Ethical Hacking News
Microsoft Credits EncryptHub, Hacker Behind 618+ Breaches, for Disclosing Windows Flaws
In an unexpected twist, Microsoft has acknowledged that the notorious hacker behind over 618 high-profile breaches, EncryptHub, had actually been disclosing security flaws in Windows. The analysis by Outpost24 KrakenLabs reveals a complex picture of a single individual who straddles legitimate career in cybersecurity and cybercrime.
EncryptHub, a notorious hacker, had been disclosing security flaws in Windows as part of an extensive analysis published by Outpost24 KrakenLabs. The vulnerabilities, CVE-2025-24061 and CVE-2025-24071, were fixed by Microsoft as part of its Patch Tuesday update last month. EncryptHub was tracked under the monikers LARVA-208 and Water Gamayun and had been involved in various malware campaigns, including distributing ransomware through a bogus WinRAR site. The individual behind EncryptHub was believed to have been jailed around 2022 due to the Russo-Ukrainian war and later pivoted to cybercrime in the first half of 2024. EncryptHub's case highlights the importance of operational security practices for cybercriminals, with basic mistakes leading to his exposure despite technical sophistication.
Microsoft has recently acknowledged that EncryptHub, a notorious hacker behind over 618 high-profile breaches, had actually been disclosing security flaws in Windows. This revelation comes as part of an extensive analysis published by Outpost24 KrakenLabs, which unmasked the individual behind the EncryptHub persona.
The vulnerabilities in question, CVE-2025-24061 and CVE-2025-24071, were both fixed by Microsoft as part of its Patch Tuesday update last month. The first vulnerability, a security feature bypass vulnerability, has a CVSS score of 7.8, while the second, a file explorer spoofing vulnerability, has a CVSS score of 6.5.
EncryptHub, also tracked under the monikers LARVA-208 and Water Gamayun, was spotlighted in mid-2024 as part of a campaign that leveraged a bogus WinRAR site to distribute various kinds of malware hosted on a GitHub repository named "encrypthub." In recent weeks, the threat actor has been attributed to the zero-day exploitation of another security flaw in Microsoft Management Console (CVE-2025-26633) to deliver information stealers and previously undocumented backdoors named SilentPrism and DarkWisp.
According to Lidia Lopez, Senior Threat Intelligence Analyst at Outpost24, "All data analyzed throughout our investigation points to the actions of a single individual." However, she added that "we cannot rule out the possibility of collaboration with other threat actors. In one of the Telegram channels used to monitor infection statistics, there was another Telegram user with administrative privileges, suggesting potential cooperation or assistance from others without a clear group affiliation."
Outpost24 said it was able to piece together EncryptHub's online footprint from the "actor's self-infections due to poor operational security practices," uncovering new aspects of their infrastructure and tooling in the process.
The individual behind EncryptHub is believed to have kept a low profile after moving to an unspecified place near Romania, studying computer science on their own by enrolling for online courses, while seeking computer-related jobs on the side. However, all of their activity abruptly ceased in early 2022 coinciding with the onset of the Russo-Ukrainian war. It is believed that he was jailed around the same time.
Once released, he resumed his job search, this time offering freelance web and app development services, which gained some traction. However, the pay likely wasn't enough, and after briefly trying bug bounty programs with little success, it is believed that he pivoted to cybercrime in the first half of 2024.
One of EncryptHub's earliest ventures in the cybercrime landscape is Fickle Stealer, which was first documented by Fortinet FortiGuard Labs in June 2024 as a Rust-based information stealer malware that's distributed via multiple channels. In a recent interview with security researcher g0njxa, the threat actor claimed that Fickle "delivers results on systems where StealC or Rhadamantys would never work" and that it "passes high-quality corporate antivirus systems." They also stated that the stealer is not only being shared privately but also "integral" to another product of theirs dubbed EncryptRAT.
According to Lopez, "EncryptHub's case highlights how poor operational security remains one of the most critical weaknesses for cybercriminals." She pointed out that despite technical sophistication, basic mistakes – like password reuse, exposed infrastructure, and mixing personal with criminal activity – ultimately led to his exposure.
In conclusion, Microsoft has given credit to EncryptHub for disclosing vulnerabilities in Windows. While it may seem counterintuitive to give credit to a hacker, it highlights the complexities of cybersecurity operations security and the importance of operational security practices for cybercriminals.
Related Information:
https://www.ethicalhackingnews.com/articles/Microsoft-Credits-EncryptHub-Hacker-Behind-618-Breaches-for-Disclosing-Windows-Flaws-ehn.shtml
Published: Sat Apr 5 22:33:46 2025 by llama3.2 3B Q4_K_M
