EncryptHub
EncryptHub is a financially motivated Russian threat actor, also tracked as LARVA-208 and Water Gamayun; some reporting describes Water Gamayun as a Russia-aligned APT and attributes the same activity cluster to EncryptHub/LARVA-208. The group gained prominence in mid-2024 and has been linked to malware campaigns, credential theft, and access brokering. Targets include Web3 developers, enterprise and government networks, and organizations in telecom, finance, defense, and manufacturing; reporting puts the number of compromised organizations worldwide at no fewer than 618. The actor has also abused Steam to distribute malware by compromising game titles such as Chemia.
Observed tradecraft includes social engineering, spear-phishing, smishing, vishing, fake IT-support interactions over Microsoft Teams, videoconferencing lures, fraudulent login pages impersonating Microsoft 365, Cisco AnyConnect, and other corporate VPN services, and the use of remote monitoring and management (RMM) tools such as AnyDesk and TeamViewer for access and lateral movement. The actor has repeatedly exploited the Windows Microsoft Management Console vulnerability CVE-2025-26633 ("MSC EvilTwin"), using rogue .msc files, or a benign .msc paired with a malicious one, to trigger code execution. Related activity includes abuse of compromised or trusted platforms such as Brave Support; use of deceptive paths such as "C:\Windows \System32" (note the space after "Windows", which makes it a separate directory that merely resembles the real one); PowerShell-based multi-stage loaders; persistence; AES-encrypted tasking; SOCKS5 proxy tunneling; DLL sideloading via a legitimate Symantec ELAM binary; and use of built-in administrative tools for lateral movement. Malware and tooling directly associated with the actor include Fickle Stealer, SilentPrism, DarkWisp, SilentCrystal, a Golang-based SOCKS5 backdoor, Rhadamanthys, Stealc, HijackLoader, and Vidar.
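The whitespace-padded path and the loading of .msc consoles by mmc.exe described above are both things a defender can check for in process telemetry. The following is an added example, not Mallory's code and not a rule taken from the cited reporting: it scans constructed Sysmon-style process-creation records for mmc.exe loading a console from a directory that is whitespace-padded (the "C:\Windows \System32" trick) or that is outside the standard console locations. The event records, their field names, and the TRUSTED_MSC_DIRS list are assumptions made for the example.

```python
"""Flag mmc.exe loading .msc consoles from deceptive or non-standard paths.

Added example. The events below are constructed, not real telemetry, and the
field names ("image", "cmdline") are an assumption modelled on Sysmon Event ID 1.
"""
import ntpath
import re

# Constructed process-creation events (not real logs). Event 1 uses a directory
# named "Windows " with a trailing space, which Windows treats as distinct from
# the real C:\Windows while looking identical in most UIs.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\mmc.exe",
     "cmdline": r'"C:\Windows\System32\mmc.exe" "C:\Windows\System32\WF.msc"'},
    {"image": r"C:\Windows\System32\mmc.exe",
     "cmdline": r'"C:\Windows\System32\mmc.exe" "C:\Windows \System32\WF.msc"'},
    {"image": r"C:\Windows\System32\mmc.exe",
     "cmdline": r'"C:\Windows\System32\mmc.exe" "C:\Users\Public\Downloads\WF.msc"'},
    {"image": r"C:\Windows\System32\notepad.exe",
     "cmdline": r"notepad.exe notes.txt"},
]

# Assumed allow-list of directories from which built-in consoles normally load.
TRUSTED_MSC_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")


def has_whitespace_padded_component(path):
    """True if any path component carries leading or trailing whitespace,
    e.g. the "Windows " component in C:\\Windows \\System32."""
    parts = path.replace("/", "\\").split("\\")
    return any(p.strip() and p != p.strip() for p in parts)


def extract_msc_args(cmdline):
    """Return every quoted or bare command-line argument ending in .msc."""
    pattern = r'"([^"]+\.msc)"|(\S+\.msc)'
    return [m.group(1) or m.group(2)
            for m in re.finditer(pattern, cmdline, re.IGNORECASE)]


def classify_event(event):
    """Return a list of findings for one process-creation event (empty if benign)."""
    findings = []
    if ntpath.basename(event["image"]).lower() != "mmc.exe":
        return findings
    for msc in extract_msc_args(event["cmdline"]):
        if has_whitespace_padded_component(msc):
            findings.append(f"whitespace-padded path loaded by mmc.exe: {msc}")
        elif ntpath.dirname(msc).lower() not in TRUSTED_MSC_DIRS:
            findings.append(f"mmc.exe loading .msc from non-standard dir: {msc}")
    return findings


def scan(events):
    """Map event index -> findings, for events that produced at least one."""
    results = {}
    for i, event in enumerate(events):
        findings = classify_event(event)
        if findings:
            results[i] = findings
    return results


if __name__ == "__main__":
    for idx, findings in scan(SAMPLE_EVENTS).items():
        for f in findings:
            print(f"event {idx}: {f}")
```

The whitespace check runs before the allow-list check on purpose: "C:\Windows \System32" lower-cases to a string that is not in TRUSTED_MSC_DIRS anyway, but reporting it as a padded path rather than merely "non-standard" tells the analyst which trick they are looking at. On a live host the same check can be pointed at the filesystem by listing the children of C:\ and looking for names that do not survive strip().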
In the Chemia Steam case, EncryptHub added HijackLoader to the game, which in turn downloaded Vidar; the actor also deployed its custom Fickle Stealer, which steals credentials, browser data, cookies, and cryptocurrency wallets. Other reporting states that the actor used PowerShell scripts to deliver Rhadamanthys, Stealc, and Fickle Stealer, and exfiltrated cryptocurrency wallet data, VPN client configuration data, password manager data, and files matching selected extensions and keywords. A custom PowerShell-based data encryptor is also mentioned. Reporting further references a Larva-148 subgroup in connection with EncryptHub activity, with analysis suggesting it may supply domains and phishing kits.
Know when an actor pivots toward your sector
Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.
Tradecraft
19 distinct techniques observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.
Associated malware families
10 malware families attributed to this actor across reporting.
5 additional families tracked in Mallory.
Associated vulnerabilities
1 CVE this actor has used in observed campaigns, and it has been exploited in the wild.
Observables
18 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting. View more in app.
Recent activity
20 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Used malicious Steam-hosted game content to deliver malware for credential theft, browser data theft, cookie theft, and cryptocurrency wallet theft.
Financially motivated group targeting Web3 developers using fake AI platforms and social engineering lures to deploy stealer malware and harvest data from cryptocurrency wallets. The content also notes the group has a history of deploying ransomware.
Referenced only as an associated analytic story; no specific threat actor activity, targeting, malware, or operations are described in the content.
Financially motivated actor using a mix of social engineering and exploitation (notably CVE-2025-26633 / MSC EvilTwin) to deliver stealer malware (e.g., Fickle Stealer) and target Web3 developers via fake AI platforms.
The version that knows your environment.
Match sector + geo + tech-stack targeting against your real footprint.
Every observed MITRE ATT&CK technique, grouped by tactic.
Families this actor is known to deploy, with IOCs and behavior.
CVEs this actor has used in known campaigns.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Domains, IPs, and hashes tied to this actor, refreshed continuously.