Paubox blog: HIPAA compliant email - easy setup, no portals or passcodes

Attackers use UpCrypter in phishing emails disguised as voicemails

Written by Gugu Ntsele | August 27, 2025

Cybersecurity researchers have flagged a new phishing campaign that uses fake voicemails and purchase orders to deliver a malware loader called UpCrypter, primarily targeting manufacturing, technology, healthcare, construction, and retail sectors worldwide since August 2025.


What happened

Fortinet FortiGuard Labs discovered attackers using crafted emails to deliver malicious URLs linked to convincing phishing pages. These pages entice recipients to download JavaScript files that act as droppers for UpCrypter. The campaign has infected users primarily in Austria, Belarus, Canada, Egypt, India, and Pakistan.

UpCrypter is a conduit for various remote access tools (RATs), including PureHVNC RAT, DCRat (aka DarkCrystal RAT), and Babylon RAT, all of which give attackers full control of a compromised host. The infection chain begins with phishing emails using voicemail and purchase-order themes to deceive recipients into clicking links that lead to fake landing pages.

The lure pages display the victim's domain string in banners and fetch the domain's logo to reinforce authenticity. Downloaded payloads contain ZIP archives with obfuscated JavaScript files that contact external servers for next-stage malware after confirming internet connectivity and scanning for forensic tools.
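The first hard control point in this chain is the attachment itself: a ZIP that carries an obfuscated .js file is something a mail gateway or SOC analyst can catch before anyone reaches the lure page. The following is an added example (not Fortinet's, Paubox's, or the malware's code): it builds a constructed ZIP in memory, flags members with script-host extensions, and scores their text with a few cheap obfuscation indicators. The extension list, the marker regexes, the threshold of 5, and the sample scripts are all assumptions of this example.

```python
"""Triage a mail attachment: flag ZIP archives that carry script droppers.

Added example, not Fortinet's or Paubox's code. It builds a constructed ZIP
in memory (no real malware inside) and applies two checks a mail gateway or
SOC analyst can run before anything reaches a user: does the archive hold
files Windows would run with the script host, and does their content look
obfuscated?
"""
from __future__ import annotations

import io
import re
import zipfile
from pathlib import PurePosixPath

# Extensions the Windows Script Host / mshta will execute on double-click
# (assumed list; extend it to match your own gateway policy).
SCRIPT_EXTENSIONS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta"}

# Cheap obfuscation indicators: hex and URL escapes, character-code building,
# dynamic evaluation, and WSH objects a dropper uses to reach the network.
OBFUSCATION_MARKERS = [
    re.compile(r"\\x[0-9a-fA-F]{2}"),                    # "\x68\x74..." escapes
    re.compile(r"%[0-9a-fA-F]{2}"),                       # "%76%61..." escapes
    re.compile(r"\bfromCharCode\b"),                      # string built from codes
    re.compile(r"\b(?:eval|unescape|Function)\s*\("),     # dynamic evaluation
    re.compile(r"\bActiveXObject\b|\bWScript\.Shell\b"),  # WSH / COM access
]

# Constructed sample resembling an obfuscated dropper. It is inert test input
# for the heuristics, not a real loader.
OBFUSCATED_JS = (
    "var _0x4f2a=['\\x68\\x74\\x74\\x70','\\x47\\x45\\x54','\\x6f\\x70\\x65\\x6e'];"
    "var q=String.fromCharCode(104,116,116,112);"
    "eval(unescape('%76%61%72%20%78%3d%31'));"
)
BENIGN_JS = "function add(a, b) {\n  return a + b;\n}\nconsole.log(add(1, 2));\n"


def obfuscation_score(source: str) -> int:
    """Count obfuscation indicators in a script's text (higher = more suspect)."""
    return sum(len(pattern.findall(source)) for pattern in OBFUSCATION_MARKERS)


def triage_zip(data: bytes, threshold: int = 5) -> list[dict]:
    """Return a finding for every script-type member of the archive."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            # suffix looks at the LAST extension, so "Voicemail.wav.js" is ".js".
            suffix = PurePosixPath(info.filename).suffix.lower()
            if suffix not in SCRIPT_EXTENSIONS:
                continue
            text = archive.read(info).decode("utf-8", errors="replace")
            score = obfuscation_score(text)
            findings.append({
                "member": info.filename,
                "score": score,
                "verdict": "block" if score >= threshold else "review",
            })
    return findings


def build_sample_zip() -> bytes:
    """Constructed attachment: a disguised dropper, a decoy PDF and a plain script."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as archive:
        archive.writestr("Voicemail_Message.wav.js", OBFUSCATED_JS)
        archive.writestr("PO_4471.pdf", b"%PDF-1.4\n% constructed placeholder\n")
        archive.writestr("helper.js", BENIGN_JS)
    return buf.getvalue()


if __name__ == "__main__":
    for finding in triage_zip(build_sample_zip()):
        print(f"{finding['verdict']:6} score={finding['score']:2}  {finding['member']}")
```

The double-extension trick ("Voicemail_Message.wav.js") is caught because only the last suffix decides what Windows runs; the decoy PDF is ignored, and a plain script with no indicators is surfaced for review rather than blocked, which is the behaviour you want for a heuristic rather than a signature.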


Going deeper

UpCrypter operates through multiple delivery methods. The JavaScript version contacts servers to obtain final payloads either as plain text or embedded within images. The MSIL (Microsoft Intermediate Language) loader conducts anti-analysis and anti-virtual machine checks before downloading three different payloads: an obfuscated PowerShell script, a DLL, and the main payload.

The chain ends with the PowerShell script using the DLL loader to bring the final payload directly into memory rather than writing it to disk, which leaves little for file-based scanners to find. Layered obfuscation, combined with several different paths for delivering Remote Access Trojans (RATs), lets the operators evade security controls and stay active across varied environments.
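Because the JavaScript stage can fetch its next payload "embedded within images", a useful triage step is to check whether an image file carries data beyond its end-of-image marker. This is an added example, not the malware's or Fortinet's code; the page does not say exactly where UpCrypter embeds its payload, so the check below targets one common placement (a blob appended after the PNG IEND chunk or the JPEG EOI marker) and should be read as a generic check, not a signature. The images and the payload are constructed in code.

```python
"""Detect a payload appended after an image's end-of-image marker.

Added example, not the malware's or Fortinet's code. Placing a blob after
the PNG IEND chunk or the JPEG EOI marker is one common way to hide a
payload in an "image": viewers ignore the tail, but a loader can strip the
picture and keep the rest. Whether UpCrypter uses this exact placement is
not stated on the page this accompanies, so treat this as a generic triage
check. The images and the payload below are constructed; no real sample is used.
"""
from __future__ import annotations

import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
JPEG_SOI = b"\xff\xd8"
JPEG_EOI = b"\xff\xd9"


def png_end_offset(data: bytes) -> int | None:
    """Walk the PNG chunk list and return the offset just past IEND's CRC.

    Walking chunks (length, type, data, CRC) instead of searching for the
    bytes b"IEND" means a payload that itself contains "IEND" cannot fool us.
    """
    if not data.startswith(PNG_SIGNATURE):
        return None
    pos = len(PNG_SIGNATURE)
    while pos + 8 <= len(data):
        length, chunk_type = struct.unpack(">I4s", data[pos:pos + 8])
        pos += 8 + length + 4          # header + data + CRC
        if chunk_type == b"IEND":
            return pos
    return None


def jpeg_end_offset(data: bytes) -> int | None:
    """Walk JPEG segments up to SOS, then locate the real EOI marker.

    Segments before SOS (APPn, DQT, SOF, ...) are skipped by their length
    field, which also skips EXIF thumbnails that carry their own FFD9.
    Inside entropy-coded scan data 0xFF is always followed by 0x00 or an
    RSTn marker, so the first FFD9 after SOS is the genuine end of image.
    """
    if not data.startswith(JPEG_SOI):
        return None
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            return None                 # malformed segment boundary
        marker = data[pos + 1]
        if marker == 0xDA:              # SOS
            eoi = data.find(JPEG_EOI, pos)
            return None if eoi == -1 else eoi + 2
        if marker in (0x01, 0xD8) or 0xD0 <= marker <= 0xD7:
            pos += 2                    # standalone markers have no length
            continue
        (segment_len,) = struct.unpack(">H", data[pos + 2:pos + 4])
        pos += 2 + segment_len
    return None


def trailing_payload(data: bytes) -> bytes | None:
    """Return bytes found after the image's end marker, or None if clean."""
    end = png_end_offset(data)
    if end is None:
        end = jpeg_end_offset(data)
    if end is None:
        return None                     # not a PNG/JPEG we could parse
    tail = data[end:]
    return tail or None


# --- constructed test images -------------------------------------------------

def _png_chunk(chunk_type: bytes, body: bytes) -> bytes:
    crc = zlib.crc32(chunk_type + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + chunk_type + body + struct.pack(">I", crc)


def build_minimal_png() -> bytes:
    """A valid 1x1 8-bit grayscale PNG."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00")   # filter byte + one pixel
    return (PNG_SIGNATURE + _png_chunk(b"IHDR", ihdr)
            + _png_chunk(b"IDAT", idat) + _png_chunk(b"IEND", b""))


def build_jpeg_skeleton() -> bytes:
    """Structurally valid JPEG marker layout (APP0, SOS, stuffed scan bytes, EOI).

    It is not a decodable picture; it only exercises the segment walker.
    """
    app0 = b"\xff\xe0" + struct.pack(">H", 16) + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    sos = b"\xff\xda" + struct.pack(">H", 8) + b"\x01\x01\x00\x00\x3f\x00"
    scan = b"\x12\x34\xff\x00\x56"      # 0xFF00 is a stuffed byte, not a marker
    return JPEG_SOI + app0 + sos + scan + JPEG_EOI


# Constructed payload that deliberately contains "IEND" and FFD9 bytes to show
# that the parsers are not confused by marker look-alikes in the tail.
SAMPLE_PAYLOAD = b"IEND\xff\xd9" + b"constructed stage-2 blob"


if __name__ == "__main__":
    for name, image in [("png", build_minimal_png()), ("jpeg", build_jpeg_skeleton())]:
        print(name, "clean:", trailing_payload(image) is None,
              "| tail found:", trailing_payload(image + SAMPLE_PAYLOAD) == SAMPLE_PAYLOAD)
```

The parsers deliberately walk the file structure instead of searching for the end-marker bytes: a payload that contains "IEND" or FFD9 would otherwise be cut short or missed, and an EXIF thumbnail (which has its own FFD9) would produce a false positive. A non-empty tail on an image fetched by a script is a strong reason to pull the file and the script for analysis; a payload hidden inside pixel data rather than appended needs a different check.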


What was said

Fortinet FortiGuard Labs researcher Cara Lin said the campaign leverages "carefully crafted emails to deliver malicious URLs linked to convincing phishing pages." She explained that "these pages are designed to entice recipients into downloading JavaScript files that act as droppers for UpCrypter."

Lin further stated, "The lure page is designed to appear convincing by not only displaying the victim's domain string in its banner but also fetching and embedding the domain's logo within the page content to reinforce authenticity."

She concluded, "This combination of an actively maintained loader, layered obfuscation, and diverse RAT delivery demonstrates an adaptable threat delivery ecosystem capable of bypassing defenses and maintaining persistence across different environments."

In a separate report on a different campaign, one that abused Google Classroom invitations rather than voicemail lures, Check Point noted that "attackers exploited this trust by sending fake invitations that contained unrelated commercial offers, ranging from product reselling pitches to SEO services."


By the numbers

  • Over 115,000 phishing emails distributed in the separate Check Point-reported Google Classroom campaign
  • 13,500 organizations targeted by that Google Classroom campaign between August 6-12, 2025
  • UpCrypter primary infection regions: Austria, Belarus, Canada, Egypt, India, and Pakistan
  • UpCrypter target sectors: manufacturing, technology, healthcare, construction, and retail/hospitality
  • UpCrypter campaign active since the start of August 2025

In the know

UpCrypter is a malware loader whose job is to deliver Remote Access Tools (RATs) that hand attackers complete control of compromised systems. The loader uses steganography, retrieving payloads hidden inside otherwise ordinary image files so that the download looks benign to file and network inspection. Other recently reported campaigns rely instead on living-off-trusted-sites (LOTS) techniques, abusing legitimate services such as Microsoft 365 Direct Send, OneNote, and Google Classroom so that messages inherit those platforms' trusted reputations and pass through filters that would block an unknown sender.


Why it matters

This campaign targets healthcare organizations alongside other sectors, which makes it relevant to HIPAA-covered entities. Healthcare is exposed because patient care coordination runs heavily on email and other digital communication, and a voicemail notification fits everyday clinical workflows in which voice messages may carry patient information or urgent care instructions, so staff are primed to open it quickly and without scrutiny.


The bottom line

Healthcare organizations must implement email security controls and employee training that specifically address voicemail-themed phishing. Because the lure pages are personalized with the recipient's own domain name and fetched company logo, visual verification of a page is not enough to establish authenticity. Organizations should establish out-of-band verification procedures for unexpected voicemail notifications and purchase orders, especially those that request a download or carry external links, and should block or quarantine script files (such as .js) arriving inside ZIP attachments.

Related: HIPAA Compliant Email: The Definitive Guide


FAQs

How does UpCrypter differ from other malware loaders?

Rather than one unique trick, UpCrypter stands out for combining several: payloads hidden inside images (steganography), anti-analysis and anti-virtual-machine checks before each stage, and in-memory loading of the final RAT so that little is written to disk for forensic tools to find.


Why are voicemail-themed lures particularly effective?

They exploit urgency and familiarity in workplace communication, prompting quick clicks without scrutiny.


Are small organizations equally at risk as large enterprises?

Yes, attackers target both, as smaller firms may lack advanced defenses while larger ones yield greater payoff.