MalwareRansomwareUsed by 1 actor

EncryptHub

EncryptHub is a malware-associated cybercriminal persona/tooling name linked to malware campaigns, credential theft, and access brokering. The content identifies EncryptHub as part of the malware arsenal associated with Water Gamayun, a Russia-aligned threat group known for targeting enterprise and government networks with objectives including sensitive data exfiltration, credential harvesting, and persistence. In one reported campaign, the final payload could not be confirmed because command-and-control infrastructure was non-responsive, but EncryptHub was listed among the plausible malware families that may have been deployed alongside SilentPrism, DarkWisp, and Rhadamanthys. Separate reporting cited by the content states that EncryptHub relied on the MSC EvilTwin loader exploiting CVE-2025-26633. The content also describes EncryptHub as a persona tied to spoofed WinRAR websites, malware distribution, credential theft, and access brokering, and notes aliases SkorikARI and LARVA-208. It further claims this actor compromised hundreds of high-value targets across Europe and Asia. High-confidence indicators directly mentioned in the content include the association with MSC EvilTwin loader exploitation of CVE-2025-26633 and use in campaigns involving spoofed WinRAR websites.

For your environment

Hunt this family in your stack

Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.

Start free trial

THREAT ACTORS

Groups observed using it

1 distinct threat actor attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.

View more details

EncryptHub

"However, Water Gamayun’s arsenal includes EncryptHub, SilentPrism, DarkWisp, and Rhadamanthys, so it is highly likely that any of these malware could have been installed."

via zscaler threat labzzscaler.com

ACTIVITY FEED

Recent activity

4 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

4 SOURCESView more in app

sentinelone blogNews

Dec 25, 2025

The Best, the Worst and the Ugliest in Cybersecurity | 2025 Edition

Ransomware involved in multi-stage attacks targeting enterprises and individuals.

cso onlineNews

Dec 10, 2025

Behind the breaches: Case studies that reveal adversary motives and modus operandi

EncryptHub is a threat actor and malware developer known for credential theft, access brokering, and distributing malware through spoofed websites. The actor also engages in legitimate vulnerability disclosure, blurring the line between cybercrime and security research.

zscaler threat labzNews

Nov 25, 2025

In-Depth Analysis: Water Gamayun APT Multi-Stage Attack Uncovered

Referenced as part of Water Gamayun’s malware arsenal; potentially deployed as a backdoor or information-stealing payload in the described intrusion chain, but not confirmed in this specific case due to non-responsive C2.

recorded future blogNews

May 20, 2025

Rate My Rizz: Elevating Cyber Resilience Beyond Compliance

Ransomware that uses the MSC EvilTwin loader to deploy its payloads, exploiting CVE-2025-26633.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets match these IOCs, which detections are missing, which campaigns to expect next, and what to do in the next 30 minutes.

Start free trial

IOC matching

Match every observed IP, domain, and hash against your live telemetry.

Threat actor attribution1

Named campaigns wielding this family, with evidence pinned to each claim.

Exploited vulnerabilities

CVEs this family uses for access and lateral movement.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

MITRE ATT&CK mapping

Every documented technique, ranked by evidence weight.

Researcher chatter

Reddit, Mastodon, and CTI community discussion around this family.