Cybercriminals are evolving, and so are their methods. A new multilayered email attack campaign is exploiting the trust users place in invoice communications to distribute Remote Access Trojans (RATs) that work across multiple platforms. With legitimate-looking PDF invoices as bait, attackers are targeting organizations through a sophisticated infection chain designed to evade detection and establish persistent control over victim systems.
This campaign primarily targets Windows environments but also impacts Linux and macOS systems with Java Runtime Environment (JRE) installed, significantly broadening the attack surface. The malicious payload — a Java-based RAT known as RATty — is capable of executing commands, logging keystrokes, accessing files, and even activating webcams and microphones.
How the Attack Works
The campaign begins with emails that appear legitimate and often pass SPF validation. The attackers achieve this by abusing the serviciodecorreo.es email service, whose servers are listed as authorized senders in the SPF records of various domains. Attached to these emails are PDF files disguised as invoices.
When opened, these PDFs don’t display an actual invoice. Instead, they contain instructions urging the recipient to click a button due to a supposed rendering issue. This button leads to a Dropbox link housing an HTML file named “Fattura” (Italian for “Invoice”).
Once users open this HTML file, they encounter a basic human verification page and are then redirected to an ngrok URL, which acts as a gateway for more sophisticated location-based filtering.
A Targeted and Stealthy Infection Chain
The attackers deploy a powerful geofencing mechanism to serve different payloads based on the user’s geolocation. For instance:
- Users in Italy are delivered a malicious .JAR file.
This geographic targeting ensures that automated security scanners — which often operate from cloud-based or non-regional IP addresses — receive benign content, helping the malicious payload evade detection.
Once the victim downloads and executes the .JAR file, the malware installs RATty. This Java-based trojan grants attackers extensive control over the infected system, enabling surveillance, data theft, and lateral movement within networks.
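As an added detection example (not code from the original post or from COE Security), the following Python checks a client's web-proxy requests for the chain described above: an HTML lure fetched from a file-sharing host such as Dropbox, a visit to an ngrok gate page, then a JAR download through the same tunnel. The log format, the ngrok host suffixes and the sample log lines are assumptions made for this example.

```python
"""Flag the invoice-lure chain (share-hosted HTML -> ngrok gate -> JAR) in web-proxy logs.
Log format, ngrok host suffixes and SAMPLE_LOG (constructed) are assumptions for this example."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlparse

SAMPLE_LOG = """\
2024-01-01T09:00:01 10.0.0.5 https://www.dropbox.com/scl/fi/abc123/Fattura.html?dl=1 text/html
2024-01-01T09:00:09 10.0.0.5 https://a1b2c3d4.ngrok-free.app/verify text/html
2024-01-01T09:00:15 10.0.0.5 https://a1b2c3d4.ngrok-free.app/dl/Fattura.jar application/java-archive
2024-01-01T09:05:00 10.0.0.7 https://www.dropbox.com/s/xyz/report.pdf application/pdf
2024-01-01T11:30:00 10.0.0.9 https://a1b2c3d4.ngrok-free.app/verify text/html
"""
NGROK_HOST = re.compile(r"(^|\.)ngrok(-free)?\.(app|io|dev)$")  # assumed tunnel suffixes
SHARE_HOSTS = {"www.dropbox.com", "dropbox.com", "www.mediafire.com", "mediafire.com"}
ORDER = ("share_html", "tunnel_gate", "tunnel_jar")  # stages must appear in this order
WINDOW = timedelta(minutes=10)  # ...and within this span for a single client

def stage(url, ctype):  # map one request to a chain stage name, or None
    parsed = urlparse(url)
    host, path = (parsed.hostname or "").lower(), parsed.path.lower()
    if host in SHARE_HOSTS and path.endswith(".html"):
        return "share_html"       # HTML lure (e.g. "Fattura") fetched from a sharing host
    if NGROK_HOST.search(host):
        if path.endswith(".jar") or ctype == "application/java-archive":
            return "tunnel_jar"   # Java payload delivered through the tunnel
        return "tunnel_gate"      # verification / geofencing gate page

def parse_log(text):  # -> (timestamp, client_ip, url, content_type) tuples, oldest first
    rows = [line.split() for line in text.splitlines() if line.strip()]
    return sorted((datetime.fromisoformat(ts), ip, url, ct) for ts, ip, url, ct in rows)

def find_chains(events):  # client IPs that complete every stage in ORDER within WINDOW
    per_client = defaultdict(list)
    for ts, ip, url, ctype in events:
        s = stage(url, ctype)
        if s:
            per_client[ip].append((ts, s))
    hits = []
    for ip, seq in per_client.items():
        times, t = [], datetime.min
        for name in ORDER:  # earliest occurrence of each stage, each no earlier than the last
            t = next((ts for ts, s in seq if s == name and ts >= t), None)
            if t is None:
                break
            times.append(t)
        if len(times) == len(ORDER) and times[-1] - times[0] <= WINDOW:
            hits.append(ip)
    return hits
```

On the sample data only 10.0.0.5 completes the chain; a lone hit on the gate page (10.0.0.9) or a PDF fetched from Dropbox (10.0.0.7) is not flagged, which keeps the rule focused on the full sequence rather than on any single Dropbox or ngrok request.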
Why This Matters
The campaign is a textbook example of how threat actors blend social engineering with technical sophistication. They manipulate urgency through false invoice claims, leverage trusted file-sharing platforms like Dropbox and MediaFire, and hide behind cloud tunneling and geofencing to bypass even the most advanced security tools.
This approach isn’t just technically impressive — it’s dangerous. Organizations in industries such as financial services, healthcare, retail, manufacturing, and government are particularly vulnerable, given their heavy reliance on invoice-based workflows and diverse IT environments.
Conclusion
The evolving nature of this threat reinforces the critical importance of proactive cybersecurity measures. Traditional perimeter defenses and signature-based detection are no longer sufficient. Organizations must embrace multilayered security strategies that include behavioral analysis, email security awareness, and robust endpoint monitoring.
At COE Security, we help businesses across critical sectors fortify their defenses against such advanced threats. From real-time monitoring to secure AI integration, our cybersecurity solutions are designed to not only detect but also prevent sophisticated attacks like this one.
About COE Security
COE Security partners with organizations in financial services, healthcare, retail, manufacturing, and government to secure AI-powered systems and ensure compliance. Our offerings include:
- AI-enhanced threat detection and real-time monitoring
- Data governance aligned with GDPR, HIPAA, and PCI DSS
- Secure model validation to guard against adversarial attacks
- Customized training to embed AI security best practices
- Penetration Testing (Mobile, Web, AI, Product, IoT, Network & Cloud)
- Secure Software Development Consulting (SSDLC)
Through our work, we help organizations detect and neutralize complex threats like Java-based RATs, improve email security awareness, implement secure development life cycles, and remain fully compliant with critical cybersecurity standards.