Malicious Campaign Uses UpCrypter to Install Remote Control Software
A global phishing campaign, recently identified by cybersecurity researchers, is causing concern among organisations worldwide. This is not a simple attempt to steal email credentials, but rather a sophisticated attack chain that installs malware within corporate environments.
The operation employs a custom loader called UpCrypter, which is actively maintained by its developer and plays a central role in the campaign. Victims are lured into downloading a ZIP archive containing an obfuscated JavaScript file that runs PowerShell commands crafted to evade detection tools.
Once its environment checks pass, UpCrypter downloads additional components, executes them in memory, and establishes persistence by altering registry keys. The final observed payloads include PureHVNC, DCRat, and Babylon RAT, giving attackers capabilities such as keylogging, file theft, and full remote control of the target's machine.
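The delivery chain described above (archive, script host, PowerShell, registry autostart) leaves a recognisable trail in endpoint telemetry. The following triage script is an added example for defenders, not code from the original report or from FortiGuard Labs: it runs a few rules over constructed Sysmon-style process and registry events and flags hosts where the whole sequence appears. The event shape, the autostart location shown, the encoded-command placeholder and the abbreviated PowerShell switches it accepts are assumptions; the page does not name the registry keys UpCrypter alters.

```python
import re
from collections import defaultdict

# Process names involved in the chain: a script host launching PowerShell.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
PS_HOSTS = {"powershell.exe", "pwsh.exe"}

# Switches that hide the window, pass an encoded command or bypass policy.
# Long and abbreviated spellings are accepted (abbreviations are an assumption).
PS_HIDDEN = re.compile(r"(?i)(?:^|\s)-w(?:indowstyle)?\s+hidden")
PS_ENCODED = re.compile(r"(?i)(?:^|\s)-e(?:nc(?:odedcommand)?)?\s+[A-Za-z0-9+/=]{16,}")
PS_BYPASS = re.compile(r"(?i)(?:^|\s)-e(?:xecution)?p(?:olicy)?\s+bypass")
# A script file launched from a user-writable location (where archives get extracted).
SCRIPT_FILE = re.compile(r"(?i)\\(?:temp|downloads|appdata)\\.*\.(?:js|jse|vbs|wsf)\b")
# Illustrative autostart location; the report does not name the keys UpCrypter alters.
RUN_KEY = re.compile(r"(?i)\\currentversion\\run(?:once)?\\")

# Constructed sample events (not real telemetry). Index 0/1: the chain on one host;
# index 2/3: benign activity that must not trigger anything.
SAMPLE_EVENTS = [
    {"kind": "process", "host": "ws-0412",
     "parent": r"C:\Windows\System32\wscript.exe",
     "parent_cmd": r'wscript.exe "C:\Users\alice\AppData\Local\Temp\invoice_0815.js"',
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     # The base64 below is a placeholder, not a real payload.
     "cmd": "powershell.exe -NoProfile -WindowStyle Hidden -ExecutionPolicy Bypass "
            "-EncodedCommand QQBBAEEAQQBBAEEAQQBBAEEAQQBBAEEAQQBBAEEA"},
    {"kind": "registry", "host": "ws-0412",
     "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "details": r"powershell.exe -w hidden -File C:\Users\alice\AppData\Roaming\svc.ps1"},
    {"kind": "process", "host": "ws-0911",
     "parent": r"C:\Windows\explorer.exe", "parent_cmd": "explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": "powershell.exe -NoProfile -Command Get-Date"},
    {"kind": "registry", "host": "ws-0911",
     "target": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\VendorUpdate",
     "details": r"C:\Program Files\Vendor\updater.exe"},
]


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def process_rules(ev):
    """Return the names of the rules a process-creation event triggers."""
    hits = []
    parent, image, cmd = _basename(ev["parent"]), _basename(ev["image"]), ev["cmd"]
    if parent in SCRIPT_HOSTS and image in PS_HOSTS:
        hits.append("script_host_spawns_powershell")
    if image in PS_HOSTS and (PS_HIDDEN.search(cmd) or PS_ENCODED.search(cmd)
                              or PS_BYPASS.search(cmd)):
        hits.append("powershell_hidden_encoded_or_bypass")
    if parent in SCRIPT_HOSTS and SCRIPT_FILE.search(ev.get("parent_cmd", "")):
        hits.append("script_run_from_user_writable_path")
    return hits


def registry_rules(ev):
    """Flag autostart values that point at a script host, PowerShell or a user-writable script."""
    details = ev["details"]
    if RUN_KEY.search(ev["target"]) and (
            any(h in details.lower() for h in SCRIPT_HOSTS | PS_HOSTS)
            or SCRIPT_FILE.search(details)):
        return ["autostart_value_points_to_script_or_powershell"]
    return []


def triage(events):
    """Collect rule hits per host; hosts with no hits are dropped."""
    per_host = defaultdict(set)
    for ev in events:
        hits = process_rules(ev) if ev["kind"] == "process" else registry_rules(ev)
        per_host[ev["host"]].update(hits)
    return {host: sorted(rules) for host, rules in per_host.items() if rules}


def full_chain(per_host):
    """Hosts showing both the script-host launch and an autostart write: the
    sequence the report describes, which deserves priority over single hits."""
    return sorted(h for h, rules in per_host.items()
                  if "script_host_spawns_powershell" in rules
                  and "autostart_value_points_to_script_or_powershell" in rules)


if __name__ == "__main__":
    results = triage(SAMPLE_EVENTS)
    for host, rules in results.items():
        print(host, rules)
    print("full chain on:", full_chain(results))
```

Each rule alone is noisy (administrators do run hidden or encoded PowerShell), which is why the script groups hits per host and only `full_chain` ranks a host as matching the reported sequence; in production the same logic would sit in a SIEM correlation rule keyed on host and a short time window.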
The industries most affected by this campaign include manufacturing, technology, healthcare, construction, and retail/hospitality. FortiGuard Labs reported that the campaign is expanding rapidly, with detections doubling in just two weeks.
The phishing emails carry HTML attachments that redirect victims to spoofed websites tailored to each recipient. Some variants use lures such as a voicemail notification or a purchase order spoof written in Chinese.
Before running, UpCrypter checks for forensic tools, virtual machines, and sandboxes, and forces a system restart to disrupt investigation if it suspects analysis. In some cases, payload data is hidden inside image files using steganography to evade security scans.
Cybercriminal groups behind the campaign target companies worldwide, particularly in countries like Austria, Belarus, Canada, Egypt, India, and Pakistan. The stealth execution and anti-analysis features of UpCrypter make detection difficult.
Fortinet recommends that users and organisations take this threat seriously, use strong email filters, and ensure staff are trained to recognise and avoid these types of attacks. Research published by cybersecurity researchers in August 2025 ties this phishing campaign directly to the UpCrypter loader used in these attacks.
This is a reminder that cybersecurity remains a critical issue for businesses and individuals alike. Stay vigilant, stay safe.