Outpost24 recently discovered that rising cybercriminal entity EncryptHub inadvertently exposed elements of its malicious enterprise. The security investigation unveiled previously unknown aspects of the group’s infrastructure, tools, and behavioral patterns.
The security researchers notably uncovered the group’s directory listing, allowing them to take a peek into the threat actors’ stealer logs, malware executables, PowerShell scripts, and Telegram bot configurations. These errors shed light on the group’s operations, including their attack chain and methodologies.
Outpost24 reported its findings in “Unveiling EncryptHub: Analysis of a Multistage Malware Campaign,” along with 20 indicators of compromise (IoCs) comprising 14 domains and six IP addresses, which WhoisXML API expanded through a DNS deep dive.
Our in-depth analysis of the EncryptHub IoCs led to the discovery of new connected artifacts comprising:
A sample of the additional artifacts obtained from our analysis is available for download from our website.
Before expanding the current list of EncryptHub IoCs, we sought to find more information on them first.
We began by querying the 14 domains identified as IoCs on Bulk WHOIS API. The results showed that:
They were administered by six registrars led by PDR, which accounted for nine domains. One domain each was administered by GoDaddy, Metaregistrar, Namecheap, NiceNIC, and Sarek Oy.
Most of the domains, 11 to be exact, were registered in the U.S. One domain each was registered in Iceland and Saint Kitts and Nevis. Finally, one domain did not have a registrant country on record.
We then queried the 14 domains identified as IoCs on DNS Chronicle API and discovered that all of them had historical domain-to-IP resolutions. In fact, the 14 domains had 86 domain-to-IP resolutions over time. The domain global-protect[.]net had the oldest IP resolution date—28 February 2020. Since its current creation date was 16 January 2025, it has probably been reregistered recently.
The table below shows the DNS histories of five other domains.
DOMAIN IoC | NUMBER OF IP RESOLUTIONS | FIRST IP RESOLUTION DATE |
---|---|---|
353827-coinbase[.]com | 1 | 27 January 2025 |
b8-crypt0x[.]com | 1 | 22 February 2025 |
concur[.]net[.]co | 3 | 22 January 2025 |
encrypthub[.]us | 1 | 9 February 2025 |
healthy-cleanse-fit[.]com | 23 | 27 September 2023 |
Next, we queried the six IP addresses identified as IoCs on Bulk IP Geolocation Lookup and found that:
As with the domains identified as IoCs, we also queried the IP addresses tagged as IoCs on DNS Chronicle API and discovered that only five had historical IP-to-domain resolutions. The five IP addresses had 123 IP-to-domain resolutions over time. The IP address 82[.]115[.]223[.]199 recorded the oldest domain resolution date, 9 January 2021.
Here are details on three other IP addresses identified as IoCs.
IP ADDRESS IoC | NUMBER OF DOMAIN RESOLUTIONS | FIRST DOMAIN RESOLUTION DATE |
---|---|---|
193[.]149[.]176[.]228 | 19 | 7 June 2022 |
64[.]95[.]13[.]166 | 1 | 23 January 2025 |
85[.]209[.]128[.]128 | 7 | 17 December 2024 |
We started our search for connected web properties by querying the 14 domains identified as IoCs on WHOIS History API. We discovered that eight of them had eight email addresses in their historical WHOIS records after duplicates were filtered out. Four of the eight email addresses were public addresses.
We then queried the four public email addresses on Reverse WHOIS API and found that none of them appeared in the current WHOIS records of other domains. All of them, though, appeared in the historical WHOIS records of 64 domains after duplicates and those already identified as IoCs were filtered out.
A Threat Intelligence API query for the 64 email-connected domains showed that one—encrypthub[.]net—was already considered malicious.
Next, we queried the 14 domains identified as IoCs on DNS Lookup API. We discovered that 11 currently resolve to 10 IP addresses after duplicates and those already tagged as IoCs were filtered out.
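The email-connected pivot described above (refang the IoC domains, pull email addresses from their historical WHOIS records, keep only public ones, reverse-WHOIS each, then drop duplicates and domains already tagged as IoCs) can be scripted as follows. This is an added illustration, not WhoisXML API's code; the WHOIS histories, reverse-WHOIS index, email addresses, privacy-proxy rule and "lure-*.example" domains are constructed stand-ins for API responses.

```python
import re

# Constructed sample data modelled on the pivot described in the post.
# Only encrypthub[.]us, concur[.]net[.]co, b8-crypt0x[.]com and
# encrypthub[.]net appear in the post; everything else is hypothetical.
IOC_DOMAINS = ["encrypthub[.]us", "concur[.]net[.]co", "b8-crypt0x[.]com"]

# Hypothetical historical WHOIS records: IoC domain -> registrant e-mails.
WHOIS_HISTORY = {
    "encrypthub.us": ["registrant-a@example.com", "redacted@privacy-proxy.example"],
    "concur.net.co": ["registrant-a@example.com", "registrant-b@example.net"],
    "b8-crypt0x.com": ["redacted@privacy-proxy.example"],
}

# Hypothetical reverse-WHOIS index: e-mail -> domains whose historical WHOIS
# records carried that address.
REVERSE_WHOIS = {
    "registrant-a@example.com": ["encrypthub.net", "encrypthub.us", "lure-one.example"],
    "registrant-b@example.net": ["lure-one.example", "lure-two.example"],
}

# Domains of registrar privacy/proxy services (assumed rule for "public").
PRIVACY_PROXIES = {"privacy-proxy.example"}


def refang(ioc: str) -> str:
    """Turn a defanged indicator such as 'encrypthub[.]us' into a hostname."""
    return re.sub(r"\[\.\]", ".", ioc).strip().lower()


def is_public_email(addr: str) -> bool:
    """Public = not a privacy/proxy placeholder (constructed heuristic)."""
    return addr.split("@", 1)[1].lower() not in PRIVACY_PROXIES


def email_connected_domains(iocs, whois_history, reverse_whois):
    """Return (public_emails, connected_domains), deduplicated, IoCs excluded."""
    known = {refang(d) for d in iocs}
    emails = {e for d in known for e in whois_history.get(d, []) if is_public_email(e)}
    connected = set()
    for e in emails:
        connected.update(reverse_whois.get(e, []))
    return sorted(emails), sorted(connected - known)


if __name__ == "__main__":
    emails, domains = email_connected_domains(IOC_DOMAINS, WHOIS_HISTORY, REVERSE_WHOIS)
    print("public e-mails:", emails)
    print("email-connected domains (new, not IoCs):", domains)
```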
This post only contains a snapshot of the full research. Download the complete findings and a sample of the additional artifacts on our website or contact us to discuss your intelligence needs for threat detection and response or other cybersecurity use cases.
Disclaimer: We take a cautionary stance toward threat detection and aim to provide relevant information to help protect against potential dangers. Consequently, it is possible that some entities identified as “threats” or “malicious” may eventually be deemed harmless upon further investigation or changes in context. We strongly recommend conducting supplementary investigations to corroborate the information provided herein.