A sophisticated cyber threat actor known as EncryptHub (Larva-208) has been conducting widespread spear-phishing and social engineering campaigns to infiltrate corporate networks worldwide. According to cybersecurity firm Prodaft, the group has successfully compromised at least 618 organizations since its operations began in June 2024.
Tactics and Attack Techniques
EncryptHub employs SMS phishing (smishing), voice phishing (vishing), and fake login pages designed to mimic corporate VPN products like Cisco AnyConnect, Palo Alto GlobalProtect, Fortinet, and Microsoft 365. These phishing sites, hosted on bulletproof hosting services, steal user credentials and multi-factor authentication (MFA) session tokens in real time. Once victims unknowingly submit their information, they are redirected to legitimate corporate websites to avoid suspicion.
Nominations are open for Honouring Women in Cyberspace on International Women’s Day 2025- Nominate Now!
Infrastructure and Execution
- EncryptHub has registered over 70 phishing domains resembling legitimate services (e.g., linkwebcisco.com, weblinkteams.com).
- Another subgroup, Larva-148, is suspected of handling domain registration and managing phishing infrastructure.
- The phishing sites are hosted on providers like Yalishanda, which are known to ignore takedown requests.
Deploying Malware and Ransomware
Once access is gained, EncryptHub uses Remote Monitoring and Management (RMM) software such as AnyDesk, TeamViewer, ScreenConnect, Atera, and Splashtop to maintain remote control over infected systems. The attackers then deploy PowerShell scripts and various information stealers, including:
- Stealc, Rhadamanthys, and Fickle Stealer – extract browser-stored credentials, cryptocurrency wallets, and password manager data.
- Python-based malware – targets Linux and Mac users.
Additionally, the cybercriminals steal sensitive data such as:
- Cryptocurrency wallet credentials (MetaMask, Trust Wallet, Trezor, Coinbase, etc.).
- VPN configuration files (Cisco, Fortinet, OpenVPN, WireGuard, etc.).
- Password manager data (1Password, NordPass, LastPass, KeePass, etc.).
- Files with sensitive keywords (e.g., “pass”, “auth”, “wallet”, “2fa”, “recovery”).
In some attacks, EncryptHub deploys its own ransomware—a custom PowerShell-based encryptor that appends the “.crypted” extension to files after encryption. Victims receive ransom notes demanding USDT payments via Telegram.
Empanelment for Speakers, Trainers, and Cyber Security Experts Opens at Future Crime Research Foundation
Affiliations with RansomHub and BlackSuit
Prodaft has linked EncryptHub to RansomHub and BlackSuit, two prominent ransomware operations. The group likely functions as an Initial Access Broker (IAB), selling stolen credentials or directly deploying ransomware on behalf of larger cybercrime syndicates.
Conclusion
Cybersecurity experts warn that EncryptHub’s targeted social engineering tactics, advanced obfuscation techniques, and tailored phishing campaigns make it a significant global threat. Organizations are advised to enhance email security, enforce multi-factor authentication (MFA), and conduct regular employee cybersecurity training to prevent such attacks.