EncryptHub's dual life: Cybercriminal vs Windows bug-bounty researcher

EncryptHub, a notorious threat actor linked to breaches at 618 organizations, is believed to have reported two Windows zero-day vulnerabilities to Microsoft, revealing a conflicted figure straddling the line between cybercrime and security research.

A new report by Outpost24 researchers has linked the EncryptHub threat actor with SkorikARI after the threat actor allegedly infected himself and exposed his credentials. This exposure allowed the researchers to tie the threat actor to various online accounts and to build a profile of a person who vacillates between being a cybersecurity researcher and a cybercriminal. One of the exposed accounts is SkorikARI, which the hacker used to disclose the two zero-day vulnerabilities to Microsoft, contributing to Windows security.

Hector Garcia, Security Analyst at Outpost24, told BleepingComputer that the link between SkorikARI and EncryptHub is based on multiple pieces of evidence that add up to a high-confidence assessment. "The hardest evidence was from the fact that the password files EncryptHub exfiltrated from his own system had accounts linked to both EncryptHub, like credentials to EncryptRAT, which was still in development, or his account on xss.is, and to SkorikARI, like accesses to freelance sites or his own Gmail account," explained Garcia.

The threat actor also had a deeper, personal engagement with OpenAI's LLM chatbot, in one case describing his accomplishments and asking the AI to categorize him as a cool hacker or a malicious researcher.

EncryptHub is believed to be loosely affiliated with ransomware gangs such as RansomHub and the BlackSuit operations. EncryptHub's foray into zero-days is not new, with the threat actor or one of its members having attempted to sell zero-days to other cybercriminals on hacking forums. More recently, the threat actors have made a name for themselves with social engineering campaigns, phishing attacks, and a custom PowerShell-based infostealer named Fickle Stealer. The threat actor is also known for conducting social engineering campaigns in which they create social media profiles and websites for fictitious applications. In one example, researchers found that the threat actor had created an X account and a website for a project management application called GartoriSpace.

This Cyber News was published on www.bleepingcomputer.com. Publication date: Mon, 07 Apr 2025 21:40:24 +0000
