Global Phishing Campaign Installs Multiple RATs via JavaScript Droppers
Summary
Hide β²
Show βΌ
A rapidly spreading phishing campaign targets Windows users worldwide, stealing credentials and deploying various remote access trojans (RATs). The campaign uses convincing phishing pages and personalized emails to lure victims into downloading malicious JavaScript files. The attack impacts multiple sectors, including manufacturing, technology, healthcare, construction, and retail/hospitality. The campaign is notable for its complexity and the use of advanced techniques to evade detection. The attack chain begins with a small, obfuscated script that redirects victims to spoofed sites. The malware delivered includes PureHVNC, DCRat, and Babylon RAT, providing long-term access to the organization's networks. The campaign has shown rapid growth, with detection counts doubling in just two weeks. The phishing campaign targets specific countries, including Austria, Belarus, Canada, Egypt, India, and Pakistan. The attack chain begins with phishing emails using themes related to voicemail messages and purchase orders. The phishing pages display the victim's domain string and logo to reinforce authenticity. The payload is a ZIP archive containing an obfuscated JavaScript file that performs anti-analysis checks. UpCrypter is also distributed as an MSIL loader that performs anti-analysis and anti-virtual machine checks. The attack culminates with the script embedding data from a DLL loader and the payload during execution, minimizing forensic traces. Threat actors are using living-off-trusted-sites (LOTS) techniques, leveraging legitimate services like Microsoft 365 Direct Send and OneNote. Attackers use client-side evasion techniques in phishing pages, including JavaScript-based blocking and Browser-in-the-Browser (BitB) templates.
Timeline
-
25.08.2025 18:13 π° 2 articles Β· β± 22d ago
Global phishing campaign installs multiple RATs via JavaScript droppers
The phishing campaign targets specific countries, including Austria, Belarus, Canada, Egypt, India, and Pakistan. The attack chain begins with phishing emails using themes related to voicemail messages and purchase orders. The phishing pages display the victim's domain string and logo to reinforce authenticity. The payload is a ZIP archive containing an obfuscated JavaScript file that performs anti-analysis checks. UpCrypter is also distributed as an MSIL loader that performs anti-analysis and anti-virtual machine checks. The attack culminates with the script embedding data from a DLL loader and the payload during execution, minimizing forensic traces. Threat actors are using living-off-trusted-sites (LOTS) techniques, leveraging legitimate services like Microsoft 365 Direct Send and OneNote. Attackers use client-side evasion techniques in phishing pages, including JavaScript-based blocking and Browser-in-the-Browser (BitB) templates.
Show sources
- Fast-Spreading, Complex Phishing Campaign Installs RATs β www.darkreading.com β 25.08.2025 18:13
- Phishing Campaign Uses UpCrypter in Fake Voicemail Emails to Deliver RAT Payloads β thehackernews.com β 25.08.2025 19:04
Information Snippets
-
The phishing campaign targets Windows users across multiple sectors, including manufacturing, technology, healthcare, construction, and retail/hospitality.
First reported: 25.08.2025 18:13π° 2 sources, 2 articlesShow sources
- Fast-Spreading, Complex Phishing Campaign Installs RATs β www.darkreading.com β 25.08.2025 18:13
- Phishing Campaign Uses UpCrypter in Fake Voicemail Emails to Deliver RAT Payloads β thehackernews.com β 25.08.2025 19:04
-
Attackers use socially engineered scenarios and personalized phishing pages to lure victims into downloading malicious JavaScript files.
First reported: 25.08.2025 18:13π° 2 sources, 2 articlesShow sources
- Fast-Spreading, Complex Phishing Campaign Installs RATs β www.darkreading.com β 25.08.2025 18:13
- Phishing Campaign Uses UpCrypter in Fake Voicemail Emails to Deliver RAT Payloads β thehackernews.com β 25.08.2025 19:04
-
The campaign deploys UpCrypter malware, which acts as a dropper for various RATs, including PureHVNC, DCRat, and Babylon RAT.
First reported: 25.08.2025 18:13π° 2 sources, 2 articlesShow sources
- Fast-Spreading, Complex Phishing Campaign Installs RATs β www.darkreading.com β 25.08.2025 18:13
- Phishing Campaign Uses UpCrypter in Fake Voicemail Emails to Deliver RAT Payloads β thehackernews.com β 25.08.2025 19:04
-
The attack chain includes obfuscated scripts, junk code, and techniques to evade detection, such as scanning for forensic tools and virtual machine environments.
First reported: 25.08.2025 18:13π° 2 sources, 2 articlesShow sources
- Fast-Spreading, Complex Phishing Campaign Installs RATs β www.darkreading.com β 25.08.2025 18:13
- Phishing Campaign Uses UpCrypter in Fake Voicemail Emails to Deliver RAT Payloads β thehackernews.com β 25.08.2025 19:04
-
The campaign has shown rapid growth, with detection counts more than doubling in two weeks.
First reported: 25.08.2025 18:13π° 1 source, 1 articleShow sources
- Fast-Spreading, Complex Phishing Campaign Installs RATs β www.darkreading.com β 25.08.2025 18:13
-
Defenders are advised to use multi-layered defenses, including email filters, employee training, and up-to-date security tools to mitigate the threat.
First reported: 25.08.2025 18:13π° 1 source, 1 articleShow sources
- Fast-Spreading, Complex Phishing Campaign Installs RATs β www.darkreading.com β 25.08.2025 18:13
-
The phishing campaign targets specific countries, including Austria, Belarus, Canada, Egypt, India, and Pakistan.
First reported: 25.08.2025 19:04π° 1 source, 1 articleShow sources
- Phishing Campaign Uses UpCrypter in Fake Voicemail Emails to Deliver RAT Payloads β thehackernews.com β 25.08.2025 19:04
-
The attack chain begins with phishing emails using themes related to voicemail messages and purchase orders.
First reported: 25.08.2025 19:04π° 1 source, 1 articleShow sources
- Phishing Campaign Uses UpCrypter in Fake Voicemail Emails to Deliver RAT Payloads β thehackernews.com β 25.08.2025 19:04
-
The phishing pages display the victim's domain string and logo to reinforce authenticity.
First reported: 25.08.2025 19:04π° 1 source, 1 articleShow sources
- Phishing Campaign Uses UpCrypter in Fake Voicemail Emails to Deliver RAT Payloads β thehackernews.com β 25.08.2025 19:04
-
The payload is a ZIP archive containing an obfuscated JavaScript file that performs anti-analysis checks.
First reported: 25.08.2025 19:04π° 1 source, 1 articleShow sources
- Phishing Campaign Uses UpCrypter in Fake Voicemail Emails to Deliver RAT Payloads β thehackernews.com β 25.08.2025 19:04
-
UpCrypter is also distributed as an MSIL loader that performs anti-analysis and anti-virtual machine checks.
First reported: 25.08.2025 19:04π° 1 source, 1 articleShow sources
- Phishing Campaign Uses UpCrypter in Fake Voicemail Emails to Deliver RAT Payloads β thehackernews.com β 25.08.2025 19:04
-
The attack culminates with the script embedding data from a DLL loader and the payload during execution, minimizing forensic traces.
First reported: 25.08.2025 19:04π° 1 source, 1 articleShow sources
- Phishing Campaign Uses UpCrypter in Fake Voicemail Emails to Deliver RAT Payloads β thehackernews.com β 25.08.2025 19:04
-
Threat actors are using living-off-trusted-sites (LOTS) techniques, leveraging legitimate services like Microsoft 365 Direct Send and OneNote.
First reported: 25.08.2025 19:04π° 1 source, 1 articleShow sources
- Phishing Campaign Uses UpCrypter in Fake Voicemail Emails to Deliver RAT Payloads β thehackernews.com β 25.08.2025 19:04
-
Attackers use client-side evasion techniques in phishing pages, including JavaScript-based blocking and Browser-in-the-Browser (BitB) templates.
First reported: 25.08.2025 19:04π° 1 source, 1 articleShow sources
- Phishing Campaign Uses UpCrypter in Fake Voicemail Emails to Deliver RAT Payloads β thehackernews.com β 25.08.2025 19:04
Similar Happenings
SlopAds Fraud Ring Exploits 224 Android Apps to Drive 2.3 Billion Daily Ad Bids
A fraudulent ad operation, SlopAds, has been identified, exploiting 224 Android apps to generate 2.3 billion ad bids daily. The apps, collectively downloaded 38 million times across 228 countries, use steganography and hidden WebViews to create fraudulent ad impressions and clicks. The operation was disrupted after Google removed the offending apps from the Play Store. The SlopAds campaign is notable for its sophisticated tactics, including conditional fraud execution and the use of AI-themed services for command and control. The fraudulent behavior is triggered only when apps are downloaded via ad clicks, making detection more challenging. The campaign's infrastructure includes multiple domains and a complex feedback loop designed to evade security researchers. The campaign's highest concentration of ad impressions originated from the United States (30%), followed by India (10%) and Brazil (7%).
FileFix Attack Using Steganography to Deploy StealC Infostealer
A new FileFix social engineering campaign impersonates Meta account suspension warnings to trick users into installing the StealC infostealer malware. The attack uses steganography to hide malicious scripts and executables within a JPG image. The campaign targets various credentials, cryptocurrency wallets, and cloud services. The FileFix technique abuses the File Explorer address bar to execute PowerShell commands, bypassing traditional detection methods. The attack was discovered by Acronis and observed over a two-week period, with multiple variants using different payloads and domains. The StealC malware aims to steal sensitive information from infected devices, including browser credentials, messaging app data, and cryptocurrency wallets. The FileFix technique was created by red team researcher mr.d0x and has been previously used by the Interlock ransomware gang. The attack uses a multilingual phishing site to trick users into copying and pasting a malicious command into the File Explorer address bar. The campaign abuses Bitbucket repositories to host malicious components, leveraging trust in the platform to bypass detection. The FileFix campaign is the most widespread, customized, and sophisticated to date, targeting users in over 16 countries. The phishing site has been translated into at least 16 different languages. The attack chain involves a phishing email impersonating Facebook security, warning users of account suspension. The attack uses AI-generated images in the steganography process. The FileFix technique is more elegant and less suspicious than ClickFix, using File Explorer instead of the Run dialog. The FileFix attack offers a broader range of high-value targets due to its use of File Explorer. Security researcher Eliad Kimhy predicts an increase in FileFix attacks in the near future.
Supply Chain Attack Targeting npm Registry Compromises 40 Packages
A supply chain attack targeting the npm registry has compromised over 187 packages maintained by multiple developers. The attack uses a malicious script (bundle.js) to steal credentials from developer machines. The compromised packages include various npm modules used in different projects. The attack is capable of targeting both Windows and Linux systems. The malicious script scans for secrets using TruffleHog's credential scanner and transmits them to an external server controlled by the attackers. Developers are advised to audit their environments and rotate credentials if the affected packages are present.
UNC6040 and UNC6395 Target Salesforce Platforms in Data Theft Campaigns
The FBI has issued an alert about two cybercriminal groups, UNC6040 and UNC6395, targeting Salesforce platforms for data theft and extortion. UNC6395 exploited compromised OAuth tokens for the Salesloft Drift application, while UNC6040 used vishing campaigns and modified Salesforce tools to breach Salesforce instances. Both groups have been active since at least October 2024, impacting multiple organizations. UNC6040 has been linked to extortion activities, with Google attributing these to a separate cluster, UNC6240, which has claimed to be the ShinyHunters group. The ShinyHunters group, along with Scattered Spider and LAPSUS$, recently announced they are going dark, but experts warn that the threat persists. UNC6040 impersonated corporate IT support personnel to gain access to Salesforce environments and used modified versions of Salesforce's Data Loader to exfiltrate data. Salesforce re-enabled integrations with Salesloft technologies, except for the Drift app, which remains disabled.
Resurfaced ChillyHell macOS Backdoor Discovered
A new version of the ChillyHell modular backdoor malware targeting macOS has been discovered. The malware, first seen in 2022, was used in attacks against Ukrainian officials and has now resurfaced with updated capabilities. ChillyHell provides remote access, payload delivery, and password brute-forcing. The malware was notarized by Apple in 2021 and has been publicly hosted on Dropbox since then. The malware disguises itself as an executable applet and deploys as a persistent backdoor, capable of retrieving sensitive data and evading detection. It employs multiple persistence mechanisms and can communicate over different protocols. It also features timestamping to cover its tracks. Apple has revoked the notarization of the developer certificates associated with the malware after being notified. ChillyHell is written in C++ and targets Intel architectures. It is attributed to an uncategorized threat cluster dubbed UNC4487, which has been active since at least October 2022. UNC4487 is suspected to be an espionage actor targeting Ukrainian government entities.