2025-06-16 15:22:58 +02:00

In March 2025, our Managed Threat Detection teams in Belgium identified a malicious infection chain leading to the delivery of a Remote Access Trojan (RAT) impacting one of our clients. Upon further analysis from Orange Cyberdefense CERT, a larger campaign impacting European organizations located in Spain, Portugal, Italy, France, Belgium and the Netherlands was discovered.

The threat actors behind this infection chain cluster rely on invoice-themed phishing for initial access and deliver a .jar file which corresponds to a version of Sorillus RAT.

The campaign was also covered in early May by Fortinet, which dubbed the malware “Ratty RAT”. Sorillus has also been previously detailed by Abnormal AI and eSentire.

Full article: https://www.orangecyberdefense.com/global/blog/cert-news/from-sambaspy-to-sorillus-dancing-through-a-multi-language-phishing-campaign-in-europe