Inside The LARVA-208 Cybercrime Operations


LARVA-208 (EncryptHub) is an advanced threat actor specializing in spear-phishing attacks, leveraging smishing (SMS phishing) and vishing (voice phishing) to gain initial access. Operating since June 26, 2024, the group employs sophisticated social engineering tactics to trick victims into installing remote monitoring and management (RMM) software. Their attacks primarily target VPN credentials and Microsoft Teams authentication, using phishing sites and malicious Open URL Redirection techniques. Post-compromise, LARVA-208 deploys stealer malware (Fickle, StealC, Rhadamanthys) and, in many cases, executes ransomware to encrypt victim devices.

Severity Level: High

Threat Details

1. Initial Access – Spear-Phishing & Social Engineering

  • Vishing & Smishing Attacks: The actor impersonates an IT helpdesk via phone calls, convincing victims to enter credentials into a spoofed VPN login page or install RMM tools like AnyDesk, TeamViewer, or Zoho Assist.
  • Fake Microsoft Teams Links: Uses Open URL Redirection vulnerabilities in Microsoft authentication to harvest credentials.

2. Credential Theft & MFA Bypass

  • Phishing Domains: LARVA-208 has registered 70+ fake domains impersonating VPN services (Cisco, Palo Alto, Fortinet) to steal login credentials.
  • MFA Exploitation: Bypasses MFA by capturing one-time passcodes during real-time phone calls with victims.

3. Post-Exploitation & Malware Deployment

  • Executes custom PowerShell scripts to deploy malware such as:
    – Fickle, StealC, Rhadamanthys → Credential & data stealers.
    – encrypt.ps1, stealc.ps1, locker.ps1 → Used to collect system info, steal data, and deploy ransomware.
  • RMM Software: Victims are tricked into installing AnyDesk, Atera, GoTo Resolve, ScreenConnect, Splashtop, TeamViewer, or Zoho Assist. After installation, the attackers ask the victim for the connection details, giving them persistent remote access to the victim's machine.

4. Data Exfiltration

  • Stolen credentials and system data are exfiltrated to Telegram channels and attacker-controlled C2 servers.

5. Ransomware Deployment

  • Encrypts files using AES and appends a .crypted extension.
  • Ransom demand issued via Telegram contact (t.me/encrypthub).
  • Ransomware used:
    – locker.ps1 (custom PowerShell-based ransomware).
    – RansomHub, Blacksuit ransomware deployed in various attacks.

Recommendations

  1. Implement geofencing and network-based restrictions to allow VPN access only from trusted IPs.
  2. Use device-based conditional access policies to block VPN access from unknown endpoints.
  3. Implement phishing-resistant MFA, such as FIDO2 security keys or certificate-based authentication.
  4. Implement number-matching and location-based MFA prompts to prevent social engineering-based MFA bypass.
  5. Enforce PowerShell Constrained Language Mode to block unauthorized script execution.
  6. Block unauthorized RMM software (e.g., AnyDesk, TeamViewer, Zoho Assist, Atera).
  7. Create application allowlisting policies to only permit approved IT support tools.
  8. Train employees to recognize Teams-based phishing attempts and verify unexpected login requests.
  9. Set up alerts for suspicious outbound network traffic, especially to Telegram API endpoints or unusual cloud storage services.
  10. Deploy Data Loss Prevention (DLP) solutions to detect and block unauthorized data transfers.
  11. Block the IOCs at their respective controls.
    https://www.virustotal.com/gui/collection/a48cec3c9001308f1d97e52d2c8aa459fa5e4bbfee51831056f24087e96af917/iocs
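The following is an added detection example, not code from the advisory or from PRODAFT or BleepingComputer, covering recommendations 1, 6 and 9 above: it scans egress-proxy and VPN-authentication log lines and raises findings for outbound connections to the Telegram API or to RMM vendor domains, and for VPN logins from outside a trusted address allowlist. The log line formats, the watchlist domains and the trusted ranges (RFC 5737 documentation addresses) are all assumptions constructed for the example; a real deployment would substitute its own proxy and VPN schemas and its own inventory of approved support tools.

```python
"""Detection sketch for the LARVA-208 advisory (added example, not the advisory's code).

Assumed log formats (constructed for this example):
  proxy: "<ts> <src_ip> <dst_host> <bytes_out>"
  vpn:   "<ts> VPN_LOGIN user=<user> src=<ip> result=<ok|fail>"
"""
import ipaddress
import re
from dataclasses import dataclass

PROXY_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<host>\S+) (?P<bytes>\d+)$")
VPN_RE = re.compile(
    r"^(?P<ts>\S+) VPN_LOGIN user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<res>\w+)$"
)

# Assumed watchlist: the Telegram bot API (the exfiltration channel named in the
# advisory) plus public domains of RMM tools the advisory lists. Verify these
# against your own approved-tool inventory before use; matching covers the
# domain itself and any subdomain.
WATCHLIST = {
    "api.telegram.org": "telegram-api",
    "anydesk.com": "rmm-anydesk",
    "teamviewer.com": "rmm-teamviewer",
    "atera.com": "rmm-atera",
    "assist.zoho.com": "rmm-zoho-assist",
}

# Constructed trusted ranges standing in for office egress and VPN concentrator IPs.
TRUSTED_NETS = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("198.51.100.0/25"),
]


@dataclass(frozen=True)
class Finding:
    rule: str      # which recommendation-derived rule fired
    ts: str        # timestamp copied from the log line
    subject: str   # source IP (proxy) or user name (VPN)
    detail: str    # human-readable context for the analyst


def watchlist_tag(host: str):
    """Return the watchlist tag for host (case-insensitive, subdomains included) or None."""
    host = host.lower().rstrip(".")
    for domain, tag in WATCHLIST.items():
        if host == domain or host.endswith("." + domain):
            return tag
    return None


def is_trusted(src: str) -> bool:
    """True only if src parses as an IP inside one of the trusted networks."""
    try:
        ip = ipaddress.ip_address(src)
    except ValueError:
        return False  # unparsable source is never trusted
    return any(ip in net for net in TRUSTED_NETS)


def scan(lines):
    """Run both rules over an iterable of log lines and return the findings in order."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        m = PROXY_RE.match(line)
        if m:
            tag = watchlist_tag(m["host"])
            if tag:
                findings.append(Finding(
                    "egress-watchlist", m["ts"], m["src"],
                    f"{tag} host={m['host']} bytes_out={m['bytes']}",
                ))
            continue
        m = VPN_RE.match(line)
        if m and not is_trusted(m["src"]):
            findings.append(Finding(
                "vpn-untrusted-source", m["ts"], m["user"],
                f"src={m['src']} result={m['res']}",
            ))
    return findings


# Constructed sample log: one trusted and one untrusted VPN login, then egress to a
# benign host, an RMM download, a large upload to the Telegram API, and a Zoho Assist session.
SAMPLE_LOG = """
2025-03-01T09:58:12Z VPN_LOGIN user=alice src=203.0.113.10 result=ok
2025-03-01T10:02:47Z VPN_LOGIN user=bob src=192.0.2.77 result=ok
2025-03-01T10:05:03Z 10.20.30.41 updates.example.net 5120
2025-03-01T10:06:19Z 10.20.30.41 download.anydesk.com 8832
2025-03-01T10:31:55Z 10.20.30.41 api.telegram.org 2201987
2025-03-01T10:32:10Z 10.20.30.42 assist.zoho.com 1204
"""

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG.splitlines()):
        print(f"[{f.rule}] {f.ts} {f.subject}: {f.detail}")
```

The egress rule fires on the domain and all of its subdomains (`download.anydesk.com` as well as `anydesk.com`) but not on look-alike names that merely end in the same string, and the VPN rule treats an unparsable source address as untrusted rather than silently passing it; both choices bias the sketch toward alerting, which is the right default for a watchlist this short.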

Source:

  • https://www.bleepingcomputer.com/news/security/encrypthub-breaches-618-orgs-to-deploy-infostealers-ransomware/
  • https://catalyst.prodaft.com/public/report/larva-208/overview
