Threat Context Monthly, April 2025: EncryptHub & Media Land Leak

This month’s threat report highlights the activities of the financially motivated threat actor EncryptHub, detailing its use of ransomware, exploit sales, and advanced malware development with the help of tools like ChatGPT. It also covers the leak from Media Land LLC, which raises concerns about compromised data related to malicious operations.

Affected: EncryptHub, Media Land LLC, Oracle Cloud, Cybersecurity Sector

Key points:

  • EncryptHub is a financially motivated threat actor, active since June 2024, focusing on ransomware and data theft.
  • Uses trojanized applications and a third-party service, LabInstalls, for malware distribution.
  • Malicious campaigns included the deployment of PowerShell-based infostealers and cryptojacking operations using XMRig.
  • Leveraged vulnerabilities in Fortinet and Palo Alto Networks systems to compromise credentials.
  • ChatGPT has been used to create malware and manage operations.
  • Media Land LLC, a bulletproof hosting provider, was subjected to a significant data leak revealing sensitive customer information.
  • Various exploits were sold on underground forums, including ones for critical CVEs in Microsoft Management Console.

MITRE Techniques:

  • Initial Access (T1071.001) – Using external remote services to gain access to the network.
  • Credential Dumping (T1003.001) – Exploiting system vulnerabilities to obtain admin credentials.
  • Command and Control (T1071) – Utilizing Telegram channels for exfiltration and management of compromised endpoints.
  • Exfiltration Over C2 Channel (T1041) – Exfiltrating data through communication channels established via compromised systems.
  • Malware (T1203) – Development and deployment of various forms of malware, such as ransomware and infostealers.
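The two most directly detectable behaviours in the list above are Telegram used as the C2 and exfiltration channel and the PowerShell-based infostealer and XMRig cryptojacking activity. The script below is an added example, not code from the Outpost24 report or from the actor's tooling: it runs three simple rules over constructed endpoint network-log lines. The log format, the list of script hosts, the set of mining-pool ports and the upload-size threshold are all assumptions chosen for the example.

```python
"""Added example (not code from the Outpost24 report): scans constructed
endpoint network-log lines for behaviours the summary attributes to
EncryptHub, namely Telegram used as a C2/exfiltration channel by PowerShell
based tooling and XMRig-style connections to mining pools. The log format,
the script-host list, the pool ports and the upload threshold are assumptions."""
import re
from dataclasses import dataclass

# Assumed log format (constructed for this example):
#   <timestamp> host=<name> proc="<image path>" dst=<hostname>:<port> bytes_out=<n>
LOG_RE = re.compile(
    r'^(?P<ts>\S+) host=(?P<host>\S+) proc="(?P<proc>[^"]+)" '
    r'dst=(?P<dst>[^:\s]+):(?P<port>\d+) bytes_out=(?P<out>\d+)$'
)

TELEGRAM_API = "api.telegram.org"                 # Telegram Bot API endpoint
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"}
MINING_PORTS = {3333, 4444, 5555, 7777, 14444}    # common stratum pool ports (assumed)
EXFIL_THRESHOLD = 1_000_000                       # bytes sent in one flow (assumed)


@dataclass
class Finding:
    rule: str
    host: str
    proc: str
    dst: str
    detail: str


def parse_line(line):
    """Return a dict for a well-formed line, or None so bad lines are skipped."""
    m = LOG_RE.match(line.strip())
    if m is None:
        return None
    ev = m.groupdict()
    ev["port"] = int(ev["port"])
    ev["out"] = int(ev["out"])
    return ev


def analyze(lines):
    """Apply the three rules to every parseable line and collect findings."""
    findings = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        image = re.split(r"[\\/]", ev["proc"].lower())[-1]   # basename only
        # Rule 1: a script host talking to the Telegram Bot API is rarely legitimate
        # on a workstation and matches the reported PowerShell-based C2 pattern.
        if ev["dst"] == TELEGRAM_API and image in SCRIPT_HOSTS:
            findings.append(Finding("telegram_c2_from_script_host", ev["host"],
                                    image, ev["dst"], f"{ev['out']} bytes out"))
        # Rule 2: any process pushing a large volume to Telegram looks like exfiltration.
        elif ev["dst"] == TELEGRAM_API and ev["out"] >= EXFIL_THRESHOLD:
            findings.append(Finding("large_upload_to_telegram", ev["host"],
                                    image, ev["dst"], f"{ev['out']} bytes out"))
        # Rule 3: outbound connections on typical stratum ports suggest a miner.
        if ev["port"] in MINING_PORTS:
            findings.append(Finding("possible_mining_pool_connection", ev["host"],
                                    image, ev["dst"], f"port {ev['port']}"))
    return findings


# Constructed sample lines; hostnames and paths are made up for the example.
SAMPLE_LOGS = [
    r'2025-04-02T10:00:01Z host=WS-17 proc="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" dst=api.telegram.org:443 bytes_out=2411',
    r'2025-04-02T10:00:05Z host=WS-17 proc="C:\Program Files\Mozilla Firefox\firefox.exe" dst=api.telegram.org:443 bytes_out=512',
    r'2025-04-02T10:01:00Z host=WS-17 proc="C:\Users\Public\updater.exe" dst=api.telegram.org:443 bytes_out=5300000',
    r'2025-04-02T10:02:00Z host=WS-22 proc="C:\Users\Public\svchost.exe" dst=pool.mining-example.invalid:3333 bytes_out=900',
    r'2025-04-02T10:03:00Z host=WS-22 proc="C:\Windows\System32\svchost.exe" dst=update.microsoft.com:443 bytes_out=1200',
    "malformed line that the parser ignores",
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_LOGS):
        print(f"[{f.rule}] {f.host} {f.proc} -> {f.dst} ({f.detail})")
```

Run on the sample, the first line (PowerShell reaching the Bot API) and the third (a multi-megabyte upload from an unsigned-looking binary in a public folder) fire the Telegram rules, the fourth fires the mining rule, and the browser and Windows Update lines stay quiet. The port-based mining rule is deliberately crude and will need an allowlist in real traffic; pairing it with process reputation, or with the periodic beaconing pattern of a Telegram poll loop, gives far fewer false positives than either signal alone.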

Full Story: https://outpost24.com/blog/threat-context-monthly-april-2025-encrypthub-encryptrat-media-land/