Unveiling EncryptHub: Analysis of a multi-stage malware campaign
Essential information
- Published
- 07/04/2025 10:37
- Modified
- 07/04/2025 11:07
- Tags
- 2025-04-07 encryptrat information stealer kematian stealer labinstalls pay-per-install rhadamanthys
- Related entities
- 66 observables, 1 intrusion set (APT), 5 techniques (MITRE), 3 malware
Description
EncryptHub is an emerging cybercriminal group that runs multi-stage malware campaigns delivered through trojanized applications and third-party (pay-per-install) distribution services. Its tooling relies on PowerShell scripts to collect system information, exfiltrate data and deploy further payloads. Stolen credentials are triaged by whether the victim holds cryptocurrency and whether the compromised machine belongs to a corporate network. The actor is also developing a remote access tool, 'EncryptRAT', which it intends to distribute in the future. Its kill chain has evolved into several stages: initial execution, data exfiltration, system information collection, and finally deployment of the Rhadamanthys stealer. EncryptHub has made operational-security mistakes, but it continues to refine its tradecraft, so defenders should keep monitoring for this activity.