Phishing Campaign Targeting Companies via UpCrypter

    Date: 08/27/2025

    Severity: High

    Summary

    A recent phishing campaign is targeting companies through emails containing malicious URLs that lead to spoofed websites tailored to the recipient’s email domain. These convincing sites trick users into downloading JavaScript files that act as droppers for UpCrypter malware. Once executed, UpCrypter installs multiple remote access tools (RATs), including PureHVNC, DCRat, and Babylon RAT, allowing attackers to gain control over infected systems.

    Indicators of Compromise (IOC) List

    URL/Domain

    Hash

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1:

    domainname like "adanaaysuntemizlik.com" or siteurl like "adanaaysuntemizlik.com" or url like "adanaaysuntemizlik.com" or domainname like "brokaflex.com" or siteurl like "brokaflex.com" or url like "brokaflex.com" or domainname like "capitalestates.es" or siteurl like "capitalestates.es" or url like "capitalestates.es" or domainname like "hacvietsherwin.com" or siteurl like "hacvietsherwin.com" or url like "hacvietsherwin.com" or domainname like "ktc2005.com" or siteurl like "ktc2005.com" or url like "ktc2005.com" or domainname like "maltashopping24.com" or siteurl like "maltashopping24.com" or url like "maltashopping24.com" or domainname like "manitouturkiye.com" or siteurl like "manitouturkiye.com" or url like "manitouturkiye.com" or domainname like "power-builders.net" or siteurl like "power-builders.net" or url like "power-builders.net" or domainname like "samsunbilgisayartamiri.com" or siteurl like "samsunbilgisayartamiri.com" or url like "samsunbilgisayartamiri.com" or domainname like "afxwd.ddns.net" or siteurl like "afxwd.ddns.net" or url like "afxwd.ddns.net" or domainname like "andrefelipedonascime1753562407700.0461178.meusitehostgator.com.br" or siteurl like "andrefelipedonascime1753562407700.0461178.meusitehostgator.com.br" or url like "andrefelipedonascime1753562407700.0461178.meusitehostgator.com.br" or domainname like "webdot.ddns.net" or siteurl like "webdot.ddns.net" or url like "webdot.ddns.net" or domainname like "www.tridevresins.com" or siteurl like "www.tridevresins.com" or url like "www.tridevresins.com" or domainname like "xtadts.ddns.net" or siteurl like "xtadts.ddns.net" or url like "xtadts.ddns.net" or domainname like "http://brokaflex.com/tw/w.php" or siteurl like "http://brokaflex.com/tw/w.php" or url like "http://brokaflex.com/tw/w.php" or domainname like "http://ktc2005.com/bu.txt" or siteurl like "http://ktc2005.com/bu.txt" or url like "http://ktc2005.com/bu.txt" or domainname like "http://ktc2005.com/bu.txt.xn--ivg" or siteurl like "http://ktc2005.com/bu.txt.xn--ivg" or url like "http://ktc2005.com/bu.txt.xn--ivg" or domainname like "http://manitouturkiye.com/cz/z.php" or siteurl like "http://manitouturkiye.com/cz/z.php" or url like "http://manitouturkiye.com/cz/z.php" or domainname like "http://power-builders.net/vn/v.php" or siteurl like "http://power-builders.net/vn/v.php" or url like "http://power-builders.net/vn/v.php" or domainname like "https://andrefelipedonascime1753562407700.0461178.meusitehostgator.com.br/sPVbqMbKYr_06/03.txt." or siteurl like "https://andrefelipedonascime1753562407700.0461178.meusitehostgator.com.br/sPVbqMbKYr_06/03.txt." or url like "https://andrefelipedonascime1753562407700.0461178.meusitehostgator.com.br/sPVbqMbKYr_06/03.txt." or domainname like "https://brokaflex.com/tw/w.xn--php-9o0a" or siteurl like "https://brokaflex.com/tw/w.xn--php-9o0a" or url like "https://brokaflex.com/tw/w.xn--php-9o0a" or domainname like "https://maltashopping24.com/t" or siteurl like "https://maltashopping24.com/t" or url like "https://maltashopping24.com/t" or domainname like "https://www.tridevresins.com/_b#." or siteurl like "https://www.tridevresins.com/_b#." or url like "https://www.tridevresins.com/_b#."

    Detection Query 2:

    sha256hash IN ("4b03950d0ace9559841a80367f66c1cd84ce452d774d65c8ab628495d403ad0f","7e832ab8f15d826324a429ba01e49b452ffc163ca4af8712a6b173f40c919b43","a5fe77344a239af14c87336c65e75e59b69a59f3420bd049da8e8fd0447af235","c0bfa10d2739acd6ee11b8a2e2cc19263e18db0bbcab929a133eaaf1a31dc9a5","c7b6205c411a5c0fde873085f924f6270d49d103f57e7e7ceb3deb255f3e6598","f2633ef3030c28238727892d1f2fcb669d23a803e035a5c37fd8b07dce442f17")
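As an added example (not part of this advisory or of Gurucul's TDIR), the Python below applies the same indicator matching as the two queries above to constructed proxy-log lines and file-hash records, using a subset of the advisory's domains and one of its SHA-256 values. Unlike Query 1's bare like comparisons on full URL strings, it normalises each URL to its hostname, so any path or port on a listed domain matches while a look-alike name that merely ends in the same characters does not; the log format, file paths and sample records are assumptions.

```python
from urllib.parse import urlsplit

# Indicator subset copied from this advisory's detection queries.
IOC_DOMAINS = {"brokaflex.com", "ktc2005.com", "xtadts.ddns.net", "www.tridevresins.com"}
IOC_SHA256 = {"4b03950d0ace9559841a80367f66c1cd84ce452d774d65c8ab628495d403ad0f"}

def host_of(value):
    """Normalise a bare domain or full URL to a lowercase hostname (port and path dropped)."""
    v = value.strip().lower()
    if "://" not in v:
        v = "http://" + v  # urlsplit only fills .hostname when a scheme is present
    return (urlsplit(v).hostname or "").rstrip(".")

def domain_hit(value):
    """Return the IOC domain matched by value's host (exact or subdomain), else None."""
    host = host_of(value)
    for ioc in IOC_DOMAINS:
        if host == ioc or host.endswith("." + ioc):  # label-aware, unlike a bare LIKE
            return ioc
    return None

def scan_proxy_log(lines):
    """Assumed log format: '<timestamp> <src_ip> <url> <status>'; returns (src_ip, url, ioc)."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 4:
            continue  # skip malformed lines rather than abort the sweep
        ioc = domain_hit(parts[2])
        if ioc:
            hits.append((parts[1], parts[2], ioc))
    return hits

def scan_hashes(records):
    """records: (path, sha256) pairs; return those whose digest is on the IOC list."""
    return [(p, h) for p, h in records if h.strip().lower() in IOC_SHA256]

# Constructed sample telemetry, not real data.
SAMPLE_LOG = [
    "2025-08-27T10:01:02Z 10.0.0.5 http://ktc2005.com/bu.txt 200",
    "2025-08-27T10:01:09Z 10.0.0.5 https://BROKAFLEX.com/tw/other.php 200",
    "2025-08-27T10:02:00Z 10.0.0.7 https://example.com/ 200",
    "2025-08-27T10:03:00Z 10.0.0.9 http://xtadts.ddns.net:8080/ 404",
    "malformed line",
]
SAMPLE_HASHES = [
    ("C:\\Users\\u\\Downloads\\file.js", "4B03950D0ACE9559841A80367F66C1CD84CE452D774D65C8AB628495D403AD0F"),
    ("C:\\Windows\\notepad.exe", "00" * 32),
]
```

Calling scan_proxy_log(SAMPLE_LOG) returns the three listed-domain requests (the mixed-case host, the non-indicator path and the explicit port all still match) and scan_hashes(SAMPLE_HASHES) returns only the uppercase-hashed download.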

    Reference:

    https://www.fortinet.com/blog/threat-research/phishing-campaign-targeting-companies-via-upcrypter


    Tags

    RAT, PureHVNC, DCRAT, Babylon RAT, Malware, UpCrypter, Phishing
