Cybersecurity experts are sounding the alarm over a notable increase in phishing emails specifically targeting Microsoft Windows devices. According to Fortinet’s FortiGuard Labs, this uptick is linked to UpCrypter, a sophisticated loader that facilitates the installation of various remote access tools (RATs), allowing cybercriminals to maintain long-term access to compromised systems.
The phishing emails cleverly masquerade as missed voicemails or purchase orders, luring unsuspecting victims into clicking on attachments. Those who engage with these emails are redirected to convincingly designed counterfeit websites, often adorned with familiar company logos to foster a sense of trust.
Fortinet reports that these deceptive pages encourage users to download a ZIP file containing a JavaScript dropper, artfully disguised to evade detection. Upon execution, this script initiates PowerShell commands that connect to servers controlled by the attackers, marking the beginning of a more extensive malware deployment.
UpCrypter’s role in the attack chain
Once activated, UpCrypter conducts a thorough scan of the system to determine if it is under scrutiny by security analysts or forensic tools. If any monitoring is detected, the loader triggers a reboot to disrupt the investigation. In the absence of such obstacles, the malware advances to download and execute additional payloads.
Attackers often employ steganography to conceal these files within images, a tactic that significantly enhances their chances of evading antivirus detection. The final malware payloads include:
- PureHVNC: This tool provides hidden remote desktop access.
- DCRat (DarkCrystal RAT): A multifunctional tool designed for spying and data theft.
- Babylon RAT: This malware grants attackers complete control over the infected device.
Fortinet researchers have observed that attackers utilize a variety of techniques to obscure malicious code, including string obfuscation, modifying registry settings for persistence, and executing code in-memory to avoid leaving traces on the disk.
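The delivery chain described above (a ZIP attachment carrying a JavaScript dropper, the script host launching PowerShell to fetch the next stage, and registry changes for persistence) maps directly onto telemetry a defender already collects. The following is an added example, not code from Fortinet or the article, showing how that chain can be triaged: it inspects a ZIP attachment for script files without executing anything, then runs a small rule set over constructed process-creation and registry events. The key=value log schema, host names, file names, and registry value names are all constructed for the example; only the general techniques (script host spawning PowerShell with download or encoded-command traits, Run-key writes by scripting processes) are taken from the article.

```python
import io
import os
import re
import zipfile
from typing import Dict, List, Optional, Tuple

# Script file types that lure ZIPs typically carry (the article names a JavaScript dropper).
SCRIPT_EXTENSIONS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta"}
# Windows script hosts that execute such files.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
# Command-line traits of a download-and-run stage: download cradles, encoded or hidden invocation.
SUSPICIOUS_PS = re.compile(
    r"(-e(nc|ncodedcommand)?\s|-w(indowstyle)?\s+hidden|downloadstring|downloadfile|"
    r"invoke-webrequest|\biwr\b|net\.webclient|invoke-expression|\biex\b)",
    re.I,
)
# Autostart locations commonly used for registry persistence (matched case-insensitively).
RUN_KEYS = ("\\currentversion\\run", "\\currentversion\\runonce")


def build_sample_zip() -> bytes:
    """Construct an in-memory ZIP shaped like the lure attachment: one .js plus a text file.
    The content is a placeholder; no dropper code is involved."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Voicemail_Message.js", "// constructed placeholder, not a dropper\n")
        zf.writestr("readme.txt", "constructed placeholder\n")
    return buf.getvalue()


def zip_script_members(zip_bytes: bytes) -> List[str]:
    """List script files inside a ZIP attachment by reading the archive index, never executing it."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [n for n in zf.namelist() if os.path.splitext(n.lower())[1] in SCRIPT_EXTENSIONS]


# Constructed process-creation and registry events in a hypothetical key=value log schema.
SAMPLE_EVENTS = r'''
type=process ts=2025-08-12T09:14:03Z host=WS-017 parent=explorer.exe image=wscript.exe cmdline="wscript.exe C:\Users\u\Downloads\Voicemail_Message.js"
type=process ts=2025-08-12T09:14:05Z host=WS-017 parent=wscript.exe image=powershell.exe cmdline="powershell.exe -nop -w hidden -enc BASE64_PLACEHOLDER"
type=process ts=2025-08-12T09:20:11Z host=WS-017 parent=explorer.exe image=powershell.exe cmdline="powershell.exe -File C:\Scripts\backup.ps1"
type=process ts=2025-08-12T09:21:40Z host=WS-022 parent=cscript.exe image=powershell.exe cmdline="powershell.exe -Command Get-Date"
type=registry ts=2025-08-12T09:14:09Z host=WS-017 image=powershell.exe key=HKCU\Software\Microsoft\Windows\CurrentVersion\Run value=Updater
type=registry ts=2025-08-12T09:30:00Z host=WS-017 image=msiexec.exe key=HKLM\Software\Microsoft\Windows\CurrentVersion\Run value=VendorAgent
'''

FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_event(line: str) -> Dict[str, str]:
    """Parse one key=value line; quoted values keep their spaces."""
    return {k: v.strip('"') for k, v in FIELD.findall(line)}


def classify(event: Dict[str, str]) -> Optional[Tuple[str, str]]:
    """Return (severity, reason) when an event matches a stage of the delivery chain, else None."""
    image = event.get("image", "").lower()
    parent = event.get("parent", "").lower()
    if event.get("type") == "process" and parent in SCRIPT_HOSTS and image in POWERSHELL:
        # Stage 2: the dropper script hands off to PowerShell.
        if SUSPICIOUS_PS.search(event.get("cmdline", "")):
            return ("high", "script host spawned PowerShell with download/encoded/hidden traits")
        return ("medium", "script host spawned PowerShell")
    if event.get("type") == "registry" and image in POWERSHELL | SCRIPT_HOSTS:
        # Persistence: a scripting process writing an autostart entry.
        if any(k in event.get("key", "").lower() for k in RUN_KEYS):
            return ("high", "Run-key persistence written by a scripting process")
    return None


def triage(log_text: str) -> List[Dict[str, Optional[str]]]:
    """Run classify() over every event line and return the flagged ones with severity and reason."""
    flagged = []
    for line in log_text.strip().splitlines():
        ev = parse_event(line)
        hit = classify(ev)
        if hit:
            flagged.append({"ts": ev.get("ts"), "host": ev.get("host"),
                            "severity": hit[0], "reason": hit[1]})
    return flagged


if __name__ == "__main__":
    print("script files in attachment:", zip_script_members(build_sample_zip()))
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

On the sample data this flags the wscript-to-PowerShell hand-off with a hidden window and encoded command as high, a plain cscript-to-PowerShell launch as medium, and the Run-key write by PowerShell as high, while the scheduled backup script started from explorer.exe and the installer's own Run-key entry pass untouched. The medium tier exists because script hosts launching PowerShell is rare but not always malicious in managed environments; tuning it against a baseline of known administrative scripts is the usual next step.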
This phishing campaign, which has been active since early August 2025, has demonstrated a broad international reach, with significant activity reported in countries such as Austria, Belarus, Canada, Egypt, India, and Pakistan. The sectors most affected include manufacturing, technology, healthcare, construction, and retail/hospitality. Alarmingly, detections of this malware have doubled within just two weeks, highlighting the rapid escalation of this operation.
Beyond merely stealing usernames and passwords, this attack orchestrates a complex chain of malware designed to remain stealthy within corporate environments for extended durations. As Fortinet emphasizes, organizations must take this threat seriously, implement robust email filtering systems, and ensure that employees are well-trained to recognize and avoid such attacks.
For further insights, explore our comprehensive analysis of Check Point’s report on the rising tide of cyberattacks and strategies for safeguarding against these evolving security challenges.