---
title: "Sorillus Remote Access Tool and Phishing Attacks Exploit Google Firebase Hosting Abilities | Phish Protection"
description: "Malicious actors have become more innovative by exploiting Google Firebase Hosting service to launch Sorillus RAT and phishing attacks on unsuspecting networks."
image: "https://phishprotection.com/og/blog/sorillus-remote-access-tool-and-phishing-attacks-exploit-google-firebase-hosting-abilities.png"
canonical: "https://phishprotection.com/blog/sorillus-remote-access-tool-and-phishing-attacks-exploit-google-firebase-hosting-abilities/"
---


![Phish Protection blog post image](https://media.mailhop.org/phishprotection/images/2023/07/office-365-email-protection-1331.jpg) 

Malicious actors have become more innovative by exploiting the Google Firebase Hosting service to launch Sorillus RAT and [phishing attacks](/resources/7-most-common-phishing-attacks-and-learning-to-protect-against-them) on **unsuspecting networks**.

Threat actors keep improving their tactics and strategies through innovation. In one of the most recent incidents, they took advantage of the Google Firebase Hosting service’s features to launch malicious phishing attacks and the [Sorillus Remote Access Tool](https://www.esentire.com/blog/sorillus-rat#:~:text=Sorillus%20is%20a%20Java%2Dbased,target%20machines%20among%20other%20features.) (RAT) to compromise unsuspecting target networks and cause **data privacy violations**.

This hosting scam came to light during a routine check of [eSentire’s](https://www.infosecurity-magazine.com/directory/esentire-1-1/) SOC (Security Operations Center), which revealed **suspicious code** running in a manufacturing customer’s network.

### What Is Sorillus RAT?

_Sorillus is a widely used **Java-based** RAT (Remote Access Tool) compatible with Windows, Mac, and Linux operating systems._ Like other remote access tools, Sorillus can collect system information, execute commands, browse crucial files, and remotely control network servers and other target machines.

[Threat actors](/phishing-awareness/threat-actors-using-malicious-onenote-attachments-to-spread-malware-via-phishing-emails) have been leveraging Sorillus as a helpful tool because of its capabilities to access and **capture data remotely**.

#### The Anatomy of the Phishing and Sorillus RAT Combo

Investigations by eSentire revealed the elaborate methods behind the attack’s execution. Cyber adversaries skillfully combined phishing emails with malicious Java payloads, enticing unsuspecting users into downloading and executing Sorillus RAT. The attackers used Firebase Hosting to smuggle HTML files and distribute their nefarious content, further complicating detection. Understanding the intricacies of this attack is vital to devising robust defense strategies.

### Why Is Sorillus RAT in the News Now?

> “Zero-day phishing URLs have an average lifespan of just 12 hours before they’re added to blocklists. During that window, traditional signature-based filters are blind. Our real-time behavioral analysis catches these threats by pattern, not by signature - which is how we detect attacks that no database has seen yet.” - **Adam Lundrigan**, CTO, DuoCircle

Investigations by the [cybersecurity](/content/cybersecurity-in-a-nutshell) services provider eSentire revealed a Sorillus RAT along with a phishing page delivered to unsuspecting targets using **HTML smuggled files** and malicious links by taking advantage of [Google Firebase Hosting Service](https://firebase.google.com/docs/hosting#:~:text=Firebase%20Hosting%20is%20production%2Dgrade,CDN%20%28content%20delivery%20network%29.).

[Cyber attackers](https://www.dnpindia.in/world/cyber-attackers-target-norwegian-government-websites/272379/) relied on **Firebase’s legitimacy** to deliver Sorillus RAT, which facilitated remote access and compromised data privacy.

![Office 365 email protection](https://media.mailhop.org/phishprotection/images/2023/07/office-365-email-protection-1331.jpg) 

Threat actors leveraged the Google service to obscure **malicious content** and attack unsuspecting networks globally. The [new advisory](https://www.esentire.com/blog/google-firebase-hosting-abused-to-deliver-sorillus-rat-phishing-page) published by eSentire on July 13, 2023, includes more details on how cyber adversaries exploited the Google Firebase Hosting service.

The blog of eSentire details how its **SOC was alerted** regarding [malicious code](https://www.scmagazine.com/news/emerging-technology/ai-package-hallucination-malicious-code-developer-environments) written to an endpoint device’s registry in a manufacturing customer’s network.

#### Data Privacy Violations and Credential Compromises

As a consequence of this attack, data privacy violations escalated, and sensitive network systems fell prey to the Sorillus RAT’s remote access capabilities. Cyber attackers successfully compromised user credentials and other critical information assets, leading to potential financial and reputational damage for affected organizations. The aftermath of this attack serves as a stark reminder of the need for resilient cybersecurity measures.

### How Did the Attack Originate?

A significant percentage of cyberattacks start with **innocuous-looking** [phishing emails](/content/protection-from-phishing/how-to-stop-phishing-emails), and this attack was no different. Malicious actors sent phishing emails, enticing unsuspecting users to click and open a tax-themed file attachment. This attachment looked harmless but contained a malicious Java payload that downloaded and executed the Sorillus RAT on the network system.

The investigation by eSentire brought to light a concealed [phishing kit](https://thehackernews.com/2023/03/microsoft-warns-of-large-scale-use-of.html) that relied heavily on Firebase Hosting. This malicious phishing campaign also used another cloud-based service, Cloudflare, to design an **authentic-looking MS 365 login page**.

_Since these cloud platforms are credible entities, they can bypass automated scanners and security filters._ Therefore, detecting the Sorillus RAT was a challenging task. Cyberattackers made use of this aspect to access network systems using **phishing scams**.
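Because the hosting domain's reputation cannot settle the question, a filter has to inspect the content itself. The following static triage check is an added example (not code from eSentire or Phish Protection) that scores an HTML attachment or landing page for generic HTML-smuggling markers and for links to Firebase Hosting's default domains (`web.app`, `firebaseapp.com`). The marker list, risky extensions, verdict names, and the sample HTML are assumptions constructed for illustration, not indicators from the advisory.

```python
import re
from urllib.parse import urlparse

# Firebase Hosting serves projects from subdomains of these default domains.
FIREBASE_SUFFIXES = (".web.app", ".firebaseapp.com")

# Generic HTML-smuggling markers (heuristics chosen for this example, not
# indicators from the eSentire advisory): decode an embedded blob, wrap it
# as a file object, and expose it to the browser as a download.
MARKERS = {
    "base64_decode": re.compile(r"\batob\s*\("),
    "blob_object": re.compile(r"\bnew\s+Blob\s*\("),
    "object_url": re.compile(r"\bcreateObjectURL\s*\("),
}
LONG_B64 = re.compile(r"[A-Za-z0-9+/]{200,}={0,2}")
DOWNLOAD_NAME = re.compile(r"\bdownload\s*=\s*[\"']([^\"']+)[\"']")
URL_RE = re.compile(r"https?://[^\s\"'<>)]+", re.I)
RISKY_EXT = {"jar", "js", "zip", "iso"}  # assumption: tune to local policy


def firebase_hosts(html):
    """Return sorted Firebase Hosting hostnames referenced in the HTML."""
    hosts = set()
    for url in URL_RE.findall(html):
        try:
            host = (urlparse(url).hostname or "").lower()
        except ValueError:  # malformed URL (e.g. broken IPv6 literal)
            continue
        if host.endswith(FIREBASE_SUFFIXES):
            hosts.add(host)
    return sorted(hosts)


def triage_html(html):
    """Inspect content instead of trusting the hosting domain's reputation."""
    markers = [name for name, rx in MARKERS.items() if rx.search(html)]
    if LONG_B64.search(html):
        markers.append("long_base64")
    names = sorted(set(DOWNLOAD_NAME.findall(html)))
    risky = [n for n in names if n.lower().rsplit(".", 1)[-1] in RISKY_EXT]
    hosts = firebase_hosts(html)
    smuggling = set(MARKERS) <= set(markers)  # all three markers present
    if smuggling and risky:
        verdict = "block"    # a risky file is assembled and saved client-side
    elif smuggling or hosts:
        verdict = "review"   # a trusted host alone is not a clean bill
    else:
        verdict = "pass"
    return {"markers": markers, "download_names": names,
            "firebase_hosts": hosts, "verdict": verdict}


# Constructed sample: harmless base64 ("ABC" repeated), placeholder host/name.
SAMPLE = """<html><body><script>
var d = atob("%s");
var b = new Blob([d], {type: "application/octet-stream"});
var a = document.createElement("a");
a.href = URL.createObjectURL(b);
a.download = "tax_document.jar";
</script>
<a href="https://example-project.web.app/login">View document</a>
</body></html>""" % ("QUJD" * 60)

if __name__ == "__main__":
    print(triage_html(SAMPLE))
```

Legitimate sites also use Firebase Hosting, so a Firebase link on its own only yields `review`; the `block` verdict requires the smuggling markers together with a risky download name.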

#### Strengthening Your Defenses: eSentire’s TRU Recommendations

In the face of sophisticated cyber threats, eSentire’s Threat Response Unit (TRU) offers valuable insights and practical recommendations to fortify network systems. Upgrading phishing protection solutions, updating antivirus signatures, adopting cutting-edge anti-virus and endpoint detection and response (EDR) tools, and exercising caution when handling potentially dangerous files are some of the key strategies recommended by TRU to enhance defenses against such attacks.

### The Outcome of the Attacks

Since these emails with malicious attachments found their way into network systems undetected, the risk of [data privacy violations](https://www.insurancebusinessmag.com/us/news/cyber/data-privacy-violations-are-the-new-cyber-threats-for-insurers-437019.aspx) increased, resulting in network systems compromising user credentials and other critical information assets.

The fact that cyberattackers were able to camouflage their nefarious attempts using Google Firebase Hosting makes it one of the **most fatal** hosting scams.

### Is It Possible to Defend Yourself Against Such Attacks?

Yes. It is possible to safeguard network systems against such attacks. eSentire’s Threat Response Unit (TRU) provides **critical insights** and recommends strategies to defend network systems against such sophisticated [cyberattacks](https://gbhackers.com/google-blocking-employee-internet/).

![Phishing prevention](https://media.mailhop.org/phishprotection/images/2023/07/phishing-prevention-4697.jpg) 

The TRU emphasizes the importance of upgrading [phishing protection](/) solutions and updating antivirus signatures. _It also suggests adopting the latest anti-virus and EDR (endpoint detection and response) tools._ In addition, the TRU recommends **removing unnecessary Java systems** and configuring network systems to approach such potentially dangerous files cautiously.

#### Vigilance and Preparedness in the Face of Cyber Threats

The incident involving Firebase Hosting highlights the ever-evolving landscape of cyber threats. Organizations must remain vigilant and prepared to counter emerging tactics used by malicious actors. Continuous education, proactive defense strategies, and collaboration with experienced cybersecurity providers, such as eSentire, can empower businesses to stay one step ahead and safeguard their valuable assets from cybercriminals’ innovations.

### Final Words

This hosting service cyberattack shows how [malicious actors](/phishing/malicious-actors-exploit-commenting-feature-in-google-docs-to-send-phishing-emails) upgrade their knowledge and use **innovative strategies** to launch cyberattacks. It was clever of them to exploit Google Firebase Hosting service’s ability to obscure malicious content.

While users appreciate Firebase Hosting services for simplifying access to network systems, this attack highlights that they **must not** take threat actors lightly or underestimate their knowledge and capability to exploit Firebase Hosting services to launch malicious phishing attacks.


![Brad Slavin](https://media.mailhop.org/phishprotection/images/authors/brad-slavin.jpg) 

[ Brad Slavin ](/authors/brad-slavin/) 

General Manager

Founder and General Manager of DuoCircle. Product strategy and commercial lead across DuoCircle's 2,000+ customer base.

[LinkedIn Profile →](https://www.linkedin.com/in/bradslavin) 

