Alert: EncryptHub’s Triple Threat – Trojanized Apps, PPI Services, and Phishing Unleash Ransomware Attacks

# EncryptHub: Evolving Threat Actor Deploys Advanced Phishing Campaigns

Security researchers have identified a financially motivated threat actor called EncryptHub orchestrating sophisticated phishing campaigns to deploy information stealers and ransomware, while developing a new remote access tool named EncryptRAT.

According to Outpost24 KrakenLabs, “EncryptHub has been observed targeting users of popular applications by distributing trojanized versions” and utilizing third-party Pay-Per-Install (PPI) distribution services to expand their reach.

The group, also tracked as LARVA-208 by Swiss cybersecurity firm PRODAFT, became active in June 2024. It employs various attack vectors, including SMS phishing (smishing) and voice phishing (vishing), to trick targets into installing remote monitoring and management (RMM) software.

PRODAFT confirmed to The Hacker News that EncryptHub is affiliated with the RansomHub and BlackSuit ransomware groups. Their typical attack pattern involves:

1. Creating organization-specific phishing sites to harvest VPN credentials
2. Contacting victims via phone calls posing as IT support or sending fake Microsoft Teams links via SMS
3. Hosting phishing infrastructure on bulletproof providers like Yalishand
4. Deploying PowerShell scripts that deliver stealers like Fickle, StealC, and Rhadamanthys
5. Ultimately delivering ransomware and demanding payment

Another common tactic involves distributing trojanized applications disguised as legitimate software, including QQ Talk, WeChat, Google Meet, Microsoft Visual Studio 2022, and Palo Alto GlobalProtect. These fake applications deploy malware such as Kematian Stealer to facilitate cookie theft.

Since January 2025, EncryptHub has leveraged a third-party PPI service called LabInstalls, which offers bulk malware distribution starting from $10 for 100 installations up to $450 for 10,000 installations. The threat actor confirmed their use of this service through positive feedback on the Russian-speaking underground forum XSS.

The group is also developing EncryptRAT, a command-and-control panel to manage infections, issue remote commands, and access stolen data, with potential plans to commercialize this tool.

Security experts emphasize that “organizations must remain vigilant and adopt multi-layered security strategies” to defend against EncryptHub’s evolving tactics.
