PDF to RAT: Inside a Targeted Email Attack

Summary

Cyble came across security research published by Fortinet detailing a newly discovered email campaign. This campaign distributes a Remote Access Trojan (RAT) called Ratty, specifically targeting organizations in Spain, Italy, and Portugal. It leverages the serviciodecorreo email service, which is authorized to send emails on behalf of multiple domains and therefore passes SPF validation, helping the messages evade basic email security checks.

To further conceal its activity, the campaign uses advanced evasion techniques such as abusing file-sharing platforms, applying geolocation filtering, and employing Ngrok tunnels to obscure the true origin of the attacks and enhance the delivery of the malware.

Figure 1 - The Infection Chain (Source: Fortinet)

Technical Analysis

The attackers in this campaign exploit serviciodecorreo.es, a legitimate Spanish email service, to send emails that appear trustworthy. Since several domains authorize this service and pass SPF (Sender Policy Framework) checks, the emails look legitimate and are more likely to bypass security filters.
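SPF only validates the envelope sender (the Return-Path), so a shared provider authorized by many customer domains can produce an SPF "pass" while the From header the recipient sees belongs to a different domain. The check below, an added example that is not part of the original article or of Fortinet's research, flags that mismatch; the headers and domain names are constructed sample data, not indicators from the campaign.

```python
"""Flag messages whose SPF 'pass' belongs to a shared sending service
rather than to the domain shown in the From header.

Added example, not from the original article: SPF is evaluated against
the envelope sender (Return-Path). When a third-party provider is
authorized by many customer domains, SPF passes for the provider's
domain even though the visible From domain is different. Comparing the
two domains (the alignment idea DMARC relies on) exposes that gap."""
import email
import email.utils
from email import policy

# Constructed sample message; both domains are placeholders.
SAMPLE_RAW = """\
Return-Path: <bounce@sending-service.example>
Received-SPF: pass (mx.example.net: domain of sending-service.example designates 203.0.113.10 as permitted sender) client-ip=203.0.113.10; envelope-from=bounce@sending-service.example;
From: Accounting <fatture@customer-domain.example>
To: victim@example.net
Subject: Fattura 43/2025
Content-Type: text/plain

Please see the attached invoice.
"""


def _domain(addr):
    """Return the lowercased domain part of 'Name <user@host>'."""
    _, address = email.utils.parseaddr(str(addr or ""))
    return address.rpartition("@")[2].lower()


def _aligned(from_domain, envelope_domain):
    """Relaxed alignment: equal, or one is a subdomain of the other."""
    if not from_domain or not envelope_domain:
        return False
    return (from_domain == envelope_domain
            or from_domain.endswith("." + envelope_domain)
            or envelope_domain.endswith("." + from_domain))


def spf_alignment_check(raw):
    """Parse the headers and report whether an SPF pass is unaligned."""
    msg = email.message_from_string(raw, policy=policy.default)
    from_domain = _domain(msg["From"])
    envelope_domain = _domain(msg["Return-Path"])
    received_spf = str(msg.get("Received-SPF", ""))
    # The first token of Received-SPF is the result (pass, fail, ...).
    spf_result = received_spf.split(" ", 1)[0].lower() if received_spf else "none"
    aligned = _aligned(from_domain, envelope_domain)
    return {
        "spf_result": spf_result,
        "from_domain": from_domain,
        "envelope_domain": envelope_domain,
        "aligned": aligned,
        # A pass earned by another domain is the pattern worth reviewing.
        "suspicious": spf_result == "pass" and not aligned,
    }


if __name__ == "__main__":
    print(spf_alignment_check(SAMPLE_RAW))
```

An unaligned pass is not proof of abuse (many legitimate newsletters look the same), but it is the signal a mail gateway should weight more heavily when the message also carries an invoice-themed attachment.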

Figure 2 - Malicious email (Source: Fortinet)

The email includes a PDF attachment claiming to contain invoice details, tricking the recipient into thinking it’s important. When opened, the PDF says the file isn’t displaying correctly and prompts the user to click a button that links to Dropbox, leading to an HTML file named "Fattura" (Italian for "Invoice").

Figure 3 - Fake PDF Lures User to Download Malware (source: Fortinet)

Opening the HTML file starts with a fake “I am not a robot” check. After passing it, the user is shown a button that links to an Ngrok-generated URL. Ngrok, a tunneling service, lets the attackers hide the source of the malware and generate unique, temporary URLs. These URLs behave differently based on the user’s location: if someone accesses them from outside Italy, they are redirected to a harmless Google Drive document, but if they access them from Italy, the link downloads a malicious JAR file.

Figure 4 - Fake CAPTCHA (source: Fortinet)

That JAR file, named FA-43-03-2025.jar, is hosted on MediaFire, a trusted file-sharing platform. Hosting malware on known services like Dropbox, MediaFire, and Google Drive helps the attackers avoid detection.

Figure 5 - Malicious URL Auto-Downloads RAT from MediaFire (source: Fortinet)

The JAR file contains Ratty, a Java-based Remote Access Trojan (RAT). Once executed (assuming Java is installed), Ratty allows the attacker to take control of the victim’s device, executing commands, logging keystrokes, capturing screenshots, and stealing sensitive data. The attackers also sometimes disguise the RAT in MSI (Windows installer) files to make them seem like legitimate software or updates.

To stay under the radar even further, the attackers use geo-based filtering and serve malware only to users in targeted regions, especially Italy, making it harder for global email security systems to detect the malicious behavior.

Figure 6 - Geofencing redirects non-Italian Users to a Safe Page (source: Fortinet)

Recommendations

  • Implement advanced email filtering solutions that can analyze embedded links and attachments for malicious behavior, even when hosted on trusted platforms like Dropbox or Google Drive.

  • Educate employees about phishing and social engineering tactics, especially those involving invoice scams and urgent requests. Regular simulations and training can reduce the likelihood of risky clicks.

  • Block the execution of unverified JAR, MSI, and other executable files using application control policies. Require administrative approval or sandbox analysis for any downloaded files before they are opened.

Conclusion

This campaign demonstrates how attackers combine social engineering, trusted services, and advanced evasion techniques to successfully deliver the Ratty malware. By abusing legitimate platforms like Dropbox, MediaFire, Google Drive, and Ngrok, and implementing geolocation-based filtering, they bypass traditional email security measures.

The use of a realistic invoice and region-specific delivery increases the chances of user interaction. Ultimately, this method enables stealthy malware deployment and data theft in targeted regions.


Written by

FPT Metrodata Indonesia

PT FPT Metrodata Indonesia (FMI) is a joint venture between FPT IS and Metrodata Electronics, focusing on providing Cybersecurity-as-a-Service—including SOC, managed security, professional services, consulting, and threat intelligence—to support Indonesia’s rapidly growing digital economy. FMI is expanding into AI and cloud GPU services to deliver innovative protection and solutions for enterprises. Learn more at https://fmisec.com.