Ethical Hacking News
Recent activity attributed to EncryptHub (also tracked as LARVA-208 and Water Gamayun) has drawn attention across the security community. The group combines social engineering, exploitation of the now-patched Windows flaw CVE-2025-26633 ("MSC EvilTwin"), and abuse of trusted platforms to deliver malware. Its latest campaign opens with fake IT messages on Microsoft Teams, uses PowerShell loaders and rogue .msc files to trigger the MMC flaw, and adds two Golang tools to the arsenal: SilentCrystal, a loader that abuses Brave Support to host payloads, and a SOCKS5 backdoor that reports stolen system details via Telegram. A fake video-conferencing site, RivaTalk, fronts the group's newest C2 server. Defenders should treat EncryptHub as a well-resourced and adaptive adversary: layered defenses, current threat intelligence, user awareness training, proactive detection and fast incident response are what limit its impact.
Security teams have long contended with adversaries who pair social engineering with vulnerability exploitation to get inside internal networks. EncryptHub (also referred to as LARVA-208 or Water Gamayun) is a comparatively recent entrant that stands out for how deliberately it chains those techniques together.
According to Trustwave SpiderLabs, EncryptHub recently launched a new campaign exploiting the now-patched Windows flaw CVE-2025-26633 (dubbed "MSC EvilTwin"), using rogue .msc files and social engineering to deliver malware. The flaw is a security-feature bypass in Microsoft Management Console (mmc.exe): a local attacker who can get a victim to open a console file can cause mmc.exe to execute an attacker-supplied .msc instead. It is not remotely exploitable on its own, which is why the campaign leans on social engineering to get the files opened.
The attack chain begins with fake IT-support messages on Microsoft Teams, used to talk the victim into granting remote access to the environment. A PowerShell loader then fetches runner.ps1, which drops two .msc files with the same name: a decoy in a working directory and the attacker's copy in a language subdirectory such as en-US. This is the MSC EvilTwin trick itself: when the decoy console is opened, mmc.exe looks for a localized copy via the MUIPath first and executes the attacker's file instead. Runner.ps1 writes the C2 URL into that localized file, which in turn downloads build.ps1. Build.ps1 collects system information, establishes persistence, and runs AES-encrypted commands received from the C2, including deploying Fickle Stealer.
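One practical way to hunt for the file-drop pattern just described is to look for the twin itself: a .msc file that has a same-named sibling in a language subdirectory whose contents differ. The script below is an added example written for this article; it is not code from the original page or from Trustwave's report. The directory layout it builds, the file names, and the "xx-YY" locale-folder heuristic are all constructed assumptions for the demo.

```python
"""Hunt for the MSC EvilTwin file-drop pattern (CVE-2025-26633 abuse).

The abuse relies on two .msc files with the same name: one the victim is
asked to open, and an attacker-controlled twin in that directory's MUI
(localized resource) subfolder such as en-US. mmc.exe resolves the localized
copy first, so the twin is what actually executes. This scanner walks a tree
and reports every such pair, noting whether the two files are byte-identical.
"""
import hashlib
import os
import re
import tempfile
from pathlib import Path
from typing import List, NamedTuple

# Folder names treated as MUI (locale) directories. Language tags look like
# "en-US" or "de-DE"; the pattern is a heuristic (an assumption for this
# example), deliberately requiring the "xx-YY" shape so ordinary short folder
# names are not mistaken for locales.
MUI_DIR_RE = re.compile(r"^[a-z]{2,3}-[A-Za-z]{2,4}$")


class Twin(NamedTuple):
    original: str    # the .msc a user would be asked to open
    twin: str        # the same-named .msc inside a MUI subfolder
    identical: bool  # True when both files have the same SHA-256


def _sha256(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def find_msc_twins(root: str) -> List[Twin]:
    """Walk `root` and report every .msc that has a same-named sibling in a
    MUI subdirectory. A pair whose contents differ has the EvilTwin shape."""
    hits: List[Twin] = []
    for dirpath, dirnames, filenames in os.walk(root):
        consoles = {f.lower(): f for f in filenames if f.lower().endswith(".msc")}
        if not consoles:
            continue
        for d in dirnames:
            if not MUI_DIR_RE.match(d):
                continue
            mui = Path(dirpath) / d
            for name in os.listdir(mui):
                key = name.lower()
                if key in consoles and (mui / name).is_file():
                    orig = Path(dirpath) / consoles[key]
                    hits.append(Twin(str(orig), str(mui / name),
                                     _sha256(orig) == _sha256(mui / name)))
    return sorted(hits)


def build_sample_tree() -> str:
    """Create a constructed directory layout for the demo (not real campaign
    artefacts) and return its root."""
    root = Path(tempfile.mkdtemp(prefix="msc-hunt-"))
    # Decoy console plus a differing copy in en-US: the EvilTwin pair.
    (root / "Tools").mkdir()
    (root / "Tools" / "Console.msc").write_text("<MMC_ConsoleFile>decoy</MMC_ConsoleFile>")
    (root / "Tools" / "en-US").mkdir()
    (root / "Tools" / "en-US" / "Console.msc").write_text(
        "<MMC_ConsoleFile>CONSTRUCTED: stand-in for the attacker copy</MMC_ConsoleFile>")
    # Same-named file in a non-MUI subfolder: not a twin, must not match.
    (root / "Tools" / "backup").mkdir()
    (root / "Tools" / "backup" / "Console.msc").write_text("<MMC_ConsoleFile>decoy</MMC_ConsoleFile>")
    # A localized .msc with no counterpart in the parent: also not a twin.
    (root / "Other" / "en-US").mkdir(parents=True)
    (root / "Other" / "en-US" / "Alone.msc").write_text("<MMC_ConsoleFile/>")
    return str(root)


if __name__ == "__main__":
    for hit in find_msc_twins(build_sample_tree()):
        verdict = "identical copy" if hit.identical else "CONTENTS DIFFER: investigate"
        print(f"{hit.original}\n  -> {hit.twin}  [{verdict}]")
```

Point `find_msc_twins` at user-writable locations the loader is likely to use (profile and temp directories) rather than at the whole system volume; a twin whose contents differ from the parent copy is the finding worth pulling for analysis, while an identical pair is most likely a harmless duplicate.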
Researchers have also detailed SilentCrystal, a Golang loader that replaced EncryptHub's earlier PowerShell scripts. It abuses Brave Support to host payloads, creates a look-alike Windows directory to slip past defenses that trust the real one, and exploits MSC EvilTwin to execute its payload. A second new tool is a Golang SOCKS5 backdoor that runs in either client or server mode, sends stolen system details via Telegram, and wraps its C2 traffic in TLS.
Furthermore, EncryptHub has been observed standing up a fake video-call platform, RivaTalk, as cover for its new C2 server. The site, registered in July 2025, gates its malicious Windows app behind an access code, which limits exposure to intended targets and keeps the installer away from casual researchers. That installer abuses a legitimate Symantec ELAM (Early Launch Anti-Malware) binary to sideload a DLL, which runs a PowerShell script that pulls further payloads.
EncryptHub represents a well-resourced and adaptive adversary, combining social engineering, abuse of trusted platforms, and exploitation of system vulnerabilities to gain and keep control of victim hosts. Its use of fake video-conferencing platforms, encrypted command channels, and an evolving malware toolset underscores the importance of layered defenses, ongoing threat intelligence, and user awareness training.
As their campaigns grow more targeted and stealthier, proactive detection and swift incident response are critical in mitigating the risks posed by this emerging threat group.
Related Information:
https://www.ethicalhackingnews.com/articles/The-Evolution-of-Stealthy-Threat-Actors-EncryptHubs-New-Campaign-ehn.shtml
https://securityaffairs.com/181203/cyber-crime/encrypthub-abuses-brave-support-in-new-campaign-exploiting-msc-eviltwin-flaw.html
https://thehackernews.com/2025/08/russian-group-encrypthub-exploits-msc.html
https://nvd.nist.gov/vuln/detail/CVE-2025-26633
https://www.cvedetails.com/cve/CVE-2025-26633/
Published: Sat Aug 16 05:14:04 2025 by llama3.2 3B Q4_K_M