UpCrypter phishing campaign using fake voicemails and purchase orders

Campaign
Happening score (H score): 33
1 unique source, 1 article

Summary

UpCrypter is being pushed through a new phishing campaign that uses fake voicemails and purchase orders to lure recipients into downloading malicious content. The operation relies on carefully crafted emails and convincing phishing pages that deliver JavaScript droppers for the loader. It has targeted manufacturing, technology, healthcare, construction, and retail/hospitality organizations worldwide since August 2025. UpCrypter matters because it stages PureHVNC RAT, DCRat, and Babylon RAT, enabling full control of compromised hosts.

Related Happenings

Silver Fox South Asia phishing campaign

Campaign
First: 24.03.2026 18:00 Last: 24.03.2026 18:00 Sources 1

About this happening: The **Silver Fox** campaign now includes **BYOVD** abuse of a previously unknown **WatchDog Anti-malware** driver, **amsdk.sys (version 1.0.600)**, to disable security tools on co...

PurpleBravo Contagious Interview campaign

Campaign
First: 21.01.2026 19:17 Last: 21.01.2026 19:17 Sources 1

About this happening: The **North Korea-linked Contagious Interview** campaign is refining its malware stack, with **Cisco Talos** reporting that **BeaverTail** and **OtterCookie** are being merged mor...

Latest development: 22.04.2026 17:48

North Korean actor Void Dokkaebi, aka Famous Chollima, pushed the Contagious Interview fake-job campaign into a self-propagating software supply chain operation by abusing compromised developer repositories, malicious Visual Studio (VS) Code tasks, and injected code that can run during normal development activity to spread malware and steal cryptocurrency wallet credentials, signing keys, and access to CI/CD pipelines and production infrastructure. Trend Micro said the campaign also stages payloads on Tron, Aptos, and Binance Smart Chain, and in March it found more than 750 infected code repositories, more than 500 malicious VS Code task configurations, and 101 instances of the commit-tampering tool.

PureRAT ClickFix malware delivery chain targeting hotel systems

Malware Activity
First: 10.11.2025 11:11 Last: 10.11.2025 11:11 Sources 1

About this happening: A **PureRAT** infection chain is actively targeting **hotel systems**, enabling **credential theft**, **remote access**, and **command execution**. The malware is delivered throug...

Booking.com partner-account phishing campaign using ClickFix and PureRAT

Campaign
First: 06.11.2025 18:00 Last: 06.11.2025 18:00 Sources 1

About this happening: A **phishing campaign** abusing **Booking.com partner accounts** is stealing credentials and helping fraudsters pressure hotel guests, creating risk for **hospitality businesses**...

Zendesk anonymous support-request email-bomb campaign

Campaign
First: 17.10.2025 14:26 Last: 17.10.2025 14:26 Sources 1

About this happening: **Cybercriminals** are running a **Zendesk abuse campaign** that floods targeted inboxes with threatening ticket notifications, turning a legitimate support workflow into an email...

Timeline

  1. 25.08.2025 19:04 · 1 article · 9mo ago

    UpCrypter phishing campaign disclosed

    Initial Disclosure

    Fortinet researchers described a phishing campaign using fake voicemail and purchase-order lures to deliver UpCrypter through malicious URLs and convincing phishing pages that prompt victims to download JavaScript droppers or ZIP archives. UpCrypter uses anti-analysis checks, can fetch payloads as plain text or via steganography, and stages PureHVNC RAT, DCRat (DarkCrystal RAT), and Babylon RAT for remote control of compromised hosts. The activity has targeted manufacturing, technology, healthcare, construction, and retail/hospitality organizations worldwide since the start of August 2025, with infections observed in Austria, Belarus, Canada, Egypt, India, and Pakistan.