Multilayered email attack: how a PDF invoice and geo-fencing led to RAT malware

Intel Name: Multilayered email attack: how a PDF invoice and geo-fencing led to RAT malware

Date of Scan: May 9, 2025

Impact: High

Summary:
The IR team recently identified a new email campaign distributing a Remote Access Trojan (RAT) and targeting organizations in Spain, Italy, and Portugal. The attackers send through the serviciodecorreo email service, which is authorized for multiple domains, so the messages pass SPF checks. They also employ sophisticated evasion tactics, such as abusing file-sharing platforms, applying geolocation filters, and leveraging Ngrok for secure, obfuscated tunneling. These techniques obscure the campaign's origin and enable the effective delivery of RATty malware.
