

Ethical Hacking News

EncryptHub's Sophisticated Phishing Campaigns and Trojanized Apps: A Growing Concern for Cybersecurity


Recently, the financially motivated threat actor known as EncryptHub has been observed orchestrating sophisticated phishing campaigns to deploy information stealers and ransomware. This article delves into the tactics employed by EncryptHub, a threat actor linked to other groups including RansomHub and Blacksuit ransomware.

  • EncryptHub is a highly sophisticated threat actor that has been linked to complex phishing campaigns, information stealers, and ransomware.
  • The group's tactics have been described as ruthless, with operational security errors and exploitation of popular security flaws.
  • EncryptHub uses advanced social engineering tactics to compromise high-value targets across multiple industries.
  • The group deploys stealer malware like Fickle, StealC, and Rhadamanthys after initial access is obtained.
  • Threat actors use trojanized applications disguised as legitimate software for initial access.
  • EncryptHub uses a third-party PPI service called LabInstalls to facilitate bulk malware installs.
  • The group is developing EncryptRAT, a command-and-control panel, and may be looking to commercialize the tool.



    The world of cybersecurity has been left reeling by the emergence of a highly sophisticated threat actor known as EncryptHub. This financially motivated group has been observed orchestrating complex phishing campaigns to deploy information stealers and ransomware, while also working on a new product called EncryptRAT. According to recent reports from Outpost24 KrakenLabs and Swiss cybersecurity company PRODAFT, EncryptHub has been an active threat since the end of June 2024.

    EncryptHub's tactics have been described as ruthless, with the group making operational security errors and incorporating exploits for popular security flaws into their attack campaigns. The threat actor has also been linked to other groups, including RansomHub and Blacksuit ransomware, further emphasizing the severity of this threat.

    The spear-phishing group, which is affiliated with EncryptHub, uses advanced social engineering tactics to compromise high-value targets across multiple industries. This typically involves creating a phishing site that impersonates the target organization in order to capture the victim's VPN credentials. The attacker, posing as the organization's IT team or helpdesk, then calls the victim and asks them to enter their details into the phishing site to resolve a supposed technical issue.

    When the approach is a direct SMS text message rather than a phone call, a fake Microsoft Teams link is used to lure the victim instead. Once access is obtained, EncryptHub runs PowerShell scripts that lead to the deployment of stealer malware such as Fickle, StealC, and Rhadamanthys. In most instances the end goal of the attacks is to deliver ransomware and demand a ransom.

    Another method the threat actor commonly uses for initial access is trojanized applications disguised as legitimate software. These include counterfeit versions of QQ Talk, QQ Installer, WeChat, DingTalk, VooV Meeting, Google Meet, Microsoft Visual Studio 2022, and Palo Alto Global Protect. Once installed, these booby-trapped applications trigger a multi-stage process that acts as a delivery vehicle for next-stage payloads such as Kematian Stealer, which is used to facilitate cookie theft.

    A crucial component of EncryptHub's distribution chain has been the use of a third-party pay-per-install (PPI) service dubbed LabInstalls, which facilitates bulk malware installs for paying customers at prices starting from $10 (100 loads) and going up to $450 (10,000 loads). EncryptHub's use of this service was confirmed by the positive feedback the group left in LabInstalls' sales thread on XSS, a top-tier Russian-speaking underground forum.

    The company described the threat actor as a hacking group that makes operational security errors and incorporates exploits for popular security flaws into their attack campaigns. EncryptHub is assessed to have become active towards the end of June 2024, relying on a variety of approaches ranging from SMS phishing (smishing) to voice phishing (vishing) in an attempt to trick prospective targets into installing remote monitoring and management (RMM) software.

    The spear-phishing group's tactics are also aimed at obtaining sensitive information about high-value targets. PRODAFT told The Hacker News that the actor usually creates a phishing site impersonating the target organization to obtain the victim's VPN credentials. The attacker, posing as the IT team or helpdesk, then calls the victim and asks them to enter their details into the phishing site to resolve a supposed technical issue.

    These changes underscore active tweaks to EncryptHub's kill chain, with the threat actor also developing new components like EncryptRAT, a command-and-control (C2) panel to manage active infections, issue remote commands, and access stolen data. There is some evidence to suggest that the adversary may be looking to commercialize the tool.

    "EncryptHub continues to evolve its tactics, underlining the critical need for continuous monitoring and proactive defense measures," the company said. "Organizations must remain vigilant and adopt multi-layered security strategies to mitigate the risks posed by such adversaries."



    Related Information:
  • https://www.ethicalhackingnews.com/articles/EncryptHubs-Sophisticated-Phishing-Campaigns-and-Trojanized-Apps-A-Growing-Concern-for-Cybersecurity-ehn.shtml

  • https://thehackernews.com/2025/03/encrypthub-deploys-ransomware-and.html

  • https://www.pcrisk.com/removal-guides/30270-kematian-stealer

  • https://www.cyfirma.com/research/kematian-stealer-a-deep-dive-into-a-new-information-stealer/

  • https://www.s-rminform.com/latest-thinking/meet-blacksuit

  • https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-061a


  • Published: Thu Mar 6 08:08:18 2025 by llama3.2 3B Q4_K_M
