{ "id": "ffc90005-1dae-4935-924f-2111128b16f8", "created_at": "2026-04-06T00:10:27.179492Z", "updated_at": "2026-04-10T03:31:39.522846Z", "deleted_at": null, "sha1_hash": "b18b2b5d022adb072f62229c6bf60fed8bf6d622", "title": "Over 600 organizations subjected to global EncryptHub attacks", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 3814232, "plain_text": "Over 600 organizations subjected to global EncryptHub attacks\r\nBy SC Staff\r\nPublished: 2025-02-27 · Archived: 2026-04-05 19:09:00 UTC\r\nThreat Intelligence, Phishing, Malware\r\n(Adobe Stock)\r\nAt least 618 organizations around the world had their networks compromised by the EncryptHub threat actor, also\r\nknown as Larva-208, in a social engineering and spear-phishing attack campaign that has been ongoing since\r\nJune, according to BleepingComputer.\r\nAfter leveraging SMS and voice phishing, as well as fraudulent login pages for Microsoft 365, Cisco AnyConnect,\r\nand other corporate VPN offerings to facilitate initial access, EncryptHub lured targets into installing AnyDesk,\r\nTeamViewer, and other remote monitoring and management software for lateral movement before utilizing\r\nPowerShell scripts that deliver the Rhadamanthys, Stealc, and Fickle Stealer infomation-stealing payloads, a\r\nreport from PRODAFT revealed.\r\nAside from exfiltrating cryptocurrency wallet and VPN client configuration data, EncryptHub also sought to\r\ncompromise password manager data and files with certain file extensions and keywords before deploying a\r\ncustom PowerShell-based data encryptor.\r\nFurther analysis showed the presence of the Larva-148 subgroup, from which EncryptHub may be obtaining its\r\ndomains and phishing kits.\r\nhttps://www.scworld.com/brief/over-600-organizations-subjected-to-global-encrypthub-attacks\r\nPage 1 of 3\n\nSC Staff\r\nRelated\r\nStryker back online after cyberattack\r\nSC StaffApril 3, 2026\r\nBleepingComputer reports that major U.S. medical device firm Stryker has confirmed resuming full operations\r\nthree weeks after a cyberattack by Iran-linked hacktivist operation Handala, which led to the wiping of several of\r\nits systems.\r\nhttps://www.scworld.com/brief/over-600-organizations-subjected-to-global-encrypthub-attacks\r\nPage 2 of 3\n\nGet daily email updates\r\nSC Media's daily must-read of the most current and pressing daily news\r\nSource: https://www.scworld.com/brief/over-600-organizations-subjected-to-global-encrypthub-attacks\r\nhttps://www.scworld.com/brief/over-600-organizations-subjected-to-global-encrypthub-attacks\r\nPage 3 of 3", "extraction_quality": 1, "language": "EN", "sources": [ "MISPGALAXY", "Malpedia" ], "references": [ "https://www.scworld.com/brief/over-600-organizations-subjected-to-global-encrypthub-attacks" ], "report_names": [ "over-600-organizations-subjected-to-global-encrypthub-attacks" ], "threat_actors": [ { "id": "4134675e-5b72-4b50-8d70-1a8f18aafbb4", "created_at": "2024-10-04T02:00:04.766263Z", "updated_at": "2026-04-10T02:00:03.715945Z", "deleted_at": null, "main_name": "Handala", "aliases": [], "source_name": "MISPGALAXY:Handala", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "af10aec6-36a8-4bdb-ba47-8f75b6a4aa4b", "created_at": "2025-03-07T02:00:03.797427Z", "updated_at": "2026-04-10T02:00:03.821929Z", "deleted_at": null, "main_name": "Larva-208", "aliases": [ "EncryptHub" ], "source_name": "MISPGALAXY:Larva-208", "tools": [], "source_id": "MISPGALAXY", "reports": null } ], "ts_created_at": 1775434227, "ts_updated_at": 1775791899, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/b18b2b5d022adb072f62229c6bf60fed8bf6d622.pdf", "text": "https://archive.orkl.eu/b18b2b5d022adb072f62229c6bf60fed8bf6d622.txt", "img": "https://archive.orkl.eu/b18b2b5d022adb072f62229c6bf60fed8bf6d622.jpg" } }