The threat actor known as EncryptHub is continuing to exploit a now-patched security flaw impacting Microsoft Windows to deliver malicious payloads.
Trustwave SpiderLabs said it recently observed an EncryptHub campaign that brings together social engineering and the exploitation of a vulnerability in the Microsoft Management Console (MMC) framework (CVE-2025-26633, aka MSC EvilTwin) to trigger the infection routine via a rogue Microsoft Console (MSC) file.
“These activities are part of a broad, ongoing wave of malicious activity that blends social engineering with technical exploitation to bypass security defenses and gain control over internal environments,” Trustwave researchers Nathaniel Morales and Nikita Kazymirskyi said.
EncryptHub, also tracked as LARVA-208 and Water Gamayun, is a Russian hacking group that first gained prominence in mid-2024. Operating at a high tempo, the financially motivated crew is known for leveraging several methods, including fake job offers, portfolio review, and even compromising Steam games, to infect targets with stealer malware.
The threat actor’s abuse of CVE-2025-26633 was previously documented by Trend Micro in March 2025, uncovering attacks that deliver two backdoors called SilentPrism and DarkWisp.
The latest attack sequence involves the threat actor claiming to be from the IT department and sending a Microsoft Teams request to the target with the goal of initiating a remote connection and deploying secondary payloads by means of PowerShell commands.
Among the files dropped are two MSC files with the same name, one benign and the other malicious, that’s used to trigger CVE-2025-26633, ultimately resulting in the execution of the rogue MSC file when its innocuous counterpart is launched.
The MSC file, for its part, fetches and executes from an external server another PowerShell script that collects system information, establishes persistence on the host, and communicates with an EncryptHub command-and-control (C2) server to receive and run malicious payloads, including a stealer called Fickle Stealer.
“The script receives AES-encrypted commands from the attacker, decrypts them, and runs the payloads directly on the infected machine,” the researchers said.
Also deployed by the threat actor over the course of the attack is a Go-based loader codenamed SilentCrystal, which abuses Brave Support, a legitimate platform associated with the Brave web browser, to host next-stage malware – a ZIP archive containing the two MSC files to weaponize CVE-2025-26633.
What makes this significant is that uploading file attachments on the Brave Support platform is restricted for new users, indicating that the attackers somehow managed to obtain unauthorized access to an account with upload permissions to pull off the scheme.
Some of the other tools deployed include a Golang backdoor that operates in both client and server mode to send system metadata to the…
Source link
Disclaimer
We strive to uphold the highest ethical standards in all of our reporting and coverage. We blogs.grocliq.com want to be transparent with our readers about any potential conflicts of interest that may arise in our work. It’s possible that some of the investors we feature may have connections to other businesses, including competitors or companies we write about. However, we want to assure our readers that this will not have any impact on the integrity or impartiality of our reporting. We are committed to delivering accurate, unbiased news and information to our audience, and we will continue to uphold our ethics and principles in all of our work. Thank you for your trust and support.
Website Upgradation is going on for any glitch kindly connect at [email protected]
