EncryptHub breaches 618 orgs to deploy infostealers, ransomware

A threat actor tracked as 'EncryptHub,' aka Larva-208, has been targeting organizations worldwide with spear-phishing and social engineering attacks to gain access to corporate networks. According to a report by Prodaft, which was published internally last week and made public yesterday, since June 2024, when EncryptHub initiated operations, it has compromised at least 618 organizations. After gaining access, the threat actors install Remote Monitoring and Management (RMM) software, followed by the deployment of information stealers like Stealc and Rhadamanthys. In many observed cases, EncryptHub also deploys ransomware on compromised systems. Prodaft told BleepingComputer that the threat group is affiliated with RansomHub and BlackSuit, having deployed both ransomware encryptors in the past and possibly acting as an initial access broker for them or a direct affiliate. However, in many attacks the researchers observed, the threat actors deployed a custom PowerShell data encryptor, ... Read full article.