National Cyber Warfare Foundation (NCWF)

LARVA-208 Group


2026-01-26 22:59:59
blscott
LARVA-208 (EncryptHub) is a threat actor that has come to the forefront since 26 June 2024 with highly sophisticated spear-phishing attacks. Its operational strategy is distinctive: it carries out every step needed to obtain initial access through personalized SMS messages (smishing) or direct phone calls to the target (vishing), tricking the victim into installing remote management software. Investigation of the actor's attacks shows that its social engineering techniques and persuasion skills are highly effective.

In the first phase, the actor typically creates a phishing site designed to trick the organization into providing the victim's VPN credentials. The actor then calls the victim, posing as an IT team or helpdesk, and asks them to enter their details on a phishing site under the pretext of technical issues. If the attack is delivered by a direct SMS text message rather than a call, a fake Microsoft Teams link is used to convince the victim. After gaining access through the victim user, the team runs various stealers on the compromised machine using PowerShell scripts they have developed. Among these stealers, the team currently prefers Fickle Stealer, StealC, and Rhadamanthys, which are run to collect sensitive information from the victim's machine. In most LARVA-208 attacks, ransomware was used in the final stage to encrypt the victim's device and demand a ransom.




a.k.a
Water Gamayun
Encrypt Hub
EncryptHub
 







Copyright 2012 through 2026 - National Cyber Warfare Foundation - All rights reserved worldwide.