It has been observed that a financially motivated threat actor known as EncryptThub coordinates sophisticated phishing campaigns to deploy information steel and ransomware, while also working on a new product called Encryptrat.
“It has been observed that Encrypthub is targeting users of popular applications by distributing the Trojanized version,” Outpost24 Krakenlabs said in a new report shared with Hacker News. “In addition, threat actors also use third-party pay-per-installation (PPI) distribution services.”
Cybersecurity companies described threat actors as hacking groups that carry out operational security errors, and as people who incorporated common security flaws into their attack campaigns.
Tracked as larva-208 by Swiss Cybersecurity Company Prodaft, Encrypthub is rated active until the end of June 2024 and is relying on a variety of approaches from SMS phishing to voice phishing to future target (RMM) software installations.
The company told Hacker News that Spear Fishing Group is partnering with Ransombe and Blacksuit Ransomware Group, which uses advanced social engineering tactics to compromise high-value targets across multiple industries.
“Actors usually create phishing sites that target organizations to obtain victims’ VPN qualifications,” says Prodaft. “The victim is called and asked to enter the victim’s phishing site on the victim’s phishing site for the IT team or help desk. If the attack targeting the victim is a direct text message rather than a call, then fake Microsoft Team Links are used to convince the victim.”
Phishing sites are hosted by bulletproof hosting providers like Yalishhand. Once access is obtained, EncryptThub proceeds to run PowerShell scripts that lead to the deployment of steeler malware such as Fickle, Stealc, and Rhadamanthys. In most cases, the ultimate goal of an attack is to provide ransomware and demand ransom.
One other common method employed by threat actors involves the use of troilerized applications disguised as legal software for initial access. These include counterfeit versions of QQ Talk, QQ Installer, Wechat, Dingtalk, Voov Meeting, Google Meet, Microsoft Visual Studio 2022, and Palo Alto Global Protect.
These booby-confined applications, when installed, trigger a multi-stage process that acts as a delivery means of the next stepped payload, such as Kematien Steelers, to promote cookie theft.
Since at least January 2, 2025, a key component of Encrypthub’s delivery chain is the use of a third-party PPI service called Labinstalls, which facilitates bulk malware installations to pay customers from $10 (100 loads) to $450 (10,000 loads).
“Encrypthub has actually confirmed that it is a client by leaving positive feedback to Rabinstal, who sells threads to the best Russian-speaking underground forum XSS.
“Threat actors are most likely hired this service to ease the burden of distribution and increase the number of targets that malware can reach.”
These changes highlight active tunings in Actrypthub’s Kill Chain, and threat actors develop new components, such as Encryptrat, a command-and-control (C2) panel, for managing active infections, issuing remote commands, and accessing stolen data. There is some evidence to suggest that the enemy may be considering commercializing the tool.
“Encrypthub continues to evolve its tactics, highlighting the critical need for continuous surveillance and aggressive defence measures,” the company said. “Organisations need to stay vigilant and adopt multi-layered security strategies to mitigate the risks posed by such enemies.”
Source link
