A sophisticated multilayered email attack campaign has emerged, utilizing weaponized PDF invoices as the initial vector to deliver remote access trojan (RAT) malware across multiple platforms. This cross-platform campaign grants attackers full remote control over compromised systems, enabling command execution, keystroke logging, file access, and webcam/microphone activation. Fortinet researchers identified that the campaign employs advanced evasion strategies, including the abuse of legitimate file-sharing platforms like Dropbox and MediaFire, sophisticated geolocation filtering, and Ngrok tunneling to mask malicious activities.

The attack begins with seemingly legitimate invoice emails that pass SPF validation by exploiting the serviciodecorreo.es email service, which is configured as an authorized sender for various domains. The attackers have clearly conducted prior research to identify vulnerable domains and maximize their chances of bypassing critical security measures.

The multi-stage infection process begins when victims interact with the malicious PDF, which displays a message claiming improper rendering and directs users to click a button that leads to a Dropbox link containing an HTML file named “Fattura” (Italian for “Invoice”). The final payload, disguised with neutral-looking filenames like “FA-43-03-2025.jar,” exploits Java’s cross-platform nature to deliver the RAT malware that establishes persistent remote access for the attackers. Once executed, the malware delivers RATty, a Java-based Remote Access Trojan capable of executing remote commands, logging keystrokes, capturing screenshots, and exfiltrating sensitive data.

The attackers implement a particularly effective geofencing technique that serves different content based on the victim’s location: users accessing from Italy receive the malicious JAR file, while those from other countries see a seemingly legitimate Google Drive document containing a benign invoice from Medinova Health Group. This geofencing approach specifically targets email security systems, which typically perform analysis from generic or cloud-based environments not tied to specific geographic locations. When these security systems access the embedded URLs, they’re redirected to harmless decoy pages rather than malicious content, allowing the attack to remain undetected.

The high-severity threat provides attackers with comprehensive control over infected systems, creating significant risk for affected organizations and highlighting the increasing sophistication of modern malware attack methodologies.
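The lure described above is a PDF whose only job is to carry a link out to a file-sharing or tunnelling host. As an added illustration (not code from the article or from Fortinet), the following Python script pulls every link target out of a PDF attachment and flags the ones that point at the services the campaign is reported to abuse, or directly at a Java archive. The host list, the Ngrok domain suffixes, and the sample PDF bytes are constructed for this example.

```python
"""Static triage of a PDF attachment for outbound link-based lures.

Added example, not tooling from the article or from Fortinet.
"""
import re
from typing import List, Optional, Tuple
from urllib.parse import urlparse

# Hosts the article names as abused in this campaign. A hit is a triage
# signal, not a verdict: plenty of legitimate invoices link to Dropbox.
FILE_SHARING_HOSTS = ("dropbox.com", "mediafire.com")
# Ngrok public tunnel domains (assumption: current at time of writing).
TUNNEL_SUFFIXES = (".ngrok.io", ".ngrok-free.app", ".ngrok.app")

# Link annotations in an uncompressed PDF look like:
#   /A << /S /URI /URI (https://example.com/x) >>
# The target may be a literal string (...) or a hex string <...>.
_URI_LITERAL = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)")
_URI_HEX = re.compile(rb"/URI\s*<([0-9A-Fa-f\s]*)>")


def extract_uris(pdf_bytes: bytes) -> List[str]:
    """Return every /URI target found in the raw PDF bytes.

    Caveat: objects packed into compressed object streams are invisible to a
    byte-level scan; a production pipeline should inflate them first (e.g. with
    pikepdf or pdfminer) and then apply the same matching.
    """
    uris = []
    for m in _URI_LITERAL.finditer(pdf_bytes):
        # Undo the PDF literal-string escapes that can appear inside a URL.
        raw = (m.group(1)
               .replace(rb"\(", b"(")
               .replace(rb"\)", b")")
               .replace(rb"\\", b"\\"))
        uris.append(raw.decode("latin-1"))
    for m in _URI_HEX.finditer(pdf_bytes):
        hexstr = re.sub(rb"\s", b"", m.group(1))
        if len(hexstr) % 2:  # PDF spec: an odd-length hex string is padded with 0
            hexstr += b"0"
        uris.append(bytes.fromhex(hexstr.decode("ascii")).decode("latin-1"))
    return uris


def _host_reason(host: str) -> Optional[str]:
    """Explain why a host is interesting, or None if it is not."""
    host = host.lower().rstrip(".")
    for known in FILE_SHARING_HOSTS:
        if host == known or host.endswith("." + known):
            return f"file-sharing host {known}"
    for suffix in TUNNEL_SUFFIXES:
        if host.endswith(suffix):
            return f"tunnel host {suffix}"
    return None


def triage_pdf(pdf_bytes: bytes) -> List[Tuple[str, str]]:
    """Return (uri, reason) pairs that deserve an analyst's attention."""
    findings = []
    for uri in extract_uris(pdf_bytes):
        parsed = urlparse(uri)
        reason = _host_reason(parsed.hostname or "")
        if reason:
            findings.append((uri, reason))
        if parsed.path.lower().endswith(".jar"):
            findings.append((uri, "direct link to a Java archive"))
    return findings


# Constructed sample: a minimal PDF skeleton with three link annotations.
# The third target is hex-encoded; it decodes to a placeholder Ngrok host
# serving a file named like the article's "FA-43-03-2025.jar".
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Annot /Subtype /Link "
    b"/A << /S /URI /URI (https://www.dropbox.com/s/placeholder/Fattura.html?dl=1) >> >> endobj\n"
    b"2 0 obj << /Type /Annot /Subtype /Link "
    b"/A << /S /URI /URI (https://www.example.com/terms) >> >> endobj\n"
    b"3 0 obj << /Type /Annot /Subtype /Link "
    b"/A << /S /URI /URI <68747470733a2f2f61626364313233342e6e6772"
    b"6f6b2d667265652e6170702f46412d34332d30332d323032352e6a6172> >> >> endobj\n"
    b"%%EOF\n"
)

if __name__ == "__main__":
    for uri, reason in triage_pdf(SAMPLE_PDF):
        print(f"{reason:32s} {uri}")
```

Because the campaign serves the JAR only to requests arriving from Italy, following the link chain from a sandbox that egresses elsewhere shows the decoy and proves nothing; a static check of where the document links to, like the one above, does not depend on egress location and is a cheap first filter before any detonation.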
This Cyber News was published on cybersecuritynews.com. Publication date: Fri, 09 May 2025 11:10:07 +0000