Sorillus RAT
Intelligence Profile
Sorillus is a Java-based multifunctional remote access trojan (RAT) that targets Linux, macOS, and Windows operating systems. First created in 2019, the tool gained significant attention in 2022 when various obfuscated client versions began appearing on VirusTotal starting January 18, 2022. The RAT's features were detailed on its now-defunct website (hxxps://sorillus[.]com), where it was marketed for lifetime access at 59.99€, with a discounted price of 19.99€ at the time. Payments were conveniently accepted via various cryptocurrencies.
The creator and distributor of Sorillus, a YouTube user known as "Tapt," claimed the tool could collect sensitive information from infected systems, including:
HardwareID
Username
Country
Language
Webcam footage
Headless status
Operating system details
Client version
However, Sorillus was shut down in 2025 following the FBI's Operation "Talent," which targeted alot of the Cracking infrastucture which included Sellix, the payment portal used by Sorillus for transactions. This operation disrupted the financial infrastructure supporting the RAT, leading to its cessation of operations 5 days later.
Threat Analysis
Sorillus RAT is a advanced-sophistication threat actor of undetermined national origin, engaged in cyber operations with a primary motivation of espionage.
The group's espionage-oriented operations suggest a state-sponsored or state-aligned mandate, typically focused on stealing intellectual property, government secrets, or military intelligence. Targets are usually selected for strategic value rather than financial gain.
Classified as an advanced threat actor, Sorillus RAT likely develops or acquires zero-day exploits, employs custom malware toolchains, and demonstrates long-term persistence capabilities — hallmarks of a well-resourced operation consistent with nation-state backing.