Cybersecurity researchers are flagging new phishing campaigns using fake voicemail and purchase orders to deliver malware loaders called Upcryptors.
The campaign “creates carefully crafted emails to deliver malicious URLs linked to persuasive phishing pages,” said Cara Lin, a researcher at Fortinet Fortiguard Labs. “These pages are designed to tempt you to download JavaScript files where Recipient acts as a dropper for Upcrypter.”
Malware propagation attacks have primarily targeted the manufacturing, technology, healthcare, construction, and retail/hospitality sectors around the world since their inception in August 2025. The majority of infections have been observed in Austria, Belarus, Canada, Egypt, India, Pakistan and others.
Upcrypter serves as a conduit for a variety of remote access tools (rats), including PureHVNC rats, DCRAT (aka DarkCrystal Rat), and Babylon rats.
The starting point for the infection chain is phishing emails using voicemail messages and themes related to purchases. Click on the link where the recipient faces a fake landing page directly and then click on the link where they are asked to download the voice message or PDF document.
“The lure page is designed to look convincing by not only displaying the victim’s domain string in the banner, but also by retrieving and embedding the domain’s logo within the page content to enhance reliability,” Fortinet says. “Its main purpose is to provide malicious downloads.”
The downloaded payload is a ZIP archive containing obfuscated JavaScript files, then contacting an external server to get the next stage of malware, but checking your internet connection and scanning the process of running your forensic tools, debuggers, or sandbox environment.
The loader contacts the same server to get the final payload either in plain text form or in a technique called steganography embedded in harmlessly-looking images.
Fortinet said Upcrypter is also being distributed as a Microsoft Intermediate Language (MSIL) Loader. It performs anti-analysis and prevention machine checks, similar to the JavaScript counterpart, then downloads three different payloads.
The attack embeds data from the DLL loader and embeds the payload while it is running, allowing malware to run without writing to the file system. This approach also has the advantage of minimizing forensic traces, which allows malware to fly under the radar.
“This combination of aggressively maintained loaders, layered obfuscation, and diverse rat delivery demonstrates an adaptive threat delivery ecosystem that can bypass defenses and maintain sustainability in a variety of environments,” Lynn said.
This disclosure comes as we detail a large-scale phishing campaign that has abused Google Classroom to distribute over 115,000 phishing emails between August 6th and 12th, 2025, targeting 13,500 organizations across multiple industries.
“The attackers misused this trust by sending fake invitations containing unrelated commercial offers, ranging from product resale pitches to SEO services,” the company said. “Each email instructed recipients to contact scammers via WhatsApp phone numbers, a tactic that is often linked to scam schemes.”
Attacks bypass the security system. This helps you bypass key email authentication protocols such as SPF, DKIM, DMARC, and place phishing emails in your user’s inbox by leveraging the trust and reputation of Google Classroom’s infrastructure.
These campaigns are part of a major trend in threat actors using legal services such as Microsoft 365 Direct Send and Onenote.[.]Co Link Shorter – An approach known as a life-long site (lot).
“After the threat actors acquired M365 qualification for one user in their organization through a phishing attack, they created a OneNote file in the Personal Documents folder of the compromised user on Onedrive, and embed the lure URL for the next phishing stage.”
The misuse of Direct Send has encouraged organizations called “Reject Direct Send” to introduce options to address issues directly. Alternatively, customers could apply custom header stamping and quarantine policies to detect emails that they claim to be internal communication, but in reality they are not.
These developments involve attackers who are increasingly relying on client-side evasion techniques for phishing pages to stay ahead of both auto-detection systems and human analysts. This includes JavaScript-based blocking, using Browser in the Browser (BITB) templates, and hosting pages in a virtual desktop environment using NOVNC.
“A notable way of becoming more popular is the use of JavaScript-based anti-analysis scripts: small but effective bits of code embedded in phishing pages, fake tech support sites, and malicious redirects,” Doppel said. “When such activity is identified, the site will immediately redirect users to blank pages, or disable further interactions, blocking access before deeper inspections occur.”
Source link
