# Full Report
This is the second part of Outpost24’s KrakenLabs investigation into EncryptHub, an up-and-coming cybercriminal who has been gaining popularity in recent months and is heavily expanding and evolving operations at the time of writing. We’ve already published one article explaining EncryptHub’s campaigns and TTPs, infrastructure, infection methods, and targets. This article will follow a different […] The post Unmasking EncryptHub: Help from ChatGPT & OPSEC blunders appeared first on Outpost24.
# Analysis Summary
# Threat Actor: EncryptHub
## Attribution & Identity
**Primary Alias:** EncryptHub
**Other Known Aliases:** SkorikARI
**Attribution Context:** Cybercriminal operating primarily from Ukraine/coastal region near Romania. The analysis focuses on humanizing the actor based on publicly exposed details and OPSEC failures, rather than formal nation-state attribution.
## Activity Summary
EncryptHub pivoted to cybercrime in the first half of 2024, potentially after serving jail time. Earlier activities may have involved grunt work in vishing and ransomware campaigns. The actor is driven by a desire to learn and achieved legitimate recognition from MSRC (Microsoft Security Response Center) under the alias SkorikARI for discovering CVE-2025-24071 and CVE-2025-24061, vulnerabilities the actor likely exploits in their own campaigns. The article focuses on this actor's journey, OPSEC mistakes, and use of ChatGPT. Previously documented campaigns involved multi-stage malware deployment.
## Tactics, Techniques & Procedures
- Password reuse across different critical accounts (C2 domains, hosting, exchanges).
- Exploiting self-discovered vulnerabilities (CVE-2025-24071, CVE-2025-24061) in campaigns.
- Use of PowerShell scripting for tooling and delivery (many IOCs are `.ps1` files).
- Deployment of Clipper malware/stealers.
- Cryptojacking activities.
## Targeting
- **Sectors:** Financial/cryptocurrency, inferred from the tooling rather than stated explicitly in this section (Clipper malware; cryptocurrency exchange accounts targeted for credentials).
- **Geography:** Inferred actor location (origin/residence): Ukraine, coastal region near Romania.
- **Victims:** The actor's own accounts were compromised through poor credential management: credentials for EncryptRAT C2 servers, bulletproof hosting providers, registrars, SSL certificate providers, and cryptocurrency exchanges.
## Tools & Infrastructure
**Malware Families/Tools Used:**
- Clipper malware
- Keylogger
- Rhadamanthys (Infostealer family)
- EncryptRAT (Mentioned as having associated C2 domains)
**Indicators of Compromise (IOCs):**
* **Cryptojacking Scripts:** `MinerInstall.ps1`, `runner.ps1`
* **Clipper Scripts:** `crypto.ps1`
* **Keylogger Files:** `logger.ps1`, `logger.exe`
* **Build IDs (Scripts):** `qq.ps1`, `admin.ps1`, `gato.ps1`, `trojanprivate.ps1`, `brave.ps1`, `traffic.ps1`, `general.ps1`
* **Executable:** `choker.exe`
* **IPs (Defanged):**
  * 206.166.251.99
  * 193.149.176.228
  * 45.131.215.16
  * 82.115.223.231
* **Domains (Defanged):**
  * 0xffsec\[.\]net
  * eatertoken\[.\]com
  * friendlyguys\[.\]vip
  * echonex\[.\]ai
  * echonex\[.\]io
  * vexio\[.\]io
  * noexploit\[.\]net
* **URLs (Defanged):**
  * hxxps://vexio\[.\]io/application/Vexio.Meets.application
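As an added example (not tooling from Outpost24 or KrakenLabs), the following Python refangs the indicators listed above and matches them against log lines. The IP, domain, URL and file-name lists are the values from this summary; the log lines in `SAMPLE_LOG`, including hostnames, timestamps and internal addresses, are constructed for illustration. It matches the script names against process command lines as well, which is the same check a detection for PowerShell-based delivery or the cryptojacking installer would run, and it shows two near-misses (a different IP with the same suffix, and a domain that only shares a prefix) that a naive substring match would wrongly flag.

```python
"""Refang and match the EncryptHub indicators against log lines.

Added example, not tooling from Outpost24/KrakenLabs. The IOC lists are the
values from the report; the log lines in SAMPLE_LOG are constructed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Indicators as listed in the report (defanged where the report defangs them).
DEFANGED_IPS = ["206.166.251.99", "193.149.176.228", "45.131.215.16", "82.115.223.231"]
DEFANGED_DOMAINS = [
    "0xffsec[.]net", "eatertoken[.]com", "friendlyguys[.]vip",
    "echonex[.]ai", "echonex[.]io", "vexio[.]io", "noexploit[.]net",
]
DEFANGED_URLS = ["hxxps://vexio[.]io/application/Vexio.Meets.application"]
SCRIPT_NAMES = [
    "MinerInstall.ps1", "runner.ps1", "crypto.ps1", "logger.ps1", "logger.exe",
    "qq.ps1", "admin.ps1", "gato.ps1", "trojanprivate.ps1", "brave.ps1",
    "traffic.ps1", "general.ps1", "choker.exe",
]


def refang(ioc: str) -> str:
    """Undo the common defanging conventions so the indicator can be matched."""
    s = ioc.replace("[.]", ".").replace("(.)", ".").replace("{.}", ".")
    s = re.sub(r"^hxxp(s?)://", r"http\1://", s, flags=re.IGNORECASE)
    return s.replace("[:]", ":").replace("[/]", "/")


@dataclass(frozen=True)
class Hit:
    line_no: int
    category: str
    indicator: str  # refanged form of the indicator that matched


def _build_patterns() -> list[tuple[str, str, re.Pattern[str]]]:
    pats = []
    for ip in DEFANGED_IPS:
        r = refang(ip)
        # whole-address match: 45.131.215.16 must not fire on 145.131.215.16
        pats.append(("ip", r, re.compile(r"(?<![\d.])" + re.escape(r) + r"(?![\d.])")))
    for dom in DEFANGED_DOMAINS:
        r = refang(dom)
        # the domain itself or any subdomain of it, matched as a whole host token
        pats.append(("domain", r, re.compile(
            r"(?<![\w-])(?:[\w-]+\.)*" + re.escape(r) + r"(?![\w-])", re.IGNORECASE)))
    for url in DEFANGED_URLS:
        r = refang(url)
        pats.append(("url", r, re.compile(re.escape(r), re.IGNORECASE)))
    for name in SCRIPT_NAMES:
        # file name on a path boundary: general.ps1 must not fire on general.psm1
        pats.append(("file", name, re.compile(
            r"(?<![\w.-])" + re.escape(name) + r"(?![\w-])", re.IGNORECASE)))
    return pats


PATTERNS = _build_patterns()


def scan(lines: list[str]) -> list[Hit]:
    """Return one Hit per (line, indicator) pair; lines are numbered from 1."""
    hits = []
    for n, line in enumerate(lines, 1):
        for cat, ind, pat in PATTERNS:
            if pat.search(line):
                hits.append(Hit(n, cat, ind))
    return hits


# Constructed log lines (DNS, proxy, netflow, Sysmon-style process creation).
SAMPLE_LOG = [
    r"2025-03-28T09:12:01Z dns host=WS-0142 qname=cdn.vexio.io rcode=NOERROR",
    r"2025-03-28T09:12:03Z proxy host=WS-0142 url=https://vexio.io/application/Vexio.Meets.application status=200",
    r"2025-03-28T09:12:09Z netflow src=10.20.30.41 dst=45.131.215.16 dport=443",
    r"2025-03-28T09:13:40Z sysmon EventID=1 Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe CommandLine=powershell.exe -File C:\Users\Public\MinerInstall.ps1",
    r"2025-03-28T09:14:02Z dns host=WS-0077 qname=echonex.iot.example rcode=NOERROR",  # near-miss, benign
    r"2025-03-28T09:14:10Z netflow src=10.20.30.42 dst=145.131.215.16 dport=443",  # near-miss, benign
    r"2025-03-28T09:15:00Z proxy host=WS-0077 url=https://updates.example/general.psm1",  # benign
]


if __name__ == "__main__":
    for h in scan(SAMPLE_LOG):
        print(f"line {h.line_no}: {h.category} {h.indicator}")
```

Run it over the constructed lines and only lines 1 to 4 fire; the subdomain `cdn.vexio.io` is caught because the domain pattern allows any label prefix, while `echonex.iot.example` and `145.131.215.16` are rejected by the boundary checks.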
## Implications
EncryptHub represents a self-taught, highly driven individual attempting to bridge legitimate security research (discovering CVEs) with active cybercriminal operations. The actor's motivation appears tied to financial gain, driven by insufficient income from legitimate work attempts. The actor's reliance on shared passwords across critical infrastructure (C2, hosting, exchanges) indicates significant operational security (OPSEC) flaws that could lead to rapid compromise of their entire ecosystem if one account is breached.
## Mitigations
- **Credential Audit:** Immediately audit all administrative, hosting, and C2 infrastructure accounts for password reuse. Enforce strong, unique passwords, preferably managed via a secure password vault.
- **Vulnerability Management:** Organizations should patch vulnerabilities **CVE-2025-24071 and CVE-2025-24061** immediately if they are not already mitigated, as these are actively being weaponized by the actor.
- **Malware Detection:** Implement detection for PowerShell-based malware delivery, Clipper functionality, and known Rhadamanthys indicators.
- **Limit Cryptojacking Impact:** Monitor for unusual CPU/system load indicative of cryptojacking tools such as `MinerInstall.ps1`.
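The credential audit above, as an added example that is not part of the original report: a Python script that groups an account inventory by a keyed password fingerprint and ranks each reuse group by how many critical service tiers (administrative, hosting, registrar, certificate provider, exchange) share one password, which is exactly the blast-radius problem the Implications section describes. The inventory, service names and audit key are constructed; in practice the inventory would be a vault export and the key would come from a secret store.

```python
"""Audit an account inventory for password reuse across critical services.

Added example, not Outpost24's code. The inventory and audit key are
constructed. Passwords are reduced to a keyed fingerprint so the findings
never carry plaintext.
"""
from __future__ import annotations

import hashlib
import hmac
from collections import defaultdict
from dataclasses import dataclass

# Service tiers the report names as single points of failure, plus generic
# administrative accounts. Tier names are this example's own convention.
CRITICAL_TIERS = {"admin", "hosting", "registrar", "cert", "exchange"}


@dataclass(frozen=True)
class Account:
    service: str
    username: str
    tier: str  # one of CRITICAL_TIERS or "other"


@dataclass(frozen=True)
class Finding:
    fingerprint: str           # keyed hash prefix, safe to put in a report
    accounts: tuple[Account, ...]
    tiers: tuple[str, ...]     # distinct tiers sharing this password
    severity: str


def fingerprint(password: str, audit_key: bytes) -> str:
    """Keyed SHA-256 of the password: equal passwords give equal fingerprints,
    and the fingerprint cannot be reversed without the audit key."""
    return hmac.new(audit_key, password.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def severity(tiers) -> str:
    critical = [t for t in tiers if t in CRITICAL_TIERS]
    if len(critical) >= 2:
        return "critical"  # one breach pivots across infrastructure tiers
    if len(critical) == 1:
        return "high"
    return "low"


def audit_reuse(inventory, audit_key: bytes) -> list[Finding]:
    """inventory: iterable of (Account, password). Returns reuse groups, worst first."""
    groups: dict[str, list[Account]] = defaultdict(list)
    for account, password in inventory:
        groups[fingerprint(password, audit_key)].append(account)
    findings = []
    for fp, accounts in groups.items():
        if len(accounts) < 2:
            continue  # unique password, nothing to report
        tiers = tuple(sorted({a.tier for a in accounts}))
        findings.append(Finding(fp, tuple(accounts), tiers, severity(tiers)))
    rank = {"critical": 0, "high": 1, "low": 2}
    findings.sort(key=lambda f: (rank[f.severity], -len(f.accounts)))
    return findings


def report(findings: list[Finding]) -> list[str]:
    """Human-readable lines carrying fingerprints only, never the passwords."""
    return [
        f"[{f.severity}] fingerprint {f.fingerprint}: "
        + ", ".join(f"{a.service}/{a.username}" for a in f.accounts)
        + f" (tiers: {', '.join(f.tiers)})"
        for f in findings
    ]


# Constructed inventory: three critical services share one password, two
# low-value services share another, the rest are unique.
AUDIT_KEY = b"constructed-audit-key-not-for-production"
INVENTORY = [
    (Account("hosting-provider", "ops", "hosting"), "Winter2024!"),
    (Account("registrar", "ops", "registrar"), "Winter2024!"),
    (Account("exchange", "ops", "exchange"), "Winter2024!"),
    (Account("cert-provider", "ops", "cert"), "c3rt-pr0vider-unique"),
    (Account("forum", "ops", "other"), "hunter2"),
    (Account("wiki", "ops", "other"), "hunter2"),
    (Account("admin-panel", "root", "admin"), "p4nel-unique-phrase"),
]


if __name__ == "__main__":
    for line in report(audit_reuse(INVENTORY, AUDIT_KEY)):
        print(line)
```

The HMAC rather than a plain hash matters: a report of bare SHA-256 prefixes would let anyone who obtains it test candidate passwords offline, whereas the keyed fingerprint is only comparable by whoever holds the audit key.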