
The campaign leverages "carefully crafted emails to deliver malicious URLs linked to convincing phishing pages," Fortinet FortiGuard Labs researcher Cara Lin said. "These pages are designed to entice recipients into downloading JavaScript files that act as droppers for UpCrypter." Attacks propagating the malware have been primarily targeting manufacturing, technology, healthcare, construction, and retail/hospitality sectors across the world since the start of August 2025. The vast majority of the infections have been observed in Austria, Belarus, Canada, Egypt, India, and Pakistan, among others.
UpCrypter functions as a conduit for various remote access tools (RATs), such as PureHVNC RAT, DCRat (aka DarkCrystal RAT), and Babylon RAT, each of which enables an attacker to take full control of compromised hosts. The starting point of the infection chain is a phishing email using themes related to voicemail messages and purchases to deceive recipients into clicking on links that direct to fake landing pages, from where they are prompted to download the voice message or a PDF document.
"The lure page is designed to appear convincing by not only displaying the victim's domain string in its banner but also fetching and embedding the domain's logo within the page content to reinforce authenticity," Fortinet said. "Its primary purpose is to deliver a malicious download." The downloaded payload is a ZIP archive containing an obfuscated JavaScript file, which subsequently contacts an external server to fetch the next-stage malware, but only after confirming internet connectivity and scanning running processes for forensic tools, debuggers, or sandbox environments.
A phishing campaign uses fake voicemails and purchase orders to deliver a malware loader named UpCrypter. Carefully crafted emails direct recipients to convincing phishing pages that prompt downloads of JavaScript droppers. Target sectors include manufacturing, technology, healthcare, construction, and retail/hospitality, with most infections observed in Austria, Belarus, Canada, Egypt, India, and Pakistan since August 2025. UpCrypter delivers remote access tools such as PureHVNC, DCRat (DarkCrystal), and Babylon, enabling full remote control of infected machines. Lure pages display the victim domain and embedded logos to appear authentic. Downloaded ZIP archives contain obfuscated JavaScript that checks connectivity and scans for forensic tools before fetching final payloads.
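The dropper chain described above (a JavaScript file extracted from a downloaded ZIP, which enumerates processes and then reaches out to an external server) can be turned into a simple endpoint correlation rule. The following is an added example, not code from Fortinet or The Hacker News; it assumes Windows script hosts (wscript.exe/cscript.exe) run the .js file, that process enumeration may surface as a tasklist.exe child, and that telemetry arrives as simplified Sysmon-style process and network events, all constructed here.

```python
"""Correlate script-host execution of a downloaded .js file with a later
outbound connection from the same process (the UpCrypter dropper chain).
Event records are constructed, simplified Sysmon-style dicts (assumption)."""
from collections import defaultdict

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}  # assumed Windows JS hosts
DROP_DIRS = ("\\downloads\\", "\\temp\\", "\\appdata\\local\\temp\\")

# Constructed sample telemetry on one host: process creation events
# (pid, image, cmdline, optional ppid) and network connection events.
EVENTS = [
    {"type": "process", "pid": 4100, "image": "C:\\Windows\\explorer.exe",
     "cmdline": "explorer.exe"},
    {"type": "process", "pid": 5222, "image": "C:\\Windows\\System32\\wscript.exe",
     "cmdline": 'wscript.exe "C:\\Users\\a\\Downloads\\voicemail_0821\\Voice.js"'},
    {"type": "process", "pid": 5230, "image": "C:\\Windows\\System32\\tasklist.exe",
     "cmdline": "tasklist", "ppid": 5222},  # assumed process-enumeration observable
    {"type": "network", "pid": 5222, "image": "C:\\Windows\\System32\\wscript.exe",
     "dest": "198.51.100.23:443"},
    {"type": "process", "pid": 6001, "image": "C:\\Windows\\System32\\wscript.exe",
     "cmdline": 'wscript.exe "C:\\Scripts\\logon.js"'},  # benign admin script
    {"type": "network", "pid": 6001, "image": "C:\\Windows\\System32\\wscript.exe",
     "dest": "10.0.0.5:445"},
]

def find_dropper_chains(events):
    """Return one finding per script-host PID that executed a .js from a
    download/temp directory and later opened an outbound connection."""
    suspect = {}                     # pid -> command line of the .js launch
    enumerated = defaultdict(bool)   # pid -> spawned a process-listing child
    findings = []
    for ev in events:
        image = ev["image"].rsplit("\\", 1)[-1].lower()
        if ev["type"] == "process":
            if image in SCRIPT_HOSTS:
                cmd = ev["cmdline"].lower()
                if ".js" in cmd and any(d in cmd for d in DROP_DIRS):
                    suspect[ev["pid"]] = ev["cmdline"]
            elif image == "tasklist.exe" and ev.get("ppid") in suspect:
                enumerated[ev["ppid"]] = True
        elif ev["type"] == "network" and ev["pid"] in suspect:
            findings.append({"pid": ev["pid"], "script": suspect[ev["pid"]],
                             "dest": ev["dest"],
                             "enumerated_processes": enumerated[ev["pid"]]})
    return findings
```

The benign logon script is not flagged because it neither came from a download location nor enumerated processes; in production the path heuristic should be tuned to the organisation's own download and archive-extraction paths.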
Read at The Hacker News