- A new phishing campaign uses fake voicemails and purchase orders to distribute the UpCrypter malware loader.
- The attacks target sectors like manufacturing, technology, healthcare, construction, and retail worldwide, focusing on countries such as Austria, Belarus, Canada, Egypt, India, and Pakistan.
- UpCrypter delivers remote access tools, enabling attackers to control infected devices and evade detection.
- Threat actors abuse trusted services like Google Classroom, Discord, and Microsoft 365 to improve the success of phishing attacks.
- Attackers use advanced anti-detection techniques, including script-based evasion and steganography, to hide malicious activity and avoid analysis.
A phishing campaign is spreading malware known as UpCrypter through fake voicemail and purchase order emails, according to cybersecurity researchers. The campaign began targeting major industries in several countries in August 2025. One of its main goals is to deploy a malware loader that installs remote access tools (RATs) on compromised systems.
Researchers at Fortinet FortiGuard Labs found that the attackers use convincing emails that direct recipients to phishing pages. These sites ask users to download JavaScript files, which act as delivery vehicles for UpCrypter. Most attacks have targeted manufacturing, technology, healthcare, construction, and retail, with infection reports mainly in Austria, Belarus, Canada, Egypt, India, and Pakistan.
According to Fortinet, UpCrypter helps attackers install a range of RATs, such as PureHVNC RAT, DCRat (also known as DarkCrystal RAT), and Babylon RAT. These give attackers full control over infected computers. The infection usually begins with a phishing message about a voicemail or a purchase that encourages the target to visit a fraudulent site and download a ZIP archive. The archive contains an obfuscated JavaScript loader, which checks for sandbox or forensic tools before allowing the next steps.
The loader downloads the final malicious payload, sometimes hidden inside harmless-looking images using steganography, which helps it avoid detection. The malware can also be distributed as an MSIL loader, which performs similar anti-analysis checks before downloading a script, a dynamic link library (DLL), and the main payload. These files are combined during execution and run in memory without being written to disk, which makes them difficult to trace.
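The delivery chain above (a ZIP archive carrying a script loader, plus a payload hidden in an image) lends itself to a cheap triage check at the mail gateway or on a sandbox host. The following is an added example, not code from Fortinet or from the campaign: it lists script-type members of a ZIP attachment and checks image members for data appended after the image's end marker, one common way of hiding a payload in an otherwise valid image. The extension list, the sample ZIP and the sample PNG are constructed for the example, and the end-marker check is a heuristic that will not catch every steganographic technique.

```python
import io
import zipfile
import zlib

# Assumption: extensions commonly used by script-based loaders (not taken from the report).
SCRIPT_EXTENSIONS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta", ".ps1"}
PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
JPEG_SOI = b"\xff\xd8"
JPEG_EOI = b"\xff\xd9"


def script_members(zip_bytes):
    """Return the names of ZIP members whose final extension is a script type.

    Using the final extension catches double extensions such as 'voicemail.mp3.js'.
    """
    names = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename.lower()
            ext = name[name.rfind("."):] if "." in name else ""
            if ext in SCRIPT_EXTENSIONS:
                names.append(info.filename)
    return names


def trailing_bytes_after_image(data):
    """Return the number of bytes after the image's end marker, or -1 if not a recognised image.

    PNG: walk the chunk list (length, type, body, CRC) until IEND.
    JPEG: heuristic, uses the last FF D9 marker, so a payload that itself contains FF D9 is missed.
    """
    if data.startswith(PNG_SIGNATURE):
        pos = len(PNG_SIGNATURE)
        while pos + 8 <= len(data):
            length = int.from_bytes(data[pos:pos + 4], "big")
            ctype = data[pos + 4:pos + 8]
            pos += 12 + length  # 4 length + 4 type + body + 4 CRC
            if ctype == b"IEND":
                return len(data) - pos
        return -1  # malformed PNG with no IEND chunk
    if data.startswith(JPEG_SOI):
        end = data.rfind(JPEG_EOI)
        return len(data) - (end + 2) if end != -1 else -1
    return -1


def triage_attachment(zip_bytes):
    """Combine both checks over one ZIP attachment."""
    findings = {"script_members": script_members(zip_bytes), "images_with_trailing_data": []}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.filename.lower().endswith((".png", ".jpg", ".jpeg")):
                extra = trailing_bytes_after_image(zf.read(info))
                if extra > 0:
                    findings["images_with_trailing_data"].append((info.filename, extra))
    return findings


# --- constructed sample data for the example (not real campaign artefacts) ---

def _png_chunk(ctype, body):
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return len(body).to_bytes(4, "big") + ctype + body + crc.to_bytes(4, "big")


def build_sample_png(appended=b""):
    """A valid 1x1 RGB PNG, optionally with bytes appended after IEND."""
    ihdr = (1).to_bytes(4, "big") + (1).to_bytes(4, "big") + bytes([8, 2, 0, 0, 0])
    idat = zlib.compress(b"\x00\xff\x00\x00")  # filter byte + one red pixel
    return (PNG_SIGNATURE + _png_chunk(b"IHDR", ihdr) + _png_chunk(b"IDAT", idat)
            + _png_chunk(b"IEND", b"") + appended)


def build_sample_zip(members):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_zip({
        "Voicemail.mp3.js": b"var x = 1;",          # constructed script member
        "note.txt": b"hello",
        "logo.png": build_sample_png(b"X" * 64),     # constructed image with appended data
    })
    print(triage_attachment(sample))
```

The two signals are independent: a ZIP whose only executable member is a `.js` file is worth quarantining regardless of what the images look like, and an image with data past its end marker is worth a second look even when it arrives outside an archive.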
Similar attacks have been seen abusing Google Classroom to send over 115,000 phishing emails to 13,500 organizations in early August 2025, as reported by Check Point. Attackers used trusted technology platforms to bypass email security protocols like SPF, DKIM, and DMARC, increasing the chance that harmful messages reach users’ inboxes. Some campaigns sent fake invitations containing offers or instructions for contacting scammers, frequently via WhatsApp.
Threat actors also misuse services such as Microsoft 365 Direct Send, Discord CDN, SendGrid, and others to achieve these goals. New defense measures, like Microsoft’s “Reject Direct Send” and custom policies, aim to counter these attacks. Attackers have adapted by using client-side scripts to block automated and manual analysis and sometimes host phishing pages within virtual desktops or embed anti-analysis scripts into phishing kits.
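Because mail sent through a legitimate platform carries that platform's SPF, DKIM and DMARC results, the authentication verdicts alone say nothing about whether the content is a lure. The following added example (not Check Point's or Microsoft's code) shows the kind of check a mail filter can layer on top: it parses the `Authentication-Results` header and flags messages that pass every check yet route replies to a different domain or steer the recipient to an off-platform contact, as the WhatsApp-style lures described above do. The sample message, the domains in it and the contact heuristic are constructed assumptions for the example.

```python
import email
import re
from email import policy
from email.utils import parseaddr


def parse_auth_results(header_value):
    """Parse an Authentication-Results header into {method: (verdict, domain)}.

    The first ';'-separated clause is the authserv-id and is skipped.
    """
    results = {}
    for clause in header_value.split(";")[1:]:
        m = re.match(r"\s*(spf|dkim|dmarc)=(\w+)", clause, re.I)
        if not m:
            continue
        method, verdict = m.group(1).lower(), m.group(2).lower()
        dom = re.search(r"(?:header\.d|header\.from|smtp\.mailfrom)=([\w.@-]+)", clause, re.I)
        domain = dom.group(1).split("@")[-1].lower() if dom else None
        results[method] = (verdict, domain)
    return results


def domain_of(header_value):
    """Domain part of an address header, or None if it holds no address."""
    _, address = parseaddr(str(header_value))
    return address.rsplit("@", 1)[-1].lower() if "@" in address else None


def assess_message(raw_bytes):
    """Return authentication status plus findings that the verdicts alone would not surface."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    auth = parse_auth_results(str(msg.get("Authentication-Results", "")))
    all_pass = all(auth.get(m, ("none", None))[0] == "pass" for m in ("spf", "dkim", "dmarc"))
    from_domain = domain_of(msg.get("From", ""))
    reply_domain = domain_of(msg.get("Reply-To", "")) if msg.get("Reply-To") else None
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body else ""

    findings = []
    # Alignment: authenticated sender and reply destination should normally agree.
    if all_pass and reply_domain and reply_domain != from_domain:
        findings.append("authenticated as %s but replies go to %s" % (from_domain, reply_domain))
    # Assumed heuristic: a messaging-app name next to a phone number is a lure pattern.
    if re.search(r"\bwhatsapp\b", text, re.I) and re.search(r"\+?\d[\d\s()-]{7,}\d", text):
        findings.append("body directs recipient to an off-platform messaging contact")
    return {"all_pass": all_pass, "auth": auth, "findings": findings}


# Constructed sample: a platform-originated notification with a mismatched Reply-To and a lure body.
SAMPLE_MESSAGE = b"""From: "Course Admin" <no-reply@classroom.example>
Reply-To: offers@promo-deals.example
To: staff@victim.example
Subject: You have been invited to a class
Authentication-Results: mx.victim.example; spf=pass smtp.mailfrom=classroom.example; dkim=pass header.d=classroom.example; dmarc=pass header.from=classroom.example
Content-Type: text/plain; charset="utf-8"

You have been invited to join a class. To claim your offer, contact us on WhatsApp at +1 555 0100 123.
"""

if __name__ == "__main__":
    print(assess_message(SAMPLE_MESSAGE))
```

The point of the check is the combination: all three mechanisms passing is exactly what a message sent through Google Classroom, Microsoft 365 Direct Send or SendGrid looks like, so a filter that trusts the verdicts alone lets these lures through, while one that also looks at reply alignment and body intent still has something to act on.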
These evolving techniques indicate an ongoing effort by threat actors to create sophisticated and hard-to-detect phishing threats. Links to further details and technical research can be found in the statements by Fortinet (here) and Check Point (here).