Cybersecurity researchers have flagged a new phishing campaign that’s using fake voicemails and purchase orders to deliver a malware loader called UpCrypter.
The campaign leverages “carefully crafted emails to deliver malicious URLs linked to convincing phishing pages,” Fortinet FortiGuard Labs researcher Cara Lin said. “These pages are designed to entice recipients into downloading JavaScript files that act as droppers for UpCrypter.”
Attacks propagating the malware have been primarily targeting manufacturing, technology, healthcare, construction, and retail/hospitality sectors across the world since the start of August 2025. The vast majority of the infections have been observed in Austria, Belarus, Canada, Egypt, India, and Pakistan, among others.
UpCrypter functions as a conduit for various remote access tools (RATs), such as PureHVNC RAT, DCRat (aka DarkCrystal RAT), and Babylon RAT, each of which enable an attacker to take full control of compromised hosts.
The starting point of the infection chain is a phishing email using themes related to voicemail messages and purchases to deceive recipients into clicking on links that direct to fake landing pages, from where they are prompted to download the voice message or a PDF document.
“The lure page is designed to appear convincing by not only displaying the victim’s domain string in its banner but also fetching and embedding the domain’s logo within the page content to reinforce authenticity,” Fortinet said. “Its primary purpose is to deliver a malicious download.”
The downloaded payload is a ZIP archive containing an obfuscated JavaScript file, which subsequently contacts an external server to fetch the next-stage malware, but only after confirming internet connectivity and scanning running processes for forensic tools, debuggers, or sandbox environments.
The loader, in turn, contacts the same server to obtain the final payload, either in the form of plain text or embedded within a harmless-looking image, a technique called steganography.
Fortinet said UpCrypter is also distributed as an MSIL (Microsoft Intermediate Language) loader that, like its JavaScript counterpart, conducts anti-analysis and anti-virtual machine checks, after which it downloads three different payloads: an obfuscated PowerShell script, a DLL, and the main payload.
The attack culminates with the script embedding data from the DLL loader and the payload during execution, thus allowing the malware to be run without writing it to the file system. This approach also has the advantage of minimizing forensic traces, thereby allowing the malware to fly under the radar.
“This combination of an actively maintained loader, layered obfuscation, and diverse RAT delivery demonstrates an adaptable threat delivery ecosystem capable of bypassing defenses and maintaining persistence across different environments,” Lin said.
The disclosure comes as Check Point detailed a large-scale phishing campaign abusing Google Classroom to distribute more than 115,000 phishing emails aimed at 13,500 organizations across multiple industries between August 6 and 12, 2025. The attacks target organizations in Europe, North America, the Middle East, and Asia.
“Attackers exploited this trust by sending fake invitations that contained unrelated commercial offers, ranging from product reselling pitches to SEO services,” the company said. “Each email directed recipients to contact scammers via a WhatsApp phone number, a tactic often linked to fraud schemes.”
The attack bypasses security systems because it leverages the trust and reputation of Google Classroom’s infrastructure to bypass key email authentication protocols, such as SPF, DKIM, and DMARC, and helps land the phishing emails in users’ inboxes.
These campaigns are part of a larger trend where threat actors take advantage of legitimate services like Microsoft 365 Direct Send and OneNote, not to mention abuse free artificial intelligence (AI)-powered website builder like Vercel and Flazio, as well as services such as Discord CDN, SendGrid, Zoom, ClickFunnels, Jotform, and X’s t[.]co link shortener – an approach known as living-off-trusted-sites (LOTS).
“After the threat actor gained M365 credentials of one user in an organization through a phishing attack, they created a OneNote file in the compromised user’s personal Documents folder on OneDrive, embedding the lure URL for the next phishing stage,” Varonis said in a report published last month.
The misuse of Direct Send has prompted Microsoft to introduce an option for organizations called “Reject Direct Send” to directly address the issue. Alternatively, customers can also apply custom header stamping and quarantine policies to detect emails that claim to be internal communication but, in reality, aren’t.
These developments have also been accompanied by attackers increasingly relying on client-side evasion techniques in phishing pages to stay ahead of both automated detection systems and human analysts. This includes the use of JavaScript-based blocking, Browser-in-the-Browser (BitB) templates, and hosting the pages inside virtual desktop environments using noVNC.
“A notable method growing in popularity is the use of JavaScript-based anti-analysis scripts; small but effective bits of code embedded in phishing pages, fake tech support sites, and malicious redirects,” Doppel said. “Once any such activity is identified, the site immediately redirects the user to a blank page or disables further interaction, blocking access before any deeper inspection can occur.”