EncryptRAT

The financially motivated threat actor known as EncryptHub has been actively orchestrating advanced phishing campaigns to deploy information stealers and ransomware. Additionally, the group is working on a new threatening tool called EncryptRAT, signaling its continuous evolution in the cybercrime landscape.

Targeting Popular Applications and Using PPI Services

EncryptHub has been observed distributing trojanized versions of widely used applications to infiltrate victims' systems. The group also leverages third-party Pay-Per-Install (PPI) services, such as LabInstalls, to broaden the reach of their malware campaigns.

Operational Security Mistakes and Exploit Utilization

Cybersecurity researchers have identified EncryptHub as a hacking group that frequently makes operational security errors. Despite these mistakes, the group successfully integrates exploits for widely known security vulnerabilities into its attacks, making it a persistent threat.

Emerging Threat: LARVA-208 and Multi-Channel Attacks

Also tracked by a Swiss cybersecurity firm as LARVA-208, EncryptHub is believed to have become active in June 2024. The group employs various attack vectors, including SMS phishing (smishing) and voice phishing (vishing), to deceive victims into installing Remote Monitoring and Management (RMM) software.

Affiliations with Major Ransomware Groups

EncryptHub has strong ties to the RansomHub and BlackSuit ransomware groups. Over the past nine months, it has compromised more than 618 high-value targets across multiple industries using advanced social engineering techniques. A common tactic involves phishing websites designed to steal VPN credentials, followed by a call impersonating IT support to persuade victims into entering their details. In cases where calls are not used, fake Microsoft Teams links serve as the bait.

Bulletproof Hosting and Malware Deployment

To evade detection, EncryptHub hosts phishing sites on bulletproof hosting providers like Yalishand. Once access is gained, the attacker executes PowerShell scripts to install stealer malware such as Fickle, StealC, and Rhadamanthys. In most cases, the ultimate objective is to deploy ransomware and extort a ransom payment.

Trojanized Applications as a Key Entry Point

Another commonly used method involves disguising malware as legitimate software. EncryptHub has been distributing fake versions of applications such as QQ Talk, QQ Installer, WeChat, DingTalk, VooV Meeting, Google Meet, Microsoft Visual Studio 2022 and Palo Alto GlobalProtect. Once installed, these counterfeit applications initiate a multi-stage process, eventually delivering malicious payloads such as the Kematian Stealer to collect browser cookies and other sensitive data.

LabInstalls: A Crucial Element in Malware Distribution

Since at least January 2, 2025, EncryptHub has relied on LabInstalls, a PPI service that offers bulk malware installation for a fee. Prices range from $10 for 100 loads to $450 for 10,000 loads. EncryptHub confirmed its use of the service by leaving positive feedback on a Russian-speaking underground forum, even sharing a screenshot as evidence. This suggests the actor is outsourcing distribution to scale its operations more efficiently.

EncryptRAT: The Next Evolution in Cybercrime

EncryptHub is actively developing EncryptRAT, a Command-and-Control (C2) panel designed to manage infected systems, execute remote commands and access stolen data. Some evidence suggests the group may be planning to commercialize this tool, potentially increasing its threat to businesses and individuals alike.

The Need for Vigilance and Proactive Defense

EncryptHub's continuous adaptation and evolution highlight the urgent need for organizations to adopt multi-layered security strategies. Constant monitoring, proactive defense measures, and user awareness training are essential to mitigating the risks posed by this growing cyber threat.
