Multilayered Email Attack: How a PDF Invoice and Geo-Fencing Led to RAT Malware

    Date: 05/09/2025

    Severity: High 

    Summary

    The IR team recently identified an email campaign distributing a Remote Access Trojan (RAT) to organizations in Spain, Italy, and Portugal. The messages are sent through the serviciodecorreo email service, which is authorized to send mail for multiple domains, so they pass SPF checks; an SPF pass only confirms that the sending infrastructure is permitted to send for the envelope sender domain, not that the displayed sender is legitimate. The attackers layer further evasion on top of this: they host the payload on legitimate file-sharing platforms, apply geolocation filters so that the malicious content is served only to visitors in the targeted regions, and route their traffic through Ngrok tunnels to hide the real location of their infrastructure. Together these techniques obscure the campaign's origin and let the RATty malware reach its victims.
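    The SPF point above is the one to verify before trusting such an invoice mail. SPF is evaluated against the envelope MAIL FROM (smtp.mailfrom) domain, so a message relayed through a third-party sending service that is authorized for its own domain passes SPF while the From: header shows a different domain; DMARC calls that an alignment failure. The following Python script is an added example, not code from this advisory or from Fortinet: it parses constructed From: and Authentication-Results headers (two sample messages invented for this illustration, using example-* domains) and reports whether the SPF pass actually vouches for the displayed sender. The organizational-domain helper is a deliberate simplification (last two labels instead of the Public Suffix List).

```python
"""Does an SPF pass vouch for the displayed From: domain? (added example)

SPF is checked against the envelope MAIL FROM domain.  A relay that is
authorized for its own domain therefore passes SPF even when the From:
header names someone else.  Checking alignment between the two domains
is what separates a meaningful pass from a meaningless one.
"""
import email
import re
from email.utils import parseaddr

# Constructed sample headers (not real mail).  MSG_A mimics the campaign
# pattern: SPF passes for the relay's domain, not for the From: domain.
MSG_A = """From: "Facturacion" <facturas@example-supplier.es>
Return-Path: <bounce@mail.example-relay.net>
Authentication-Results: mx.example.com;
 spf=pass (sender IP is 192.0.2.10) smtp.mailfrom=mail.example-relay.net;
 dkim=none; dmarc=fail (p=none) header.from=example-supplier.es
Subject: Factura 2025-0915

Adjunto factura.
"""

# MSG_B is the aligned case: the relay sends for the same organization.
MSG_B = """From: "Billing" <billing@example-supplier.es>
Return-Path: <bounce@mail.example-supplier.es>
Authentication-Results: mx.example.com;
 spf=pass smtp.mailfrom=mail.example-supplier.es;
 dkim=pass header.d=example-supplier.es; dmarc=pass header.from=example-supplier.es
Subject: Invoice

Attached.
"""


def org_domain(host: str) -> str:
    """Approximate organizational domain: last two labels.
    Assumption/simplification; production code uses the Public Suffix List."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def assess_message(raw: str) -> dict:
    """Extract SPF result, envelope domain and From: domain, then check
    DMARC-style relaxed alignment between the two domains."""
    msg = email.message_from_string(raw)
    _, from_addr = parseaddr(msg.get("From", ""))
    from_domain = from_addr.rpartition("@")[2].lower()

    # Unfold the Authentication-Results header before matching on it.
    auth = re.sub(r"\s+", " ", msg.get("Authentication-Results", ""))
    spf = re.search(r"\bspf=(\w+)", auth)
    mailfrom = re.search(r"smtp\.mailfrom=([^\s;]+)", auth)
    # smtp.mailfrom may be a full address or a bare domain; keep the domain.
    mailfrom_domain = (mailfrom.group(1) if mailfrom else "").rpartition("@")[2].lower()
    spf_result = spf.group(1).lower() if spf else "none"

    aligned = bool(from_domain) and org_domain(mailfrom_domain) == org_domain(from_domain)
    if spf_result != "pass":
        verdict = "spf not passing"
    elif aligned:
        verdict = "spf pass vouches for From domain"
    else:
        verdict = "spf pass does not vouch for From domain"
    return {
        "from_domain": from_domain,
        "mailfrom_domain": mailfrom_domain,
        "spf": spf_result,
        "spf_aligned": aligned,
        "verdict": verdict,
    }


if __name__ == "__main__":
    for name, raw in (("MSG_A", MSG_A), ("MSG_B", MSG_B)):
        print(name, assess_message(raw))
```

    A gateway that only filters on `spf=pass` would accept MSG_A; the alignment check is what flags it for closer inspection of the attachment and links.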

    Indicators of Compromise (IOC) List

    Domains / URLs:

    jw8ndw9ev.localto.net

    l5ugb6qxh.localto.net

    IP addresses:

    143.47.53.106

    130.51.20.126

    199.232.214.172

    199.232.210.172

    Hashes (SHA-256):

    a1c2861a68b2a4d62b6fbfc7534f498cefe5f92f720466d24ae1b66ebc9f5731

    d20d14792c91107f53318ff7df83b9cd98acd3c394959a74e72278682822b600

    9184ff2cdd05fcaf111db23123479c845b2ece2fedccc2524b2de592f9980876

    5f897fec78e2fd812eb3bc451222e64480a9d5bc97b746cc0468698a63470880

    6153c80b17cb990caad1d80cac72c867d4ecfa1a84b7ab286b7373cd4168794e

    469b8911fd1ae2ded8532a50e9e66b8d54820c18ccdba49d7a38850d6af54475

    af8b6ac45918bc87d2a164fae888dab6e623327cba7c2409e4d0ef1dde8d1793

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection 

    Domains / URLs:

    domainname like "jw8ndw9ev.localto.net" or url like "jw8ndw9ev.localto.net" or siteurl like "jw8ndw9ev.localto.net" or domainname like "l5ugb6qxh.localto.net" or url like "l5ugb6qxh.localto.net" or siteurl like "l5ugb6qxh.localto.net"

    IP addresses:

    dstipaddress IN ("130.51.20.126","143.47.53.106","199.232.214.172","199.232.210.172") or srcipaddress IN ("130.51.20.126","143.47.53.106","199.232.214.172","199.232.210.172")

    Hashes (SHA-256):

    sha256hash IN ("9184ff2cdd05fcaf111db23123479c845b2ece2fedccc2524b2de592f9980876","5f897fec78e2fd812eb3bc451222e64480a9d5bc97b746cc0468698a63470880","a1c2861a68b2a4d62b6fbfc7534f498cefe5f92f720466d24ae1b66ebc9f5731","af8b6ac45918bc87d2a164fae888dab6e623327cba7c2409e4d0ef1dde8d1793","d20d14792c91107f53318ff7df83b9cd98acd3c394959a74e72278682822b600","6153c80b17cb990caad1d80cac72c867d4ecfa1a84b7ab286b7373cd4168794e","469b8911fd1ae2ded8532a50e9e66b8d54820c18ccdba49d7a38850d6af54475")
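    The queries above are written in Gurucul TDIR syntax. To run the same sweep offline against exported logs, here is an added Python example that is not part of the advisory and not Gurucul product code: it loads the IOCs listed on this page, parses a few constructed key=value log lines (DNS, firewall, proxy and EDR hash records invented for the illustration) and reports which lines and which internal sources touched an indicator. It goes one step beyond the page's exact indicators by also flagging any other localto.net subdomain as a hunting lead, on the assumption that the two listed hostnames are throwaway subdomains of a tunneling service; that broader match is an assumption, not an IOC from the advisory.

```python
"""Sweep exported logs for the IOCs in this advisory (added example)."""
import re
from typing import Dict, List
from urllib.parse import urlsplit

# Indicators as listed in the advisory.
IOC_DOMAINS = {"jw8ndw9ev.localto.net", "l5ugb6qxh.localto.net"}
IOC_IPS = {"143.47.53.106", "130.51.20.126",
           "199.232.214.172", "199.232.210.172"}
IOC_SHA256 = {
    "a1c2861a68b2a4d62b6fbfc7534f498cefe5f92f720466d24ae1b66ebc9f5731",
    "d20d14792c91107f53318ff7df83b9cd98acd3c394959a74e72278682822b600",
    "9184ff2cdd05fcaf111db23123479c845b2ece2fedccc2524b2de592f9980876",
    "5f897fec78e2fd812eb3bc451222e64480a9d5bc97b746cc0468698a63470880",
    "6153c80b17cb990caad1d80cac72c867d4ecfa1a84b7ab286b7373cd4168794e",
    "469b8911fd1ae2ded8532a50e9e66b8d54820c18ccdba49d7a38850d6af54475",
    "af8b6ac45918bc87d2a164fae888dab6e623327cba7c2409e4d0ef1dde8d1793",
}
# Assumption (hunting heuristic, not an advisory IOC): the listed hostnames
# look like throwaway subdomains of a tunneling service, so any other
# subdomain of the same service is worth triage.
TUNNEL_SUFFIXES = (".localto.net",)

# Constructed log lines in a key=value style; not real telemetry.
SAMPLE_LOGS = """\
2025-09-05T10:12:03Z type=dns src=10.0.0.15 query=jw8ndw9ev.localto.net
2025-09-05T10:12:04Z type=fw src=10.0.0.15 dst=143.47.53.106 dport=443 action=allow
2025-09-05T10:12:09Z type=proxy src=10.0.0.15 url=https://zz1aa2bb3.localto.net/download
2025-09-05T10:13:40Z type=edr src=10.0.0.15 sha256=A1C2861A68B2A4D62B6FBFC7534F498CEFE5F92F720466D24AE1B66EBC9F5731
2025-09-05T10:15:00Z type=dns src=10.0.0.22 query=www.example.com
2025-09-05T10:15:30Z type=fw src=10.0.0.22 dst=192.0.2.44 dport=443 action=allow
"""


def classify_host(host: str):
    """Exact IOC match first, then the broader tunnel-service heuristic."""
    host = host.lower().rstrip(".")
    if host in IOC_DOMAINS:
        return "ioc_domain"
    if host.endswith(TUNNEL_SUFFIXES):
        return "tunnel_service_domain"  # lead for triage, not a confirmed IOC
    return None


def host_from(value: str) -> str:
    """Accept either a bare hostname or a full URL."""
    return (urlsplit(value).hostname or "") if "://" in value else value


def sweep(log_text: str) -> List[Dict[str, object]]:
    """Return one hit per indicator match, with the internal source host."""
    hits: List[Dict[str, object]] = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        fields = dict(re.findall(r"(\w+)=(\S+)", line))
        src = fields.get("src", "?")
        # Domain / URL fields, mirroring the TDIR query's three field names.
        for key in ("query", "url", "siteurl", "domainname"):
            if key in fields:
                reason = classify_host(host_from(fields[key]))
                if reason:
                    hits.append({"line": lineno, "src": src,
                                 "reason": reason, "indicator": fields[key]})
        # Either direction of a connection can carry the indicator.
        for key in ("src", "dst", "srcipaddress", "dstipaddress"):
            if fields.get(key) in IOC_IPS:
                hits.append({"line": lineno, "src": src,
                             "reason": "ioc_ip", "indicator": fields[key]})
        # Hashes are compared case-insensitively; EDR exports vary.
        digest = fields.get("sha256", "").lower()
        if digest in IOC_SHA256:
            hits.append({"line": lineno, "src": src,
                         "reason": "ioc_hash", "indicator": digest})
    return hits


def hosts_to_triage(hits: List[Dict[str, object]]) -> List[str]:
    """Distinct internal sources that touched any indicator."""
    return sorted({str(h["src"]) for h in hits})


if __name__ == "__main__":
    found = sweep(SAMPLE_LOGS)
    for h in found:
        print(f"line {h['line']:>2}  {h['src']:<12} {h['reason']:<22} {h['indicator']}")
    print("triage:", hosts_to_triage(found))
```

    Point the script at a real export by replacing SAMPLE_LOGS with the file contents; the key=value parser is deliberately loose so that extra fields such as dport or action do not need a schema.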

    Reference:    

    https://www.fortinet.com/blog/threat-research/multilayered-email-attack-how-a-pdf-invoice-and-geofencing-led-to-rat-malware


    Tags

    RATty, Geo-Fencing, RAT, Spain, Italy, Portugal, Malware
