EncryptHub Targets Web3 Devs with Fake AI Job Offers, Stealer Malware

EncryptHub Targets Web3 Developers with Info-Stealing Malware and Launches New Ransomware Attacks

  • The group known as EncryptHub is targeting Web3 developers with information-stealing malware via fake AI platforms.
  • Attackers use deceptive job offers and portfolio review requests to lure victims.
  • They deliver malware disguised as audio driver updates, aiming to gain access to cryptocurrency wallets and sensitive credentials.
  • New ransomware strains such as KAWA4096 and Crux have emerged, targeting organizations in the United States and Japan.
  • Ransomware groups use legitimate Windows tools to avoid detection and disable system recovery features.

A threat actor identified as EncryptHub, also known as LARVA-208 and Water Gamayun, has launched a new campaign against Web3 developers. According to cybersecurity company PRODAFT, the group targets these developers using fake artificial intelligence platforms and job-related pretexts to infect devices with information-stealing malware.

Investigators report that EncryptHub sends job offers and portfolio review requests through platforms like X (formerly Twitter), Telegram, and a Web3 job board named Remote3. The campaign focuses on freelancers and developers involved in decentralized crypto projects who often handle sensitive wallets and smart contracts. Once in contact, attackers guide victims through fake interviews using Google Meet, then instruct them to join a meeting on platforms such as Norlax AI, ultimately leading victims to download malicious files.

When victims click on meeting links, they are prompted for an email address and invitation code, then shown a fake error message about outdated audio drivers. Accepting this prompt downloads a file disguised as a Realtek audio driver. This file executes PowerShell commands to install malware known as Fickle Stealer, which collects information from crypto wallets and development environments and sends the data to an external server called SilentPrism.

PRODAFT stated, “The threat actors distribute infostealers like Fickle through fake AI applications, successfully harvesting cryptocurrency wallets, development credentials, and sensitive project data.” The company noted a shift in criminal methods, describing increased reliance on data theft for direct monetization or resale in illicit markets.

Trustwave SpiderLabs recently described a new ransomware named KAWA4096, which has attacked at least 11 companies—mainly in the United States and Japan—since June 2025. The group uses a technique that processes files in parallel, rapidly encrypting files on shared network drives. Investigators have not identified the method used to gain initial access.

Another ransomware called Crux has emerged this month. According to Huntress, Crux attackers frequently use stolen remote desktop credentials and legitimate Windows tools such as svchost.exe and bcdedit.exe to hide activity and disable system recovery.

Huntress advises, “Continual monitoring for suspicious behavior using these processes via endpoint detection and response (EDR) can help suss out threat actors in your environment.”
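The monitoring Huntress recommends can be expressed as triage rules over process-creation telemetry. The Python below is an added example, not code from Huntress or this article: the event field names, the sample events, and the specific heuristics (expected svchost.exe parent, path and `-k` argument, and the bcdedit.exe recovery settings watched) are assumptions based on general Windows behavior, not details of the Crux report.

```python
import ntpath
import re

# Constructed process-creation events (Sysmon Event ID 1 style fields, assumed names).
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\svchost.exe",
     "parent": r"C:\Windows\System32\services.exe",
     "cmdline": r"C:\Windows\System32\svchost.exe -k netsvcs -p"},
    {"image": r"C:\Users\dev\AppData\Local\Temp\svchost.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": r"C:\Users\dev\AppData\Local\Temp\svchost.exe"},
    {"image": r"C:\Windows\System32\svchost.exe",
     "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"svchost.exe -a"},
    {"image": r"C:\Windows\System32\bcdedit.exe",
     "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"bcdedit /set {default} recoveryenabled No"},
    {"image": r"C:\Windows\System32\bcdedit.exe",
     "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"bcdedit /enum"},
]

SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
# Boot settings whose change disables Windows recovery (assumed watch list).
RECOVERY_OFF = re.compile(
    r"recoveryenabled\s+(no|off)\b|bootstatuspolicy\s+ignoreallfailures", re.I)

def findings(event):
    """Return the reasons a single process-creation event looks suspicious."""
    image = event["image"].lower()
    name = ntpath.basename(image)
    hits = []
    if name == "svchost.exe":
        if ntpath.dirname(image) not in SYSTEM_DIRS:
            hits.append("svchost.exe outside system directory")
        if ntpath.basename(event["parent"].lower()) != "services.exe":
            hits.append("svchost.exe not spawned by services.exe")
        if not re.search(r"\s-k\s+\S+", event["cmdline"], re.I):
            hits.append("svchost.exe without -k service group")
    elif name == "bcdedit.exe" and RECOVERY_OFF.search(event["cmdline"]):
        hits.append("bcdedit.exe disabling boot recovery")
    return hits

def triage(events):
    """Return (index, reasons) for every event with at least one finding."""
    return [(i, h) for i, e in enumerate(events) if (h := findings(e))]

if __name__ == "__main__":
    for index, reasons in triage(SAMPLE_EVENTS):
        print(index, SAMPLE_EVENTS[index]["cmdline"], reasons)
```

Read-only bcdedit.exe use such as `/enum` is left unflagged, so the rule fires on configuration changes rather than on every invocation.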
