Phishing Campaign Targeting Companies via UpCrypter
ID: 59885c0f-793f-5173-b1bc-5e803a4d4461
STIX ID: report--59885c0f-793f-5173-b1bc-5e803a4d4461
Feed Name: Fortinet Blog
Fortinet FortiGuard Labs identified a global phishing campaign that uses obfuscated HTML/JavaScript lures to redirect recipients to personalized phishing pages which deliver a ZIP containing an obfuscated JavaScript loader (UpCrypter). UpCrypter decodes and executes a .NET loader in memory, performs anti-analysis and anti-VM checks, establishes persistence via HKCU Run, and stages multiple remote access tools (PureHVNC, DCRat, Babylon RAT); the report includes network and file IOCs and mitigation guidance.
