A global phishing campaign using personalized emails and fake websites to deliver malicious downloads has been identified by cybersecurity researchers.
According to a new advisory by FortiGuard Labs, the operation employs a custom loader called UpCrypter to install a range of remote access tools (RATs), giving attackers prolonged control of compromised systems.
How the Attack Works
The campaign begins with phishing emails carrying HTML attachments that redirect victims to spoofed websites. These sites are tailored to each recipient by embedding their email address and even fetching their company logo, increasing the illusion of legitimacy.
Variants of the campaign use themes such as:
-
A voicemail-themed email claiming the recipient missed a call, with an HTML attachment that silently redirects the browser to a phishing site
-
A purchase order spoof written in Chinese, carrying an HTML attachment that builds a malicious URL and steers the victim to a counterfeit page
Once redirected, users are urged to download a ZIP archive containing an obfuscated JavaScript file. This script executes PowerShell commands, evades detection tools and retrieves the next payload from attacker-controlled servers.
In some cases, data is hidden inside image files using steganography to avoid security scans.
Read more on phishing campaigns: 752,000 Browser Phishing Attacks Mark 140% Increase YoY
UpCrypter as a Delivery Hub
UpCrypter, a loader maintained by its developer and showcased on YouTube, plays a central role in the observed campaign. It checks for forensic tools, virtual machines and sandboxes before running.
If analysis is suspected, the malware forces a system restart to disrupt investigations. Once validated, it downloads additional components, executes them in memory and establishes persistence by altering registry keys.
The final payloads observed include PureHVNC, DCRat and Babylon RAT. These tools allow attackers to perform actions such as keylogging, file theft and full remote control of a target’s machine.
Growing Global Reach
FortiGuard Labs noted that the campaign is expanding quickly, with detections doubling in just two weeks. The industries most affected include manufacturing, technology, healthcare, construction and retail/hospitality.
Researchers emphasized that this is not a straightforward phishing scheme to steal email credentials, but rather a comprehensive attack chain that installs sophisticated malware within corporate environments.
“Users and organizations should take this threat seriously, use strong email filters and make sure staff are trained to recognize and avoid these types of attacks,” Fortinet concluded.
