Attack flow | Image: FortiGuard Labs
FortiGuard Labs has uncovered a rapidly spreading phishing campaign that leverages carefully crafted emails and fake websites to deliver UpCrypter, a sophisticated loader that installs multiple remote access tools (RATs), including PureHVNC, DCRat, and Babylon RAT.
According to the researchers, “These pages are designed to entice recipients into downloading JavaScript files that act as droppers for UpCrypter, malware that ultimately deploys various remote access tools (RATs).”
The campaign uses multiple lures to trick victims:
- Voicemail-Themed Emails – Subject lines like “Missed Phone Call – <Date>” arrive with attachments such as VN0001210000200.html. The embedded script obfuscates URLs and redirects victims to phishing pages while using anti-automation checks to evade analysis.
- Purchase Order Emails – Attachments like 採購訂單.html concatenate Base64 fragments to construct malicious URLs, redirecting users within milliseconds to fake sites personalized with their email domain and logo.
FortiGuard Labs observed that, “although the two phishing mail attachments use slightly different obfuscation, their operational goal is the same: deliver victims to a phishing page that is already personalized with their email, tag them for tracking, and use fragment-based parameter passing to keep the identifier out of network logs.”
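A triage script for attachments of this kind, added here as an example rather than code from FortiGuard Labs or the campaign: it rebuilds the URL an HTML file concatenates from Base64 fragments held in JavaScript variables, reports any identifier carried in the URL fragment (the part after `#`, which browsers never send to servers or proxy logs), and notes the redirect call and the timer delay. The HTML sample is constructed; the domain `example.invalid` and the variable names are assumptions.

```python
import base64
import re
from typing import Dict, List, Optional

# Constructed sample modelled on the purchase-order attachment described above:
# Base64 fragments in variables are joined, decoded with atob() and used for a
# near-instant redirect; the recipient identifier rides in the URL fragment.
SAMPLE_HTML = """<html><body><script>
var a = "aHR0cHM6Ly9leGFt";
var b = "cGxlLmludmFsaWQvbG9n";
var c = "aW4jdXNlckBleGFtcGxlLmludmFsaWQ=";
setTimeout(function(){ window.location.replace(atob(a + b + c)); }, 50);
</script></body></html>"""

_ASSIGN = re.compile(r'\b(?:var|let|const)?\s*(\w+)\s*=\s*["\']([A-Za-z0-9+/=]*)["\']')
_ATOB = re.compile(r'atob\(\s*([^)]*?)\s*\)')
_REDIRECT = re.compile(r'location\.(?:replace|assign|href)|window\.open')
_DELAY = re.compile(r'\}\s*,\s*(\d+)\s*\)')   # trailing "}, <ms>)" of setTimeout

def decode_b64(text: str) -> Optional[str]:
    """Decode Base64 leniently (re-pad, strict alphabet); None if it is not Base64."""
    text = re.sub(r'\s+', '', text)
    try:
        return base64.b64decode(text + '=' * (-len(text) % 4), validate=True).decode()
    except (ValueError, UnicodeDecodeError):
        return None

def resolve_atob_urls(html: str) -> List[str]:
    """Rebuild each atob() argument from inline literals and concatenated variables."""
    symbols: Dict[str, str] = dict(_ASSIGN.findall(html))
    urls: List[str] = []
    for arg in _ATOB.findall(html):
        parts = [symbols.get(t.strip().strip('"\''), t.strip().strip('"\''))
                 for t in arg.split('+')]
        decoded = decode_b64(''.join(parts))
        if decoded and re.match(r'https?://', decoded):
            urls.append(decoded)
    return urls

def triage(html: str) -> Dict[str, object]:
    """Report the indicators these attachments share: hidden URL, fragment id, redirect."""
    urls = resolve_atob_urls(html)
    delay = _DELAY.search(html)
    return {
        "urls": urls,
        "fragment_ids": [u.split('#', 1)[1] for u in urls if '#' in u],
        "redirect": bool(_REDIRECT.search(html)),
        "delay_ms": int(delay.group(1)) if delay else None,
    }
```

Because the identifier never leaves the browser, the fragment id list is the only place a defender will see it short of opening the attachment; proxy logs will record the URL without it.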
Once victims interact with these phishing pages, they are prompted to download a ZIP archive containing a heavily obfuscated JavaScript file. This file uses junk code padding and stealthy PowerShell execution to launch the next stage without visible alerts.
Researchers explained: “The downloaded ZIP archive contains a heavily obfuscated JavaScript file… Finally, it calls ShellExecute to run PowerShell with ‘-ExecutionPolicy bypass’ and the decoded command using a window style of 0.”
UpCrypter then:
- Verifies connectivity (e.g., pinging Google).
- Conducts anti-analysis checks, restarting the system if sandbox or forensic tools are detected.
- Downloads and executes an MSIL loader, sometimes embedded in images using steganography.
This MSIL loader ensures persistence, mimics outdated Internet Explorer headers for downloads, and decodes further payloads for in-memory execution.
The ultimate goal is deploying RATs capable of giving attackers full control over compromised systems. FortiGuard confirmed: “In this campaign, UpCrypter is used as the central loader framework to stage and deploy multiple remote access tools. The observed payloads include PureHVNC, DCRat, and Babylon RAT. Each enables full remote control of compromised systems.”
These RATs provide capabilities ranging from surveillance and credential theft to command execution and lateral movement, making them highly valuable for cybercriminals.
FortiGuard warns that this is not a localized campaign. “Our telemetry indicates that this campaign is not limited to one region. Instead, it is operating on a truly global scale. In just two weeks, the detection count has more than doubled, reflecting a rapid and aggressive growth pattern.”
The impact spans industries including manufacturing, technology, healthcare, construction, and retail/hospitality, underscoring the breadth of the targeting.