# Full Report
EncryptHub, a notorious threat actor linked to breaches at 618 organizations, is believed to have reported two Windows zero-day vulnerabilities to Microsoft, revealing a conflicted figure straddling the line between cybercrime and security research. [...]
# Analysis Summary
# Threat Actor: EncryptHub
## Attribution & Identity
The threat actor is identified as **EncryptHub**. They are believed to be loosely affiliated with ransomware gangs, such as those behind RansomHub and BlackSuit operations. The actor has a dual identity, operating both as a cybercriminal and, paradoxically, as a Windows bug-bounty researcher.
## Activity Summary
EncryptHub has been involved in various social engineering campaigns and phishing attacks. A notable recent campaign involved creating social media profiles and websites for fictitious applications, such as the project management application "GartoriSpace." These fictitious platforms were promoted via private messages, offering a download code for associated software, which ultimately deployed malware based on the victim's operating system. The actors are reported to have compromised over six hundred organizations. EncryptHub has also been linked to attacks exploiting a Windows zero-day vulnerability (CVE-2025-26633).
## Tactics, Techniques & Procedures
- Social engineering campaigns utilizing fictitious applications (e.g., GartoriSpace).
- Phishing attacks distributed via private messages on social media platforms.
- Deployment of custom malware loaders based on the victim's OS (PPKG file for Windows, AMOS for Mac).
- Exploitation of Microsoft Management Console vulnerability (CVE-2025-26633).
- Deployment of information stealers.
- **Tools Mentioned:** Fickle Stealer (custom PowerShell-based infostealer).
- **MITRE ATT&CK IDs:** Not explicitly listed, but related techniques include T1566 (Phishing) and T1190 (Exploit Public-Facing Application).
## Targeting
- **Sectors:** Undisclosed; the reported compromise count (over six hundred organizations) suggests broad targeting across many kinds of organizations rather than a single sector.
- **Geography:** Undisclosed.
- **Victims:** Over six hundred organizations compromised globally, with the access used to deploy infostealers and potentially to build out ransomware infrastructure.
## Tools & Infrastructure
- **Malware families used:** Fickle Stealer (PowerShell-based infostealer), AMOS information-stealer (for Mac devices).
- **Infrastructure:**
  - Fictitious websites and X (Twitter) accounts used for promotion (e.g., the fake GartoriSpace website).
  - Distribution of files via download codes provided through private messages.
- **Malicious payloads observed:**
  - PPKG file (Windows payload): observed at hxxps://www[.]virustotal[.]com/gui/file/635048e48335d85e1943c4846e6165439d70af48deadcc5db6a8276c021edb68/community
  - AMOS payload (Mac payload): observed at hxxps://www[.]virustotal[.]com/gui/file/dde8af7476e9e1f201cabe5873df8299bbc1caf48639411da250f8caafe0cbd7
## Implications
EncryptHub poses a significant threat due to its versatile operational profile, combining high-level technical exploitation (zero-days) with effective, broad-spectrum social engineering tactics. The actors appear capable of deploying sophisticated information stealers and potentially leveraging these breaches for larger ransomware operations. Their association with known ransomware groups suggests a high level of criminal maturity.
## Mitigations
- Enhance vigilance against social engineering tactics, particularly those promoting unfamiliar software or applications via unsolicited social media contact.
- Strictly vet software downloads, especially those initiated via non-standard channels or requiring access codes.
- Ensure prompt patching of all Windows systems, prioritizing vulnerabilities with known in-the-wild exploitation such as CVE-2025-26633.
- Deploy robust endpoint detection and response (EDR) capabilities capable of detecting anomalous PowerShell script execution associated with custom stealers like Fickle Stealer.