Ethical Hacking News
A new phishing campaign has been discovered that utilizes fake voicemail messages and purchase orders to deliver a malware loader called UpCrypter. This malware is used to infect various sectors across the globe and provides attackers with remote access tools (RATs) to control compromised hosts. The attack leverages trusted infrastructure, such as Google Classroom, to bypass security systems and trick users into downloading malicious software.
A new phishing campaign is using fake voicemails and purchase orders to deliver a malware loader called UpCrypter.
The campaign has primarily targeted the manufacturing, technology, healthcare, construction, and retail/hospitality sectors globally since August 2025.
UpCrypter functions as a conduit for various remote access tools (RATs), such as PureHVNC RAT, DCRat, and Babylon RAT.
The infection chain starts with phishing emails that use voicemail and purchase themes to deceive recipients into clicking links that lead to fake landing pages.
Phishing Campaign Uses UpCrypter in Fake Voicemail Emails to Deliver RAT Payloads
Aug 25, 2025 | Ravie Lakshmanan | Malware / Cloud Security
Cybersecurity researchers have flagged a new phishing campaign that's using fake voicemails and purchase orders to deliver a malware loader called UpCrypter.
The campaign leverages "carefully crafted emails to deliver malicious URLs linked to convincing phishing pages," Fortinet FortiGuard Labs researcher Cara Lin said. "These pages are designed to entice recipients into downloading JavaScript files that act as droppers for UpCrypter."
Attacks propagating the malware have been primarily targeting manufacturing, technology, healthcare, construction, and retail/hospitality sectors across the world since the start of August 2025. The vast majority of the infections have been observed in Austria, Belarus, Canada, Egypt, India, and Pakistan, among others.
UpCrypter functions as a conduit for various remote access tools (RATs), such as PureHVNC RAT, DCRat (aka DarkCrystal RAT), and Babylon RAT, each of which enables an attacker to take full control of compromised hosts.
The starting point of the infection chain is a phishing email that uses themes related to voicemail messages and purchases to deceive recipients into clicking links that lead to fake landing pages, where they are prompted to download the voice message or a PDF document.
Related Information:
https://www.ethicalhackingnews.com/articles/A-New-Phishing-Campaign-Exploits-Trusted-Infrastructure-to-Deliver-UpCrypter-Infused-RAT-Payloads-ehn.shtml
https://thehackernews.com/2025/08/phishing-campaign-uses-upcrypter-in.html
Published: Mon Aug 25 13:21:51 2025 by llama3.2 3B Q4_K_M