A Global Phishing Spree: The New Campaign Spreading RATs with Fake Voicemails
In early August 2025, specialists at Fortinet FortiGuard Labs detected a large-scale phishing campaign distributing the UpCrypter loader through counterfeit emails purporting to contain voicemail notifications or order confirmations. The attackers crafted highly convincing messages with malicious links leading to fraudulent websites that closely mimicked legitimate corporate portals. On these pages, users were prompted to download what appeared to be an important file—a voicemail recording or a PDF document—that in reality concealed malicious code.
The primary objective of the campaign is the installation of the UpCrypter loader, which acts as a conduit for remote administration tools, including PureHVNC RAT, DCRat (DarkCrystal RAT), and Babylon RAT. Once a system is compromised, the attackers gain full control over the victim’s device.
The attack sequence begins with an email enticing the recipient to follow a link to a spoofed webpage. To enhance credibility, the site automatically inserts the victim’s domain into the header and loads the organization’s logo, creating a convincing façade of authenticity. From there, a ZIP archive containing an encrypted JavaScript file is delivered.
Upon execution, the script checks for an active internet connection and scans the system for debugging tools, sandboxes, or forensic utilities. Only after this verification does it connect to an external server to retrieve the next stage of the malware.
The loader is capable of fetching the final payload either in plaintext or concealed within an image using steganographic techniques. In addition to the JavaScript variant, researchers identified another version of UpCrypter written in MSIL. Functionally similar, this build conducts environment checks before downloading three separate components: an encrypted PowerShell script, a DLL library, and the primary executable module. These elements are combined at runtime, enabling the malware to execute entirely in memory without leaving traces on disk.
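The delivery chain described above (a lure-themed email, a ZIP archive carrying a script, and a payload hidden inside an image) gives a mail gateway or SOC several cheap places to look. The following attachment-triage script is an added example written for this article; it is not code from Fortinet FortiGuard Labs or from the report. It flags subjects matching the voicemail and order-confirmation lure themes, ZIP archives that contain script files, and image attachments with data appended after the image's end marker. The lure regex, the script-extension list, the sample file names and the "appended after the image terminator" heuristic are this example's own assumptions; the report does not state which steganographic technique the loader uses, so that check is one generic heuristic rather than a signature for this campaign.

```python
import io
import re
import struct
import zipfile
import zlib

# Lure themes reported for the campaign; the exact wording is an assumption.
LURE_SUBJECT_RE = re.compile(
    r"\b(voice ?mail|voice message|order confirmation|purchase order)\b", re.I
)

# Script extensions that should not arrive inside a ZIP from an external sender.
SCRIPT_EXTS = (".js", ".jse", ".vbs", ".wsf", ".hta", ".ps1")


def zip_script_members(data: bytes) -> list[str]:
    """Names of script-like members inside a ZIP attachment (empty if not a ZIP)."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [n for n in zf.namelist() if n.lower().endswith(SCRIPT_EXTS)]
    except zipfile.BadZipFile:
        return []


def image_trailing_bytes(data: bytes) -> int:
    """Heuristic: count bytes appended after a PNG IEND chunk or JPEG EOI marker.

    Assumption (not from the report): a payload hidden by appending it to an
    otherwise valid image. Data before the terminator is not inspected.
    """
    if data.startswith(b"\x89PNG\r\n\x1a\n"):
        idx = data.find(b"IEND")  # chunk type; 4-byte CRC follows it
        if idx != -1:
            return max(0, len(data) - (idx + 4 + 4))
    if data.startswith(b"\xff\xd8"):
        idx = data.rfind(b"\xff\xd9")  # rfind skips EOIs of embedded thumbnails
        if idx != -1:
            return max(0, len(data) - (idx + 2))
    return 0


def triage_email(subject: str, attachments: dict[str, bytes]) -> list[str]:
    """Return a list of findings for one message; empty means nothing flagged."""
    findings = []
    if LURE_SUBJECT_RE.search(subject):
        findings.append("lure-subject")
    for name, data in attachments.items():
        scripts = zip_script_members(data)
        if scripts:
            findings.append(f"zip-script:{name}:{','.join(scripts)}")
        trailing = image_trailing_bytes(data)
        if trailing > 0:
            findings.append(f"image-trailing-data:{name}:{trailing}")
    return findings


# --- constructed sample inputs (not real campaign artifacts) ---

def build_sample_zip() -> bytes:
    """ZIP with a single placeholder .js member, mimicking the reported lure archive."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("VoiceMail_1082.js", "// placeholder member, contains no code\n")
    return buf.getvalue()


def build_sample_png(extra: bytes = b"") -> bytes:
    """Minimal PNG skeleton (signature + IEND chunk) with optional appended bytes."""
    iend = struct.pack(">I", 0) + b"IEND" + struct.pack(">I", zlib.crc32(b"IEND"))
    return b"\x89PNG\r\n\x1a\n" + iend + extra


if __name__ == "__main__":
    print(triage_email("New Voicemail received", {"msg.zip": build_sample_zip()}))
    print(triage_email("Order confirmation", {"logo.png": build_sample_png(b"\x00" * 40)}))
    print(triage_email("Quarterly report", {"photo.png": build_sample_png()}))
```

Running the block prints one findings list per constructed message: the first is flagged for both the lure subject and the script inside the ZIP, the second for the lure subject and 40 trailing bytes on the image, and the third is clean. In production the same functions would sit behind the gateway's attachment hook, with the findings feeding a quarantine decision or a SIEM event rather than a print.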
Fortinet emphasizes that this architecture renders the campaign particularly difficult to detect. By combining an actively maintained loader, multilayered obfuscation, and multiple remote access tools, the attackers have created a flexible delivery ecosystem capable of evading defenses and maintaining persistence across diverse environments.
This campaign underscores how even the most familiar communication channels can be weaponized into efficient vectors for distributing sophisticated threats. Today, effective defense demands not only robust technical safeguards but also a constant vigilance toward every email received.