Malicious Email Attacks Employ UpCrypter to Install Spyware for Control
Global Phishing Campaign Targets Corporate Environments with Sophisticated Malware
A widespread phishing campaign has been identified by cybersecurity researchers, targeting various companies and organizations worldwide. This campaign is not just a simple credential theft scheme, but a comprehensive attack chain that installs sophisticated malware within corporate environments.
The operation employs a custom loader called UpCrypter to install remote access tools (RATs). The phishing emails in the campaign redirect victims to spoofed websites tailored to each recipient, mimicking personalised communications to increase the likelihood of a successful attack.
Once a victim clicks on a malicious link, they are directed to download a ZIP archive containing an obfuscated JavaScript file. This JavaScript file executes PowerShell commands and evades detection tools. In some cases, data is hidden inside image files using steganography to avoid detection.
UpCrypter, a loader showcased on YouTube, is central to the phishing campaign. It checks for forensic tools, virtual machines, and sandboxes before running, ensuring it operates undetected in a legitimate environment. If analysis is suspected, UpCrypter forces a system restart to disrupt investigations.
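The chain described above (a JavaScript file opened from a ZIP, spawning PowerShell, with a forced restart when the loader suspects analysis) can be turned into a process-tree check on endpoint telemetry. The following is an added illustration written for this page, not code from the article or the researchers who reported the campaign; the event shape, the `Temp1_<archive>.zip` extraction path and the sample events are assumptions constructed for the example.

```python
import re

# Constructed process-creation events in a simplified Sysmon Event ID 1 shape;
# sample data written for this example, not telemetry from the campaign.
EVENTS = [
    {"pid": 100, "ppid": 1,   "image": r"C:\Windows\explorer.exe",
     "cmdline": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\alice\AppData\Local\Temp\Temp1_invoice.zip\invoice.js"'},
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -w hidden -ep bypass -enc BASE64_PLACEHOLDER"},
    {"pid": 400, "ppid": 300, "image": r"C:\Windows\System32\shutdown.exe",
     "cmdline": "shutdown.exe /r /t 0"},
    {"pid": 500, "ppid": 100, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe Get-Process"},  # benign: launched by a user from Explorer
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Explorer opens archive members under %TEMP%\Temp1_<archive>.zip\ (assumed layout)
ZIP_MEMBER = re.compile(r"\\Temp\\Temp\d+_[^\\]*\.zip\\", re.IGNORECASE)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def ancestors(by_pid, event):
    """Yield parent, grandparent, ... until the chain ends."""
    cur = by_pid.get(event["ppid"])
    while cur is not None:
        yield cur
        cur = by_pid.get(cur["ppid"])


def detect(events):
    """Return (pid, rule, severity) for events matching the ZIP -> JS -> PowerShell chain."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        name = basename(e["image"])
        chain = list(ancestors(by_pid, e))
        parent = chain[0] if chain else None
        if name == "powershell.exe" and parent and basename(parent["image"]) in SCRIPT_HOSTS:
            # Script host spawning PowerShell; a .js opened straight out of a ZIP raises severity.
            cmd = parent["cmdline"].lower()
            sev = "high" if ".js" in cmd and ZIP_MEMBER.search(cmd) else "medium"
            findings.append((e["pid"], "script-host-spawns-powershell", sev))
        elif name == "shutdown.exe" and any(basename(a["image"]) in SCRIPT_HOSTS for a in chain):
            # Reboot requested from under a script host: matches the loader's anti-analysis restart.
            findings.append((e["pid"], "restart-under-script-host", "high"))
    return findings


if __name__ == "__main__":
    for pid, rule, sev in detect(EVENTS):
        print(f"pid={pid} rule={rule} severity={sev}")
```

The benign PowerShell launched directly from Explorer (pid 500) is not flagged; only the script-host lineage and the reboot beneath it are.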
The final payloads observed include PureHVNC, DCRat, and Babylon RAT. These tools allow attackers to perform actions such as keylogging, file theft, and full remote control of a target's machine.
The industries most affected include manufacturing, technology, healthcare, construction, and retail/hospitality. Financial institutions, government agencies, and large multinational corporations have also been targeted.
To protect against this phishing campaign, users and organizations are advised to use strong email filters and train staff to recognise and avoid these types of attacks. It is crucial to be vigilant and cautious when opening emails and clicking on links, especially those that seem unexpected or suspicious.
The phishing campaign is expanding rapidly, with detections doubling in just two weeks. It is important for everyone to stay informed and take necessary precautions to safeguard their digital assets.