{
	"id": "876515de-3603-406a-8d27-5c4b10fffa2d",
	"created_at": "2026-04-06T00:15:57.223628Z",
	"updated_at": "2026-04-10T03:21:04.852224Z",
	"deleted_at": null,
	"sha1_hash": "e8b918c91e430282129ade8862fb385ceeef004c",
	"title": "New STRRAT RAT Phishing Campaign | FortiGuard Labs",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 622883,
	"plain_text": "New STRRAT RAT Phishing Campaign | FortiGuard Labs\r\nBy James Slaughter\r\nPublished: 2022-01-20 · Archived: 2026-04-05 17:28:22 UTC\r\nShipping is an indispensable part of modern life. It is the lifeblood of the global economy, with numerous large\r\ncompanies (and their equally large container ships) perpetually moving goods from one corner of the earth to the\r\nother to provide consumers and industries with the necessities of life.\r\nDue to the critical importance of shipping and receiving goods to most organizations, threat actors often use\r\nshipping as a lure for phishing emails—such as false invoices, changes in shipping delivery, or notices related to a\r\nfictitious purchase—to entice recipients into opening malicious attachments and inadvertently downloading\r\nmalware.\r\nFortiGuard Labs recently came across an example of such an email which was subsequently found to harbor a\r\nvariant of the STRRAT malware as an attachment.\r\nThis blog will detail the deconstruction of the phishing email and its malicious payload.\r\nAffected Platforms: Windows\r\nImpacted Users: Windows users\r\nImpact: Collects sensitive information from the compromised endpoint\r\nSeverity Level: Medium\r\nExamining the phishing email\r\nSTRRAT is a multi-capability Remote Access Trojan that dates to at least mid-2020. Unusually, it is Java-based\r\nand is typically delivered via phishing email to victims.\r\nLike most phishing attacks, previous STRRAT campaigns have used an intermediate dropper (e.g., a malicious\r\nExcel macro) attached to the email that downloads the final payload when opened. This sample dispenses with\r\nthat tactic and instead attaches the final payload directly to the phishing email.\r\nFigure 1. Spoofed email sender and subject\r\nAs Figure 1 shows, this sample is clearly not from Maersk Shipping. The threat actors are hoping that recipients\r\ndo not look too closely. 
Digging into the email headers further, the full trail of where the email has come from\r\nbecomes apparent:\r\nhttps://www.fortinet.com/blog/threat-research/new-strrat-rat-phishing-campaign\r\nPage 1 of 9\n\nFigure 2. Email headers\r\nAfter departing the sender’s local infrastructure, the message eventually routes through “acalpulps[.]com” before\r\nbeing delivered to the final recipient. This domain was only registered in August 2021, making the domain\r\nsomewhat suspicious. Additionally, the domain used in the “Reply-To” address, “ftqplc[.]in”, was also recently\r\nregistered (October 2021), making it also highly suspect.\r\nThe email body encourages the recipient to open attachments about a scheduled shipment.\r\nFigure 3. Email body\r\nAs of the publish date of this blog, the domain “v[.]al” included in the body of the letter does not resolve. \r\nFigure 4. Email attachments\r\nAttached directly to the sample email are a PNG image and two Zip archives. “maersk.png” is just an image file,\r\nas shown in Figure 4. The two Zip archives, “SHIPMENT_DOCUMENTS_INV-PLIST01256_BL PDF[.]zip” and\r\n“SHIPMENT_DOCUMENTS_INV-PLIST01256_BL PDF (2)[.]zip”, however, contain an embedded copy of\r\nSTRRAT.\r\nExamining the STRRAT attachment\r\n“SHIPMENT_DOCUMENTS_INV-PLIST01256_BL PDF[.]zip” and “SHIPMENT_DOCUMENTS_INV-PLIST01256_BL PDF (2)[.]zip” are identical files, as can be seen through their respective SHA256 hash values.\r\nFigure 5. SHA256 hash of “SHIPMENT_DOCUMENTS_INV-PLIST01256_BL PDF[.]zip”\r\nFigure 6. SHA256 hash of “SHIPMENT_DOCUMENTS_INV-PLIST01256_BL PDF (2)[.]zip”\r\nUnzipping one of these archives presents the file “SHIPMENT_DOCUMENTS_INV-PLIST01256_BL\r\nPDF[.]jar”. However, upon opening the file in Jar Explorer, a few things become immediately apparent.\r\nFigure 7. 
Initial view of “SHIPMENT_DOCUMENTS_INV-PLIST01256_BL PDF[.]jar” in Jar Explorer\r\nFirstly, a large number of Java class files are part of this package. Secondly, the class “FirstRun” strings appear to\r\nbe scrambled or encoded. Lines that are appended with “ALLATORIxDEMO” indicate the presence of the\r\nAllatori Java Obfuscator.\r\nThis can be validated by attempting to execute the jar file.\r\nFigure 8. Splash screen shown when attempting to execute “SHIPMENT_DOCUMENTS_INV-PLIST01256_BL\r\nPDF[.]jar”\r\nConfirming that this has been obfuscated using Allatori helps in the analysis process as open-source tools are\r\navailable that can roll this back and reveal the actual content inside the jar file. Java Deobfuscator\r\n(https://github.com/java-deobfuscator/deobfuscator) works particularly well against Allatori and successfully\r\nrestores the original string content, as shown below.\r\nFigure 9. The same view of class “FirstRun” now deobfuscated\r\nIndependently encoded from the class files in STRRAT is the configuration file (config.txt). On first view, it is\r\nbase 64 encoded, as shown in Figure 10.\r\nFigure 10. Base 64 encoded “config.txt”\r\nWhen decoded, the file is unfortunately still scrambled.\r\nFigure 11. “Decoded” configuration file\r\nBy searching the code for “config.txt,” we can see that the configuration file was encrypted using AES and uses\r\nthe passphrase of “strigoi.” Decrypting the config file now becomes possible.\r\nFigure 12. Decrypted configuration file\r\nThe final item in the line in Figure 12 was of particular interest, as this sample appeared during the height of the\r\nLog4Shell event. 
Khonsari was the name of a ransomware variant taking advantage of that particular vulnerability.\r\nHere, though, the word functions as a software key, and there is no evidence of any link between the two pieces of\r\nmalware.\r\nMost malware strains have a requirement to maintain persistence across reboots and sessions so they can complete\r\ntasks they’ve been set. STRRAT accomplishes this by copying itself into a new directory and then adding entries\r\nto the Windows registry to run at system startup.\r\nFigure 13. Code to modify the registry\r\nFigure 14. Modified registry\r\nSTRRAT queries the host to determine its architecture and anti-virus capability on startup. It also queries running\r\nprocesses, local storage, and network capability.\r\nIn terms of capabilities, STRRAT can log keystrokes and maintain an HTML-based log to store items of interest.\r\nFigure 15. Code to create the keyboard log file\r\nFigure 16. Keyboard log file ready to be populated\r\nSTRRAT can also facilitate the remote control of an infected system by dropping HRDP – a remote access tool.\r\nFigure 17. HRDP\r\nAdditional capabilities include siphoning passwords from browsers, such as Chrome, Firefox, and Microsoft\r\nEdge, and email clients, like Outlook, Thunderbird, and Foxmail.\r\nOne of the more curious modules present in STRRAT is its pseudo-ransomware ability.\r\nFigure 18. Pseudo-ransomware module\r\nThe code cycles through files in the user’s home directories and appends a file extension of “.crimson” to them.\r\nNo encryption of the files is undertaken, making this only suitable as a decoy or perhaps as a scare tactic against\r\nless savvy users. 
A ransom note template was not found in the code.\r\nOn the network side of things, we see STRRAT looking to reach out and pull down several Java dependencies\r\nupon startup.\r\nFigure 19. Java dependencies\r\nAs shown in Figure 12, this sample is using IP address 198[.]27.77.242 for C2 (Command and Control).\r\nExamining that traffic in Wireshark shows STRRAT being exceptionally noisy. This is likely due to the C2\r\nchannel being offline at the time of the investigation. In its effort to obtain further instructions, the sample\r\nattempts to communicate over port 1780 and 1788 at one-second intervals, if not more in some instances.\r\nFigure 20. Attempted C2 communication as shown in Wireshark\r\nFigure 12 also shows a URL containing the domain “jbfrost[.]live”. This appears to be part of the C2\r\ninfrastructure for the malware but does not appear to be used (at least not at this time). The domain does not\r\nresolve currently. \r\nConclusion\r\nThreat actors expend an enormous amount of effort to craft campaigns that take advantage of the basic day-to-day\r\noperations of companies. This includes the intake of raw materials and the output of finished goods via shipping\r\nand transportation networks. Threats of this nature are only set to increase in the coming months and years and\r\norganizations need to be on guard for attempts to subvert their operations in this manner. \r\nThis campaign is one such attempt. 
STRRAT doesn’t garner as much attention as some of the more widely seen\r\ntrojans in the malware ecosystem, but it is a capable and resilient threat where encountered.\r\nFortinet Protections and Mitigations\r\nFortiGuard Labs provides the following AV coverage against the files used in this attack:\r\nJava/Agent.X!tr\r\nFortiMail protects Fortinet customers by blocking phishing emails and applying FortiGuard’s Web Filtering,\r\nAntiVirus, and CDR (content disarm and reconstruction) technologies.\r\nAll network IOCs are blocked by the WebFiltering client.\r\nFortiEDR detects the malicious files based on reputation and behavior.\r\nIOCs\r\nE-mail Addresses\r\nshipping@acalpulps.com\r\nexports@ftqplc.in\r\nTrojan\r\nSHA256 Hash\r\n409ad1b62b478477ce945791e15e06b508e5bb156c4981263946cc232df89996\r\n(SHIPMENT_DOCUMENTS_INV-PLIST01256_BL PDF[.]zip)\r\n3380d42b418582b6f23cfd749f3f0851d9bffc66b51b338885f8aa7559479054 (SHIPMENT_DOCUMENTS_INV-PLIST01256_BL PDF[.]jar)\r\nURL\r\nhXXp://jbfrost[.]live/strigoi/server/?hwid=1\u0026lid=m\u0026ht=5\r\nIP Address\r\n198[.]27.77.242 (C2)\r\nLearn more about Fortinet’s FortiGuard Labs threat research and intelligence organization and the FortiGuard\r\nSecurity Subscriptions and Services portfolio.\r\nSource: https://www.fortinet.com/blog/threat-research/new-strrat-rat-phishing-campaign",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.fortinet.com/blog/threat-research/new-strrat-rat-phishing-campaign"
	],
	"report_names": [
		"new-strrat-rat-phishing-campaign"
	],
	"threat_actors": [],
	"ts_created_at": 1775434557,
	"ts_updated_at": 1775791264,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e8b918c91e430282129ade8862fb385ceeef004c.pdf",
		"text": "https://archive.orkl.eu/e8b918c91e430282129ade8862fb385ceeef004c.txt",
		"img": "https://archive.orkl.eu/e8b918c91e430282129ade8862fb385ceeef004c.jpg"
	}
}