Particle.news

FortiGuard Warns of Global Phishing Surge Using UpCrypter to Take Over Windows Systems

Emails posing as voicemail notifications or purchase orders push downloads of loaders built to evade inspection through anti-analysis checks, steganography, and in-memory execution.

Overview

  • FortiGuard Labs says detections doubled in two weeks, with activity hitting manufacturing, technology, healthcare, construction, and retail/hospitality across countries including Austria, Belarus, Canada, Egypt, India, and Pakistan.
  • Phishing emails use HTML attachments or links to convincing landing pages that display the victim’s domain string and logo before prompting a ZIP download containing an obfuscated JavaScript dropper.
  • The JavaScript dropper installs UpCrypter, which retrieves Remote Access Tools such as DCRat/DarkCrystal, PureHVNC, and Babylon to enable full remote control of infected hosts.
  • UpCrypter is also delivered as an MSIL loader that performs anti-VM and anti-analysis checks, can fetch payloads as plain text or hidden in images, executes largely in memory, and adds registry persistence to minimize traces.
  • Researchers recommend stronger email filtering, targeted user training, limiting unnecessary PowerShell access, and applying vendor mitigations as attackers expand “living off trusted sites” tactics, including Google Classroom abuse and Microsoft 365 Direct Send misuse.
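As an added illustration of the "stronger email filtering" recommendation (example code written for this summary, not FortiGuard's or Fortinet's detection logic): a small Python triage check that flags a message showing the lure pattern the report describes, namely a voicemail or purchase-order subject, an HTML attachment, and a ZIP attachment that contains a JavaScript file. The sample messages are constructed inline; the subject pattern, the script-extension list and the scoring weights are assumptions chosen for the example.

```python
"""
Constructed mail-triage check for the lure pattern described above
(HTML attachment, ZIP attachment carrying a .js dropper, voicemail or
purchase-order theme). Example code only; sample messages are built inline.
"""
import email
import io
import re
import zipfile
from email.message import EmailMessage
from email.policy import default
from typing import Dict, List, Optional

# Subject themes the report associates with the campaign (assumed regex).
LURE_SUBJECT_RE = re.compile(r"voice ?mail|purchase order", re.I)
# Script types worth flagging inside an archive (assumed list).
SCRIPT_EXTS = (".js", ".jse", ".vbs", ".wsf", ".hta")


def zip_script_members(data: bytes) -> List[str]:
    """List script-like member names inside a ZIP payload without extracting it."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [n for n in zf.namelist() if n.lower().endswith(SCRIPT_EXTS)]
    except zipfile.BadZipFile:
        return []


def triage_message(raw: bytes) -> dict:
    """Score one RFC 822 message against the lure pattern and return the findings."""
    msg = email.message_from_bytes(raw, policy=default)
    findings = {"lure_subject": False, "html_attachment": False,
                "zip_with_script": [], "score": 0}
    if LURE_SUBJECT_RE.search(msg.get("Subject", "")):
        findings["lure_subject"] = True
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        ctype = part.get_content_type()
        payload = part.get_payload(decode=True) or b""
        if name.endswith((".htm", ".html")) or ctype == "text/html":
            findings["html_attachment"] = True
        if name.endswith(".zip") or ctype in ("application/zip",
                                              "application/x-zip-compressed"):
            findings["zip_with_script"] += zip_script_members(payload)
    # Assumed weights: the archive-with-script indicator counts double.
    score = 0
    score += 1 if findings["lure_subject"] else 0
    score += 1 if findings["html_attachment"] else 0
    score += 2 if findings["zip_with_script"] else 0
    findings["score"] = score
    return findings


def build_sample(subject: str, zip_members: Optional[Dict[str, bytes]],
                 html: bool) -> bytes:
    """Build a constructed test message (not a real campaign sample)."""
    msg = EmailMessage()
    msg["From"] = "billing@example.com"
    msg["To"] = "user@example.org"
    msg["Subject"] = subject
    msg.set_content("Please review the attached document.")
    if html:
        msg.add_attachment("<html><body>Sign in to play your voicemail</body></html>",
                           subtype="html", filename="voicemail.html")
    if zip_members:
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            for name, body in zip_members.items():
                zf.writestr(name, body)
        msg.add_attachment(buf.getvalue(), maintype="application",
                           subtype="zip", filename="PO-48213.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    suspicious = build_sample("Voicemail from +1 555 0100",
                              {"PO-48213.js": b"var a = 'constructed';"}, html=True)
    benign = build_sample("Meeting notes", {"notes.txt": b"agenda"}, html=False)
    print(triage_message(suspicious))
    print(triage_message(benign))
```

A gateway would treat a non-zero score as a reason to quarantine or strip the attachment for review rather than as proof of compromise; the check deliberately inspects the archive listing only, never executing or unpacking members.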