The financially motivated threat actor known as EncryptHub has been observed orchestrating sophisticated phishing campaigns to deploy information stealers and ransomware, while also working on a new product called EncryptRAT.
“EncryptHub has been observed targeting users of popular applications, by distributing trojanized versions,” Outpost24 KrakenLabs said in a new report shared with The Hacker News. “Furthermore, the threat actor has also made use of third-party Pay-Per-Install (PPI) distribution services.”
The cybersecurity company described the threat actor as a hacking group that makes operational security errors and as someone who incorporates exploits for popular security flaws into their attack campaigns.
EncryptHub, also tracked by Swiss cybersecurity company PRODAFT as LARVA-208, is assessed to have become active towards the end of June 2024, relying on a variety of approaches ranging from SMS phishing (smishing) to voice phishing (vishing) in an attempt to trick prospective targets into installing remote monitoring and management (RMM) software.
The company told The Hacker News that the spear-phishing group is affiliated with RansomHub and Blacksuit ransomware groups and has been using advanced social engineering tactics to compromise high-value targets across multiple industries.
“The actor usually creates a phishing site that targets the organization to obtain the victim’s VPN credentials,” PRODAFT said. “The victim is then called and asked to enter the victim’s details into the phishing site for technical issues, posing as an IT team or helpdesk. If the attack targeting the victim is not a call but a direct SMS text message, a fake Microsoft Teams link is used to convince the victim.”
The phishing sites are hosted on bulletproof hosting providers like Yalishand. Once access is obtained, EncryptHub proceeds to run PowerShell scripts that lead to the deployment of stealer malware like Fickle, StealC, and Rhadamanthys. The end goal of the attacks in most instances is to deliver ransomware and demand a ransom.
One of the other common methods adopted by threat actors concerns the use of trojanized applications disguised as legitimate software for initial access. These include counterfeit versions of QQ Talk, QQ Installer, WeChat, DingTalk, VooV Meeting, Google Meet, Microsoft Visual Studio 2022, and Palo Alto Global Protect.
These booby-trapped applications, once installed, trigger a multi-stage process that acts as a delivery vehicle for next-stage payloads such as Kematian Stealer to facilitate cookie theft.
At least since January 2, 2025, a crucial component of EncryptHub’s distribution chain has been the use of a third-party PPI service dubbed LabInstalls, which facilitates bulk malware installs for paying customers starting from $10 (100 loads) to $450 (10,000 loads).
“EncryptHub indeed confirmed being their client by leaving positive feedback in LabInstalls selling thread on the top-tier Russian-speaking underground forum XSS, even including a screenshot that evidences the use of the service,” Outpost24 said.
“The threat actor most likely hired this service to ease the burden of distribution and expand the number of targets that his malware could reach.”
These changes underscore active tweaks to EncryptHub’s kill chain, with the threat actor also developing new components like EncryptRAT, a command-and-control (C2) panel to manage active infections, issue remote commands, and access stolen data. There is some evidence to suggest that the adversary may be looking to commercialize the tool.
“EncryptHub continues to evolve its tactics, underlining the critical need for continuous monitoring and proactive defense measures,” the company said. “Organizations must remain vigilant and adopt multi-layered security strategies to mitigate the risks posed by such adversaries.”
