‘Dangerous Threat’—If You See This Email, Your PC Is Under Attack

[Image: Do not open this email. Credit: Getty]
Microsoft Windows users are warned to beware a “highly sophisticated and dangerous threat” with new emails that “secretly install” malware on PCs. The attack has more than doubled in just two weeks and is now “operating on a truly global scale.”
That warning comes courtesy of DeepWatch’s Frankie Sclafani in the wake of a new report from Fortinet. The security firm has flagged a new email attack “leveraging carefully crafted emails to deliver malicious URLs linked to convincing phishing pages.”
The emails that hit your inbox include “a small, obfuscated script that redirects victims to a spoofed site personalized with the target’s email domain.” That means it will steal your organization’s logo and style to trick you into downloading a message. Do that and you risk one of several RATs, “including PureHVNC, DCRat, and Babylon RAT.”
That message might be a voicemail-themed lure with the subject line ‘Missed Phone Call –
[Image: Dangerous message. Credit: Fortinet]
The objective is the same. “Deliver victims to a phishing page that is already personalized with their email, tag them for tracking, and use fragment-based parameter passing to keep the identifier out of network logs.”
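The fragment-based tracking described above works because a browser never sends the part of a URL after `#` to the server, so a proxy or web-server log records the page and query string but not the identifier. The following added example (not code from Fortinet's report) shows the request-target a browser would put on the wire for such a link, and a gateway-side check that flags links whose fragment carries a plain or base64-encoded e-mail address. The sample URL, the parameter names `u` and `t`, and the hostname are constructed for the illustration.

```python
"""Fragment-borne identifiers: why they stay out of network logs, and how a
mail gateway can still spot them at link-inspection time.

Added example, not Fortinet's code. Sample URL and parameter names are
constructed/assumed."""
import base64
import re
from urllib.parse import parse_qs, unquote, urlsplit

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

# Constructed sample: the victim e-mail travels base64url-encoded in the
# fragment beside a tracking tag. 'u' and 't' are assumed parameter names.
SAMPLE_TOKEN = base64.urlsafe_b64encode(b"alice@example.com").decode().rstrip("=")
SAMPLE_URL = f"https://login.example.test/s/?v=3#u={SAMPLE_TOKEN}&t=track-0001"


def request_target(url: str) -> str:
    """Return the request-target a browser actually transmits for `url`.

    RFC 3986 fragments are client-side only, so they are dropped here just as
    a browser drops them; a proxy or server log can only ever see this part."""
    parts = urlsplit(url)
    target = parts.path or "/"
    if parts.query:
        target += "?" + parts.query
    return target


def _decode_token(value: str):
    """Base64url-decode a fragment value if it decodes to printable ASCII."""
    padded = value + "=" * (-len(value) % 4)
    try:
        return base64.urlsafe_b64decode(padded).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return None


def fragment_identifiers(url: str) -> dict:
    """Report personalization markers found in the fragment: plain e-mail
    addresses (percent-decoded) and key=value pairs whose value decodes to
    an e-mail address."""
    frag = unquote(urlsplit(url).fragment)
    found = {"plain_email": EMAIL_RE.findall(frag), "encoded_email": []}
    # Many kits encode the fragment like a query string (a=b&c=d).
    for key, values in parse_qs(frag, keep_blank_values=True).items():
        for value in values:
            decoded = _decode_token(value)
            if decoded and EMAIL_RE.fullmatch(decoded):
                found["encoded_email"].append((key, decoded))
    return found


def is_personalized(url: str) -> bool:
    """True when the link carries a per-recipient identifier in its fragment,
    the signature of a pre-filled phishing page rather than a normal link."""
    ids = fragment_identifiers(url)
    return bool(ids["plain_email"] or ids["encoded_email"])


if __name__ == "__main__":
    print("on the wire:", request_target(SAMPLE_URL))
    print("in fragment:", fragment_identifiers(SAMPLE_URL))
    print("personalized:", is_personalized(SAMPLE_URL))
```

Because the identifier is invisible to network monitoring, the useful control points are the mail gateway (inspect links before delivery, as above) and endpoint or browser telemetry, which do see the full URL.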
The Zip file you download is padded with junk to hide the attack, but “finally it calls ShellExecute to run PowerShell with ‘-ExecutionPolicy bypass’ and the decoded command using a window style of 0. This stealthy execution flow allows the malware to load and run the next stage without showing any visible console or alert.”
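The execution chain quoted above leaves a recognizable trace in process-creation telemetry: a script host launching PowerShell with an execution-policy bypass and, typically, an encoded payload. The added example below (not Fortinet's detection content) scores constructed process-creation records on those signals. The field names `image`, `parent_image` and `command_line` loosely mirror Sysmon Event ID 1 and are assumptions; the events and the base64 blob are constructed. Note that the ShellExecute window style (0, SW_HIDE) is a parameter of the launcher's API call and does not appear in the child's command line, so the hidden-window check only fires when PowerShell's own `-WindowStyle` switch is used.

```python
"""Score process-creation events for the script-host -> PowerShell pattern.

Added example, not Fortinet's code. Event field names and sample events are
constructed; the regexes cover the abbreviated switch spellings that
powershell.exe accepts."""
import re

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}

# powershell.exe accepts unambiguous prefixes of switch names, so match the
# common short forms as well as the full spelling.
EXEC_POLICY = re.compile(r"-e(?:x[a-z]*|p)\s+bypass", re.I)        # -ex/-ep/-ExecutionPolicy
HIDDEN = re.compile(r"-w(?:in[a-z]*)?\s+hidden", re.I)              # -w/-WindowStyle hidden
ENCODED = re.compile(r"-e(?:nc[a-z]*|c)?\s+[A-Za-z0-9+/=]{16,}", re.I)  # -e/-ec/-EncodedCommand
ALERT_THRESHOLD = 2

# Constructed sample events (Sysmon-like fields; names are assumptions).
SAMPLE_EVENTS = [
    {   # the chain the report describes: script host -> hidden, bypassed PowerShell
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "parent_image": r"C:\Windows\System32\wscript.exe",
        "command_line": "powershell.exe -ExecutionPolicy bypass -w hidden -NoProfile "
                        "-e AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA",  # constructed blob
    },
    {   # a user opening an interactive shell
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "parent_image": r"C:\Windows\explorer.exe",
        "command_line": "powershell.exe -NoLogo",
    },
    {   # an admin batch job: bypass alone should not page anyone
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "parent_image": r"C:\Windows\System32\cmd.exe",
        "command_line": r"powershell.exe -ExecutionPolicy Bypass -File C:\Scripts\backup.ps1",
    },
]


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def score_event(event: dict):
    """Return (score, reasons) for one process-creation record.

    Only PowerShell children are scored; each independent signal adds one
    point so that a lone '-ExecutionPolicy Bypass' stays below the threshold."""
    reasons = []
    if _basename(event["image"]) not in POWERSHELL:
        return 0, reasons
    parent = _basename(event["parent_image"])
    cmd = event["command_line"]
    if parent in SCRIPT_HOSTS:
        reasons.append(f"spawned by script host {parent}")
    if EXEC_POLICY.search(cmd):
        reasons.append("execution policy bypass")
    if HIDDEN.search(cmd):
        reasons.append("hidden window requested")
    if ENCODED.search(cmd):
        reasons.append("encoded command")
    return len(reasons), reasons


def triage(events):
    """Return [(index, score, reasons)] for events at or above the threshold."""
    alerts = []
    for idx, event in enumerate(events):
        score, reasons = score_event(event)
        if score >= ALERT_THRESHOLD:
            alerts.append((idx, score, reasons))
    return alerts


if __name__ == "__main__":
    for idx, score, reasons in triage(SAMPLE_EVENTS):
        print(f"event {idx}: score {score}: {'; '.join(reasons)}")
```

A real deployment would feed this from Sysmon or Windows Security event 4688 (with command-line auditing enabled) and add the parent of the script host itself, since here that is an archive-extracted script rather than a signed installer.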
[Image: Dangerous website. Credit: Fortinet]
J Stephen Kowski from email security specialists SlashNext told me “the malicious files are not just for stealing passwords but for installing powerful remote access tools that give attackers long-term control.” Put simply, “this isn’t a one-time data theft — it’s a full system breach that can spread quietly inside company networks.”
Fortinet says the campaign uses UpCrypter “as the central loader framework to stage and deploy multiple remote access tools,” and warns “this combination of an actively maintained loader, layered obfuscation, and diverse RAT delivery is an adaptable threat delivery ecosystem capable of bypassing defenses and maintaining persistence.”
[Image: Dangerous website. Credit: Fortinet]
Developing a threat campaign such as this is quicker than ever, especially with the use of new AI tools. “Attackers can now easily make phishing emails and fake websites using ready-made tools found online. These tools let them build a complete system to spread malware, not just deliver simple scams.”
And unlike some campaigns, this one is non-specific on the industry verticals and countries it targets. “Our telemetry indicates that this campaign is not limited to one region. Instead, it is operating on a truly global scale. In just two weeks, the detection count has more than doubled, reflecting a rapid and aggressive growth pattern.”
Sectors hit thus far include “manufacturing, technology, healthcare, construction, and retail/hospitality.” Wherever you are and whatever you do, you could be at risk.
Do not open messages or download attachments unless you know for sure where they come from. Do not follow links. And assume every website and sign-in page you see is fake, unless you are certain you accessed this the usual way.