
Cybersecurity researchers have identified a surge of phishing emails targeting Microsoft Windows devices. Fortinet’s FortiGuard Labs tracks activity related to UpCrypter, a loader designed to install multiple types of remote access tools (RATs) that enable attackers to maintain prolonged access to compromised machines.
The phishing emails arrive disguised as missed voicemails or purchase orders. Victims who click on the attachments are redirected to fake websites, designed to appear convincing, often featuring company logos to increase trust.
According to Fortinet, these phishing pages prompt users to download a ZIP file containing a heavily disguised JavaScript dropper. Once opened, the script triggers PowerShell commands in the background that connect to attacker-controlled servers for the next stage of malware.
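The chain just described (a JavaScript dropper that launches PowerShell to fetch the next stage) leaves a recognisable parent/child trace in endpoint telemetry. The following script is an added example written for this page, not Fortinet's detection logic: it scores process-creation records for a script host spawning PowerShell together with download-cradle traits on the command line. The record format (`pid=..|parent=..|image=..|cmd=..`) and the sample records are constructed for the example.

```python
"""Flag the script-host -> PowerShell lineage described in the report.

Added example, not Fortinet's detection logic. The records below are
constructed to resemble process-creation telemetry (parent image, image,
command line); the 'pid=..|parent=..|image=..|cmd=..' field format is an
assumption made for this example.
"""
import ntpath
import re
from dataclasses import dataclass

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}

# Command-line traits commonly seen when PowerShell is used as a download
# stage: encoded command, hidden window, profile suppression, web fetch.
CRADLE_PATTERNS = {
    "encoded command": re.compile(r"-(?:e|ec|enc|encodedcommand)\b", re.I),
    "hidden window": re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
    "no profile": re.compile(r"-nop(?:rofile)?\b", re.I),
    "web fetch": re.compile(
        r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|net\.webclient", re.I),
}


@dataclass
class ProcEvent:
    pid: int
    parent_image: str
    image: str
    cmdline: str


def parse_event(line: str) -> ProcEvent:
    """Parse one constructed telemetry record into a ProcEvent."""
    fields = dict(part.split("=", 1) for part in line.strip().split("|", 3))
    return ProcEvent(
        pid=int(fields["pid"]),
        parent_image=ntpath.basename(fields["parent"]).lower(),
        image=ntpath.basename(fields["image"]).lower(),
        cmdline=fields["cmd"],
    )


def score_event(ev: ProcEvent):
    """Return (score, reasons). Lineage alone or one marker alone is weak
    evidence; the combination is what characterises the dropper chain."""
    reasons = []
    if ev.image in POWERSHELL:
        if ev.parent_image in SCRIPT_HOSTS:
            reasons.append(f"powershell spawned by {ev.parent_image}")
        reasons += [name for name, pat in CRADLE_PATTERNS.items()
                    if pat.search(ev.cmdline)]
    return len(reasons), reasons


def triage(lines, threshold: int = 2):
    """Return [(pid, reasons)] for events scoring at or above the threshold."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        score, reasons = score_event(ev)
        if score >= threshold:
            hits.append((ev.pid, reasons))
    return hits


# Constructed sample telemetry: one dropper-style chain, one scripted backup,
# one interactive PowerShell launched from cmd.exe with a single weak marker.
SAMPLE_TELEMETRY = [
    "pid=4120|parent=C:\\Windows\\explorer.exe|image=C:\\Windows\\System32\\wscript.exe"
    "|cmd=wscript.exe C:\\Users\\u\\Downloads\\voicemail.js",
    "pid=4188|parent=C:\\Windows\\System32\\wscript.exe"
    "|image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
    "|cmd=powershell.exe -nop -w hidden -enc AAAA",
    "pid=5010|parent=C:\\Windows\\explorer.exe"
    "|image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
    "|cmd=powershell.exe -File C:\\scripts\\backup.ps1",
    "pid=5100|parent=C:\\Windows\\System32\\cmd.exe"
    "|image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
    "|cmd=powershell.exe -nop Get-Date",
]

if __name__ == "__main__":
    for pid, reasons in triage(SAMPLE_TELEMETRY):
        print(pid, "->", "; ".join(reasons))
```

Only the event with both the script-host parent and cradle markers crosses the threshold; the `-nop Get-Date` launch from cmd.exe scores one and is left alone, which is the point of scoring the combination rather than any single trait.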
“These pages are designed to entice recipients into downloading JavaScript files that act as droppers for UpCrypter,” said Cara Lin, a Fortinet FortiGuard Labs researcher.
UpCrypter’s role in the attack chain
Once executed, UpCrypter scans the system to see if it is being analyzed in a sandbox or by forensic tools. If such monitoring is detected, the loader forces a reboot to break the investigation.
If no obstacles are found, the malware proceeds to download and run further payloads. In some cases, attackers conceal these files inside images through steganography, a tactic that helps bypass antivirus software detection.
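Images used as payload carriers can be triaged without decoding the image itself. The script below is an added example for this page, not code from Fortinet's report, and it covers only the simplest concealment technique (an assumption, since the report does not describe the steganographic method): bytes appended after a PNG's IEND chunk or a JPEG's EOI marker. Both sample images are constructed inline.

```python
"""Report bytes that follow an image's end-of-file marker.

Added example, not Fortinet's analysis tooling. It assumes the simplest
form of image-borne payload (data appended after the PNG IEND chunk or the
JPEG EOI marker); the sample images are constructed byte strings.
"""
import struct
import zlib
from typing import Optional

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def png_end_offset(data: bytes) -> Optional[int]:
    """Walk PNG chunks; return the offset just past IEND, or None if malformed."""
    if not data.startswith(PNG_SIG):
        return None
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        pos += 8 + length + 4  # header + chunk data + CRC
        if ctype == b"IEND":
            return pos if pos <= len(data) else None
    return None


def jpeg_end_offset(data: bytes) -> Optional[int]:
    """Return the offset just past the first EOI (FF D9) marker, or None.
    Caveat: embedded EXIF thumbnails carry their own EOI, so a hit here
    deserves a second look rather than an automatic verdict."""
    if not data.startswith(b"\xff\xd8"):
        return None
    idx = data.find(b"\xff\xd9", 2)
    return idx + 2 if idx != -1 else None


def triage_image(data: bytes) -> dict:
    """Classify the format and measure any trailing data after its end marker."""
    for fmt, finder in (("png", png_end_offset), ("jpeg", jpeg_end_offset)):
        end = finder(data)
        if end is not None:
            extra = data[end:]
            return {
                "format": fmt,
                "trailing_len": len(extra),
                "suspicious": len(extra) > 0,
                "trailing_is_ascii": bool(extra) and extra[:64].isascii(),
            }
    return {"format": "unknown", "trailing_len": 0, "suspicious": False,
            "trailing_is_ascii": False}


def _chunk(ctype: bytes, body: bytes) -> bytes:
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def make_png() -> bytes:
    """Build a valid 1x1 RGB PNG (constructed sample, no real picture)."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00\x00\x00")  # filter byte + one RGB pixel
    return PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"")


# Constructed samples: clean images and copies with a placeholder appended.
CLEAN_PNG = make_png()
STEGO_PNG = CLEAN_PNG + b"PLACEHOLDER-APPENDED-PAYLOAD"
CLEAN_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 10 + b"\xff\xd9"
STEGO_JPEG = CLEAN_JPEG + b"APPENDED"

if __name__ == "__main__":
    for label, img in (("clean png", CLEAN_PNG), ("stego png", STEGO_PNG),
                       ("clean jpeg", CLEAN_JPEG), ("stego jpeg", STEGO_JPEG)):
        print(label, triage_image(img))
```

Trailing data is not proof of malice (some editors append metadata), so treat a non-zero `trailing_len` as a reason to pull the file for inspection, not as a verdict.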
The final malware deployed includes:
- PureHVNC, which allows hidden remote desktop access.
- DCRat (DarkCrystal RAT), a multifunction tool for spying and data theft.
- Babylon RAT, which enables attackers to control a device fully.
Fortinet researchers noted that the attackers employ multiple methods to disguise malicious code, including string obfuscation, altering registry settings for persistence, and running code in-memory to prevent leaving traces on the disk.
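The registry-based persistence mentioned above can be audited from a registry export. The script below is an added example for this page, not Fortinet's tooling; because the report does not name the keys involved, it assumes the common `HKCU`/`HKLM ...\CurrentVersion\Run` autostart keys and weights entries that launch a script host or PowerShell, use an encoded command, or run from a user-writable directory. The `.reg` text is a constructed export.

```python
"""Audit Run-key autostart entries for script-host or PowerShell launchers.

Added example, not Fortinet's tooling. The report says the loader alters
registry settings for persistence without naming keys; this assumes the
common HKCU/HKLM ...\\CurrentVersion\\Run keys. The .reg text below is a
constructed export, not data from the report.
"""
import ntpath
import re
import shlex

RUN_KEYS = {
    r"hkey_current_user\software\microsoft\windows\currentversion\run",
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
}
LAUNCHERS = {"wscript.exe", "cscript.exe", "powershell.exe", "pwsh.exe", "mshta.exe"}
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\")
_VALUE_LINE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def _unescape(s: str) -> str:
    """Undo .reg escaping: \\\\ -> \\ and \\" -> \"."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text: str):
    """Yield (key, value_name, string_value) for REG_SZ values in a .reg export."""
    entries, key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and line.startswith('"'):
            m = _VALUE_LINE.match(line)
            if m:
                entries.append((key, _unescape(m.group(1)), _unescape(m.group(2))))
    return entries


def launcher_of(command: str) -> str:
    """Basename of the first command-line token (quoted paths handled)."""
    try:
        tokens = shlex.split(command, posix=False)
    except ValueError:
        return ""
    return ntpath.basename(tokens[0].strip('"')).lower() if tokens else ""


def score_entry(key: str, command: str):
    """Weighted reasons: launcher or encoded command count 2, location counts 1,
    so a legitimate app in AppData alone stays below a threshold of 2."""
    if key.lower() not in RUN_KEYS:
        return 0, []
    low = command.lower()
    reasons = []
    launcher = launcher_of(command)
    if launcher in LAUNCHERS:
        reasons.append((2, f"launched via {launcher}"))
    if re.search(r"-(?:e|ec|enc|encodedcommand)\b", low):
        reasons.append((2, "encoded PowerShell command"))
    if any(d in low for d in USER_WRITABLE):
        reasons.append((1, "runs from a user-writable directory"))
    return sum(w for w, _ in reasons), [r for _, r in reasons]


def audit(text: str, threshold: int = 2):
    """Return flagged entries as dicts with name, score and reasons."""
    findings = []
    for key, name, command in parse_reg_export(text):
        score, reasons = score_entry(key, command)
        if score >= threshold:
            findings.append({"name": name, "score": score, "reasons": reasons})
    return findings


# Constructed export: two benign entries and two launcher-style persistence entries.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\u\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"Updater"="wscript.exe //B \"C:\\Users\\u\\AppData\\Roaming\\upd.js\""
"SysHealth"="powershell.exe -nop -w hidden -enc AAAA"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"VendorAgent"="\"C:\\Program Files\\Vendor\\agent.exe\" /tray"
'''

if __name__ == "__main__":
    for finding in audit(SAMPLE_REG_EXPORT):
        print(finding)
```

The OneDrive entry lives under AppData but scores only 1, so it is not reported; the script-host and encoded-PowerShell entries score 3 and 4 and are. Tune the weights and threshold to the software baseline of the environment being audited.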
Global spread and affected sectors
The phishing campaign has been active since early August 2025 and has shown international reach, with high activity observed in Austria, Belarus, Canada, Egypt, India, and Pakistan.
The sectors hit hardest so far include manufacturing, technology, healthcare, construction, and retail/hospitality. Fortinet researchers also observed that detections doubled in just two weeks, demonstrating the rapid expansion of the operation.
This attack goes beyond stealing usernames and passwords; instead, it delivers a chain of malware designed to remain hidden within corporate systems for extended periods.
As Fortinet concluded, “Users and organizations should take this threat seriously, use strong email filters, and make sure staff are trained to recognize and avoid these types of attacks.”