UpCrypter JavaScript dropper delivering RATs

Malware Activity
Happening score: 14
1 unique source, 1 article

Summary

The UpCrypter malware chain is delivering RATs to Windows victims through a global phishing operation, creating long-term remote-access risk. Attackers lure targets into downloading JavaScript dropper files that install payloads including PureHVNC, DCRat, and Babylon RAT. The chain uses obfuscation, in-memory execution, and anti-analysis checks to evade detection.

Related Happenings

ClickFix variants delivering LummaC2 and Rhadamanthys

Malware Activity
First: 24.11.2025 22:42 Last: 24.11.2025 22:42 Sources 1

About this happening: Since **October 1**, **ClickFix** variants have been using a **fake Windows Update** screen and **human verification** lures to trick Windows users into pasting commands that exec...

Winos 4.0 and HoldingHands RAT malware activity expanding targeting to Japan and Malaysia

Malware Activity
First: 18.10.2025 09:51 Last: 18.10.2025 09:51 Sources 1

About this happening: The **Winos 4.0** malware operation has expanded its target footprint to **Japan** and **Malaysia** through **HoldingHands RAT**, increasing the reach of a multi-stage phishing de...

Stealit malware activity abusing Node.js SEA and counterfeit installers

Malware Activity
First: 10.10.2025 17:25 Last: 10.10.2025 17:25 Sources 1

About this happening: **Stealit** is an active malware activity that uses **Node.js Single Executable Application (SEA)** and some **Electron** builds to spread standalone payloads through counterfeit...

MostereRAT phishing-delivered RAT activity against Japanese Windows users

Malware Activity
First: 08.09.2025 23:49 Last: 08.09.2025 23:49 Sources 1

About this happening: The **MostereRAT** malware activity is using **phishing** to place a staged **RAT** on **Microsoft Windows** systems in **Japan**, giving attackers durable remote access and raisi...

Timeline

  1. 25.08.2025 18:13 1 article · 9mo ago

    Fortinet detects global Windows phishing campaign delivering UpCrypter RAT droppers

    Initial Disclosure

    Fortinet Labs detected a rapidly growing Windows phishing campaign operating at a truly global scale and targeting organizations across manufacturing, technology, healthcare, construction, and retail/hospitality. The campaign uses socially engineered emails and personalized phishing pages to induce victims to download JavaScript files that act as droppers for UpCrypter, which then deploys RATs including PureHVNC, DCRat, and Babylon RAT while using obfuscation, junk code, in-memory execution, and anti-analysis checks to reduce detection.