From c523489eae66186736d7933d722317cb95d655d4 Mon Sep 17 00:00:00 2001 From: Mar-Pic Date: Mon, 16 Jun 2025 15:22:58 +0200 Subject: [PATCH] Create README.md --- sorillus/README.md | 7 +++++++ 1 file changed, 7 insertions(+) create mode 100644 sorillus/README.md diff --git a/sorillus/README.md b/sorillus/README.md new file mode 100644 index 0000000..068c9a5 --- /dev/null +++ b/sorillus/README.md @@ -0,0 +1,7 @@ +In March 2025, our Managed Threat Detection teams in Belgium identified a malicious infection chain leading to the delivery of a Remote Access Trojan (RAT) impacting one of our clients. Upon further analysis from Orange Cyberdefense CERT, a larger campaign impacting European organizations located in Spain, Portugal, Italy, France, Belgium and the Netherlands was discovered. + +The threat actors behind this infection chain cluster relies on invoice-themed phishing for initial access and delivers a .jar file which corresponds to a version of Sorillus RAT. + +The campaign was also covered in early May by Fortinet, which dubbed the malware “Ratty RAT”. Sorillus has also been previously detailed by Abnormal AI and eSentire. + +Full article: https://www.orangecyberdefense.com/global/blog/cert-news/from-sambaspy-to-sorillus-dancing-through-a-multi-language-phishing-campaign-in-europe
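Review bot: the new README describes the campaign but never says what the `sorillus/` directory itself holds (indicators, detection rules, samples, or only this summary), so a reader landing in the folder has no way to tell what the repository is offering; the "+In March 2025..." paragraph is a good place to add a one-line statement of the folder's contents and how they relate to the full article linked at the end. Minor grammar on the third added line: "The threat actors behind this infection chain cluster relies on" should read "rely on" (plural subject), and "a .jar file which corresponds to a version of Sorillus RAT" reads more cleanly as "a .jar file corresponding to a version of Sorillus RAT". The "early May" reference to the Fortinet coverage would also benefit from an explicit year, since the README will be read long after the commit date.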