Attackers not only steal credentials but also can maintain long-term, persistent access to corporate networks through the global campaign.

A rapidly growing phishing campaign targeting Windows users across the globe is not only stealing credentials for future attacks but also spreading various remote access trojans (RATs) via malicious scripts.

Researchers at Fortinet Labs detected the campaign, which is operating on what they call a "truly global scale" to target organizations across various sectors, with manufacturing, technology, healthcare, construction, and retail/hospitality taking the brunt of the attacks, according to a blog post published today.

The campaign involves attackers using various socially engineered scenarios to lure people to "convincing phishing pages" via emails related to purported voicemails for missed phone calls, purchase orders, and other topics that require their immediate attention, Cara Lin, Fortinet's manager of antivirus analysis, wrote in the post. Attackers personalize the pages with the victim's own email and their company's logo to make them seem even more legitimate, she wrote.

"These pages are designed to entice recipients into downloading JavaScript files that act as droppers for UpCrypter, malware that ultimately deploys various remote access tools (RATs)," Lin wrote in the post.

In this way, the campaign is more dangerous than typical phishing attacks in that not only do attackers steal credentials that can be wielded for future malicious activity, but the attacks are also aimed at giving them long-term access to the organization's networks.

"The malicious files delivered are not just for stealing passwords but for installing powerful remote access tools that give attackers long-term control," observed J Stephen Kowski, field CTO at SlashNext Email Security+, in a statement. "What's most important to understand is that this isn't a one-time data theft — it's a full system breach that can spread quietly inside company networks."

Serious Threat Spreading Rapidly

The attack chain begins with a small, obfuscated script that redirects victims to a spoofed site personalized with the target's email domain, according to Fortinet. The infection chain uses different methods to lure the victim and eventually delivers several RATs, including PureHVNC, DCRat, and Babylon RAT.

In addition to the typical use of urgent social-engineering tactics to try to convince users they need to open emails and files contained within quickly, attackers also use coding and tooling techniques under the hood of the attack chain to make it more difficult to detect, according to Fortinet.

This includes concealing the malware with both heavily obfuscated and junk code to hide its purpose; the use of scans and restarts if the malware detects forensic tools, debuggers, or virtual machine environments like any.run and Wireshark; and the use of the UpCrypter malware to execute subsequent stages of the attack directly in memory without writing the final payload to the disk.

Fortinet attributes the complexity of the campaign in part to the widespread availability of ready-made tools and phishing kits on underground hacker sites that "let them build a complete system to spread malware, not just deliver simple scams," Lin wrote.

The campaign can have lasting effects on organizations it targets and also is spreading across the globe with remarkable speed, according to Fortinet. In just the two weeks since it was discovered, the detection count has more than doubled, "reflecting a rapid and aggressive growth pattern," Lin wrote.    

Defending Against Complex Phishing Attacks

Given the growing prevalence of turnkey phishing kits to help even the least-skilled malicious actors build and spread sophisticated attack vectors quickly, defenders must respond with similar security firepower to keep their networks safe, according to security experts.

"Security teams must take this threat seriously and build a multi-layered defense," Frankie Sclafani, director of cybersecurity enablement at security firm Deepwatch, noted in a statement. This includes the use of strong email filters to detect and block malicious emails before they reach employees' inboxes; employee training to spot the latest tactics and lures; and ensuring that Web application firewalls, mail filters, endpoint detection and response, and antivirus tools are all up-to-date, he said.

"Smart security teams will proactively block these attacks by using threat intelligence services and by implementing the provided indicators of compromise (IoCs)," Sclafani said.

Defenders also can use various controls to stop the malicious PowerShell scripts like the ones used in the campaign from execution, he noted. These controls include: enforcing PowerShell script signing, which configures PowerShell only to run scripts that have a valid digital signature from a trusted publisher; using Constrained Language Mode, which limits the functionality of PowerShell; and preventing the use of sensitive cmdlets and .NET classes often leveraged by malware, Sclafani said.

To further block the script, "looking for the chain of events of opening an HTML attachment in email that leads to PowerShell usage provides an easy, and quick, win to detection (and hopefully prevent) this chain of events," another security expert, John Bambenek, president at Bambenek Consulting, observed in an emailed statement. "Not every user needs access to PowerShell and certainly not when the chain starts from Outlook.exe," he noted.

That’s why businesses must adopt proactive cybersecurity strategies that address:

• Password Security & Identity Management – Prevent unauthorized access to cloud tenants.
• Incident Response & Recovery – Rapid containment of breaches before damage escalates.
• Cybersecurity Solutions for Businesses & Individuals – Tailored protections for different risk levels.
• Security Audits & Vulnerability Assessments – Identifying weaknesses before attackers do.
• Managed Security Services – Continuous monitoring for suspicious activity.
• Penetration Testing – Simulating real-world intrusions to test resilience.
• Compliance & Regulatory Services – Ensuring adherence to frameworks like ISO, NDPR, and NIST.
• Cybersecurity Recruitment & Training – Building strong in-house expertise via our Cyber Protection Academy.

At CyberTech Nexus, we provide end-to-end cybersecurity services, from IT & Cybersecurity Consultancy to Incident Response, Managed Security, and Cyber Protection Training, to help organizations anticipate, prevent, and respond to such threats.