01 10 11 TRENDING TOPICS

Update: EncryptHub Expands Cybercrime Operations with Phishing, Malware, and Ransomware

EncryptHub, a financially driven threat group, has been carrying out advanced phishing campaigns to deliver information stealers and ransomware while developing a new remote access tool called EncryptRAT. This group targets users of popular applications by spreading trojanized software versions, often leveraging third-party pay-per-install services to reach more victims. They rely on a mix of SMS phishing, voice phishing, and fake IT support calls to steal VPN credentials and deploy remote monitoring software. Victims are often tricked into entering their credentials on phishing sites that mimic legitimate login pages, leading to further compromise. Once inside a network, EncryptHub executes PowerShell scripts to deploy malware such as Fickle, StealC, and Rhadamanthys. Before ransomware is delivered, these tools steal sensitive data, including cookies and login credentials. The group has also been caught distributing fake versions of software applications, including QQ Talk, WeChat, Google Meet, and Palo Alto Global Protect, which serve as backdoors for malware installation. Since January 2025, they have been using a third-party service called LabInstalls to automate bulk malware distribution, making their attacks more efficient. EncryptHub is now working on EncryptRAT, a command-and-control panel that allows attackers to issue remote commands, manage infections, and extract stolen data. Given their ongoing expansion, security teams must remain alert and strengthen defenses against phishing, social engineering, and malicious software distribution tactics. 


Update: Mass Website Infections Exploit WordPress, Magento, and JavaScript Vulnerabilities

Thousands of websites have been compromised in multiple large-scale attacks, with hackers injecting malicious JavaScript and deploying backdoors to maintain long-term access. Over 1,000 WordPress sites have been infected with a third-party script that embeds four separate backdoors, each designed to give attackers a way back in if one entry point is detected and removed. One method installs a fake plugin to execute commands; another modifies critical WordPress configuration files; a third adds unauthorized SSH keys for persistent remote access; and the fourth fetches additional payloads to open a reverse shell. To reduce the risk, users are urged to remove any unauthorized SSH keys, reset WordPress admin credentials, and monitor logs for unusual activity. Meanwhile, another campaign has compromised over 35,000 websites with JavaScript designed to hijack browsers and redirect visitors to Chinese-language gambling sites. The attackers embed malicious scripts across multiple domains, triggering automatic redirections once a user lands on an infected site. This aligns with another attack targeting Magento e-commerce platforms, where a threat group known as ScreamedJungle has injected Bablosoft JS into compromised sites. This script collects detailed browser fingerprints from visitors, which can be used to evade security systems and carry out fraud. The group has exploited vulnerabilities in outdated Magento versions to breach websites and gather user data. These incidents highlight the growing threat of JavaScript-based attacks, where adversaries exploit website vulnerabilities to steal data, manipulate user behavior, and establish persistent control over compromised environments. 
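One way to act on the "remove any unauthorized SSH keys" step above: an added example, not code from Hunter Strategy or from the campaign write-up, that audits an authorized_keys file against an allowlist of approved SHA256 fingerprints and flags every key not on it, regardless of how it was added or which options it carries. The sample file contents and key blobs are constructed placeholders, and the allowlist itself is an assumption.

```python
import base64
import hashlib
import re

# Matches "[options] keytype base64blob [comment]"; any options (which may hold
# commas and quoted strings) are whatever precedes the key type.
_KEY_RE = re.compile(
    r"(?<!\S)(?P<type>ssh-(?:rsa|dss|ed25519)|ecdsa-sha2-nistp(?:256|384|521)|"
    r"sk-(?:ssh-ed25519|ecdsa-sha2-nistp256)@openssh\.com)\s+"
    r"(?P<blob>[A-Za-z0-9+/=]+)(?:\s+(?P<comment>.*))?$"
)

def fingerprint(blob: str) -> str:
    """SHA256 fingerprint in the form `ssh-keygen -lf` prints it."""
    digest = hashlib.sha256(base64.b64decode(blob)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def audit_authorized_keys(text: str, approved: set[str]) -> list[dict]:
    """Return every entry whose fingerprint is not in the approved allowlist."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        entry = line.strip()
        if not entry or entry.startswith("#"):
            continue  # blank lines and comments carry no key
        match = _KEY_RE.search(entry)
        if match is None:
            findings.append({"line": lineno, "reason": "unparseable entry"})
            continue
        fp = fingerprint(match["blob"])
        if fp not in approved:
            findings.append({
                "line": lineno, "reason": "fingerprint not in allowlist",
                "type": match["type"], "fingerprint": fp,
                "options": entry[: match.start()].strip(),
                "comment": match["comment"] or "",
            })
    return findings

# Constructed sample file: the blobs are placeholder bytes, not real keys.
OPS_BLOB = base64.b64encode(b"constructed-operator-key-material").decode()
BACKUP_BLOB = base64.b64encode(b"constructed-backup-key-material").decode()
ROGUE_BLOB = base64.b64encode(b"constructed-key-added-by-intruder").decode()
SAMPLE_AUTHORIZED_KEYS = (
    f"ssh-ed25519 {OPS_BLOB} ops@deploy-host\n"
    "# backup automation, restricted to a single command\n"
    f'command="/usr/local/bin/backup.sh",no-pty ssh-rsa {BACKUP_BLOB} backup@jumpbox\n'
    f"ssh-ed25519 {ROGUE_BLOB}\n"
)
APPROVED = {fingerprint(OPS_BLOB), fingerprint(BACKUP_BLOB)}
```

Run `audit_authorized_keys(SAMPLE_AUTHORIZED_KEYS, APPROVED)` to see the rogue fourth entry reported; on a real host, compare against the fingerprints your change management records as approved rather than against the file itself.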


Update: Medusa Ransomware Expands Operations, Targeting Government and Financial Sectors

The Medusa ransomware group has escalated its attacks, claiming nearly 400 victims since its emergence in early 2023. Attacks linked to Medusa surged by 42% between 2023 and 2024, with over 40 incidents reported in just the first two months of 2025. Tracked as Spearwing by Symantec, the group operates on a double extortion model, stealing sensitive data before encrypting systems to pressure victims into paying a ransom. If payment is refused, they threaten to leak the stolen data online. Medusa has aggressively targeted financial institutions, government agencies, healthcare providers, and non-profits, demanding ransoms ranging from $100,000 to $15 million. The attackers exploit known vulnerabilities in public-facing applications, mainly Microsoft Exchange Server, to gain initial access. There are also indications that they purchase network access from initial access brokers. Once inside, they use remote management tools such as SimpleHelp, AnyDesk, and MeshAgent for persistent control. The group also deploys the Bring Your Own Vulnerable Driver (BYOVD) technique, using KillAV to disable security software. Medusa has been observed leveraging PDQ Deploy, a legitimate remote management software, to distribute additional malware and move laterally across networks. Data exfiltration uses tools like Navicat, RoboCopy, and Rclone, allowing the group to steal large volumes of sensitive information before encryption. The increase in Medusa ransomware activity comes amid a shifting ransomware landscape, with new ransomware-as-a-service (RaaS) groups filling the void left by disruptions to LockBit and BlackCat. With the rise of groups like RansomHub, Play, Qilin, and Anubis, the competition among cyber extortionists has intensified. Medusa’s evolving techniques and strategic targeting of high-value organizations suggest that it will continue to be a significant threat in the ransomware ecosystem. 

💡 Hunter Strategy encourages our readers to look for updates in our daily Trending Topics and on Twitter.