EncryptHub, a rising cybercriminal group linked to over 600 ransomware and infostealer attacks globally, has been exposed due to critical operational security (OPSEC) lapses.
These failures, combined with extensive use of ChatGPT for malware development and operational planning, have provided cybersecurity researchers with unprecedented insight into the group’s tactics, techniques, and procedures (TTPs).
EncryptHub’s activities highlight the evolving sophistication of ransomware operators while underscoring the risks of poor security practices.
Multi-Stage Malware Campaign and Infrastructure Weaknesses
EncryptHub’s campaigns employ multi-layered PowerShell scripts and trojanized applications to compromise systems.
The group targets high-value entities by prioritizing credentials linked to cryptocurrency wallets, VPNs, and corporate networks.
Once access is gained, often through spear-phishing or fake login pages imitating VPN products like Cisco AnyConnect and Palo Alto GlobalProtect, the attackers deploy custom malware such as Stealc and Rhadamanthys to exfiltrate sensitive data.
In many cases, they escalate their operations by deploying ransomware that encrypts files using AES encryption, appending the “.crypted” extension.
Despite their technical proficiency, EncryptHub inadvertently exposed critical elements of their infrastructure.
Researchers discovered directory listings enabled on servers, unprotected stealer logs stored alongside malware executables, and misconfigured Telegram bot credentials used for campaign oversight.
These errors allowed investigators to map their attack chain in detail.
ChatGPT: A Key Ally in Cybercrime
A unique aspect of EncryptHub’s operations is its reliance on ChatGPT as a development assistant.
The AI chatbot was used extensively to create malware components, configure command-and-control (C2) servers, develop phishing sites, and even draft posts for underground forums.
EncryptHub also leveraged ChatGPT for vulnerability research, including CVEs like CVE-2025-24071 and CVE-2025-24061, which were exploited in their campaigns.
In one revealing exchange, EncryptHub sought advice from ChatGPT on whether they were better suited for “black hat” or “white hat” activities.
The interaction highlighted the operator’s internal conflict between pursuing legitimate cybersecurity work and continuing down a criminal path.
However, subsequent conversations indicated a clear decision to embrace cybercrime fully.
Indicators of Compromise (IOCs)
Researchers identified several IOCs linked to EncryptHub’s operations:
- Malware Hashes: Examples include 6f346b7dffc0c3872923dd0c3b2ddb7966a10961dba9a69b116e5c3d978fa0fa (crypto.ps1) and cb41b440148b2d24d4877ab09514aa23a4253a17a31967b946053ffcfc87f222 (ram.ps1).
- Domains: Malicious domains such as 0xffsec[.]net and friendlyguys[.]vip were used for phishing campaigns.
- IPs: Known IP addresses include 206.166.251.99 and 193.149.176.228.
These IOCs are critical for organizations aiming to detect and mitigate EncryptHub-related threats.
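To make those indicators actionable, here is an added example (not from the article or the underlying report) that scans proxy/DNS log lines for the listed domains and IPs, including subdomains of the listed domains, and checks a file's SHA-256 against the listed hashes. The sample log lines, host names and function names are constructed for illustration.

```python
import hashlib
import re

# IOCs as listed in the article above; domains are refanged from the "[.]"
# notation so that they match real proxy/DNS log text.
IOC_SHA256 = {
    "6f346b7dffc0c3872923dd0c3b2ddb7966a10961dba9a69b116e5c3d978fa0fa": "crypto.ps1",
    "cb41b440148b2d24d4877ab09514aa23a4253a17a31967b946053ffcfc87f222": "ram.ps1",
}
IOC_DOMAINS = {d.replace("[.]", ".") for d in ("0xffsec[.]net", "friendlyguys[.]vip")}
IOC_IPS = {"206.166.251.99", "193.149.176.228"}
# Host-like tokens in a log line: an IPv4 literal or a dotted host name.
_HOST_RE = re.compile(r"\b((?:\d{1,3}\.){3}\d{1,3}|[a-z0-9-]+(?:\.[a-z0-9-]+)+)\b", re.I)

# Constructed sample log (not real traffic): one benign line, then three hits.
SAMPLE_LOG = """\
2025-03-10T09:14:02Z proxy allow 10.0.0.21 -> https://login.microsoftonline.com/ 200
2025-03-10T09:15:37Z dns query 10.0.0.21 0xffsec.net A
2025-03-10T09:15:39Z proxy allow 10.0.0.21 -> http://193.149.176.228/crypto.ps1 200
2025-03-10T09:16:10Z proxy allow 10.0.0.21 -> https://cdn.friendlyguys.vip/update.exe 200
"""

def scan_log_line(line):
    """Return [(indicator, kind)] for each listed IP or domain (incl. subdomains) in one line."""
    hits = []
    for token in _HOST_RE.findall(line):
        t = token.lower()
        if t in IOC_IPS:
            hits.append((t, "ip"))
        elif t in IOC_DOMAINS or any(t.endswith("." + d) for d in IOC_DOMAINS):
            hits.append((t, "domain"))
    return hits

def scan_log(text):
    """Scan multi-line log text; return [(line_number, indicator, kind), ...]."""
    return [(n, ioc, kind) for n, line in enumerate(text.splitlines(), 1)
            for ioc, kind in scan_log_line(line)]

def match_hash(hexdigest):
    """Return the sample name if the SHA-256 is a listed EncryptHub hash, else None."""
    return IOC_SHA256.get(hexdigest.lower())

def check_file(path):
    """Hash a file on disk in chunks and look it up against the listed hashes."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return match_hash(h.hexdigest())
```

Feed `scan_log` the export of a proxy or DNS resolver and point `check_file` at quarantined PowerShell scripts; the domain match deliberately covers subdomains so a staged payload host is not missed.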
EncryptHub’s operational errors serve as a cautionary tale for cybercriminals and defenders alike.
Key mistakes included password reuse across personal and criminal accounts, failure to enable two-factor authentication (2FA), and storing sensitive credentials in plaintext files accessible via their own malware.
Additionally, the use of personal emails for criminal activities and reliance on misconfigured infrastructure exposed their operations to scrutiny.
One glaring example was the exposure of a JSON file containing Telegram bot tokens due to directory listing being enabled on a C2 server.
According to the report, this oversight allowed researchers to infiltrate Telegram groups used by EncryptHub for campaign coordination.
EncryptHub’s case illustrates how even sophisticated threat actors can be undone by basic security lapses.
While their technical capabilities are significant, as evidenced by their development of custom tools like “EncryptRAT”, their OPSEC failures have left them vulnerable to detection and disruption.
Organizations must remain vigilant by implementing robust endpoint defenses, conducting regular security training, and monitoring IOCs associated with this group.
As ransomware operators continue to evolve, the importance of threat intelligence cannot be overstated. By understanding adversaries’ TTPs and leveraging insights from cases like EncryptHub’s, defenders can stay one step ahead in the ongoing battle against cybercrime.