Cybersecurity experts have uncovered a phishing campaign using fake voicemails and purchase orders to spread a malware loader called UpCrypter. According to Fortinet, attackers send deceptive emails with links to phishing pages that prompt users to download JavaScript files acting as malware droppers.
The campaign has targeted industries like manufacturing, healthcare, technology, and retail since early August 2025, with infections reported in countries including Austria, Canada, India, and Pakistan.
UpCrypter serves as a gateway for remote access tools such as PureHVNC RAT, DCRat, and Babylon RAT, allowing attackers full control of infected systems. The phishing emails lead to convincing landing pages that mimic the victim's domain and logo, encouraging downloads of ZIP files containing obfuscated JavaScript. These files check for internet access and scan for forensic tools before fetching the next malware stage, sometimes hidden within images using steganography.
The malware also appears as an MSIL loader that performs anti-analysis checks and downloads additional payloads including PowerShell scripts and DLLs. These are executed in memory to avoid detection and leave minimal forensic traces.
Fortinet describes the campaign as a sophisticated ecosystem capable of evading defenses and maintaining persistence.
Google Classroom Abuse and LOTS Tactics
Separately, Check Point reported a phishing wave that used Google Classroom to send over 115,000 emails to 13,500 organizations globally. These emails contained fake invitations and commercial offers, directing victims to scammers via WhatsApp.
The attack bypassed email security by exploiting Google Classroom’s trusted infrastructure, avoiding SPF, DKIM, and DMARC checks.
This trend reflects broader tactics known as living-off-trusted-sites (LOTS), where attackers misuse legitimate platforms like Microsoft 365, OneNote, Discord CDN, and AI-powered site builders. In one case, stolen M365 credentials were used to embed phishing links in a OneNote file stored on OneDrive.
Microsoft has responded by offering a "Reject Direct Send" option and recommending custom headers and quarantine policies to detect spoofed internal emails.
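The LOTS pattern described above defeats sender authentication by design: a message relayed through Google Classroom genuinely originates from Google, so SPF, DKIM and DMARC all pass and the verdict has to come from content and context instead. The following triage script is an added example, not code from the article, Check Point or Fortinet. It parses a raw message, reads the Authentication-Results header, and flags relayed mail whose Reply-To points elsewhere or whose body steers the reader to WhatsApp. The relay-domain list, the WhatsApp link patterns and both sample messages are constructed assumptions for the example.

```python
"""Heuristic triage for mail relayed through trusted SaaS platforms (added example)."""
import re
from email import message_from_string, policy

# Assumed: platforms that relay user-authored content under their own domain.
TRUSTED_RELAY_DOMAINS = {"classroom.google.com"}

# Assumed indicators that the reader is being pushed off-platform to a chat app.
OFF_PLATFORM_PATTERNS = [
    re.compile(r"https?://(?:wa\.me|chat\.whatsapp\.com|api\.whatsapp\.com)/\S*", re.I),
    re.compile(r"\bwhatsapp\b[^\n]{0,40}\+?\d[\d\s().-]{6,}\d", re.I),  # "WhatsApp ... +1 555 ..."
]

# Constructed sample: Classroom invite that passes every check but redirects to WhatsApp.
PHISH_SAMPLE = """\
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=classroom.google.com; dkim=pass header.d=classroom.google.com; dmarc=pass header.from=classroom.google.com
From: "Acme Procurement (Classroom)" <no-reply@classroom.google.com>
Reply-To: deals@acme-offers.example
To: buyer@victim.example
Subject: Invitation: Bulk order discount - respond today
Content-Type: text/plain; charset="utf-8"

You were invited to the class "Wholesale Offers 2025".
To claim the commercial offer, message our agent on WhatsApp: https://wa.me/15550100123
"""

# Constructed sample: an ordinary Classroom notification.
BENIGN_SAMPLE = """\
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=classroom.google.com; dkim=pass header.d=classroom.google.com; dmarc=pass header.from=classroom.google.com
From: "Ms. Rivera (Classroom)" <no-reply@classroom.google.com>
To: student@school.example
Subject: New assignment: Chapter 4 problem set
Content-Type: text/plain; charset="utf-8"

Ms. Rivera posted a new assignment in Algebra II.
Open it in Classroom to view the details.
"""


def parse_auth_results(msg):
    """Return {'spf': ..., 'dkim': ..., 'dmarc': ...} from the Authentication-Results header."""
    header = msg.get("Authentication-Results", "")
    results = {}
    for mech in ("spf", "dkim", "dmarc"):
        m = re.search(rf"\b{mech}=(\w+)", header, re.I)
        results[mech] = m.group(1).lower() if m else "none"
    return results


def address_domain(value):
    """Extract the domain from a header value such as 'Name <user@example.com>'."""
    m = re.search(r"@([\w.-]+)", value or "")
    return m.group(1).lower() if m else ""


def triage(raw):
    """Score one raw RFC 5322 message and explain the verdict."""
    msg = message_from_string(raw, policy=policy.default)
    auth = parse_auth_results(msg)
    from_domain = address_domain(msg.get("From"))
    reply_domain = address_domain(msg.get("Reply-To"))
    part = msg.get_body(preferencelist=("plain", "html"))
    body = part.get_content() if part else ""

    # A passing SPF/DKIM/DMARC triple from a relay domain proves only that the
    # platform sent it, not that the content is legitimate.
    authenticated_relay = (from_domain in TRUSTED_RELAY_DOMAINS
                           and all(v == "pass" for v in auth.values()))

    reasons = []
    if reply_domain and reply_domain != from_domain:
        reasons.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")
    if any(p.search(body) for p in OFF_PLATFORM_PATTERNS):
        reasons.append("body steers the recipient to WhatsApp")

    return {
        "verdict": "suspicious" if reasons else "clean",
        "authenticated_relay": authenticated_relay,
        "auth": auth,
        "reasons": reasons,
    }


if __name__ == "__main__":
    for label, sample in (("phish", PHISH_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(label, triage(sample))
```

Because the relay signs everything it sends, the `authenticated_relay` flag is reported alongside the content signals so an analyst can see why passing authentication carries no weight for this message; the same structure extends to other relays by adding their sender domains and the off-platform contact patterns seen in a given campaign.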
Advanced Evasion Techniques
Phishing pages now use client-side evasion methods to avoid detection. These include JavaScript-based blocking, Browser-in-the-Browser templates, and virtual desktop hosting via noVNC. Scripts can detect analysis attempts and redirect users to blank pages, cutting off further inspection.