Fake Voicemails & Purchase Orders Used to Spread UpCrypter Malware Loader


Fortinet’s FortiGuard Labs has identified a widespread phishing campaign distributing UpCrypter, a malware loader whose job is to stage Remote Access Trojans (RATs) such as PureHVNC, DCRat (DarkCrystal RAT) and Babylon RAT on the victim’s machine.

🔍 How the attack works:

  1. Phishing emails mimic voicemail alerts and purchase orders.
  2. Links lead to convincing landing pages that embed the victim’s company logo.
  3. Victims are prompted to download a ZIP file containing an obfuscated JavaScript dropper.
  4. The loader checks for debuggers and sandboxes, then fetches the next stage from an image file in which the payload is hidden (steganography), so the download looks like an ordinary picture request to a web proxy.
  5. Later stages are PowerShell scripts and DLLs executed in memory rather than written to disk, so the final RAT leaves few forensic artefacts.
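Two links of that chain are visible in ordinary endpoint telemetry: a Windows Script Host executing a .js that was just unpacked from an archive, and PowerShell being spawned by that script host with hide/encode flags. As an added example (not code from Fortinet’s report or from the original post), the Python below runs those two checks over constructed Sysmon-style process-creation events; the event fields, paths, user name and the encoded command are invented for illustration.

```python
import re

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
POWERSHELLS = {"powershell.exe", "pwsh.exe"}
# Folders where a ZIP opened from a mail client or browser typically gets expanded
STAGING_DIR = re.compile(r"\\(Temp|Downloads|INetCache)\\", re.IGNORECASE)
JS_FILE = re.compile(r"\.jse?\b", re.IGNORECASE)
# Flags that hide the console window or pass an encoded / evaluated script body
PS_EVASION = re.compile(
    r"-enc(odedcommand)?\b|-w(indowstyle)?\s+hidden|\bIEX\b|Invoke-Expression",
    re.IGNORECASE,
)

# Constructed process-creation telemetry (Sysmon event ID 1 style). Paths, the user
# and the encoded command are invented; this is not data from the real campaign.
EVENTS = [
    {"id": 1, "image": r"C:\Windows\explorer.exe",
     "parent": r"C:\Windows\System32\userinit.exe", "cmd": "explorer.exe"},
    {"id": 2, "image": r"C:\Windows\System32\wscript.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmd": r'"C:\Windows\System32\wscript.exe" "C:\Users\alice\AppData\Local\Temp\Temp1_Voicemail_0423.zip\Voicemail_0423.js"'},
    {"id": 3, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\System32\wscript.exe",
     "cmd": "powershell.exe -w hidden -ep bypass -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkA"},
    {"id": 4, "image": r"C:\Windows\System32\wscript.exe",
     "parent": r"C:\Windows\System32\svchost.exe",
     "cmd": r"wscript.exe C:\ProgramData\Vendor\maintenance.vbs"},
    {"id": 5, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\explorer.exe", "cmd": r"powershell.exe -File C:\Scripts\backup.ps1"},
]


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def evaluate(events) -> list:
    """Return (event id, rule name) pairs for events that match the dropper chain."""
    hits = []
    for e in events:
        image, parent, cmd = basename(e["image"]), basename(e["parent"]), e["cmd"]
        # Stage 1: a script host runs a .js/.jse straight out of a temp/extraction folder
        if image in SCRIPT_HOSTS and JS_FILE.search(cmd) and STAGING_DIR.search(cmd):
            hits.append((e["id"], "script_host_runs_js_from_staging_dir"))
        # Stage 2: the script host hands off to PowerShell; evasive flags raise severity
        if image in POWERSHELLS and parent in SCRIPT_HOSTS:
            rule = "powershell_spawned_by_script_host"
            if PS_EVASION.search(cmd):
                rule += "+evasive_flags"
            hits.append((e["id"], rule))
    return hits


if __name__ == "__main__":
    for event_id, rule in evaluate(EVENTS):
        print(f"event {event_id}: {rule}")
```

Events 4 and 5 are deliberately benign look-alikes (a scheduled .vbs, an interactive PowerShell script) and produce no hit; the rules key on the parent/child relationship and the staging path rather than on the script host alone, which is what keeps the false-positive rate tolerable in a fleet that still runs legitimate logon scripts.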

📌 Why it matters

  • Observed from August 2025, with victims in manufacturing, technology, healthcare, construction, and retail/hospitality.
  • Highest detection volumes in Austria, Belarus, Canada, Egypt, India, and Pakistan.
  • Part of the wider living-off-trusted-sites (LOTS) trend: lures hosted on or relayed through Google Classroom, OneNote, Microsoft 365 Direct Send, Zoom and similar services so that messages arrive from domains email filters already trust.

🛡 Defensive steps:

  • Train employees to treat unexpected voicemail, invoice and purchase-order lures with suspicion, especially ones that lead to a download rather than to the company’s own portal.
  • Block .js/.jse attachments at the mail gateway, including inside ZIP archives, and consider changing the default handler for .js files from Windows Script Host to a text editor so a double-click cannot execute them.
  • Monitor for script hosts (wscript.exe, cscript.exe) spawning PowerShell, for PowerShell downloading image files it never displays, and for unexpected outbound connections from those processes.
  • Enable Microsoft’s tenant-level “Reject Direct Send” setting in Exchange Online if no on-premises devices rely on Direct Send, or add mail flow rules that filter such traffic.
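The page says the loader pulls its next stage out of an image but not how. A common way to do that is to append an encoded blob after the image’s end marker, or to tuck it into an ancillary metadata chunk, where image viewers ignore it. As an added example (not code from the report or the original post), the Python below builds a tiny valid PNG, plants a constructed Base64 stage after IEND and in a tEXt chunk, and then shows both the check a defender can run on images fetched by PowerShell and the carve a stage-one script performs. The PNG fixture and the payload text are invented; that UpCrypter uses exactly this layout is an assumption, not something the page states.

```python
import base64
import math
import re
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{64,}={0,2}")   # a Base64 blob of at least 64 characters


def _chunk(ctype: bytes, body: bytes) -> bytes:
    """Serialise one PNG chunk: length, type, body, CRC32 over type+body."""
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def make_png(extra_chunks=(), trailer=b"") -> bytes:
    """Build a valid 2x2 RGB PNG (a constructed fixture, not a sample from the campaign)."""
    ihdr = struct.pack(">IIBBBBB", 2, 2, 8, 2, 0, 0, 0)      # 8-bit RGB, no interlace
    raw = (b"\x00" + b"\x10\x20\x30" * 2) * 2                # filter byte 0 + two pixels, per row
    chunks = [_chunk(b"IHDR", ihdr), *extra_chunks,
              _chunk(b"IDAT", zlib.compress(raw)), _chunk(b"IEND", b"")]
    return PNG_SIG + b"".join(chunks) + trailer


def png_chunks(data: bytes):
    """Yield (type, body) per chunk; after IEND yield (b'TRAILER', bytes past the image)."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG")
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        body = data[pos + 8:pos + 8 + length]
        pos += 12 + length                                   # length + type + body + CRC
        yield ctype, body
        if ctype == b"IEND":
            yield b"TRAILER", data[pos:]                     # a clean file has nothing here
            return
    raise ValueError("truncated PNG: no IEND chunk")


def shannon_entropy(buf: bytes) -> float:
    """Bits per byte; ~6 for Base64 text, ~8 for compressed or encrypted data."""
    if not buf:
        return 0.0
    n = len(buf)
    return -sum((c / n) * math.log2(c / n) for c in (buf.count(v) for v in set(buf)))


def scan_png(data: bytes) -> list:
    """Defender's view: bytes after IEND, or Base64 blobs inside non-pixel chunks."""
    findings = []
    for ctype, body in png_chunks(data):
        if ctype == b"TRAILER":
            if body:
                findings.append(("trailer_after_IEND", len(body)))
        elif ctype not in (b"IHDR", b"PLTE", b"IDAT", b"IEND"):
            for m in B64_RUN.finditer(body):
                findings.append(("base64_run_in_" + ctype.decode("latin-1"), len(m.group())))
    return findings


def carve_payload(data: bytes) -> bytes:
    """Attacker's view: take the longest Base64 run outside the pixel data and decode it."""
    runs = [m.group() for ctype, body in png_chunks(data) if ctype != b"IDAT"
            for m in B64_RUN.finditer(body)]
    return base64.b64decode(max(runs, key=len)) if runs else b""


# Constructed fixtures. PLAINTEXT stands in for a next-stage script; it is not real malware.
PLAINTEXT = b"Write-Output 'constructed stage-two placeholder' " * 4
FAKE_STAGE = base64.b64encode(PLAINTEXT)
CLEAN = make_png()
TRAILED = make_png(trailer=b"<<BEGIN>>" + FAKE_STAGE + b"<<END>>")
IN_TEXT = make_png(extra_chunks=(_chunk(b"tEXt", b"Comment\x00" + FAKE_STAGE),))

if __name__ == "__main__":
    for name, img in (("clean", CLEAN), ("trailer", TRAILED), ("tEXt", IN_TEXT)):
        carved = carve_payload(img)
        print(name, scan_png(img), "carved bytes:", len(carved),
              "entropy:", round(shannon_entropy(carved), 2))
```

Both planted images still open as a normal 2x2 picture, which is the point: a proxy or sandbox that only validates the image header learns nothing. Run the scan over files with image content types that PowerShell or a script host fetched, and flag any trailer or oversized ancillary chunk; pixel-level LSB hiding is outside what this check catches and needs statistical tests instead.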

➡️ This campaign highlights how threat actors are combining trusted platforms, obfuscation, and advanced evasion techniques to stay ahead of defenses.

At Alcaeus Services, we help organizations build layered defenses, detect phishing early, and secure endpoints against evolving loader-based attacks.

CATEGORIES:

EN|Security
