Phishing Campaign Employs UpCrypter in Fraudulent Voicemail Emails to Distribute RAT Payloads
Cybersecurity researchers have identified a new phishing campaign that employs fake voicemails and purchase orders to distribute a malware loader known as UpCrypter. The campaign utilises “carefully crafted emails to deliver malicious URLs linked to convincing phishing pages,” according to Fortinet FortiGuard Labs researcher Cara Lin. These phishing pages are designed to entice recipients into downloading JavaScript files that serve as droppers for UpCrypter. Since the beginning of August 2025, the attacks have primarily targeted sectors such as manufacturing, technology, healthcare, construction, and retail/hospitality worldwide. The majority of infections have been reported in countries including Austria, Belarus, Canada, Egypt, India, and Pakistan.
UpCrypter acts as a conduit for various Remote Access Tools (RATs), including PureHVNC RAT, DCRat (also known as DarkCrystal RAT), and Babylon RAT, which enable attackers to gain full control over compromised hosts. The infection chain begins with a phishing email that uses themes related to voicemail messages and purchases to deceive recipients into clicking links that lead to fake landing pages. From these pages, victims are prompted to download either a voice message or a PDF document. The lure page is crafted to appear authentic by displaying the victim’s domain string in its banner and embedding the domain’s logo within the content. Its primary purpose is to facilitate a malicious download.
The downloaded payload is a ZIP archive containing an obfuscated JavaScript file, which subsequently contacts an external server to retrieve the next-stage malware. This occurs only after the script confirms internet connectivity and scans for forensic tools, debuggers, or sandbox environments. The loader then contacts the same server to obtain the final payload, which may be delivered as plain text or embedded within a seemingly harmless image, a technique known as steganography. Fortinet also noted that UpCrypter is distributed as an MSIL (Microsoft Intermediate Language) loader, which, like its JavaScript counterpart, performs anti-analysis and anti-virtual machine checks. Following this, it downloads three different payloads: an obfuscated PowerShell script, a DLL, and the main payload. The attack culminates with the script loading the DLL loader and the payload from embedded data during execution, so the malware runs without ever being written to the file system. This method minimises forensic traces, enabling the malware to evade detection. Lin emphasised that this combination of an actively maintained loader, layered obfuscation, and diverse RAT delivery illustrates an adaptable threat delivery ecosystem capable of bypassing defences and maintaining persistence across various environments.
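Two of the stages described above (a ZIP attachment that carries an obfuscated JavaScript dropper, and a next-stage payload hidden inside an image) can be checked for at a mail gateway or in an analyst's triage script. The following is an added example written for this page; it is not Fortinet's tooling and not code from the campaign. It builds a constructed ZIP fixture in memory, flags script members and common obfuscation traits (`eval`, `String.fromCharCode`, `ActiveXObject`, long hex literals), and checks whether an image carries bytes after its end-of-file marker. The appended-trailer check assumes one simple way a payload can ride inside an image; the article does not say which steganographic method UpCrypter uses, so that part is a general heuristic rather than a description of this loader.

```python
"""Mail-attachment triage helpers (added example, not from the original article)."""
import io
import math
import re
import zipfile

# Script types that a "voicemail" or "purchase order" ZIP has no honest reason to contain.
SCRIPT_EXTENSIONS = (".js", ".jse", ".wsf", ".vbs", ".hta")

# Traits common to obfuscated JavaScript droppers. Any one of them is weak on its own;
# two or more in a script that arrived by e-mail is a strong signal.
INDICATORS = {
    "eval": re.compile(r"\beval\s*\("),
    "fromCharCode": re.compile(r"String\.fromCharCode"),
    "unescape": re.compile(r"\bunescape\s*\("),
    "ActiveXObject": re.compile(r"ActiveXObject"),
    "WScript.Shell": re.compile(r"WScript\.Shell"),
    "long_hex_literal": re.compile(r"[\"'][0-9a-fA-F]{64,}[\"']"),
}

PNG_END = b"IEND\xaeB`\x82"   # zero-length IEND chunk type + its fixed CRC
JPEG_END = b"\xff\xd9"        # JPEG end-of-image marker


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; packed or encoded blobs sit near 8, plain script text far lower."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def js_indicators(text: str) -> list:
    """Names of the obfuscation traits present in a script body."""
    return [name for name, rx in INDICATORS.items() if rx.search(text)]


def triage_zip(archive: bytes) -> dict:
    """Inspect an in-memory ZIP; report script members and an overall verdict."""
    members = []
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for info in zf.infolist():
            if info.is_dir() or not info.filename.lower().endswith(SCRIPT_EXTENSIONS):
                continue
            raw = zf.read(info)
            text = raw.decode("utf-8", errors="replace")
            members.append({
                "name": info.filename,
                "size": len(raw),
                "entropy": round(shannon_entropy(raw), 2),
                "indicators": js_indicators(text),
            })
    if any(len(m["indicators"]) >= 2 for m in members):
        verdict = "likely_dropper"
    elif members:
        verdict = "suspicious"     # a script in a mail ZIP is worth a hold even with no hits
    else:
        verdict = "clean"
    return {"members": members, "verdict": verdict}


def image_trailing_bytes(image: bytes) -> int:
    """Count bytes after the image's end marker. A well-formed PNG or JPEG ends at the
    marker; a payload appended behind it (an assumed, simple carrier) shows as a tail."""
    if image.startswith(b"\x89PNG"):
        marker = PNG_END
    elif image.startswith(b"\xff\xd8"):
        marker = JPEG_END
    else:
        return 0
    idx = image.rfind(marker)
    return 0 if idx == -1 else len(image) - (idx + len(marker))


def build_sample_zip() -> bytes:
    """Constructed fixture: a harmless JS file that carries dropper-like obfuscation traits."""
    encoded_blob = "4d5a" * 40  # 160 hex characters, stands in for an embedded encoded stage
    js = "\n".join([
        f'var blob = "{encoded_blob}";',
        'var sh = new ActiveXObject("WScript.Shell");',
        'eval(String.fromCharCode(49, 43, 49));  // decodes to "1+1": harmless stand-in',
    ])
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Voicemail_Message.js", js)
    return buf.getvalue()


def build_benign_zip() -> bytes:
    """Constructed fixture: a ZIP with only a text file, which should pass."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.txt", "Thank you for your order.")
    return buf.getvalue()


if __name__ == "__main__":
    print(triage_zip(build_sample_zip()))
    print(triage_zip(build_benign_zip()))
    png = b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\x00" + PNG_END
    print(image_trailing_bytes(png), image_trailing_bytes(png + b"appended-stage"))
```

The verdict tiers map naturally onto gateway actions: quarantine `likely_dropper`, hold `suspicious` for review, and let `clean` through. The entropy figure is reported rather than thresholded because short scripts give noisy values; it is most useful when compared across members of the same archive or against the organisation's own baseline.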
Categories: Phishing Campaigns, Malware Distribution, Remote Access Tools
Tags: Phishing, Malware, UpCrypter, JavaScript, RATs, Manufacturing, Healthcare, Steganography, Obfuscation, Cybersecurity