Decrypting the Inner DNS Workings of EncryptHub

Outpost24 recently discovered that rising cybercriminal entity EncryptHub inadvertently exposed elements of its malicious enterprise. The security investigation unveiled previously unknown aspects of the group’s infrastructure, tools, and behavioral patterns.

The security researchers notably uncovered the group’s open directory listing, allowing them to take a peek into the threat actors’ stealer logs, malware executables, PowerShell scripts, and Telegram bot configurations. These operational mistakes shed light on the group’s operations, including its attack chain and methodologies.

Outpost24 reported its findings in “Unveiling EncryptHub: Analysis of a Multistage Malware Campaign,” along with 20 indicators of compromise (IoCs) comprising 14 domains and six IP addresses, which WhoisXML API expanded through a DNS deep dive.

Our in-depth analysis of the EncryptHub IoCs led to the discovery of new connected artifacts comprising:

  • 64 email-connected domains, one of which turned out to be malicious
  • 10 additional IP addresses, seven of which have already been tagged as malicious
  • 71 IP-connected domains, one of which has already been weaponized for attacks
  • 419 string-connected domains, seven of which have already figured in malicious campaigns

A sample of the additional artifacts obtained from our analysis is available for download from our website.

More on the EncryptHub IoCs

Before expanding the current list of EncryptHub IoCs, we sought to find more information on them first.

We began by querying the 14 domains identified as IoCs on Bulk WHOIS API. The results showed that:

  • They were all fairly newly registered, having been created between 2024 and 2025. Specifically, four were created in 2024 and 10 in 2025.
  • They were administered by six registrars led by PDR, which accounted for nine domains. One domain each was administered by GoDaddy, Metaregistrar, Namecheap, NiceNIC, and Sarek Oy.
  • Most of the domains, 11 to be exact, were registered in the U.S. One domain each was registered in Iceland and Saint Kitts and Nevis. Finally, one domain did not have a registrant country on record.

We then queried the 14 domains identified as IoCs on DNS Chronicle API and discovered that all of them had historical domain-to-IP resolutions. In fact, the 14 domains had 86 domain-to-IP resolutions over time. The domain global-protect[.]net had the oldest IP resolution date—28 February 2020. Since its current creation date was 16 January 2025, it has probably been re-registered recently.

The table below shows the DNS histories of five other domains.

DOMAIN IoC                  NUMBER OF IP RESOLUTIONS   FIRST IP RESOLUTION DATE
353827-coinbase[.]com       1                          27 January 2025
b8-crypt0x[.]com            1                          22 February 2025
concur[.]net[.]co           3                          22 January 2025
encrypthub[.]us             1                          9 February 2025
healthy-cleanse-fit[.]com   23                         27 September 2023

Next, we queried the six IP addresses identified as IoCs on Bulk IP Geolocation Lookup and found that:

  • They were geolocated in three countries. Two IP addresses each traced their origins to Germany, the Netherlands, and the U.S.

As with the domains identified as IoCs, we also queried the IP addresses tagged as IoCs on DNS Chronicle API and discovered that only five had historical IP-to-domain resolutions. The five IP addresses had 123 IP-to-domain resolutions over time. The IP address 82[.]115[.]223[.]199 recorded the oldest domain resolution date—9 January 2021.

Here are details on three other IP addresses identified as IoCs.

IP ADDRESS IoC            NUMBER OF DOMAIN RESOLUTIONS   FIRST DOMAIN RESOLUTION DATE
193[.]149[.]176[.]228     19                             7 June 2022
64[.]95[.]13[.]166        1                              23 January 2025
85[.]209[.]128[.]128      7                              17 December 2024

EncryptHub IoC List Expansion Findings

We started our search for connected web properties by querying the 14 domains identified as IoCs on WHOIS History API. We discovered that eight of them had eight email addresses in their historical WHOIS records after duplicates were filtered out. Four of the eight email addresses were public addresses.

We then queried the four public email addresses on Reverse WHOIS API and found that none of them appeared in the current WHOIS records of other domains. All of them, though, appeared in the historical WHOIS records of 64 domains after duplicates and those already identified as IoCs were filtered out.

A Threat Intelligence API query for the 64 email-connected domains showed that one—encrypthub[.]net—was already considered malicious.

Next, we queried the 14 domains identified as IoCs on DNS Lookup API. We discovered that 11 of them currently resolve to 10 IP addresses after duplicates and those already tagged as IoCs were filtered out.
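The pivoting procedure described above (public registrant e-mails from historical WHOIS, reverse WHOIS on those e-mails, current DNS resolutions minus known IoCs, passive DNS on the new IP addresses, and string matching on a distinctive token) can be modelled offline as a handful of set operations. The block below is an added example, not WhoisXML API code and not a client for its APIs: every WHOIS, DNS and passive-DNS record in it is constructed sample data using documentation/reserved names (`.test`, `example.com`, RFC 5737 addresses), and the function names are the example's own. It also encodes the re-registration reasoning applied earlier to global-protect[.]net: a domain whose earliest passive-DNS resolution predates its current WHOIS creation date has most likely been dropped and registered again.

```python
"""Offline model of the WHOIS/DNS pivots used to expand a seed IoC list.

Added example: the records below are constructed stand-ins for the data a
WHOIS-history, reverse-WHOIS, DNS-lookup and passive-DNS source would return.
"""
from datetime import date

# Seed IoCs in the defanged "[.]" notation used in the report (constructed list).
SEED_IOCS = ["encrypthub[.]us", "global-protect[.]net", "concur[.]net[.]co"]
SEED_IPS = ["203[.]0[.]113[.]10"]  # RFC 5737 documentation address, constructed


def refang(indicator: str) -> str:
    """Turn '[.]' back into '.' so the indicator can be used as a lookup key."""
    return indicator.replace("[.]", ".")


def defang(indicator: str) -> str:
    """Re-apply the '[.]' notation before writing indicators into a report."""
    return indicator.replace(".", "[.]")


# Constructed historical WHOIS: domain -> registrant e-mails ever recorded.
WHOIS_HISTORY = {
    "encrypthub.us": {"registrant-a@example.com", "privacy@redacted.example"},
    "global-protect.net": {"registrant-a@example.com"},
    "concur.net.co": set(),
    "example-pivot-1.test": {"registrant-a@example.com"},
    "example-pivot-2.test": {"registrant-a@example.com"},
    "unrelated.test": {"someone-else@example.org"},
}
# Only public (webmail-style) addresses are pivoted on; privacy-proxy
# addresses are shared by unrelated domains and would add noise.
PUBLIC_EMAIL_DOMAINS = {"example.com"}  # constructed stand-in for webmail providers

# Constructed current A records: domain -> IPs it resolves to today.
DNS_CURRENT = {
    "encrypthub.us": {"203.0.113.10", "198.51.100.7"},
    "global-protect.net": {"198.51.100.7"},
    "concur.net.co": {"192.0.2.44"},
}
# Constructed passive DNS: IP -> domains observed resolving to it.
PDNS_BY_IP = {
    "198.51.100.7": {"encrypthub.us", "global-protect.net", "ip-neighbor.test"},
    "192.0.2.44": {"concur.net.co", "shared-host-a.test", "shared-host-b.test"},
}
# Constructed candidate list for the string pivot (e.g. a new-registrations feed).
CANDIDATE_DOMAINS = ["encrypthub-login.test", "encrypt-hub.test", "encrypthub.us"]


def public_registrant_emails(seeds):
    """Step 1: e-mails from the seeds' historical WHOIS, public providers only."""
    emails = set()
    for d in seeds:
        emails |= WHOIS_HISTORY.get(d, set())
    return {e for e in emails if e.split("@", 1)[1] in PUBLIC_EMAIL_DOMAINS}


def email_connected_domains(seeds):
    """Step 2: reverse-WHOIS pivot; seeds are removed so only new artifacts remain."""
    emails = public_registrant_emails(seeds)
    return {d for d, es in WHOIS_HISTORY.items() if es & emails} - set(seeds)


def additional_ips(seeds, seed_ips):
    """Step 3: current resolutions of the seeds, minus IPs already listed as IoCs."""
    ips = set()
    for d in seeds:
        ips |= DNS_CURRENT.get(d, set())
    return ips - set(seed_ips)


def ip_connected_domains(seeds, seed_ips):
    """Step 4: passive-DNS pivot on the additional IPs, minus the seed domains."""
    domains = set()
    for ip in additional_ips(seeds, seed_ips):
        domains |= PDNS_BY_IP.get(ip, set())
    return domains - set(seeds)


def string_connected_domains(candidates, needle, seeds):
    """Step 5: candidate domains reusing a distinctive string from the IoCs."""
    return {d for d in candidates if needle in d} - set(seeds)


def likely_reregistered(created_iso: str, first_resolution_iso: str) -> bool:
    """True when passive DNS saw the domain before its current creation date."""
    return date.fromisoformat(first_resolution_iso) < date.fromisoformat(created_iso)


def expand(seed_iocs, seed_ip_iocs, candidates, needle):
    """Run all pivots on defanged input and return defanged, sorted results."""
    seeds = [refang(d) for d in seed_iocs]
    seed_ips = [refang(i) for i in seed_ip_iocs]
    return {
        "email_connected": sorted(defang(d) for d in email_connected_domains(seeds)),
        "additional_ips": sorted(defang(i) for i in additional_ips(seeds, seed_ips)),
        "ip_connected": sorted(defang(d) for d in ip_connected_domains(seeds, seed_ips)),
        "string_connected": sorted(
            defang(d) for d in string_connected_domains(candidates, needle, seeds)
        ),
    }


if __name__ == "__main__":
    for kind, found in expand(SEED_IOCS, SEED_IPS, CANDIDATE_DOMAINS, "encrypthub").items():
        print(f"{kind}: {len(found)} -> {found}")
    # Dates from the report: created 16 January 2025, first resolution 28 February 2020.
    print("global-protect[.]net re-registered?", likely_reregistered("2025-01-16", "2020-02-28"))
```

Each step subtracts the seeds (and, for IPs, the seed addresses) before counting, which is the "after duplicates and those already identified as IoCs were filtered out" qualifier the report attaches to every figure; the deduplication is what makes the counts comparable across pivots.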

This post only contains a snapshot of the full research. Download the complete findings and a sample of the additional artifacts on our website or contact us to discuss your intelligence needs for threat detection and response or other cybersecurity use cases.

Disclaimer: We take a cautionary stance toward threat detection and aim to provide relevant information to help protect against potential dangers. Consequently, it is possible that some entities identified as “threats” or “malicious” may eventually be deemed harmless upon further investigation or changes in context. We strongly recommend conducting supplementary investigations to corroborate the information provided herein.

By WhoisXML API, A Domain Research, Whois, DNS, and Threat Intelligence API and Data Provider

Whois API, Inc. (WhoisXML API) is a big data and API company that provides domain research & monitoring, Whois, DNS, IP, and threat intelligence API, data and tools to a variety of industries.
