

Ethical Hacking News

Russian Group EncryptHub Exploits Microsoft Vulnerability to Deploy Advanced Stealer Malware


The Russian threat group EncryptHub is exploiting CVE-2025-26633, a vulnerability in the Microsoft Management Console (MMC) framework, to deploy stealer malware, pairing social-engineering lures with the MMC flaw to gain a foothold on internal hosts.

  • According to Trustwave SpiderLabs, the Russian hacking group EncryptHub is running a campaign that exploits CVE-2025-26633 (MSC EvilTwin), a vulnerability in the Microsoft Management Console (MMC) framework.
  • The intrusion starts with social engineering rather than email: an operator posing as IT staff sends the target a Microsoft Teams request to obtain a remote session, then runs PowerShell that downloads further scripts to collect system information, establish persistence and poll the command-and-control (C2) server for payloads.
  • Among the dropped payloads are two MSC files with identical names, one benign and one malicious; launching the benign console triggers CVE-2025-26633 and executes the rogue copy.
  • A Go-based loader, SilentCrystal, hosts the next stage (a ZIP archive holding the two MSC files) on Brave Support, a legitimate platform tied to the Brave browser, sidestepping the restrictions that platform places on file-attachment uploads.
  • Additional tooling includes a Golang backdoor that runs in both client and server mode, reports system metadata to the C2 server and builds out C2 infrastructure over SOCKS5 proxy tunneling.
  • A parallel lure, a fake videoconferencing product called RivaTalk, delivers an MSI that sideloads a malicious DLL through a legitimate Symantec ELAM installer; the implant shows a fake "System Configuration" pop-up and generates decoy browser traffic to mask its C2 communications.
  • Defenders should treat unsolicited remote-assistance requests as suspect, patch CVE-2025-26633, and watch for same-named MSC files, sideloaded DLLs and periodic outbound connections hidden among ordinary browsing.



    A recent discovery by Trustwave SpiderLabs sheds light on a campaign by the Russian hacking group known as EncryptHub. The group has been linked to several high-profile attacks in the past and has repeatedly adapted its tooling as defenders caught up with it.

    According to the Trustwave SpiderLabs report, EncryptHub's latest attack vector exploits a vulnerability in the Microsoft Management Console (MMC) framework, designated CVE-2025-26633. The flaw, commonly referred to as MSC EvilTwin, was documented by Trend Micro in March 2025; Trustwave's researchers have now observed EncryptHub exploiting it as well.

    The intrusion begins with the threat actor posing as an IT department representative and sending the target a Microsoft Teams request to initiate a remote connection. Once that session is granted, the operator runs PowerShell commands that deliver the payloads.

    Among the payload files dropped are two MSC files with identical names, one benign and the other malicious. The malicious file is the trigger for CVE-2025-26633: when the innocuous console file is launched, the rogue one is executed. That execution in turn fetches another PowerShell script from an external server and runs it; this script collects system information, establishes persistence on the host, and communicates with an EncryptHub command-and-control (C2) server to receive and run further payloads.
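    The twin-MSC layout is something a defender can hunt for on disk. The script below is an added example, not code from Trustwave, Trend Micro or this article: it walks a directory tree, groups .msc files by name, and reports any pair where one copy sits in a direct subdirectory of the other's folder. One assumption is not stated on this page: Trend Micro's MSC EvilTwin write-up describes MMC picking up a same-named console file from a language-tagged subfolder such as en-US, so the code flags that folder shape separately; the folder names, file bodies and the temporary demo tree are all constructed for the example.

```python
"""
Hunt for MSC "twins": two .msc files with the same name, one placed in a
subdirectory of the other's folder. Added example, not vendor or page code.

Assumption (not on this page): MMC may prefer a same-named .msc from a
language-tagged subfolder such as en-US; LANG_TAG marks that shape. Any
same-named twin one level down is reported regardless.
"""
import os
import re
import tempfile
from collections import defaultdict

# Folder names shaped like a language tag (en-US, de-DE, ...). Heuristic only.
LANG_TAG = re.compile(r"^[a-z]{2,3}-[A-Za-z]{2,4}$")


def find_msc_twins(root):
    """Walk `root`; return sorted (name, outer_path, inner_path, in_lang_folder).

    A twin is a pair of .msc files sharing a basename (case-insensitive) where
    inner_path lives in a direct subdirectory of outer_path's directory.
    """
    by_name = defaultdict(list)
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            if fname.lower().endswith(".msc"):
                by_name[fname.lower()].append(os.path.join(dirpath, fname))

    findings = []
    for name, paths in by_name.items():
        if len(paths) < 2:
            continue
        for outer in paths:
            outer_dir = os.path.dirname(outer)
            for inner in paths:
                inner_dir = os.path.dirname(inner)
                if inner != outer and os.path.dirname(inner_dir) == outer_dir:
                    in_lang = bool(LANG_TAG.match(os.path.basename(inner_dir)))
                    findings.append((name, outer, inner, in_lang))
    return sorted(findings)


def build_demo_tree(base):
    """Constructed layout for the demo; no path here comes from a real incident."""
    layout = [
        ("WindowsSysTools", "diag.msc"),                         # decoy console a user opens
        (os.path.join("WindowsSysTools", "en-US"), "diag.msc"),  # same-named rogue twin
        ("Other", "report.msc"),                                 # lone console, not reported
    ]
    for subdir, fname in layout:
        os.makedirs(os.path.join(base, subdir), exist_ok=True)
        with open(os.path.join(base, subdir, fname), "w", encoding="utf-8") as fh:
            fh.write('<?xml version="1.0"?><MMC_ConsoleFile/>\n')  # placeholder body


def demo():
    """Build the constructed tree in a temp dir, scan it and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        build_demo_tree(tmp)
        return find_msc_twins(tmp)


if __name__ == "__main__":
    for name, outer, inner, in_lang in demo():
        print(f"{name}: {outer} shadowed by {inner} (language folder: {in_lang})")
```

    Point it at user-writable locations first (profile folders, Temp, Downloads), since that is where a dropper can create both files; a hit with in_lang_folder set is the stronger lead, but any same-named pair deserves a look at the inner file's XML for embedded script or URLs.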

    The payload set also includes a Go-based loader codenamed SilentCrystal, which abuses Brave Support, a legitimate support platform for the Brave web browser, to host the next stage: a ZIP archive containing the two MSC files that weaponize CVE-2025-26633. Staging the archive there lets EncryptHub circumvent the restrictions Brave Support places on file-attachment uploads and serve its payload from a legitimate site.

    Researchers also identified additional tools in the chain, including a Golang backdoor that operates in both client and server mode, sends system metadata to the C2 server, and builds out C2 infrastructure using SOCKS5 proxy tunneling. There is evidence, too, that EncryptHub continues to rely on videoconferencing lures, this time standing up phony platforms such as RivaTalk to trick victims into downloading an MSI installer.

    Running the MSI drops several files, among them a legitimate Early Launch Anti-Malware (ELAM) installer binary from Symantec that is used to sideload a malicious DLL. The DLL launches a PowerShell command that downloads and runs another PowerShell script engineered to gather system information and exfiltrate it to the C2 server.
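    The sideload step leaves a recognisable trace in image-load telemetry. The code below is an added example, not Trustwave's or Symantec's tooling: it runs a rule over records shaped like Sysmon event 7 (Image, ImageLoaded, Signed, Signature) and flags a signed executable running from a user-writable directory that loads a DLL from its own directory when that DLL is unsigned or signed by a different publisher. The trusted-root list is an assumption to adjust per environment, and every event, path, signer string and DLL name is constructed.

```python
"""
Sideload hunt over constructed image-load events (Sysmon event 7 shape).
Added example, not vendor code. Paths, signers and DLL names are made up.
"""
import ntpath
from dataclasses import dataclass


@dataclass(frozen=True)
class ImageLoad:
    image: str          # the process executable doing the loading
    image_signed: bool
    image_signer: str
    loaded: str         # the module it loaded
    loaded_signed: bool
    loaded_signer: str


# Directories where a same-folder DLL load is far less likely to be attacker-staged.
# Assumption: these are the defaults; extend with your own install roots.
TRUSTED_ROOTS = (
    "c:\\windows\\",
    "c:\\program files\\",
    "c:\\program files (x86)\\",
)


def in_user_writable_location(path):
    """True unless the path sits under one of TRUSTED_ROOTS (case-insensitive)."""
    return not path.lower().startswith(TRUSTED_ROOTS)


def suspicious_sideloads(events):
    """Return events where a signed EXE in a user-writable folder loads a DLL
    from that same folder and the DLL is unsigned or signed by someone else."""
    hits = []
    for ev in events:
        same_dir = ntpath.dirname(ev.image).lower() == ntpath.dirname(ev.loaded).lower()
        if not (ev.image_signed and same_dir and in_user_writable_location(ev.image)):
            continue
        if not ev.loaded_signed or ev.loaded_signer.lower() != ev.image_signer.lower():
            hits.append(ev)
    return hits


STAGING = r"C:\Users\bob\AppData\Local\Temp\RivaTalkSetup"  # constructed staging dir

SAMPLE_EVENTS = [
    # 1: signed vendor installer in Temp loads an unsigned DLL beside it -> flag
    ImageLoad(STAGING + r"\elam_installer.exe", True, "Vendor A Corp",
              STAGING + r"\helper.dll", False, ""),
    # 2: same installer loads a Microsoft-signed system DLL -> other folder, ignore
    ImageLoad(STAGING + r"\elam_installer.exe", True, "Vendor A Corp",
              r"C:\Windows\System32\kernel32.dll", True, "Microsoft Windows"),
    # 3: product under Program Files loading its own unsigned plugin -> trusted root, ignore
    ImageLoad(r"C:\Program Files\SomeApp\app.exe", True, "SomeApp Ltd",
              r"C:\Program Files\SomeApp\plugin.dll", False, ""),
    # 4: signed tool in Temp loading a DLL from the same publisher -> ignore
    ImageLoad(STAGING + r"\tool.exe", True, "Vendor A Corp",
              STAGING + r"\tool_support.dll", True, "Vendor A Corp"),
]


def demo():
    return suspicious_sideloads(SAMPLE_EVENTS)


if __name__ == "__main__":
    for ev in demo():
        print(f"possible sideload: {ev.image} -> {ev.loaded} "
              f"(DLL signer: {ev.loaded_signer or 'none'})")
```

    Case 3 is the caveat: the rule deliberately ignores trusted install roots to keep noise down, so a vendor that ships unsigned plugins under Program Files will not be reported. If the environment allows, drop that filter and pivot on the parent process instead (an MSI-spawned installer in Temp is the shape described above).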

    The malware also displays a fake "System Configuration" pop-up as a ruse while starting a background job that generates decoy browser traffic, HTTP requests to popular websites, so that its C2 communications blend in with normal network activity. That combination of social engineering, living-off-the-land and traffic camouflage is why layered defenses, ongoing threat intelligence and user awareness training all matter here.
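    Decoy traffic hides volume, not timing. The script below is an added example, not the vendors' detection logic: it reads proxy-log lines, groups requests per client and destination, and reports destinations contacted on a near-constant schedule, which is how a beacon looks even when it is surrounded by requests to popular sites. The log format, the client address, the destination names and every timestamp are constructed for the example.

```python
"""
Per-destination beacon check over proxy logs. Added example, not vendor code.
The log format and all lines in SAMPLE_PROXY_LOG are constructed.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed format: "<UTC timestamp> <client ip> <destination host> <method> <status>"
SAMPLE_PROXY_LOG = """\
2025-08-15T10:00:03Z 10.0.0.7 www.google.com GET 200
2025-08-15T10:00:05Z 10.0.0.7 www.microsoft.com GET 200
2025-08-15T10:00:10Z 10.0.0.7 c2.example.invalid POST 200
2025-08-15T10:00:41Z 10.0.0.7 www.youtube.com GET 200
2025-08-15T10:01:09Z 10.0.0.7 c2.example.invalid POST 200
2025-08-15T10:01:15Z 10.0.0.7 www.wikipedia.org GET 200
2025-08-15T10:01:50Z 10.0.0.7 www.google.com GET 200
2025-08-15T10:02:11Z 10.0.0.7 c2.example.invalid POST 200
2025-08-15T10:02:30Z 10.0.0.7 www.amazon.com GET 200
2025-08-15T10:03:10Z 10.0.0.7 c2.example.invalid POST 200
2025-08-15T10:03:12Z 10.0.0.7 www.google.com GET 200
2025-08-15T10:04:09Z 10.0.0.7 c2.example.invalid POST 200
2025-08-15T10:04:55Z 10.0.0.7 www.microsoft.com GET 200
2025-08-15T10:05:11Z 10.0.0.7 c2.example.invalid POST 200
2025-08-15T10:05:40Z 10.0.0.7 www.google.com GET 200
2025-08-15T10:06:10Z 10.0.0.7 c2.example.invalid POST 200
2025-08-15T10:06:20Z 10.0.0.7 www.google.com GET 200
"""


def parse_proxy_log(text):
    """Yield (client, host, datetime) tuples from the constructed log format."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, host, _method, _status = line.split()
        yield client, host, datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def find_beacons(text, min_count=5, max_cv=0.15):
    """Map (client, host) -> (count, mean_gap_seconds, cv) for destinations a
    client contacts at least min_count times with near-constant spacing.

    cv is the coefficient of variation (stdev / mean) of the gaps between
    consecutive requests. A scheduler with small jitter keeps it well under
    max_cv; human browsing, and scattered decoy hits on popular sites, do not.
    """
    seen = defaultdict(list)
    for client, host, ts in parse_proxy_log(text):
        seen[(client, host)].append(ts)

    beacons = {}
    for key, stamps in seen.items():
        if len(stamps) < min_count:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            beacons[key] = (len(stamps), avg, cv)
    return beacons


if __name__ == "__main__":
    for (client, host), (n, avg, cv) in find_beacons(SAMPLE_PROXY_LOG).items():
        print(f"{client} -> {host}: {n} requests, roughly every {avg:.0f}s (cv={cv:.3f})")
```

    In the sample the five google.com requests are dropped because their spacing is erratic, while the seven posts to the constructed C2 host come every minute with two seconds of jitter and are reported. The caveat is that the decoy job is itself scripted: if it hits the same site on a fixed timer it will look periodic too, so treat a hit as a lead to resolve against the originating process (which binary opened the socket), not as a verdict.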

    EncryptHub's record of high-profile intrusions is a reminder that no environment is immune, and that organizations and individuals alike need to stay alert and keep their defensive controls effective.

    In short, EncryptHub's exploitation of CVE-2025-26633 is a significant threat to Windows users. Social engineering paired with the abuse of a flaw in a built-in management tool means that patching, telemetry on console and script execution, and an informed user base are all part of the answer.



    Related Information:
  • https://www.ethicalhackingnews.com/articles/Russian-Group-EncryptHub-Exploits-Microsoft-Vulnerability-to-Deploy-Advanced-Stealer-Malware-ehn.shtml
  • https://thehackernews.com/2025/08/russian-group-encrypthub-exploits-msc.html
  • https://www.cybersecuritydive.com/news/russian-threat-actor-weaponizing-microsoft-management-console-zero-day/743558/


  • Published: Sat Aug 16 01:50:44 2025 by llama3.2 3B Q4_K_M

    © Ethical Hacking News. All rights reserved.