
Fortinet's FortiGuard Labs' latest research describes a recently identified phishing campaign that uses carefully crafted emails carrying URLs to convincing phishing pages. These pages are designed to entice recipients into downloading JavaScript files that act as droppers for UpCrypter, a malware loader that ultimately deploys various remote access tools (RATs).
The spoofed site is personalized with the target's email domain, which lends it credibility. The research describes an infection chain that uses several different lures and ends with the delivery of multiple RATs, including PureHVNC, DCRat, and Babylon RAT.
As the research shows, attackers can now build convincing phishing emails and fake websites from ready-made kits found online, and use them as a complete malware-distribution pipeline rather than a simple credential-theft scam.
The goal is not just stolen email logins: once a RAT is installed, attackers can keep control of the system for an extended period. Users and organizations should take this threat seriously, deploy strong email filtering, and train staff to recognize and avoid these lures.
Additional commentary from a couple of my expert sources can be found below.
Frankie Sclafani, Director of Cybersecurity Enablement at Deepwatch
"Organizations worldwide need to be aware that the UpCrypter phishing campaign is a highly sophisticated and dangerous threat. This is a complete attack process designed to secretly install a persistent malicious payload inside your network.
"The campaign is operating on a truly global scale. According to FortiGuard Labs, in just two weeks, the detection count has more than doubled, reflecting a rapid and aggressive growth pattern. The malicious code is heavily obfuscated and padded with large amounts of junk code to conceal its purpose. The malware scans for and restarts the system if it detects forensic tools, debuggers, or virtual machine environments like any.run or Wireshark.
"UpCrypter uses PowerShell and .NET reflection to execute subsequent stages of the attack directly in memory without writing the final payload to the disk. Additionally, the loader data is delivered in two formats—plain text and embedded within an image file using a form of steganography—to evade static detection. Finally, the campaign delivers various Remote Access Tools (RATs) such as PureHVNC, DCRat, and Babylon RAT, allowing attackers to gain full remote control of compromised systems.
"Employee training is crucial. Ensure your WAFs, mail filters, EDR, and antivirus are up to date, as the malware is detected and blocked by tools like FortiGuard Antivirus. Smart security teams will proactively block these attacks by using threat intelligence services and by implementing the provided Indicators of Compromise (IOCs).
"To stop malicious scripts like those used in this campaign, security teams should implement several crucial controls. These include enforcing PowerShell script signing and using Constrained Language Mode. If not required for daily operations, restrict PowerShell execution for standard users by adjusting the execution policy to a more restrictive setting, such as AllSigned or RemoteSigned.
"However, the most effective control you can implement is Application Allowlisting. By implementing an allowlist, security teams can prevent the malicious JavaScript droppers and subsequent RAT payloads from running, neutralizing the threat even if a user is tricked into downloading the file."
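The PowerShell controls listed in the quote above (execution policy, Constrained Language Mode, and allowlisting) can be audited and tightened from an elevated PowerShell session. The script below is an added example written for this article; it is not Deepwatch's, Fortinet's, or the article author's code. The registry path and value for script block logging are the standard Group Policy locations; the choice of AllSigned, the .js file-association stopgap, and the assumption that AppLocker is the allowlisting technology in use are the example's own.

```powershell
# Added example: audit and tighten the PowerShell controls named above.
# Run in an elevated PowerShell session on the target host. Not from the article.

# 1. Execution policy: show every scope, then set the machine scope to AllSigned.
#    Execution policy is a safety rail, not a security boundary: a loader that
#    runs 'powershell -ExecutionPolicy Bypass' or '-EncodedCommand' still executes,
#    which is why the logging and allowlisting steps below matter more.
Get-ExecutionPolicy -List
Set-ExecutionPolicy -ExecutionPolicy AllSigned -Scope LocalMachine -Force

# 2. Language mode: report whether this session is already constrained.
#    Constrained Language Mode is enforced by an AppLocker or WDAC script policy
#    in enforce mode; there is no cmdlet that switches it on by itself.
$mode = $ExecutionContext.SessionState.LanguageMode
Write-Host "Current language mode: $mode"
if ($mode -ne 'ConstrainedLanguage') {
    Write-Warning 'FullLanguage session: deploy an AppLocker/WDAC script policy to enforce ConstrainedLanguage.'
}

# 3. Script block logging, so in-memory stages (the .NET reflection loaders
#    described above) leave a record as event 4104 in
#    Microsoft-Windows-PowerShell/Operational even though nothing touches disk.
$sbl = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
if (-not (Test-Path $sbl)) { New-Item -Path $sbl -Force | Out-Null }
Set-ItemProperty -Path $sbl -Name EnableScriptBlockLogging -Value 1 -Type DWord

# 4. Cheap stopgap against the JavaScript dropper: a double-clicked .js file runs
#    because the extension is handed to Windows Script Host. Re-associating .js and
#    .jse to the text-file handler makes a downloaded dropper open in Notepad.
#    An AppLocker/WDAC script rule is the stronger control (assumption: AppLocker here).
cmd /c 'assoc .js=txtfile'
cmd /c 'assoc .jse=txtfile'

# 5. Allowlisting: show whether an effective AppLocker policy exists at all.
#    Get-AppLockerPolicy is only present where the AppLocker module is installed.
if (Get-Command Get-AppLockerPolicy -ErrorAction SilentlyContinue) {
    Get-AppLockerPolicy -Effective -Xml
} else {
    Write-Warning 'AppLocker module not available; no effective allowlist policy to inspect.'
}

# 6. Verify the settings this script changed.
Get-ExecutionPolicy -Scope LocalMachine
Get-ItemProperty -Path $sbl -Name EnableScriptBlockLogging | Select-Object EnableScriptBlockLogging
```

Step 4 only changes what happens on an interactive double-click; a dropper invoked explicitly as `wscript.exe payload.js` still runs, so treat it as a bridge until the allowlist in step 5 is in enforce mode.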
J Stephen Kowski, Field CTO at SlashNext Email Security+
"What’s most important to understand is that this isn’t a one-time data theft—it’s a full system breach that can spread quietly inside company networks.
"Teams should focus on catching these threats before users click, since blocking at the email and web layer is the fastest defense. Automated detection that looks past obfuscation in scripts and phishing sites is key, because traditional filters often miss the tricks used here.
"Training staff to spot lures like fake voicemails or order requests helps, but pairing that with threat detection that stops malicious downloads in real time is what really keeps attackers out."
John Bambenek, President at Bambenek Consulting
"Various fake voicemail and fake invoice phishing lures remain popular for attackers simply because they work. In this case, however, looking for the chain of events of opening an HTML attachment in email that leads to PowerShell usage provides an easy and quick win to detect (and hopefully prevent) this chain of events. Not every user needs access to PowerShell, and certainly not when the chain starts from Outlook.exe."
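The process-ancestry check Bambenek describes can be expressed over Sysmon process-creation (Event ID 1) telemetry. The function below is an added example for this article, not Bambenek's or Fortinet's code; it works on objects carrying the standard Sysmon fields ProcessGuid, ParentProcessGuid, Image and CommandLine, and the five sample events at the bottom are constructed for the demonstration. The list of risky ancestor processes and the user-writable-path pattern for dropped .js files are the example's own assumptions.

```powershell
# Added example: flag PowerShell whose ancestry includes Outlook or a script host,
# and script hosts running a .js from a user-writable path. Not from the article.
function Find-SuspiciousScriptChains {
    param(
        [Parameter(Mandatory)] [object[]] $Events,   # Sysmon EID 1 records (see sample below)
        [int] $MaxDepth = 6                          # how far up the tree to walk
    )
    # Index by ProcessGuid so each ancestry lookup is a hashtable hit.
    $byGuid = @{}
    foreach ($e in $Events) { $byGuid[$e.ProcessGuid] = $e }

    $riskyAncestors = @('outlook.exe', 'wscript.exe', 'cscript.exe', 'mshta.exe')  # assumption
    $shells         = @('powershell.exe', 'pwsh.exe')
    $scriptHosts    = @('wscript.exe', 'cscript.exe')
    # .js/.jse launched from Downloads, Temp or the browser cache (assumed pattern).
    $droppedScript  = '(?i)\\Users\\[^\\]+\\(Downloads|AppData\\Local\\Temp|AppData\\Local\\Microsoft\\Windows\\INetCache)\\[^"]*\.jse?\b'

    foreach ($e in $Events) {
        $image = (($e.Image -split '[\\/]')[-1]).ToLowerInvariant()
        $findings = @()

        # Detection 1: the dropper stage itself.
        if ($scriptHosts -contains $image -and $e.CommandLine -match $droppedScript) {
            $findings += 'script host running .js from user-writable path'
        }

        # Detection 2: PowerShell with Outlook or a script host somewhere above it.
        if ($shells -contains $image) {
            $chain = @($image)
            $cur = $e
            for ($i = 0; $i -lt $MaxDepth; $i++) {
                if (-not $cur.ParentProcessGuid -or -not $byGuid.ContainsKey($cur.ParentProcessGuid)) { break }
                $cur  = $byGuid[$cur.ParentProcessGuid]
                $pimg = (($cur.Image -split '[\\/]')[-1]).ToLowerInvariant()
                $chain += $pimg
                if ($riskyAncestors -contains $pimg) {
                    $findings += "PowerShell under $pimg (" + (($chain[($chain.Count - 1)..0]) -join ' -> ') + ')'
                    break
                }
            }
        }

        foreach ($f in $findings) {
            [PSCustomObject]@{ ProcessGuid = $e.ProcessGuid; Image = $image; Finding = $f; CommandLine = $e.CommandLine }
        }
    }
}

# Constructed sample telemetry (not real events). The encoded command is just "IEX".
$sample = @(
    [PSCustomObject]@{ ProcessGuid = '{A1}'; ParentProcessGuid = '{00}'; Image = 'C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE'; CommandLine = '"OUTLOOK.EXE"' },
    [PSCustomObject]@{ ProcessGuid = '{A2}'; ParentProcessGuid = '{A1}'; Image = 'C:\Windows\System32\wscript.exe'; CommandLine = 'wscript.exe "C:\Users\alice\Downloads\Voicemail_0412.js"' },
    [PSCustomObject]@{ ProcessGuid = '{A3}'; ParentProcessGuid = '{A2}'; Image = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'; CommandLine = 'powershell.exe -nop -w hidden -ep bypass -EncodedCommand SQBFAFgA' },
    # Benign control: an administrator opens PowerShell from Explorer.
    [PSCustomObject]@{ ProcessGuid = '{B1}'; ParentProcessGuid = '{00}'; Image = 'C:\Windows\explorer.exe'; CommandLine = 'explorer.exe' },
    [PSCustomObject]@{ ProcessGuid = '{B2}'; ParentProcessGuid = '{B1}'; Image = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'; CommandLine = 'powershell.exe' }
)

Find-SuspiciousScriptChains -Events $sample | Format-Table -AutoSize -Wrap
```

Against the sample, {A2} is reported by the dropper check and {A3} by the ancestry walk (outlook.exe -> wscript.exe -> powershell.exe), while the Explorer-launched shell {B2} stays silent. In real telemetry the HTML attachment usually opens in a browser and the downloaded .js is launched by Explorer, so the ancestry from Outlook often breaks; that is why the function keeps the dropper-path check as an independent signal rather than relying on the parent chain alone.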