Particle.news

FortiGuard Flags Fast-Growing Global Phishing Campaign Using UpCrypter to Seize Windows Systems

Personalized HTML lures on spoofed pages drop RATs for persistent control.

Overview

  • FortiGuard Labs says detections have doubled in roughly two weeks since early August as the operation spreads worldwide with notable activity in Austria, Belarus, Canada, Egypt, India and Pakistan.
  • Voicemail and purchase‑order emails carry HTML attachments (e.g., “VN0001210000200.html,” “採購訂單.html”) that redirect to fake landing pages tailored with the recipient’s domain and logo.
  • Victims are prompted to download a ZIP containing an obfuscated JavaScript dropper that invokes PowerShell, performs anti‑analysis and VM checks, and retrieves next‑stage payloads, in some cases hidden via steganography.
  • UpCrypter acts as a loader for multiple remote access tools such as PureHVNC, DCRat (DarkCrystal RAT) and Babylon RAT, enabling attackers to gain full remote control and maintain persistence in memory and the registry.
  • Security teams are urged to tighten email filtering, train users, restrict unnecessary PowerShell access, apply controls like Microsoft’s Reject Direct Send or custom header stamping, and watch for in‑memory execution and registry-persistence indicators.
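The last bullet asks security teams to watch for in-memory execution and registry-persistence indicators. The block below is an added example, not FortiGuard's code and not content from the campaign write-up: it is the kind of prototype detection a SOC would run over normalized endpoint telemetry to surface the chain described above (a Windows script host launching PowerShell, PowerShell started with hidden or encoded-execution switches, and a Run-key entry pointing into a user-writable directory), then correlate those signals per host. The pipe-separated event format, its field names, the hostnames, paths and registry values are all constructed for this example; real Sysmon or EDR data needs its own field mapping.

```python
"""Prototype detection over constructed Windows process/registry events.

Added illustration only. The event schema (pipe-separated key=value
fields), the sample hosts, paths and values are constructed; the
detection patterns are the well-known PowerShell switches and Run-key
locations, not indicators taken from the campaign report.
"""
import re
from collections import defaultdict

# Constructed sample telemetry: two hosts, one with a suspicious chain.
SAMPLE_EVENTS = r"""
type=process|host=WS01|parent=C:\Windows\explorer.exe|image=C:\Windows\System32\wscript.exe|cmdline=wscript.exe C:\Users\alice\Downloads\invoice.js
type=process|host=WS01|parent=C:\Windows\System32\wscript.exe|image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|cmdline=powershell.exe -w hidden -nop -ep bypass -enc PLACEHOLDERBASE64
type=registry|host=WS01|image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|key=HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater|value=C:\Users\alice\AppData\Roaming\upd.exe
type=process|host=WS02|parent=C:\Windows\explorer.exe|image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|cmdline=powershell.exe -File C:\Scripts\backup.ps1
type=registry|host=WS02|image=C:\Windows\System32\msiexec.exe|key=HKLM\Software\Vendor\App\InstallPath|value=C:\Program Files\App
"""

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}   # hosts that run .js droppers
POWERSHELL = {"powershell.exe", "pwsh.exe"}

# Command-line switches/cmdlets associated with hidden, profile-less or
# in-memory PowerShell execution. Case-insensitive.
INMEM_PATTERNS = [
    re.compile(p, re.IGNORECASE)
    for p in (
        r"-e(nc|ncodedcommand)?\s+\S+",   # encoded command
        r"-w(indowstyle)?\s+hidden",      # hidden window
        r"-nop\b",                        # no profile
        r"-ep\s+bypass",                  # execution policy bypass
        r"\biex\b", r"invoke-expression",
        r"downloadstring", r"frombase64string",
    )
]
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Downloads|Public)\\", re.IGNORECASE)


def parse_event(line):
    """Turn one 'k=v|k=v' line into a dict (constructed format)."""
    return dict(field.split("=", 1) for field in line.strip().split("|"))


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def analyze(events_text):
    """Return (findings, correlated_hosts).

    findings: list of (host, tag, detail) in event order.
    correlated_hosts: hosts showing both script-host->PowerShell and
    Run-key persistence, i.e. the loader-plus-persistence chain.
    """
    findings = []
    per_host = defaultdict(set)
    for line in events_text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        host = ev["host"]
        if ev["type"] == "process":
            image, parent = basename(ev["image"]), basename(ev["parent"])
            if image in POWERSHELL:
                if parent in SCRIPT_HOSTS:
                    findings.append((host, "script_host_spawns_powershell", ev["cmdline"]))
                    per_host[host].add("script_host_spawns_powershell")
                hits = [p.pattern for p in INMEM_PATTERNS if p.search(ev["cmdline"])]
                if hits:
                    findings.append((host, "powershell_inmemory_flags", ", ".join(hits)))
                    per_host[host].add("powershell_inmemory_flags")
        elif ev["type"] == "registry" and RUN_KEY.search(ev["key"]):
            tag = "run_key_persistence"
            if USER_WRITABLE.search(ev["value"]):
                tag = "run_key_persistence_userwritable"   # payload in user-writable dir
            findings.append((host, tag, ev["key"]))
            per_host[host].add("run_key_persistence")

    correlated = sorted(
        h for h, tags in per_host.items()
        if "script_host_spawns_powershell" in tags and "run_key_persistence" in tags
    )
    return findings, correlated


if __name__ == "__main__":
    found, hosts = analyze(SAMPLE_EVENTS)
    for host, tag, detail in found:
        print(f"{host}: {tag} -> {detail}")
    print("hosts with full chain:", hosts)
```

Running the block prints three findings, all on WS01, and reports WS01 as the only host with the full script-host-to-PowerShell-to-Run-key chain; WS02's scheduled `-File` backup script and vendor installer registry write produce nothing. The per-host correlation is the useful part: any one of the three signals is noisy on its own, whereas the combination is what the campaign description implies.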