]com/35ougpab4uhgHgb3Pmqh8niQ0hzS9b-TtTro5oPV5iUIULfNckqgXvjXQ6aTp-NF-k8EflSnFWC--Ffh4aX1NlYrzaPzgFlyxHVe0fKkLE1p3u5cntfU25orm92QdoQmXE9-gyI4hRgSYpaNcd3o12kJnPRbJhD3aqbl1Qx3vqbUtk8/ayp0ikmndrdseht/FA-43-03-2025.jar\r\nUsing a legitimate file-sharing service helps attackers further evade detection, as security filters are less likely to flag downloads from trusted platforms. Geolocation filtering makes detection and blocking more difficult for security companies, since automated analysis systems, sandbox environments, and security researchers often inspect URLs from locations outside the targeted region. By selectively delivering the malware only to specific geolocations, attackers reduce the risk of early detection and increase the likelihood of a successful attack.\r\nBelow, we can see how this evasion leads to a Google Drive link containing a legitimate file:\r\nBypassing Email Security Filters with Ngrok\r\nNgrok is primarily used to test webhooks, develop locally hosted applications, and bypass NAT/firewall restrictions. However, as in this case, threat actors can misuse Ngrok to create dynamic, hard-to-detect phishing links that evade traditional security filters.\r\nAttackers use Ngrok to dynamically generate URLs that help them evade email security filtering mechanisms. One key technique they employ is geo-based cloaking, which serves different content depending on the user's location.\r\nIn this case, when users access the Ngrok-generated URL from any country except Italy, they are redirected to a seemingly legitimate Google Drive document, making it harder for email security solutions to classify the URL as malicious.\r\nThe attached fake invoice is identical for all targeted organizations. It is a purported invoice from the global health organization Medinova Health Group, and it has been designed to bypass most email security mechanisms.\r\nThe seemingly legitimate invoice, shared via Google Drive, is unlikely to raise suspicion during email scanning and is intended to slip past email security engines without triggering any suspicion of malicious intent.\r\nHowever, when the request originates from Italy, the URL changes entirely, leading to the download of a malicious JAR file.\r\nMost email security systems perform email analysis from generic or cloud-based environments, not tied to a specific geographic location. As a result, when these systems access the embedded URL, they are redirected to a harmless decoy page rather than the malicious file. This geofencing technique ensures that only users in the targeted regions, in this case Italy, can reach the actual malicious content.\r\nThe JAR File\r\nThe .jar file contains a type of Ratty malware. The file name, \"FA-43-03-2025.jar,\" resembles a neutral reference number. While such naming conventions are not unusual, this name was probably specifically chosen to prompt the end user to click and execute the file, assuming it is related to a payment document, thus encouraging hasty and careless action.\r\nRatty RAT: A Java-Based Remote Access Trojan\r\nRatty RAT is a Java-based Remote Access Trojan (RAT) typically distributed as a .jar file. Since Java is a cross-platform language, Ratty RAT can run on various operating systems as long as the Java Runtime Environment (JRE) is installed.\r\nThreat actors use Ratty RAT to execute remote commands, log keystrokes, capture screenshots, and steal sensitive data, often as part of email-based social engineering campaigns with malicious attachments.\r\nWhile it is commonly delivered as a .jar file, attackers may also package it as an MSI (Microsoft Installer) file to increase its legitimacy and evade detection. By bundling the RAT inside an MSI, they can disguise it as legitimate software or an update, making it easier to trick users into executing the malware.\r\nWhat Makes This Email Campaign Particularly Sophisticated\r\nWhat makes this email campaign particularly sophisticated is its combination of multiple tactics designed to evade detection and exploit trusted platforms. Its multi-layered strategy uses social engineering techniques to manipulate recipients into clicking on malicious links.\r\nThe initial email, disguised as an invoice and sent from a sender who appears legitimate, serves as the entry point. The attacker clearly conducted prior research, identifying which domains allow the use of the specific email service for sending emails, thereby bypassing some critical security measures.\r\nThe attackers also abuse file-sharing platforms like Dropbox and MediaFire to deliver their malicious payload while leveraging geolocation techniques to tailor the attack based on the recipient's location. Additionally, the use of Ngrok complicates detection by creating secure, obfuscated tunnels that mask the true origin of the attack.\r\nTogether, these elements create a highly advanced and effective method of distributing malware, including RATty (Remote Access Trojan), which is challenging for traditional security systems to detect and block.\r\nFortinet Protections\r\nFortinet provides multiple layers of protection against this threat. FortiGate and FortiClient detect and block the malicious JAR file using the latest antivirus (AV) signatures. Customers are advised to ensure their systems are regularly updated with the most recent AV database.\r\nFortinet customers are also already protected from this campaign with FortiGuard’s AntiSPAM, Web Filtering, IPS, and AntiVirus services. FortiMail recognizes the phishing email as “virus detected,” and the FortiMail Content Disarm and Reconstruction (CDR) function automatically detects and mitigates this threat.\r\nIn addition, FortiSandbox, embedded in Fortinet’s FortiMail, web filtering, and antivirus solutions, provides real-time anti-phishing protection against known and unknown phishing attempts.\r\nPerception Point Email Security, now part of Fortinet FortiMail, also proactively detects and blocks emails containing malicious geo-fenced URLs used to deliver malware and phishing content and the RATty JAR file itself. This is achieved through advanced dynamic scanning and static analysis techniques.\r\nCombined, these detection capabilities ensure threats are mitigated during delivery, through malicious emails and links, and upon download, delivering end-to-end protection across the entire attack chain.\r\nIn addition to technical defenses, organizations should adopt Security Awareness Training (SAT) programs and conduct regular phishing simulations. Fortinet’s free NSE training, the NSE 1 – Information Security Awareness module on Internet threats, is designed to help end users learn how to identify and protect themselves from phishing attacks.\r\nThe FortiPhish Phishing Simulation Service uses real-world simulations to help organizations test user awareness and vigilance to phishing threats and to train and reinforce proper practices when users encounter targeted phishing attacks. By empowering users to recognize and respond to suspicious content, these initiatives significantly lower the risk of successful phishing or malware attacks.\r\nIf you believe this or any other cybersecurity threat has impacted your organization, please contact our Global FortiGuard Incident Response Team.\r\nYou can also sign up to receive future alerts to stay informed of new and emerging threats.\r\nIOCs\r\nIPs\r\n143.47.53.106\r\n130.51.20.126\r\n199.232.214.172\r\n199.232.210.172\r\nDomains:\r\njw8ndw9ev[.]localto[.]net\r\nl5ugb6qxh[.]localto[.]net\r\nSource: https://www.fortinet.com/blog/threat-research/multilayered-email-attack-how-a-pdf-invoice-and-geofencing-led-to-rat-malware",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.fortinet.com/blog/threat-research/multilayered-email-attack-how-a-pdf-invoice-and-geofencing-led-to-rat-malware"
	],
	"report_names": [
		"multilayered-email-attack-how-a-pdf-invoice-and-geofencing-led-to-rat-malware"
	],
	"threat_actors": [],
	"ts_created_at": 1775434453,
	"ts_updated_at": 1775791254,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e11e02f542d5c81d10e8cbe4784a132603d432c1.pdf",
		"text": "https://archive.orkl.eu/e11e02f542d5c81d10e8cbe4784a132603d432c1.txt",
		"img": "https://archive.orkl.eu/e11e02f542d5c81d10e8cbe4784a132603d432c1.jpg"
	}
}