By using this site, you agree to the Privacy Policy and Terms of Use.
Accept
World of SoftwareWorld of SoftwareWorld of Software
  • News
  • Software
  • Mobile
  • Computing
  • Gaming
  • Videos
  • More
    • Gadget
    • Web Stories
    • Trending
    • Press Release
Search
  • Privacy
  • Terms
  • Advertise
  • Contact
Copyright © All Rights Reserved. World of Software.
Reading: Phishing Campaign Uses UpCrypter in Fake Voicemail Emails to Deliver RAT Payloads
Share
Sign In
Notification Show More
Font ResizerAa
World of SoftwareWorld of Software
Font ResizerAa
  • Software
  • Mobile
  • Computing
  • Gadget
  • Gaming
  • Videos
Search
  • News
  • Software
  • Mobile
  • Computing
  • Gaming
  • Videos
  • More
    • Gadget
    • Web Stories
    • Trending
    • Press Release
Have an existing account? Sign In
Follow US
  • Privacy
  • Terms
  • Advertise
  • Contact
Copyright © All Rights Reserved. World of Software.
World of Software > Computing > Phishing Campaign Uses UpCrypter in Fake Voicemail Emails to Deliver RAT Payloads
Computing

Phishing Campaign Uses UpCrypter in Fake Voicemail Emails to Deliver RAT Payloads

News Room
Last updated: 2025/08/25 at 1:57 PM
News Room Published 25 August 2025
Share
SHARE

Cybersecurity researchers have flagged a new phishing campaign that’s using fake voicemails and purchase orders to deliver a malware loader called UpCrypter.

The campaign leverages “carefully crafted emails to deliver malicious URLs linked to convincing phishing pages,” Fortinet FortiGuard Labs researcher Cara Lin said. “These pages are designed to entice recipients into downloading JavaScript files that act as droppers for UpCrypter.”

Attacks propagating the malware have been primarily targeting manufacturing, technology, healthcare, construction, and retail/hospitality sectors across the world since the start of August 2025. The vast majority of the infections have been observed in Austria, Belarus, Canada, Egypt, India, and Pakistan, among others.

UpCrypter functions as a conduit for various remote access tools (RATs), such as PureHVNC RAT, DCRat (aka DarkCrystal RAT), and Babylon RAT, each of which enable an attacker to take full control of compromised hosts.

The starting point of the infection chain is a phishing email using themes related to voicemail messages and purchases to deceive recipients into clicking on links that direct to fake landing pages, from where they are prompted to download the voice message or a PDF document.

Cybersecurity

“The lure page is designed to appear convincing by not only displaying the victim’s domain string in its banner but also fetching and embedding the domain’s logo within the page content to reinforce authenticity,” Fortinet said. “Its primary purpose is to deliver a malicious download.”

The downloaded payload is a ZIP archive containing an obfuscated JavaScript file, which subsequently contacts an external server to fetch the next-stage malware, but only after confirming internet connectivity and scanning running processes for forensic tools, debuggers, or sandbox environments.

The loader, in turn, contacts the same server to obtain the final payload, either in the form of plain text or embedded within a harmless-looking image, a technique called steganography.

Fortinet said UpCrypter is also distributed as an MSIL (Microsoft Intermediate Language) loader that, like its JavaScript counterpart, conducts anti-analysis and anti-virtual machine checks, after which it downloads three different payloads: an obfuscated PowerShell script, a DLL, and the main payload.

The attack culminates with the script embedding data from the DLL loader and the payload during execution, thus allowing the malware to be run without writing it to the file system. This approach also has the advantage of minimizing forensic traces, thereby allowing the malware to fly under the radar.

“This combination of an actively maintained loader, layered obfuscation, and diverse RAT delivery demonstrates an adaptable threat delivery ecosystem capable of bypassing defenses and maintaining persistence across different environments,” Lin said.

The disclosure comes as Check Point detailed a large-scale phishing campaign abusing Google Classroom to distribute more than 115,000 phishing emails aimed at 13,500 organizations across multiple industries between August 6 and 12, 2025. The attacks target organizations in Europe, North America, the Middle East, and Asia.

“Attackers exploited this trust by sending fake invitations that contained unrelated commercial offers, ranging from product reselling pitches to SEO services,” the company said. “Each email directed recipients to contact scammers via a WhatsApp phone number, a tactic often linked to fraud schemes.”

The attack bypasses security systems because it leverages the trust and reputation of Google Classroom’s infrastructure to bypass key email authentication protocols, such as SPF, DKIM, and DMARC, and helps land the phishing emails in users’ inboxes.

These campaigns are part of a larger trend where threat actors take advantage of legitimate services like Microsoft 365 Direct Send and OneNote, not to mention abuse free artificial intelligence (AI)-powered website builder like Vercel and Flazio, as well as services such as Discord CDN, SendGrid, Zoom, ClickFunnels, Jotform, and X’s t[.]co link shortener – an approach known as living-off-trusted-sites (LOTS).

Identity Security Risk Assessment

“After the threat actor gained M365 credentials of one user in an organization through a phishing attack, they created a OneNote file in the compromised user’s personal Documents folder on OneDrive, embedding the lure URL for the next phishing stage,” Varonis said in a report published last month.

The misuse of Direct Send has prompted Microsoft to introduce an option for organizations called “Reject Direct Send” to directly address the issue. Alternatively, customers can also apply custom header stamping and quarantine policies to detect emails that claim to be internal communication but, in reality, aren’t.

These developments have also been accompanied by attackers increasingly relying on client-side evasion techniques in phishing pages to stay ahead of both automated detection systems and human analysts. This includes the use of JavaScript-based blocking, Browser-in-the-Browser (BitB) templates, and hosting the pages inside virtual desktop environments using noVNC.

“A notable method growing in popularity is the use of JavaScript-based anti-analysis scripts; small but effective bits of code embedded in phishing pages, fake tech support sites, and malicious redirects,” Doppel said. “Once any such activity is identified, the site immediately redirects the user to a blank page or disables further interaction, blocking access before any deeper inspection can occur.”

Sign Up For Daily Newsletter

Be keep up! Get the latest breaking news delivered straight to your inbox.
By signing up, you agree to our Terms of Use and acknowledge the data practices in our Privacy Policy. You may unsubscribe at any time.
Share This Article
Facebook Twitter Email Print
Share
What do you think?
Love0
Sad0
Happy0
Sleepy0
Angry0
Dead0
Wink0
Previous Article Samsung is back to mocking Apple and you’re going to love its latest trolling ad
Next Article Elon Musk’s xAI is suing OpenAI and Apple
Leave a comment

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Stay Connected

248.1k Like
69.1k Follow
134k Pin
54.3k Follow

Latest News

Elon Musk accuses Apple and OpenAI of stifling AI competition in antitrust lawsuit
News
I Accidentally Gave My PIN to an AI—Here’s What Happened Next
Computing
Elon Musk’s xAI sues Apple and OpenAI over App Store drama
News
XRP Holds After Heavy Whale Distribution, But Is The Next Big Winner Found Somewhere Else? | HackerNoon
Computing

You Might also Like

Computing

I Accidentally Gave My PIN to an AI—Here’s What Happened Next

7 Min Read
Computing

XRP Holds After Heavy Whale Distribution, But Is The Next Big Winner Found Somewhere Else? | HackerNoon

8 Min Read
Computing

Alaska Airlines adds facial recognition tech at automated bag drop kiosks in Seattle and Portland

2 Min Read
Computing

Show your friends these 5 shows and they’ll finally get hooked on anime

8 Min Read
//

World of Software is your one-stop website for the latest tech news and updates, follow us now to get the news that matters to you.

Quick Link

  • Privacy Policy
  • Terms of use
  • Advertise
  • Contact

Topics

  • Computing
  • Software
  • Press Release
  • Trending

Sign Up for Our Newsletter

Subscribe to our newsletter to get our newest articles instantly!

World of SoftwareWorld of Software
Follow US
Copyright © All Rights Reserved. World of Software.
Welcome Back!

Sign in to your account

Lost your password?