Fortinet's FortiGuard Labs has uncovered a highly-sophisticated phishing campaign targeting Microsoft Windows systems with a high-severity risk profile. The campaign uses deceptive emails, malicious JavaScript droppers, and a stealthy loader—UpCrypter—to deploy a suite of Remote Access Tools (RATs), enabling deep system compromise.
According to an August 25th blog post, the campaign kicks off with fake voicemails or purchase-order-style emails designed to appear legitimate. Recipients are lured to click on embedded URLs that lead to highly convincing phishing pages. These landing pages bolster credibility by embedding the victim's domain logo and banner—strategies aimed at bypassing user skepticism and detection systems.
Once the link is clicked, the user is prompted to download a ZIP file containing an obfuscated JavaScript dropper that serves as the first stage for deploying UpCrypter.
Upon execution, the JavaScript loader performs checks for internet connectivity and scans for forensic tools, debuggers, or sandbox environments—an anti-analysis gate to hinder detection.
The loader then fetches the final payload, often concealed using steganography—embedded within benign-looking images or delivered as plain text.
Variants also exist as MSIL (Microsoft Intermediate Language) loaders, which perform similar anti-analysis checks before retrieving a trio of payloads: an obfuscated PowerShell script, a DLL loader, and the primary RAT executable. Notably, the payload runs in-memory, avoiding disk writes and leaving minimal forensic evidence.
The final payload doles out RATs like PureHVNC, DCRat (DarkCrystal RAT), and Babylon RAT—each capable of full remote system control.
The modularity allows attackers to tailor operations post-compromise—whether for surveillance, data exfiltration, or persistence depending on the victim environment and objectives.
Fortinet and other cybersecurity watchdogs have observed attacks across multiple industries—manufacturing, technology, healthcare, construction, and retail/hospitality—since early August 2025. Geographically, targets span Austria, Belarus, Canada, Egypt, India, and Pakistan, illustrating the campaign's global reach.
Here are some key threat elements and related security concerns:
-
Phishing sophistication: Domain-specific branding increases phishing success rates.
-
Anti-Analysis and Stealth: Environmental detection blocks and in-memory payloads hinder detection.
-
Modular RAT deployment: Scalable attacks facilitate custom responses post-compromise.
-
Cross-sector targeting: Broad sector targeting demands industry-agnostic defense strategies.
Recommended defenses include:
-
Enhancing phishing detection through domain-targeted anomaly detection and employee training to spot disguised voicemails or PO lures.
-
Blocking malicious JavaScript loaders via web filtering—especially from embedded phishing pages.
-
Deploying on-device behavioral monitoring to detect script-driven load behavior, process injection, and steganographic delivery.
-
Ensuring memory-resident threat detection with EDR/XDR solutions capable of capturing in-memory-only threats.
-
Investing in RAT-specific detection signatures and threat intelligence to quickly identify and isolate RAT activity.
According to FortiGuard Labs, the UpCrypter phishing campaign represents a next-gen threat—marked by tailored phishing, layered evasion, and modular RAT distribution. Security teams must elevate their detection and response capabilities—from better phishing resistance to enhanced behavioral analysis, particularly for stealthy, in-memory threats.
We asked some SMEs from cybersecurity vendors for their thoughts on UpCrypter and similar phishing campaign threats.
Frankie Sclafani, Director of Cybersecurity Enablement at Deepwatch, said:
-
"Organizations worldwide need to be aware that the UpCrypter phishing campaign is a highly sophisticated and dangerous threat. This is a complete attack process designed to secretly install a persistent malicious payload inside your network. The campaign is operating on a truly global scale. According to FortiGuard Labs, in just two weeks, the detection count has more than doubled, reflecting a rapid and aggressive growth pattern. The campaign affects multiple industries, including technology, healthcare, manufacturing, and construction, indicating it's likely tied to a sophisticated cybercrime group."
-
"The attackers are using clever tactics to trick victims and avoid detection. The campaign uses carefully crafted emails that lead victims to spoofed websites personalized with their email domain, which enhances credibility. The malicious code is heavily obfuscated and padded with large amounts of junk code to conceal its purpose. The malware scans for and restarts the system if it detects forensic tools, debuggers, or virtual machine environments like any.run or Wireshark. UpCrypter uses PowerShell and .NET reflection to execute subsequent stages of the attack directly in memory without writing the final payload to the disk. Additionally, the loader data is delivered in two formats—plain text and embedded within an image file using a form of steganography—to evade static detection. Finally, the campaign delivers various Remote Access Tools (RATs) such as PureHVNC, DCRat, and Babylon RAT, allowing attackers to gain full remote control of compromised systems."
-
"Security teams must take this threat seriously and build a multi-layered defense. Use strong email filters to detect and block malicious emails before they reach employees' inboxes. Employee training is crucial; staff must be trained to recognize and avoid these types of attacks, which often use convincing lures like fake voicemail or purchase order notifications. Ensure your WAFs, mail filters, EDR, and AntiVirus are up-to-date, as the malware is detected and blocked by tools like FortiGuard Antivirus. Smart security teams will proactively block these attacks by using threat intelligence services and by implementing the provided Indicators of Compromise (IOCs)."
-
"To stop malicious scripts like those used in this campaign, security teams should implement several crucial controls. These include enforcing PowerShell script signing, which configures PowerShell to only run scripts that have a valid digital signature from a trusted publisher. You can also use Constrained Language Mode, which limits the functionality of PowerShell, preventing the use of sensitive cmdlets and .NET classes often leveraged by malware. If not required for daily operations, restrict PowerShell execution for standard users by adjusting the execution policy to a more restrictive setting, such as AllSigned or RemoteSigned. However, the most effective control you can implement is Application Allowlisting. By implementing an allowlist, security teams can prevent the malicious JavaScript droppers and subsequent RAT payloads from running, neutralizing the threat even if a user is tricked into downloading the file."
J Stephen Kowski, Field CTO at SlashNext Email Security+, said:
-
"This phishing campaign is tricky because it personalizes fake websites with the victim's own email and company logo, making the scam look real. The malicious files delivered are not just for stealing passwords but for installing powerful remote access tools that give attackers long-term control. What's most important to understand is that this isn't a one-time data theft—it's a full system breach that can spread quietly inside company networks."
-
"Teams should focus on catching these threats before users click, since blocking at the email and web layer is the fastest defense. Automated detection that looks past obfuscation in scripts and phishing sites is key, because traditional filters often miss the tricks used here. Training staff to spot lures like fake voicemails or order requests helps, but pairing that with threat detection that stops malicious downloads in real time is what really keeps attackers out."
John Bambenek, President at Bambenek Consulting, said:
-
"Various fake voicemail and fake invoice phishing lures remain popular for attackers simply because they work. In this case, however, looking for the chain of events of opening an HTML attachment in email that leads to PowerShell usage provides an easy, and quick, win to detection (and hopefully prevent) this chain of events. Not every user needs access to PowerShell and certainly not when the chain starts from Outlook.exe."
