Listen to this blog post below


Malicious actors have become more innovative by exploiting Google Firebase Hosting service to launch Sorillus RAT and phishing attacks on unsuspecting networks.

Threat actors always keep improving their tactics and strategies through innovation. In one of the most recent incidents, they have taken advantage of Google Firebase Hosting service’s features by launching malicious phishing attacks and the Sorillus Remote Access Tool (RAT) to compromise unsuspecting target networks and cause data privacy violations.

This hosting scam came to light during a routine check of eSentire’s SOC (Security Operations Center), revealing the running of suspicious code in a manufacturing customer’s network.


What Is Sorillus RAT?

Sorillus is a widely used Java-based RAT (Remote Access Tool) compatible with Windows, Mac, and Linux operating systems. Like other remote access tools, Sorillus can collect system information, execute commands, browse crucial files, and remotely control network servers and other target machines.

Threat actors have been leveraging Sorillus as a helpful tool because of its capabilities to access and capture data remotely.


The Anatomy of the Phishing and Sorillus RAT Combo

Investigations by eSentire revealed the elaborate methods behind the attack’s execution. Cyber adversaries skillfully combined phishing emails with malicious Java payloads, enticing unsuspecting users into downloading and executing Sorillus RAT. The attackers used Firebase Hosting to smuggle HTML files and distribute their nefarious content, further complicating detection. Understanding the intricacies of this attack is vital to devising robust defense strategies.


Why Is Sorillus RAT in the News Now?

Investigations by the cybersecurity services provider eSentire revealed a Sorillus RAT along with a phishing page delivered to unsuspecting targets using HTML smuggled files and malicious links by taking advantage of Google Firebase Hosting Service.

Cyber attackers were smart enough to know about Firebase’s legitimacy to deliver Sorillus RAT, which facilitated remote access and compromised data privacy.


phishing emails

Image sourced from


Threat actors leveraged the Google service to obscure malicious content and attack unsuspecting networks globally. The new advisory published by eSentire on July 13, 2023, includes more details on how cyber adversaries exploited the Google Firebase Hosting service.

The blog of eSentire details how its SOC was alerted regarding malicious code written to an endpoint device’s registry in a manufacturing customer’s network.


Data Privacy Violations and Credential Compromises

As a consequence of this attack, data privacy violations escalated, and sensitive network systems fell prey to the Sorillus RAT’s remote access capabilities. Cyber attackers successfully compromised user credentials and other critical information assets, leading to potential financial and reputational damage for affected organizations. The aftermath of this attack serves as a stark reminder of the need for resilient cybersecurity measures.


How Did the Attack Originate?

A significant percentage of cyberattacks start with innocuous-looking phishing emails, and this attack was no different. Malicious actors sent phishing emails, enticing unsuspecting users to click and open a tax-themed file attachment. This attachment looked harmless but contained a malicious Java payload that downloaded and executed the Sorillus RAT on the network system.

The investigation by eSentire brought to light a concealed phishing kit that relied heavily on Firebase Hosting. This malicious phishing campaign also used another cloud-based service Cloudflare to design an authentic-looking MS 365 login page.

Since these cloud platforms are credible entities, they can bypass automated scanners and security filters. Therefore, detecting the Sorillus RAT was a challenging task. Cyberattackers made use of this aspect to access network systems using phishing scams.


Strengthening Your Defenses: eSentire’s TRU Recommendations

In the face of sophisticated cyber threats, eSentire’s Threat Response Unit (TRU) offers valuable insights and practical recommendations to fortify network systems. Upgrading phishing protection solutions, updating antivirus signatures, adopting cutting-edge anti-virus and endpoint detection and response (EDR) tools, and exercising caution when handling potentially dangerous files are some of the key strategies recommended by TRU to enhance defenses against such attacks.


The Outcome of the Attacks

Since these emails with malicious attachments found their way into network systems undetected, the risk of data privacy violations increased, resulting in network systems compromising user credentials and other critical information assets.



The fact that cyberattackers were able to camouflage their nefarious attempts using Google Firebase Hosting makes it one of the most fatal hosting scams.


Is It Possible to Defend Yourself Against Such Attacks?

Yes. It is possible to safeguard network systems against such attacks. A potent Threat Response Unit (TRU) by eSentire provides critical insights and recommends strategies to defend network systems against such sophisticated cyberattacks.

The TRU emphasizes the importance of upgrading phishing protection solutions and updating antivirus signatures. It also suggests adopting the latest anti-virus and EDR (endpoint detection and response) tools. In addition, the TRU recommends removing unnecessary Java systems and configuring network systems to approach such potentially dangerous files cautiously.


Vigilance and Preparedness in the Face of Cyber Threats

The incident involving Firebase Hosting highlights the ever-evolving landscape of cyber threats. Organizations must remain vigilant and prepared to counter emerging tactics used by malicious actors. Continuous education, proactive defense strategies, and collaboration with experienced cybersecurity providers, such as eSentire, can empower businesses to stay one step ahead and safeguard their valuable assets from cybercriminals’ innovations.


Final Words

This hosting service cyberattack shows how malicious actors upgrade their knowledge and use innovative strategies to launch cyberattacks. It was clever of them to exploit Google Firebase Hosting service’s ability to obscure malicious content.




While users appreciate Firebase Hosting services to simplify access to network systems, this attack highlights that they must not take threat actors lightly and underestimate their knowledge and capability to exploit Firebase Hosting services to launch malicious phishing attacks.