Sunday, April 13, 2025

LARVA-208 Hackers Compromise 618 Organizations Stealing Logins and Deploying Ransomware

A newly identified cybercriminal group, LARVA-208, also known as EncryptHub, has successfully infiltrated 618 organizations globally since June 2024, leveraging advanced social engineering techniques to steal credentials and deploy ransomware.

According to reports from cybersecurity firms CATALYST and Prodaft, the group has demonstrated a high level of sophistication in its operations, targeting corporate networks through spear-phishing campaigns that utilize smishing (SMS phishing) and vishing (voice phishing).

Sophisticated Social Engineering Tactics Exploited

LARVA-208’s modus operandi involves impersonating IT personnel to deceive employees into divulging VPN credentials or installing Remote Monitoring and Management (RMM) software such as AnyDesk, TeamViewer, or Atera.

The attackers have registered over 70 domain names mimicking popular VPN services like Cisco AnyConnect, Palo Alto GlobalProtect, and Fortinet to enhance the credibility of their phishing campaigns.

By harvesting one-time passcodes (OTPs) during real-time interactions, the group bypasses multifactor authentication (MFA) measures and redirects victims to legitimate login pages to avoid suspicion.

Once access is gained, LARVA-208 deploys custom-developed PowerShell scripts to install information-stealing malware such as StealC, Rhadamanthys, and Fickle Stealer.
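
As an added defender-side example (not code from the Catalyst or Prodaft reports), the Python triage routine below flags two of the signals described above in constructed DNS and process-creation events: hostnames that carry one of the named VPN brand keywords outside the vendor's own domain, and launches of the named RMM tools that are not on an approval list. The vendor domains, RMM binary names and event format are assumptions.

```python
# Constructed sample: VPN brand keywords named in the article and the vendor
# domains each brand legitimately uses (assumed for this example).
VPN_BRANDS = {
    "anyconnect": {"cisco.com"},
    "globalprotect": {"paloaltonetworks.com"},
    "fortinet": {"fortinet.com"},
}
# Assumed binary names for the RMM tools the article names.
RMM_TOOLS = {"anydesk.exe", "teamviewer.exe", "ateraagent.exe"}

def registered_domain(host: str) -> str:
    """Crude eTLD+1 (last two labels); enough for this constructed sample."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()

def lookalike_vpn_host(host: str):
    """Return the impersonated brand when the hostname carries a VPN brand
    keyword but is not under that vendor's own domain; otherwise None."""
    h = host.lower()
    base = registered_domain(h)
    for brand, legit in VPN_BRANDS.items():
        if brand in h and base not in legit:
            return brand
    return None

def triage(events):
    """events: dicts with 'type' of 'dns' (key 'host') or 'process' (key 'image',
    optional 'approved'). Returns a list of human-readable findings."""
    findings = []
    for ev in events:
        if ev["type"] == "dns":
            brand = lookalike_vpn_host(ev["host"])
            if brand:
                findings.append(f"lookalike VPN domain ({brand}): {ev['host']}")
        elif ev["type"] == "process":
            exe = ev["image"].replace("\\", "/").rsplit("/", 1)[-1].lower()
            if exe in RMM_TOOLS and not ev.get("approved", False):
                findings.append(f"unapproved RMM launch: {ev['image']}")
    return findings

# Constructed events; '.example' is a reserved TLD, not a real indicator.
SAMPLE_EVENTS = [
    {"type": "dns", "host": "anyconnect.cisco.com"},
    {"type": "dns", "host": "cisco-anyconnect-login.example"},
    {"type": "dns", "host": "globalprotect-portal.example"},
    {"type": "process", "image": "C:\\Users\\u\\Downloads\\AnyDesk.exe"},
    {"type": "process", "image": "C:\\Program Files\\TeamViewer\\TeamViewer.exe",
     "approved": True},
]
```

Feeding `triage(SAMPLE_EVENTS)` the constructed events yields three findings: the two lookalike hostnames and the unapproved AnyDesk launch, while the vendor-hosted AnyConnect lookup and the approved TeamViewer install stay quiet.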

[Figure: Attack flow showing LARVA-208 obtaining Microsoft account information.]

According to Catalyst, these tools extract sensitive data, including browser-stored credentials, session cookies, and system information.

The stolen data is exfiltrated to Command-and-Control (C2) servers controlled by the attackers.

Additionally, the group targets cryptocurrency wallets and password managers, further amplifying the impact of their attacks.

The final stage of LARVA-208’s operations involves deploying ransomware payloads to encrypt files on compromised systems.

The group’s proprietary ransomware, Locker.ps1, uses AES to encrypt files and appends a “.crypted” extension to each one.

Victims are left with a ransom note instructing them to contact the attackers via Telegram for payment in cryptocurrency.

[Figure: The ransom note left on the victim device after the encryption process is finished.]

The group has also been linked to other ransomware strains such as RansomHub and BlackSuit.

Ransomware Deployment Causes Widespread Operational Disruptions

In some cases, LARVA-208 abuses open redirect parameters in Microsoft Teams links hosted on Microsoft’s own domains.

Because the link starts on a trusted domain, this lets the group intercept user credentials without creating a fake login page.
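
As an added example for the redirect abuse just described (not code from the article or the cited reports), the check below takes a link, and when the link sits on a host you trust, looks for any query or fragment parameter whose value is an absolute URL pointing somewhere you do not trust. It deliberately assumes nothing about parameter names; the trusted host suffixes and the sample links are constructed for this example.

```python
from urllib.parse import urlsplit, parse_qsl

# Assumption for this example: host suffixes the organisation treats as trusted
# Microsoft endpoints. Use your own allow-list in practice.
TRUSTED_SUFFIXES = ("microsoft.com", "microsoftonline.com")

def is_trusted(host: str) -> bool:
    h = host.lower()
    return any(h == s or h.endswith("." + s) for s in TRUSTED_SUFFIXES)

def external_redirect_target(url: str):
    """If url is on a trusted host but a query (or fragment) parameter value is an
    absolute http(s) URL pointing at a non-trusted host, return that embedded URL.
    Parameter names are deliberately not assumed; only values are inspected."""
    parts = urlsplit(url)
    if not is_trusted(parts.hostname or ""):
        return None  # not a trusted-domain link, so no borrowed trust to abuse
    values = [v for _, v in parse_qsl(parts.query, keep_blank_values=True)]
    values += [v for _, v in parse_qsl(parts.fragment, keep_blank_values=True)]
    for value in values:
        inner = urlsplit(value)  # parse_qsl already percent-decoded the value
        if inner.scheme in ("http", "https") and inner.hostname \
                and not is_trusted(inner.hostname):
            return value
    return None

def scan(links):
    """Return (link, embedded_external_url) pairs that deserve a closer look."""
    out = []
    for link in links:
        target = external_redirect_target(link)
        if target:
            out.append((link, target))
    return out

# Constructed links; '.example' is a reserved TLD, not a real indicator.
SAMPLE_LINKS = [
    "https://teams.microsoft.com/l/meetup-join/19%3ameeting",
    "https://login.microsoftonline.com/common/oauth2/authorize"
    "?redirect_uri=https://teams.microsoft.com/go",
    "https://login.microsoftonline.com/common/oauth2/authorize"
    "?redirect_uri=https%3A%2F%2Fportal-login.example%2Fauth",
    "https://portal-login.example/auth?u=https://login.microsoftonline.com",
]
```

Only the third constructed link is reported: it lives on a trusted host yet bounces the user to an external one, which is the pattern an email or proxy filter would want to hold for review.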

The group’s reliance on bulletproof hosting providers for phishing sites further complicates takedown efforts.

The scale of these breaches has resulted in significant operational disruptions for affected organizations.

Experts warn that LARVA-208 exemplifies the growing sophistication of cyber threats targeting high-value entities.

By combining advanced obfuscation techniques with tailored social engineering tactics, the group has demonstrated remarkable efficacy in evading detection and compromising critical systems.

Cybersecurity firms emphasize the need for enhanced awareness and robust security measures to counteract such threats.

As LARVA-208 continues its campaigns, organizations must remain vigilant against evolving attack vectors designed to exploit human vulnerabilities and technical defenses alike.

Aman Mishra
Aman Mishra is a security and privacy reporter covering data breaches, cyber crime, malware, and vulnerabilities.
