{"id":1458,"date":"2025-08-26T19:55:08","date_gmt":"2025-08-26T19:55:08","guid":{"rendered":"https:\/\/www.techrepublic.com\/?p=4324044"},"modified":"2025-08-26T19:55:08","modified_gmt":"2025-08-26T19:55:08","slug":"warning-for-windows-users-global-upcrypter-phishing-attack-is-expanding","status":"publish","type":"post","link":"https:\/\/blog.tecnoartesanos.com\/index.php\/2025\/08\/26\/warning-for-windows-users-global-upcrypter-phishing-attack-is-expanding\/","title":{"rendered":"Warning for Windows Users: Global UpCrypter Phishing Attack is Expanding"},"content":{"rendered":"
\"A<\/picture>
Image: James Thew\/Adobe Stock<\/figcaption><\/figure>\n

<\/p>\n

Cybersecurity researchers have identified a surge of phishing emails targeting Microsoft Windows devices. Fortinet\u2019s FortiGuard Labs tracks activity related to UpCrypter, a loader designed to install multiple types of remote access tools (RATs) that enable attackers to maintain prolonged access to compromised machines.<\/p>\n

The phishing emails arrive disguised as missed voicemails or purchase orders. Victims who click on the attachments are redirected to fake websites, designed to appear convincing, often featuring company logos to increase trust.<\/p>\n

According to Fortinet, these phishing pages prompt users to download a ZIP file containing a heavily disguised JavaScript dropper. Once opened, the script triggers PowerShell commands in the background that connect to attacker-controlled servers for the next stage of malware.<\/p>\n

\u201cThese pages are designed to entice recipients into downloading JavaScript files that act as droppers for UpCrypter,\u201d said Cara Lin<\/a>, a Fortinet FortiGuard Labs researcher.<\/p>\n

<\/p>\n

<\/span>UpCrypter\u2019s role in the attack chain<\/span><\/h2>\n

Once executed, UpCrypter scans the system to see if it is being analyzed in a sandbox or by forensic tools. If such monitoring is detected, the loader forces a reboot to break the investigation.<\/p>\n

If no obstacles are found, the malware proceeds to download and run further payloads. In some cases, attackers conceal these files inside images through steganography, a tactic that helps bypass antivirus software<\/a> detection.<\/p>\n

The final malware deployed includes:<\/p>\n