
UpCrypter Phishing Campaign Escalates Cyber Threat
Attackers are using targeted phishing to deploy a malware loader known as UpCrypter, giving them long-term control over compromised Windows machines worldwide. The emails pose as voicemail notifications or purchase orders and carry attachments that redirect recipients to highly personalised spoofed sites. Recipients who follow through and download the offered archive are compromised by a multi-stage infection chain that ends with the installation of Remote Access Trojans (RATs).
Fortinet's FortiGuard Labs has tracked the campaign, observing how HTML attachments with names such as "Missed Phone Call" or invoice-themed files redirect users to counterfeit landing pages. These pages display the victim's own domain and company logo to bolster credibility before prompting the download of a ZIP archive containing an obfuscated JavaScript dropper for UpCrypter.
Once the dropper runs, it quietly launches PowerShell commands that contact attacker-controlled servers. It also checks for sandboxes and forensic tools and may force a system reboot if any are found, cutting analysis short.
After these checks, UpCrypter downloads additional payloads, often concealed inside image files through steganography or delivered as plain text intended for in-memory execution. Among the RATs deployed are PureHVNC, DCRat, and Babylon RAT. These tools give the attackers persistent remote access and the ability to spy on victims and exfiltrate data.
Security researchers describe the campaign as dynamic and adaptive. Detection counts have reportedly more than doubled within a fortnight, reflecting rapid spread across manufacturing, healthcare, technology, construction, retail, and hospitality. Geographic hotspots include Austria, Belarus, Canada, Egypt, India, and Pakistan.
This operation marks a notable shift from credential-harvesting phishing to full network infiltration. As J Stephen Kowski, Field CTO at SlashNext Email Security, stresses, "this isn't a one-time data theft; it's a full system breach that can spread quietly inside company networks." Frankie Sclafani, Director of Cybersecurity Enablement at Deepwatch, similarly termed the campaign "a highly sophisticated and dangerous threat", urging adoption of layered defences.
Source: Arabian Post.