At least 618 organizations around the world had their networks compromised by the EncryptHub threat actor, also known as Larva-208, in a social engineering and spear-phishing attack campaign that has been ongoing since June, according to BleepingComputer.
According to a report from PRODAFT, EncryptHub gained initial access through SMS phishing, voice phishing, and fraudulent login pages impersonating Microsoft 365, Cisco AnyConnect, and other corporate VPN offerings. It then lured targets into installing AnyDesk, TeamViewer, and other remote monitoring and management software for lateral movement, before using PowerShell scripts to deliver the Rhadamanthys, Stealc, and Fickle Stealer information-stealing payloads.
Aside from exfiltrating cryptocurrency wallet and VPN client configuration data, EncryptHub also sought to compromise password manager data and files with certain file extensions and keywords before deploying a custom PowerShell-based data encryptor.
Further analysis showed the presence of the Larva-148 subgroup, from which EncryptHub may be obtaining its domains and phishing kits.
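The chain described above (a remote monitoring and management tool appearing on a workstation, followed shortly by PowerShell launched with obfuscation or hidden-window switches) is a sequence that endpoint telemetry can surface even when each event looks benign on its own. The following is an added illustration, not code from PRODAFT, BleepingComputer or the campaign itself: it correlates constructed process-creation events (Sysmon Event ID 1 style fields) per host and raises an alert when suspicious PowerShell follows an RMM binary within a time window. The binary names, the command-line markers and the 30-minute window are assumptions chosen for the example, not indicators taken from the report.

```python
"""Sequence detection: RMM tool launch followed by suspicious PowerShell on the same host.

All events below are constructed for illustration; they are not real telemetry.
"""
import os
from datetime import datetime, timedelta

# Assumed names of the RMM tools named in the article (hypothetical list, extend as needed).
RMM_BINARIES = {"anydesk.exe", "teamviewer.exe"}
POWERSHELL_BINARIES = {"powershell.exe", "pwsh.exe"}
# Command-line fragments commonly associated with obfuscated or hidden PowerShell (assumed list).
SUSPICIOUS_MARKERS = (
    "-enc", "-encodedcommand", "-w hidden", "-windowstyle hidden",
    "downloadstring", "invoke-expression", "iex ",
)
# Assumed correlation window between the RMM launch and the PowerShell launch.
WINDOW = timedelta(minutes=30)

# Constructed sample events (Sysmon Event ID 1 shape: timestamp, host, user, image, command line).
SAMPLE_EVENTS = [
    {"ts": "2025-02-10T09:01:12", "host": "WS-114", "user": "corp\\jdoe",
     "image": "C:\\Users\\jdoe\\Downloads\\AnyDesk.exe", "cmdline": "AnyDesk.exe"},
    {"ts": "2025-02-10T09:04:40", "host": "WS-114", "user": "corp\\jdoe",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmdline": "powershell.exe -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"},
    {"ts": "2025-02-10T10:15:00", "host": "WS-207", "user": "corp\\asmith",
     "image": "C:\\Program Files\\TeamViewer\\TeamViewer.exe", "cmdline": "TeamViewer.exe"},
    # Same host, but the PowerShell launch is hours later: outside the window, no alert.
    {"ts": "2025-02-10T15:30:00", "host": "WS-207", "user": "corp\\asmith",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmdline": "powershell.exe -enc QQBBAEEAQQA="},
    # Benign administrative script with no preceding RMM launch: no alert.
    {"ts": "2025-02-10T11:00:00", "host": "WS-300", "user": "corp\\it-admin",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmdline": "powershell.exe -File C:\\scripts\\inventory.ps1"},
]


def basename(image: str) -> str:
    """Lower-cased file name of a Windows image path."""
    return os.path.basename(image.replace("\\", "/")).lower()


def is_suspicious_powershell(cmdline: str) -> bool:
    """True when the command line carries one of the assumed obfuscation/hidden-window markers."""
    lowered = cmdline.lower()
    return any(marker in lowered for marker in SUSPICIOUS_MARKERS)


def detect_rmm_then_powershell(events, window: timedelta = WINDOW):
    """Return alerts for hosts where suspicious PowerShell follows an RMM launch within `window`.

    Events are processed in timestamp order; the most recent RMM launch per host is
    remembered and compared against each later suspicious PowerShell launch.
    """
    alerts = []
    last_rmm = {}  # host -> (timestamp, rmm binary name)
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        name = basename(ev["image"])
        if name in RMM_BINARIES:
            last_rmm[ev["host"]] = (ts, name)
        elif name in POWERSHELL_BINARIES and is_suspicious_powershell(ev["cmdline"]):
            seen = last_rmm.get(ev["host"])
            if seen and ts - seen[0] <= window:
                alerts.append({
                    "host": ev["host"],
                    "user": ev["user"],
                    "rmm": seen[1],
                    "rmm_ts": seen[0].isoformat(),
                    "powershell_ts": ts.isoformat(),
                    "cmdline": ev["cmdline"],
                })
    return alerts


if __name__ == "__main__":
    for alert in detect_rmm_then_powershell(SAMPLE_EVENTS):
        print(f"[ALERT] {alert['host']} ({alert['user']}): {alert['rmm']} at {alert['rmm_ts']} "
              f"then PowerShell at {alert['powershell_ts']}: {alert['cmdline']}")
```

Run against the constructed events, only WS-114 is flagged: WS-207 has the same two event types but too far apart, and WS-300 runs a plain script file with no RMM tool in the preceding window. In production the marker list should be tuned against the environment's legitimate PowerShell usage, and a hit should be enriched with the parent process, the download location of the RMM binary and whether the user had a prior VPN or MFA anomaly, since the article describes the RMM install as the step after a successful phishing login.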