A new fast-spreading phishing campaign was discovered leveraging carefully crafted emails to deliver URLs packed with the UpCryptor malware linked to convincing phishing pages.These web pages are designed to entice victims into downloading JavaScript files that act as droppers for the UpCrypter malware that ultimately deploy various remote access tools (RATs), including PureHVNC, DCRat, and Babylon RAT.In an Aug. 25 blog post FortiGuard Labs researchers said the campaign operates worldwide across North and South America, Europe, Africa, South Asia, and Asia.The FortiGuard researchers said its detection count of the campaign more than doubled in the past two weeks, reflecting rapid and aggressive growth. The attackers are also targeting multiple sectors, including manufacturing, technology, healthcare, construction, and retail/hospitality.“Organizations worldwide need to be aware that the UpCrypter phishing campaign is a highly sophisticated and dangerous threat,” said Frankie Sclafani, director of cybersecurity enablement at Deepwatch. “This is a complete attack process designed to secretly install a persistent malicious payload inside a network.”Sclafani said the attackers — likely tied to a sophisticated cybercrime group — are using clever tactics to trick victims and avoid detection. The campaign uses emails that lead victims to spoofed websites personalized with their email domain, which Sclafani said enhances credibility.“The malicious code is heavily obfuscated and padded with large amounts of junk code to conceal its purpose,” said Sclafani. “The malware scans for and restarts the system if it detects forensic tools, debuggers, or virtual machine environments like any.run or Wireshark. UpCrypter uses PowerShell and .NET reflection to execute subsequent stages of the attack directly in memory without writing the final payload to the disk.”J Stephen Kowski, Field CTO SlashNext Email Security, added that this phishing campaign personalizes fake websites with the victim’s own email and company logo, making the scam look real. Kowski said the malicious files delivered are not just for stealing passwords, but for installing powerful remote access tools that give attackers long-term control.“What’s most important to understand is that this isn’t a one-time data theft — it’s a full system breach that can spread quietly inside company networks,” said Kowski. “Teams should focus on catching these threats before users click, since blocking at the email and web layer is the fastest defense. Automated detection that looks past obfuscation in scripts and phishing sites is key, because traditional filters often miss the tricks used here.”
Network Security, Malware, Phishing, Email security
Global phishing campaign lures victims to release UpCryptor malware
(Adobe Stock)
An In-Depth Guide to Network Security
Get essential knowledge and practical strategies to fortify your network security.
Related Events
Get daily email updates
SC Media's daily must-read of the most current and pressing daily news
You can skip this ad in 5 seconds