Researchers recently uncovered a worldwide phishing scam that leverages highly convincing phishing emails to deliver a malware dropper called UpCrypter.
According to Fortinet FortiGuard Labs, the detection count doubled within a span of two weeks, an alarming rate of growth.
Researcher Cara Lin observed, “This is not just about stealing email logins, but is a complete attack process that can secretly install a malicious payload inside a company’s network.”
Since the beginning of August 2025, UpCrypter has been spotted targeting sectors such as technology, manufacturing, healthcare, retail, and construction. Its broad reach throughout countries ranging from Pakistan and Belarus to Austria, Canada, Egypt, and India indicates likely ties to a sophisticated cybercrime group.
How Does the UpCrypter Attack Work?
The global scam works by utilizing tried-and-true phishing lures to get users to download JavaScript files that act as droppers for UpCrypter. Once installed, UpCrypter deploys various remote access trojans (RATs) to maintain persistence and completely take over a company’s systems.
“This isn’t a one-time data theft,” notes J. Stephen Kowski, Field CTO at SlashNext Email Security+. “It’s a full system breach that can spread quietly inside company networks.” So far, UpCrypter has been seen to deliver RATs such as DCRat, Babylon RAT, and PureHVNC.
The first step is to draw users in with carefully crafted emails. “One variant of the campaign uses a voicemail-themed lure with the subject line ‘Missed Phone Call – <Date>,’” notes Lin. “Another variant poses as a purchase order…”
After clicking, the victims are led to spoofed phishing sites crafted to look like their own email domain, adding credibility. There, they are prompted to download a ZIP archive containing the dropper, a JavaScript file. This JavaScript code is highly obfuscated, padded with junk to avoid detection. The malicious code then scans for any debuggers, forensics tools, and sandbox environments, forcing a system restart if any are found.
Notably, UpCrypter minimizes its forensic trail by not writing the payload to disk, instead using PowerShell and .NET reflection to execute the attack directly in memory. As a further evasion technique, the loader is delivered in two formats to defeat static detection: as plaintext, and embedded in an image (steganography).
Finally, UpCrypter delivers its malicious payloads—a variety of RATs—which subsequently take over the victim’s systems and allow attackers to take full control. As Kowski affirms, “The malicious files delivered are not just for stealing passwords but for installing powerful remote access tools that give attackers long-term control.”
How Can Security Teams Respond?
The UpCrypter campaign spans a variety of techniques, forcing security teams to consider multiple layers of defense.
Up-to-date antivirus, WAF, EDR, and mail-filtering tools are essential safeguards, as several such products on the market already detect and block the malware. Teaching employees to recognize the signs of a scam is also imperative, though Kowski notes it has its limitations.
“Training staff to spot lures like fake voicemails or order requests helps, but pairing that with threat detection that stops malicious downloads in real time is what really keeps attackers out,” he states. For this, use automated detection that looks past obfuscation in scripts and phishing sites, as these are blind spots traditional filters often miss.
In addition, companies need to implement the right strategic security controls. Frankie Sclafani, Director of Cybersecurity Enablement at Deepwatch, a San Francisco, Calif.-based AI+Human Cyber Resilience Platform, emphasizes the importance of “enforcing PowerShell script signing, which configures PowerShell to only run scripts that have a valid digital signature from a trusted publisher.”
This includes restricting PowerShell to Constrained Language Mode or to a more restrictive execution policy, such as AllSigned or RemoteSigned. As John Bambenek, President at Bambenek Consulting, points out, “Not every user needs access to PowerShell and certainly not when the chain starts from Outlook.exe.”
Ultimately, Sclafani argues that “the most effective control you can implement is Application Allowlisting.” An allowlist prevents malicious droppers and their subsequent RAT payloads from running, eliminating the threat even if clever phishing emails do manage to dupe users in the first place.
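As an added example (not code from Fortinet, the quoted vendors, or the article), the following Python detector applies the chain described above to constructed sample telemetry: Outlook.exe handing off to a script host, a .js dropper run from a temp path, the dropper forcing a restart, and a PowerShell script block doing a reflective assembly load from image bytes. The JSON field names, the event format, and the sample lines are assumptions made for this illustration.

```python
import json
import re

# Constructed sample telemetry (not real captures), one JSON object per line:
# kind "proc" = process creation (Sysmon-style); kind "psblock" = script-block text (4104-style)
SAMPLE_LOG = [
    r'''{"kind":"proc","parent":"OUTLOOK.EXE","image":"wscript.exe","cmd":"wscript.exe C:\\Users\\u\\AppData\\Local\\Temp\\PO_4471\\order.js"}''',
    r'''{"kind":"proc","parent":"wscript.exe","image":"shutdown.exe","cmd":"shutdown.exe /r /t 0"}''',
    r'''{"kind":"proc","parent":"wscript.exe","image":"powershell.exe","cmd":"powershell.exe -nop -w hidden -c $s"}''',
    r'''{"kind":"psblock","script":"$b=[IO.File]::ReadAllBytes('C:\\Users\\u\\Downloads\\logo.jpg');[System.Reflection.Assembly]::Load($b).EntryPoint.Invoke($null,$null)"}''',
    r'''{"kind":"proc","parent":"explorer.exe","image":"notepad.exe","cmd":"notepad.exe notes.txt"}''',
    r'''{"kind":"psblock","script":"Get-ChildItem C:\\logs -Recurse | Measure-Object"}''',
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}


def evaluate(ev):
    """Return the names of the detection rules a single event matches."""
    hits = []
    if ev.get("kind") == "proc":
        parent, image = ev.get("parent", "").lower(), ev.get("image", "").lower()
        cmd = ev.get("cmd", "")
        if parent == "outlook.exe" and image in SCRIPT_HOSTS | POWERSHELL:
            hits.append("outlook_spawned_script_host")   # mail client starts the chain
        if image in SCRIPT_HOSTS and re.search(r"\.jse?\b", cmd, re.I) and re.search(
                r"\\Temp\\|\.zip\\", cmd, re.I):
            hits.append("js_dropper_from_temp_path")    # .js run from temp / extracted ZIP
        if parent in SCRIPT_HOSTS and image in POWERSHELL:
            hits.append("script_host_launched_powershell")
        if parent in SCRIPT_HOSTS and image == "shutdown.exe":
            hits.append("script_host_forced_restart")   # anti-analysis reboot
    elif ev.get("kind") == "psblock":
        script = ev.get("script", "")
        if re.search(r"Reflection\.Assembly\]::Load\b", script, re.I):
            hits.append("reflective_assembly_load")     # payload never written to disk
            if re.search(r"ReadAllBytes\([^)]*\.(png|jpe?g|bmp|gif)", script, re.I):
                hits.append("loader_bytes_from_image")  # steganographic loader variant
    return hits


def scan(lines):
    """Parse JSON-lines telemetry; return [(line_no, [rule, ...])] for lines with hits."""
    findings = []
    for n, line in enumerate(lines, start=1):
        try:
            hits = evaluate(json.loads(line))
        except json.JSONDecodeError:
            continue  # malformed line: skip it rather than crash the scanner
        if hits:
            findings.append((n, hits))
    return findings
```

Each rule alone is noisy in a large estate; the value is in correlating them on one host within a short window, which is what the line-numbered findings make easy to do.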
An ardent believer in personal data privacy and the technology behind it, Katrina Thompson is a freelance writer leaning into encryption, data privacy legislation, and the intersection of information technology and human rights. She has written for Bora, Venafi, Tripwire, and many other sites.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.