

Ethical Hacking News

EncryptHub Targets Web3 Developers with Fake AI Platforms to Deploy Fickle Stealer Malware


EncryptHub has targeted Web3 developers with fake AI platforms to deploy Fickle Stealer malware, marking a diversification of its monetization methods and highlighting the need for increased vigilance among developers.

  • PRODAFT attributes a new campaign targeting Web3 developers to EncryptHub (LARVA-208/Water Gamayun) using fake AI platforms.
  • EncryptHub has diversified its monetization methods, shifting from ransomware to deploying information stealer malware to harvest data from cryptocurrency wallets.
  • Web3 developers are vulnerable to this type of attack due to their role in managing crypto wallets and accessing smart contract repositories.
  • The attackers use deceptive AI platforms to trick victims into clicking on malicious meeting links, then deploy Fickle Stealer malware to retrieve sensitive data.
  • EncryptHub's tactics highlight the need for increased vigilance among Web3 developers operating in a decentralized environment.



Swiss cybersecurity company PRODAFT has attributed a new campaign targeting Web3 developers to EncryptHub (also known as LARVA-208 and Water Gamayun). According to PRODAFT, the financially motivated threat actor has been using fake AI platforms, such as Norlax AI, to lure victims with job offers or portfolio review requests.

The group's tactics have evolved significantly over time, and this latest operation marks a diversification of its monetization methods. Instead of relying solely on ransomware, EncryptHub has turned to deploying information stealer malware to harvest data from cryptocurrency wallets. The shift is a notable step in the threat actor's evolution, showing the group's willingness to adapt its tradecraft to high-value targets.

The Web3 developer community is particularly exposed to this type of attack because of its role in managing crypto wallets, accessing smart contract repositories, or working with sensitive test environments. Many developers operate as freelancers or work across multiple decentralized projects, making them harder to protect with traditional enterprise security controls. That decentralized way of working makes them an attractive target for attackers looking to monetize quickly without triggering centralized defenses.

The attack chains used by EncryptHub involve directing prospective targets to deceptive artificial intelligence (AI) platforms and tricking them into clicking on purported meeting links within these sites. Meeting links are sent to developers who follow Web3 and blockchain-related content on platforms like X and Telegram, under the pretext of a job interview or portfolio discussion.

The attackers have also been found sending meeting links to people who applied for positions the group posted on a Web3 job board called Remote3. This approach lets the threat actors sidestep the security warnings Remote3 displays on its site: they conduct an initial conversation via Google Meet and then instruct the applicant to resume the interview on Norlax AI.

Regardless of the method used, once the victim clicks on the meeting link, they are asked to enter their email address and invitation code, after which they are served a fake error message about outdated or missing audio drivers. Clicking this message leads to the download of malicious software disguised as a genuine Realtek HD Audio Driver, which executes PowerShell commands to retrieve and deploy the Fickle Stealer malware.

The information gathered by the stealer malware is transmitted to an external server codenamed SilentPrism. According to PRODAFT, "The threat actors distribute infostealers like Fickle through fake AI applications, successfully harvesting cryptocurrency wallets, development credentials, and sensitive project data." This latest operation suggests a shift toward alternative monetization strategies, including the exfiltration of valuable data and credentials for potential resale or exploitation in illicit markets.

This development comes as Trustwave SpiderLabs detailed a new ransomware strain called KAWA4096 that "follows the style of the Akira ransomware group, and a ransom note format similar to Qilin's, likely an attempt to further enrich their visibility and credibility." The ransomware has targeted 11 companies, with most of the targets located in the United States and Japan. The initial access vector used in the attacks is not known.

Another notable entrant to the ransomware landscape is Crux, which claims to be part of the BlackByte group and has been deployed in the wild in three incidents detected on July 4 and 13, 2025. In one of these incidents, the threat actors were observed using valid credentials over RDP to obtain a foothold in the target network.

Common to all the attacks is the use of legitimate Windows tools like svchost.exe and bcdedit.exe to conceal malicious commands and modify boot configuration so as to inhibit system recovery. According to Huntress, "The threat actor also clearly has a preference for legitimate processes like bcdedit.exe and svchost.exe, so continual monitoring for suspicious behavior using these processes via endpoint detection and response (EDR) can help suss out threat actors in your environment."
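The monitoring Huntress recommends can be expressed as a small triage over process-creation events. The following is an added example, not code from the article, Huntress or PRODAFT: it flags bcdedit.exe invocations that disable recovery and svchost.exe instances running from an unexpected path or parent. The event field names and all sample events (including the installer file name) are constructed for illustration.

```python
import re
import ntpath  # Windows path handling works on any host

# Constructed process-creation events: image path, command line, parent image.
EVENTS = [
    {"image": r"C:\Windows\System32\bcdedit.exe",
     "cmdline": "bcdedit /set {default} recoveryenabled no",
     "parent": r"C:\Windows\System32\cmd.exe"},
    {"image": r"C:\Windows\System32\bcdedit.exe",
     "cmdline": "bcdedit /set {default} bootstatuspolicy ignoreallfailures",
     "parent": r"C:\Windows\System32\cmd.exe"},
    {"image": r"C:\Windows\System32\bcdedit.exe",
     "cmdline": "bcdedit /enum",  # benign: read-only listing
     "parent": r"C:\Windows\System32\cmd.exe"},
    {"image": r"C:\Windows\System32\svchost.exe",
     "cmdline": "svchost.exe -k netsvcs -p",  # benign: normal path and parent
     "parent": r"C:\Windows\System32\services.exe"},
    {"image": r"C:\Users\dev\AppData\Local\Temp\svchost.exe",  # constructed
     "cmdline": "svchost.exe",
     "parent": r"C:\Users\dev\Downloads\FakeAudioDriverSetup.exe"},  # constructed
]

# Real bcdedit settings used to turn off Windows recovery / automatic repair.
RECOVERY_INHIBIT = re.compile(
    r"recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures", re.I)

SYSTEM32 = r"c:\windows\system32"


def triage(event):
    """Return the list of reasons an event is suspicious (empty if none)."""
    reasons = []
    name = ntpath.basename(event["image"]).lower()
    parent = ntpath.basename(event["parent"]).lower()
    if name == "bcdedit.exe" and RECOVERY_INHIBIT.search(event["cmdline"]):
        reasons.append("bcdedit.exe disabling system recovery")
    if name == "svchost.exe":
        if ntpath.dirname(event["image"]).lower() != SYSTEM32:
            reasons.append("svchost.exe running outside System32")
        if parent != "services.exe":  # normally started by services.exe
            reasons.append(f"svchost.exe spawned by {parent}")
    return reasons


def run(events=EVENTS):
    """Return (image, reasons) for every event that triggered a rule."""
    return [(e["image"], triage(e)) for e in events if triage(e)]
```

In production the heuristics would read real EDR or Sysmon process-creation telemetry instead of the constructed list, and a hit on either rule warrants investigation rather than automatic action.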

In light of this new information, it is essential to take a closer look at the tactics used by EncryptHub and its affiliates. As Web3 developers continue to operate in a decentralized environment, they must be vigilant about protecting themselves against such threats.




Related Information:
  • https://www.ethicalhackingnews.com/articles/EncryptHub-Targets-Web3-Developers-with-Fake-AI-Platforms-to-Deploy-Fickle-Stealer-Malware-ehn.shtml
  • https://thehackernews.com/2025/07/encrypthub-targets-web3-developers.html

Published: Mon Jul 21 19:28:13 2025 by llama3.2 3B Q4_K_M
