Cybersecurity experts have uncovered a global phishing campaign that is tricking victims with fraudulent voicemail and purchase order notifications to distribute a malware loader called UpCrypter. The attack, first detected in early August 2025, has already impacted multiple industries worldwide, with infections concentrated in Austria, Belarus, Canada, Egypt, India, and Pakistan.
According to Fortinet FortiGuard Labs researcher Cara Lin, the campaign relies on “carefully crafted emails to deliver malicious URLs linked to convincing phishing pages.” These phishing sites then prompt users to download JavaScript files, which act as droppers for UpCrypter. Once active, the loader serves as a gateway for remote access tools (RATs) such as PureHVNC RAT, DCRat (DarkCrystal RAT), and Babylon RAT—malware strains that allow attackers to seize full control of compromised systems.
The infection chain begins with emails disguised as voicemail alerts or purchase confirmations. Victims who click the embedded links are redirected to spoofed landing pages, where they are tricked into downloading a supposed voicemail recording or PDF file, unknowingly initiating the malware installation.
The campaign reflects a broader trend in phishing operations that exploit trust in everyday business communications. Varonis researchers, in a separate report, highlighted that attackers have even leveraged stolen Microsoft 365 credentials to host malicious files. “After the threat actor gained M365 credentials of one user in an organization through a phishing attack, they created a OneNote file in the compromised user’s personal Documents folder on OneDrive, embedding the lure URL for the next phishing stage,” the firm noted.
In response to such abuses, Microsoft recently introduced a “Reject Direct Send” feature to block fraudulent messages masquerading as internal company emails. Organizations can also deploy header stamping and quarantine policies as additional safeguards.
Meanwhile, attackers are evolving their evasion strategies to avoid detection. These include JavaScript-based blocking techniques, Browser-in-the-Browser (BitB) phishing templates, and hosting fake pages inside remote virtual desktop environments using noVNC.
Doppel, another researcher, warned of a growing reliance on anti-analysis scripts: “A notable method growing in popularity is the use of JavaScript-based anti-analysis scripts; small but effective bits of code embedded in phishing pages, fake tech support sites, and malicious redirects.” Such scripts quickly redirect users to blank pages or disable site interactions once suspicious activity is detected, preventing deeper inspection by analysts.
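As an added illustration of how a defender might triage pages for the anti-analysis behaviour described above (this is not code from the article, Fortinet or Doppel), the following script scans fetched page HTML for a handful of well-known JavaScript anti-analysis patterns: `debugger` traps, DevTools window-size checks, `navigator.webdriver` probes, context-menu blocking, and redirects to `about:blank`. The indicator names, regexes and sample pages are my own constructed heuristics, not an exhaustive or authoritative list.

```python
import re

# Heuristic indicators of JavaScript anti-analysis behaviour on a landing page.
# Indicator names and patterns are constructed for this example (assumptions).
INDICATORS = {
    # Repeated `debugger;` statements stall anyone stepping through with DevTools
    "debugger_trap": re.compile(r"\bdebugger\s*;"),
    # Comparing outer vs inner window size is a common DevTools-open check
    "devtools_size_check": re.compile(
        r"outer(Width|Height)\s*-\s*(?:window\.)?inner(Width|Height)"),
    # Headless/automated browsers expose navigator.webdriver
    "webdriver_check": re.compile(r"navigator\.webdriver"),
    # Disabling the context menu blocks "View source" / "Inspect"
    "context_menu_block": re.compile(r"oncontextmenu|['\"]contextmenu['\"]"),
    # Blocking F12 (keyCode 123) keeps DevTools from opening
    "keyboard_block": re.compile(r"keyCode\s*===?\s*123|['\"]F12['\"]"),
    # Bailing out to a blank page once inspection is suspected
    "blank_redirect": re.compile(
        r"location(?:\.href)?\s*=\s*['\"]about:blank['\"]"),
}

def score_page(html: str, threshold: int = 2) -> dict:
    """Return which indicators fired and whether the page crosses the threshold."""
    hits = [name for name, rx in INDICATORS.items() if rx.search(html)]
    return {"indicators": hits, "score": len(hits),
            "suspicious": len(hits) >= threshold}

# Constructed sample: a voicemail-themed lure page with evasion script.
SAMPLE_LURE = """
<html><body>
<script>
setInterval(function () { debugger; }, 100);
if (window.outerWidth - window.innerWidth > 160 || navigator.webdriver) {
  window.location.href = "about:blank";
}
document.addEventListener('contextmenu', function (e) { e.preventDefault(); });
</script>
<form action="/login">Sign in to play your new voicemail</form>
</body></html>
"""

# Constructed sample: an ordinary page with no evasion logic.
SAMPLE_BENIGN = "<html><body><h1>Welcome</h1><script>console.log('hi');</script></body></html>"

if __name__ == "__main__":
    for label, page in (("lure", SAMPLE_LURE), ("benign", SAMPLE_BENIGN)):
        print(label, score_page(page))
```

A real deployment would run this over HTML captured by a sandbox or URL-scanning pipeline and treat a high score as a reason to escalate, not as proof of malice.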
The findings highlight the escalating sophistication of phishing campaigns and the need for organizations to tighten email security, enforce verification policies, and educate employees about emerging threats.