EncryptHub Deploys Ransomware and Stealer via Trojanized Apps, PPI Services, and Phishing

EncryptHub, a financially motivated threat actor active since June 2024, employs tactics including phishing, trojanized apps, and pay-per-install (PPI) services to deploy information stealers and ransomware. The group uses spear-phishing, smishing, and vishing to trick victims into installing remote monitoring and management (RMM) software, and it also distributes counterfeit versions of popular applications. EncryptHub is affiliated with the RansomHub and Blacksuit ransomware groups and is developing new tools such as EncryptRAT for its campaigns.
