Welcome to the Threat Context Monthly blog series where we provide a comprehensive roundup of the most relevant cybersecurity news and threat information from KrakenLabs, Outpost24’s cyber threat intelligence team. Here’s what you need to know from April about EncryptHub, EncryptRAT, and the Media Land leak.

Threat actor of the month: EncryptHub

“EncryptHub“ is a financially motivated threat actor first observed in June 2024. The adversary’s main objective is monetary gain through deploying ransomware, selling exploits, and stealing sensitive data from high-value corporate networks globally.

Outpost24 KrakenLabs researchers observed EncryptHub distributing trojanized versions of widely used applications, as well as leveraging the third-party PPI service LabInstalls to automate the deployment of malicious executables. These campaigns have led to the deployment of Powershell-based infostealer malware, Rhadamanthys, and StealC. The adversary also used XMRig to carry out cryptojacking campaigns.

Operational security mistakes have allowed Outpost24 KrakenLabs researchers to map his tactics, uncovering his multi-stage attack chains and methodologies. The threat actor frequently utilizes Telegram channels for managing compromised endpoints and exfiltrating stolen data. The adversary was also observed exploiting vulnerabilities in Fortinet and Palo Alto Networks systems, leveraging scripts specifically designed to compromise administrative credentials, reset passwords, and maintain persistent access.

Researchers observed that EncryptHub also relies heavily on ChatGPT to assist in their malicious operations. The AI chat bot assisted the adversary in the creation and configuration of Telegram bots, C2 servers, phishing sites, mail servers, and Onion services, learning how to create macOS apps, how to properly use a REST API, and how to call PowerShell scripts from Go. Furthermore, ChatGPT helped to write malware, such as clippers and cookie stealers, understand and improve code from other sources, and how to better integrate it with his current malware.

EncryptRAT – Proprietary C2 panel

EncryptHub has been developing and improving EncryptRAT, a command-and-control (C2) panel. This tool allows the user to manage active infections, send remote commands, manage additional modules, monitor and download logs from infected devices and configure various malware samples and exfiltration channels.

Exploits sales activities

On March 2025, EncryptHub offered for sale various exploits on the underground forum XSS including CVE-2025-26633 –RCE in Microsoft Management Console, CVE-2025-24061 –SmartScreen & MoTW bypass exploit, and CVE-2025-24071 –0-click NTLMv2 hash leak exploit. Surprisingly, the adversary previously reported the last two vulnerabilities to Microsoft’s MSRC under the alias SkorikARI.

Spotlight threat: Bulletproof hosting provider Media Land LLC. client’s data leaked

Media Land LLC. is a bulletproof hosting (BPH) provider that allows clients to host any type of content or use it for any type of activity regardless of its legitimacy. This BPH is advertised in underground forums by “yalishanda”, moniker identified with individual Alexander Volosovik.

On March 28, 2025, internal data from Media Land was leaked in a Telegram channel created on February 23. Researchers point to the significance of the leak, as it contains records of who purchased servers, who paid for them, and possibly personally identifiable information (PII). It is possible that the data was leaked by the same actor that exposed Black Basta‘s internal chat logs.

One of the researchers who informed about the leak made an observation regarding the possibility that the threat actor who obtained the database could have been creating fraudulent Telegram channels to deceive users.

Malicious operations hosted on Media Land LLC.

Servers hosted by Media Land infrastructure included the Dridex and Zeus banking trojans, the defunct card shop valid[.]cc, ransomware groups such as Egregor, Maze, Black Basta, or Hunters International, Magecart attacks infrastructure, the RIG Exploit Kit, etc.

KrakenLabs observed highlights

Emerging threats

CVE Program funding controversy: On April 16, the US government reinstated funding for the Common Vulnerabilities and Exposures database. The announcement came after hours of uncertainty after MITRE, the non-profit organization that runs the database, said its contract to operate the CVE Program had not been renewed. To ensure continued long-term international participation and stability of the CVE Program, a new non-profit, the CVE Foundation, has also been founded. Learn more / more / and more →

Slopsquatting – New supply chain attack method? ‘Slopsquatting’ (aka package hallucination) occurs when the code generated by a Large Language Model recommends or references a fictitious package. Researchers warn threat actors can exploit this in a new type of supply chain attack by publishing malicious packages with hallucinated names. Learn more / and more →

Oracle Cloud data breach

Oracle Cloud confirms data breach: A threat actor named “rose87168″claimed in underground forums to have breached Oracle Cloud. Initially, the vendor denied the breach but has ended up privately acknowledging some customers that attackers had stolen old client credentials clients after breaching a “legacy environment” last used in 2017. Security researchers that had access to the leak suggest, however, that the breach could also include more recent data. Learn more / more / and more →

StealC malware

Updated StealC version released: Updated 2.0 version for infostealer StealC has been released. This new version included major changes like fully server-side decryption on Chromium-based servers, automatic brute-forcing of crypto plugins, or a builder integrated directly into the admin panel, among other relevant updates. Learn more →

Ransomware

Hunters International prioritizes exfiltration: Threat group “Hunters International”continued their evolution from a double extortion Ransomware-as-a-Service (RaaS) to a dual model prioritizing exfiltration and extortion without encrypting the victims. In that regard, according to Group-IB, the adversary released a new data exfiltration service named “World Leaks”.  Learn more →

What’s new in Threat Context this month?

Threat actors: Dark Storm Team, superstar75737, Z-Pentest, Arkana Security, RipperSec, VanHelsing, and Crazy Evil.

Tools: MegaMedusa, VanHelsing Locker, and Nitrogen.

Add threat intelligence to your organization

Outpost24’s External Attack Surface Management (EASM) platform gives users access to threat intelligence powered by our human-led team, KrakenLabs. Get in touch to learn more about our Threat Intelligence sourcing.