The financially motivated threat actor known as EncryptHub (aka LARVA-208 and Water Gamayun) has been attributed to a new campaign that's targeting Web3 developers to infect them with information stealer malware.
"LARVA-208 has evolved its tactics, using fake AI platforms (e.g., Norlax AI, mimicking Teampilot) to lure victims with job offers or portfolio review requests," Swiss cybersecurity company PRODAFT said in a statement shared with The Hacker News.
While the group has a history of deploying ransomware, the latest findings demonstrate an evolution of its tactics and a diversification of its monetization methods by using stealer malware to harvest data from cryptocurrency wallets.
EncryptHub's focus on Web3 developers isn't random—these individuals often manage crypto wallets, access to smart contract repositories, or sensitive test environments. Many operate as freelancers or work across multiple decentralized projects, making them harder to protect with traditional enterprise security controls. This decentralized, high-value developer community presents an ideal target for attackers looking to monetize quickly without triggering centralized defenses.
The attack chains entail directing prospective targets to deceptive artificial intelligence (AI) platforms and tricking them into clicking on purported meeting links within these sites.
Meeting links to these sites are sent to developers who follow Web3 and Blockchain-related content via platforms like X and Telegram under the pretext of a job interview or portfolio discussion. The threat actors have also been found sending the meeting links to people who applied for positions posted by them on a Web3 job board called Remote3.
What's interesting is the approach used by the attackers to sidestep security warnings issued by Remote3 on their site. Given that the service explicitly warns job seekers against downloading unfamiliar video conferencing software, the attackers conduct an initial conversation via Google Meet, during which they instruct the applicant to resume the interview on Norlax AI.
Regardless of the method used, once the victim clicks on the meeting link, they are asked to enter their email address and invitation code, following which they are served a fake error message about outdated or missing audio drivers.
Clicking the message leads to the download of malicious software disguised as a genuine Realtek HD Audio Driver, which executes PowerShell commands to retrieve and deploy the Fickle Stealer. The information gathered by the stealer malware is transmitted to an external server codenamed SilentPrism.
"The threat actors distribute infostealers like Fickle through fake AI applications, successfully harvesting cryptocurrency wallets, development credentials, and sensitive project data," PRODAFT said.
"This latest operation suggests a shift toward alternative monetization strategies, including the exfiltration of valuable data and credentials for potential resale or exploitation in illicit markets."
The development comes as Trustwave SpiderLabs detailed a new ransomware strain called KAWA4096 that "follows the style of the Akira ransomware group, and a ransom note format similar to Qilin's, likely an attempt to further enrich their visibility and credibility."
KAWA4096, which first emerged in June 2025, is said to have targeted 11 companies, with the most number of targets located in the United States and Japan. The initial access vector used in the attacks is not known.
A notable feature of KAWA4096 is its ability to encrypt files on shared network drives and the use of multithreading to increase operational efficiency and speed up the scanning and encryption process.
"After identifying valid files, the ransomware adds them to a shared queue," security researchers Nathaniel Morales and John Basmayor said. "This queue is processed by a pool of worker threads, each responsible for retrieving file paths and passing it on to the encryption routine. A semaphore is used for synchronization among threads, ensuring efficient processing of the file queue."
Another new entrant to the ransomware landscape is Crux, which claims to be part of the BlackByte group and has been deployed in the wild in three incidents detected on July 4 and 13, 2025, per Huntress.
In one of the incidents, the threat actors have been found to leverage valid credentials via RDP to obtain a foothold in the target network. Common to all the attacks is the use of legitimate Windows tools like svchost.exe and bcdedit.exe to conceal malicious commands and modify boot configuration so as to inhibit system recovery.
"The threat actor also clearly has a preference for legitimate processes like bcdedit.exe and svchost.exe, so continual monitoring for suspicious behavior using these processes via endpoint detection and response (EDR) can help suss out threat actors in your environment," Huntress said.
