A new global phishing campaign delivering a malware loader called UpCrypter has been uncovered, targeting businesses across multiple industries since early August 2025.
Researchers at Fortinet FortiGuard Labs said the campaign targets the manufacturing, technology, healthcare, construction, retail, and hospitality sectors.
Most infections have been detected in Austria, Belarus, Canada, Egypt, India, and Pakistan.
Attack Method
The attack begins with phishing emails linking to fraudulent pages that display the victim’s domain and logo to appear authentic. Victims are prompted to download a ZIP file containing an obfuscated JavaScript loader.
“This page is designed to entice recipients into downloading JavaScript files that act as droppers for UpCrypter,” said Cara Lin, a Fortinet researcher.
Once executed, the loader checks for internet connectivity and scans for forensic tools or sandbox environments before downloading the next-stage payload.
Final payloads are delivered either as plain text or embedded within images using steganography. An alternative variant using Microsoft Intermediate Language (MSIL) follows similar steps and retrieves three payloads: a PowerShell script, a DLL, and the main malware.
Researchers say the malware uses in-memory execution to avoid leaving traces on the file system, making detection difficult. “This combination of an actively maintained loader, layered obfuscation, and diverse RAT delivery demonstrates an adaptable threat ecosystem capable of bypassing defenses and maintaining persistence,” Lin added.
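A defender-side check for the delivery stage described above (a ZIP attachment carrying a script dropper, possibly inside a nested archive), as an added example that is not part of the Fortinet research or this article; the extension list, nesting limit and sample archive are constructed assumptions.

```python
import io
import zipfile

# Extensions Windows Script Host or the shell executes directly.
# Constructed list; tune to the mail gateway's own policy.
SCRIPT_EXTENSIONS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta", ".ps1"}
MAX_NESTING = 3  # do not descend into archives nested deeper than this


def _suspicious_name(name: str) -> bool:
    """True if a member name ends in a script extension, which also catches
    double-extension lures such as 'Invoice.pdf.js'."""
    lower = name.lower()
    return any(lower.endswith(ext) for ext in SCRIPT_EXTENSIONS)


def find_script_droppers(zip_bytes: bytes, depth: int = 0, prefix: str = "") -> list:
    """Return paths of script members inside a ZIP attachment, descending into
    nested ZIPs. Returns [] for non-ZIP input or an archive with no script members."""
    try:
        archive = zipfile.ZipFile(io.BytesIO(zip_bytes))
    except zipfile.BadZipFile:
        return []
    hits = []
    for info in archive.infolist():
        if info.is_dir():
            continue
        path = prefix + info.filename
        if _suspicious_name(info.filename):
            hits.append(path)
        elif info.filename.lower().endswith(".zip") and depth < MAX_NESTING:
            hits.extend(find_script_droppers(archive.read(info), depth + 1, path + "!/"))
    return hits


def build_sample_attachment() -> bytes:
    """Constructed sample: an outer ZIP holding a text file and an inner ZIP whose
    only member is a 'PDF' that is really an obfuscated-looking JavaScript file."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("Quote_2025.pdf.js", "var a='x';eval(a);")  # constructed lure
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("readme.txt", "see attached")
        z.writestr("docs.zip", inner.getvalue())
    return outer.getvalue()


if __name__ == "__main__":
    print(find_script_droppers(build_sample_attachment()))
    # → ['docs.zip!/Quote_2025.pdf.js']
```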
Bottom line
“This is not just about stealing email logins, but is a complete attack process that can secretly install a malicious payload inside a company’s network. Once inside, attackers can keep control of the systems for an extended period,” the Fortinet blog notes.
“Users and organizations should take this threat seriously, use strong email filters, and make sure staff are trained to recognize and avoid these types of attacks.”