Phishing Campaign Targeting Companies via UpCrypter
Summary:
FortiGuard Labs recently identified a high-severity phishing campaign aimed at Microsoft Windows users that demonstrates a highly organized and sophisticated delivery system for malware. The attackers are leveraging carefully crafted phishing emails that appear credible and often mimic voicemail notifications or purchase orders. These emails carry malicious HTML attachments that, once opened, use obfuscated scripts to redirect victims to spoofed websites customized with the target’s own email domain and even embedded corporate logos. This personalization adds to the illusion of legitimacy and increases the likelihood of user interaction. The phishing sites then prompt the user to download files, ultimately delivering UpCrypter, a loader that serves as the central tool in this campaign.
The downloaded files contain heavily obfuscated JavaScript code designed to hide its malicious intent. Once executed, these scripts silently launch PowerShell with the execution policy set to Bypass to stage the next payload. The malware employs multiple layers of evasion, including anti-automation checks to detect whether it is running in a controlled environment, anti-analysis routines that terminate when monitoring tools are present, and steganography to conceal payloads inside image files. Such tactics let the infection chain proceed while minimizing detection by security software or analysts. UpCrypter itself acts as a multi-stage loader that checks system directories, establishes persistence in the registry, and executes payloads directly in memory to avoid leaving artifacts on disk. It masquerades as legitimate activity, using outdated Internet Explorer User-Agent headers and routine network pings to appear normal. Once operational, it downloads and deploys remote access tools such as PureHVNC, DCRat, and Babylon RAT, each enabling full remote control of the compromised system. These RATs allow attackers to steal credentials, monitor user activity, and establish long-term footholds within corporate environments.
Security Officer Comments:
The scale and adaptability of this campaign make it particularly dangerous. Telemetry shows that detections have doubled within just two weeks, reflecting a rapid global spread across industries such as manufacturing, technology, healthcare, construction, and retail/hospitality. Unlike older phishing campaigns that focused mainly on credential theft, this operation delivers a complete end-to-end attack chain, from initial phishing lure to full system compromise, persistence, and exfiltration of sensitive information. The stolen data can then be reused in follow-up attacks, adding to the long-term risk for victims.
Suggested Corrections:
- Email Security: Block HTML/ZIP/JS attachments at the gateway, enable sandboxing, and enforce DMARC/DKIM/SPF to reduce spoofing.
- Endpoint Hardening: Restrict PowerShell execution (Constrained Language Mode), disable Windows Script Host where possible, and monitor for obfuscated script activity.
- Network Controls: Block known malicious domains, and hunt for suspicious redirects, legacy IE User-Agents, or steganographic payload delivery.
- User Awareness: Train staff to recognize voicemail/purchase order phishing lures and avoid opening unexpected HTML attachments.
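As an added example (not code from the Fortinet report), the following Python hunts over constructed endpoint and proxy records for two of the signals described above: PowerShell launched with the execution policy set to Bypass, rated higher when its parent is a Windows Script Host binary, and legacy Internet Explorer User-Agent strings in proxy traffic. The record layout, file paths and sample values are assumptions.

```python
import re

# Constructed sample telemetry (not from the Fortinet report). Each line is either a
# process-creation record "proc|parent_image|image|command_line" or a web-proxy
# record "proxy|client_ip|user_agent|url"; the field layout is an assumption.
SAMPLE_EVENTS = [
    "proc|C:\\Windows\\System32\\wscript.exe|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
    "|powershell.exe -nop -w hidden -ep bypass -f C:\\Users\\Public\\stage.ps1",
    "proc|C:\\Windows\\explorer.exe|C:\\Windows\\System32\\notepad.exe|notepad.exe invoice.txt",
    "proc|C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE"
    "|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
    "|powershell -ExecutionPolicy Bypass -File update.ps1",
    "proxy|10.0.0.12|Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)|http://example.invalid/voice.jpg",
    "proxy|10.0.0.13|Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0|https://example.invalid/",
]

# Windows Script Host binaries: the reported chain starts with an obfuscated .js file,
# so PowerShell spawned from these hosts is the strongest signal.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
# -ExecutionPolicy Bypass and its short forms (-ep, -ex, -exec), case-insensitive.
EP_BYPASS = re.compile(r"-(?:ep|ex(?:ec(?:utionpolicy)?)?)\s+bypass", re.IGNORECASE)
# Legacy Internet Explorer User-Agent strings ("MSIE n.n") that the loader reuses.
LEGACY_IE_UA = re.compile(r"\bMSIE\s+\d", re.IGNORECASE)


def basename(path: str) -> str:
    """Return the lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def hunt(lines):
    """Return (severity, rule, detail) tuples for lines matching the described tradecraft."""
    hits = []
    for line in lines:
        kind, *fields = line.split("|")
        if kind == "proc" and len(fields) == 3:
            parent, image, cmd = fields
            if basename(image) in POWERSHELL and EP_BYPASS.search(cmd):
                # Script host -> PowerShell with a policy bypass is the stage-two pattern.
                severity = "high" if basename(parent) in SCRIPT_HOSTS else "medium"
                hits.append((severity, "powershell-ep-bypass", f"{basename(parent)} -> {basename(image)}"))
        elif kind == "proxy" and len(fields) == 3:
            client, user_agent, url = fields
            if LEGACY_IE_UA.search(user_agent):
                hits.append(("medium", "legacy-ie-user-agent", f"{client} {url}"))
    return hits
```

Feed real Sysmon event 1 and proxy exports into the same field layout to use the rules outside this sample; the medium rating on non-script-host parents is deliberate, since Office-spawned PowerShell is also a common lure outcome.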
https://www.fortinet.com/blog/threat-research/phishing-campaign-targeting-companies-via-upcrypter