309/68 Wednesday, August 27, 2025
FortiGuard Labs, the threat intelligence division of Fortinet, has issued a global cybersecurity alert regarding a rapidly spreading phishing campaign. The attack leverages deceptive emails titled “Missed Phone Call” or “Voicemail Message”, as well as fake purchase orders, to trick Windows users into downloading malicious files that silently install the UpCrypter malware on their systems.
UpCrypter grants attackers full remote control over infected machines and has seen a sharp surge in detections-doubling in just two weeks. The campaign is impacting a broad range of industries, including technology, manufacturing, healthcare, construction, retail, and services.
Attack Details
The phishing emails typically contain malicious HTML attachments with filenames such as “VN0001210000200.html” or “採購訂單.html”. When opened, the HTML file redirects the victim to spoofed websites that mimic corporate email portals using the victim organization’s logo and domain name for added credibility. These fake sites prompt the user to download a secondary file-a JavaScript dropper-which then installs the UpCrypter malware.
Once executed, UpCrypter proceeds to download Remote Access Tools (RATs) such as DCRat, PureHVNC, and Babylon RAT, allowing attackers to access, monitor, and control the compromised system stealthily. The malware can also persist within the victim’s network for extended periods without detection.
Advanced Evasion Capabilities
Security researchers highlighted that UpCrypter is equipped with anti-analysis features. It can detect whether it’s running in a sandbox, virtual machine, or being monitored by tools like Wireshark, and may automatically halt or restart to evade detection. Additionally, it can hide malicious code within JPG image files and create registry keys for persistence-ensuring it continues to run even after a system reboot.
Mitigation Recommendations
FortiGuard Labs urges organizations to enforce strict email filtering policies and conduct regular phishing awareness training for employees. Experts recommend that if an HTML attachment opens via Outlook and leads to PowerShell execution, it should be treated as a high-risk red flag and immediately blocked to prevent the success of the campaign.
Source https://hackread.com/fake-voicemail-emails-install-upcrypter-malware-windows/
