
A new UpCrypter phishing campaign hides remote access Trojans in fake voicemail emails, using steganography and stealth techniques to bypass security filters.
Cybercriminals often disguise threats in everyday communications. For example, a new global phishing campaign discovered in August 2025 uses fake voicemail and purchase-order emails to deliver a loader named “UpCrypter” that installs remote-access Trojans (RATs) on victim systems. This multi-stage attack has spread worldwide across multiple industries, including manufacturing, healthcare, and retail, demonstrating how attackers continually refine email-based tactics to bypass security filters. UpCrypter gives adversaries a flexible loader that can deploy various RATs (e.g. PureHVNC, DCRat, Babylon) for full control of the compromised system.
Campaign Overview
The attack begins with a seemingly ordinary email. Messages often mimic voicemails or purchase orders, tricking recipients into clicking a link or opening an attachment. That link leads to a spoofed landing page that even displays the victim’s real company domain and logo to appear legitimate. On this page, the user is prompted to download what looks like a voice recording or a PDF document. Instead, they receive a ZIP archive containing a malicious JavaScript dropper. This script verifies internet connectivity and scans for debugging or sandbox tools before proceeding. If the coast is clear, the dropper fetches the next-stage payload from the attacker’s server. That payload is often hidden inside a seemingly harmless image using steganography, making it even harder to detect.
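One defensive check that follows from the steganography step described above, added here as an example and not code from Fortinet's report or from the campaign itself: it assumes the hidden stage is appended after the image's end-of-image marker (a common embedding method; the page does not say which method UpCrypter uses) and flags PNG or JPEG files that carry trailing bytes. Pixel-level (LSB) embedding is not caught by this check, and the sample images below are constructed, not campaign artifacts.

```python
import struct
import zlib
PNG_SIG = b"\x89PNG\r\n\x1a\n"
STUFFED = {0x00, *range(0xD0, 0xD8)}  # FF00 byte stuffing / RSTn markers inside scan data

def png_end(data: bytes):
    """Offset just past the IEND chunk, or None if the chunk structure is broken."""
    pos = len(PNG_SIG)
    while pos + 12 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        pos += 12 + length  # 4 length + 4 type + data + 4 CRC
        if ctype == b"IEND":
            return pos
    return None

def jpeg_end(data: bytes):
    """Offset just past the real EOI. Segments are walked instead of searching for FFD9,
    so an EXIF thumbnail's own EOI is not mistaken for the end of the file."""
    pos = 2  # skip SOI
    while pos + 2 <= len(data) and data[pos] == 0xFF:
        marker = data[pos + 1]
        if marker == 0xD9:  # EOI
            return pos + 2
        if pos + 4 > len(data):
            return None
        pos += 2 + struct.unpack(">H", data[pos + 2:pos + 4])[0]
        if marker == 0xDA:  # SOS: skip entropy-coded data up to the next real marker
            while pos + 1 < len(data) and not (data[pos] == 0xFF and data[pos + 1] not in STUFFED):
                pos += 1
    return None

def trailing_bytes(data: bytes):
    """(format, byte count after image end) for PNG/JPEG; -1 if malformed; None otherwise."""
    if data.startswith(PNG_SIG):
        fmt, end = "png", png_end(data)
    elif data.startswith(b"\xff\xd8"):
        fmt, end = "jpeg", jpeg_end(data)
    else:
        return None
    return fmt, (-1 if end is None else len(data) - end)

# Constructed samples: a 1x1 PNG, and a JPEG skeleton whose APP1 segment holds an FFD9 like an EXIF thumbnail would.
def _chunk(ctype, body):
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", zlib.crc32(ctype + body))
CLEAN_PNG = (PNG_SIG + _chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0))
             + _chunk(b"IDAT", zlib.compress(b"\x00\x00")) + _chunk(b"IEND", b""))
CLEAN_JPEG = b"\xff\xd8\xff\xe1\x00\x04\xff\xd9" + b"\xff\xda\x00\x02\x12\xff\x00\x56" + b"\xff\xd9"
STEGO_PNG = CLEAN_PNG + b"<appended next-stage blob>"   # placeholder standing in for a hidden stage
STEGO_JPEG = CLEAN_JPEG + b"<appended next-stage blob>"
```

A non-zero count is a triage signal, not proof of malice: some editors legitimately append metadata, so pair this with attachment-source context and sandbox detonation of the downloader.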
Advanced Evasion Techniques
The UpCrypter campaign uses multiple layers of obfuscation to stay undetected. Besides the JavaScript dropper, attackers also distribute a .NET (MSIL) variant of UpCrypter, which performs similar anti-analysis and anti-virtualization checks. After passing these checks, the MSIL loader downloads three components: an obfuscated PowerShell script, a DLL loader, and the main payload. The PowerShell script then injects the DLL and payload into memory during execution, so the malicious code never touches the file system. This “fileless” execution leaves minimal forensic evidence, allowing the malware to fly under the radar. Fortinet notes that this layered obfuscation and use of diverse RATs makes the campaign highly adaptable and persistent.
Affected Industries and Global Reach
Fortinet’s analysis shows the campaign has targeted organizations in manufacturing, technology, healthcare, construction, and retail/hospitality sectors. The bulk of infections have been observed in Austria, Belarus, Canada, Egypt, India, and Pakistan. In practice, any industry that relies on email for critical communications is at risk. Once UpCrypter installs its RATs (such as PureHVNC, DCRat, and Babylon RAT), attackers can remotely control the compromised systems. This broad targeting underscores that no sector is immune and highlights the potential for large-scale data breaches or espionage.
Emerging Trends
This UpCrypter campaign exemplifies a broader trend of leveraging trusted platforms to evade defenses. For instance, a recent Check Point report detailed another phishing scheme abusing Google Classroom to send over 115,000 emails to more than 13,000 organizations worldwide. By exploiting the reputation of Google’s infrastructure, attackers bypassed email authentication and landed their lures in user inboxes. Researchers call this “living off trusted sites,” where criminals host phishing pages or send malware through legitimate services like Microsoft 365, OneNote, or cloud-based tools. These tactics allow malefactors to scale their attacks while staying under the radar of traditional email filters.