Cybersecurity researchers have uncovered a new phishing campaign using fake voicemail messages and purchase orders to spread a malware loader known as UpCrypter.
According to Fortinet FortiGuard Labs, the attackers send phishing emails that link to fake web pages, tricking users into downloading malicious JavaScript files. The files then install UpCrypter, which helps hackers deploy remote access tools (RATs) like PureHVNC, DCRat, and Babylon RAT, providing them with full control of infected computers.
The campaign has been active since early August and is targeting industries such as manufacturing, healthcare, construction, technology, and retail. Countries most affected include Austria, Belarus, Canada, Egypt, India, and Pakistan.
The phishing emails appear legitimate, often mimicking real voicemail notifications or purchase documents. The fake websites even include the victim's company logo and domain name to look more convincing. Once users download the file, it installs the malware without leaving obvious traces, making it harder for security teams to detect.