Ethical Hacking News
A Windows zero-day vulnerability in the Microsoft Management Console (MMC), dubbed "MSC EvilTwin" and now tracked as CVE-2025-26633, has been exploited by the threat actor known as EncryptHub. The flaw is patched; the primary defense is to apply the March 2025 security updates and to treat unexpected .msc console files as suspect.
EncryptHub, a threat actor known for its multi-stage malware campaigns, has been linked to zero-day attacks exploiting a Microsoft Management Console (MMC) vulnerability patched this month. The vulnerability, dubbed "MSC EvilTwin" and now tracked as CVE-2025-26633, is a security feature bypass in how MMC handles console (.msc) files on unpatched devices.
According to Trend Micro staff researcher Aliakbar Zahravi, the attack exploits the vulnerability by sending specially crafted files to users and convincing them to open the file. In a web-based attack scenario, an attacker could host a website containing a specially crafted file designed to exploit the vulnerability. This allows attackers to evade Windows file reputation protections and execute code without warning the user.
The EncryptHub threat actor has been associated with multiple malicious payloads linked to previous attacks, including the EncryptHub stealer, the DarkWisp and SilentPrism backdoors, Stealc, the Rhadamanthys stealer, and a PowerShell-based MSC EvilTwin trojan loader. The loader abuses .msc files and the Multilingual User Interface Path (MUIPath): it drops a benign console file alongside a malicious one of the same name placed in a locale-named subfolder, so that when the benign file is opened, mmc.exe resolves the MUI path and loads the malicious twin instead. From there the loader downloads and executes further payloads, establishes persistence, and steals sensitive data from infected systems.
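A hunting script for the file layout described above, added here as an example; it is not Trend Micro's tooling nor any part of the EncryptHub loader. It assumes the twin sits in a subfolder whose name looks like a culture tag (en-US and similar; the regex is an assumption for this example), that .msc console files are XML text, and that the keyword list is a starting point rather than a signature. It deliberately scans only user-writable locations, where a dropped console would land, to avoid noise from legitimate localization layouts under the Windows directory.

```powershell
# Added example (not from the original article or the threat actor's code).
# Looks for the "EvilTwin" layout: a .msc file with a same-named twin in a
# locale-named subfolder (the MUI path that mmc.exe consults), then inspects
# the twin for content that has no business in a console file.
$LocalePattern = '^[a-z]{2,3}(-[A-Za-z]{2,4})?$'   # assumption: en, en-US, zh-Hans, ...
$SuspiciousPatterns = @(                             # assumption: tune per environment
    'https?://',             # remote content referenced from a console file
    'ExecuteShellCommand',   # taskpad action that runs an arbitrary command
    'powershell', 'mshta', 'cmd\.exe', 'rundll32', 'FromBase64String'
)

function Find-MscTwin {
    param([string[]]$Roots)
    foreach ($root in $Roots) {
        if ([string]::IsNullOrEmpty($root) -or -not (Test-Path $root)) { continue }
        Get-ChildItem -Path $root -Recurse -Filter '*.msc' -File -ErrorAction SilentlyContinue |
            Where-Object { $_.Directory.Name -match $LocalePattern } |
            ForEach-Object {
                $parent = $_.Directory.Parent
                if ($null -eq $parent) { return }          # locale folder at a drive root: skip
                # Candidate twin: same file name one level up, outside the locale folder.
                $twin = Join-Path $parent.FullName $_.Name
                if (Test-Path $twin) {
                    [pscustomobject]@{
                        Opened   = $twin           # the file the user double-clicks
                        Loaded   = $_.FullName     # the file MMC resolves via the MUI path
                        Modified = $_.LastWriteTime
                    }
                }
            }
    }
}

function Test-MscContent {
    param([string]$Path)
    $text = Get-Content -Path $Path -Raw -ErrorAction SilentlyContinue
    if (-not $text) { return $null }
    $hits = $SuspiciousPatterns | Where-Object { $text -match $_ }
    # Mark-of-the-Web: a downloaded file normally carries a Zone.Identifier stream.
    # A locally written twin usually lacks it, which is a hint, not proof.
    $motw = Get-Item -Path $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Path    = $Path
        Hits    = ($hits -join ',')
        HasMotW = [bool]$motw
    }
}

# User-writable roots where a dropped console would typically land.
$roots = @($env:LOCALAPPDATA, $env:APPDATA, $env:TEMP, $env:ProgramData, $env:PUBLIC)
$twins = Find-MscTwin -Roots $roots
$twins | Format-Table -AutoSize
$twins | ForEach-Object { Test-MscContent -Path $_.Loaded } |
    Where-Object { $_ -and $_.Hits } | Format-Table -AutoSize
```

Any pair reported by Find-MscTwin deserves a look regardless of keyword hits: a benign console file never needs a same-named copy in a locale subfolder under a user profile. Run it from an elevated prompt if you want to cover other users' profiles, and feed confirmed paths into your EDR's file-hash and parent-process (mmc.exe) searches.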
The campaign is under active development, employing multiple delivery methods and custom payloads designed to maintain persistence and steal sensitive data, which is exfiltrated to command-and-control (C&C) servers. Trend Micro also found an early version of the technique in an April 2024 incident, well before the March 2025 patch.
Prodaft has previously linked EncryptHub to breaches of at least 618 organizations worldwide, following spear-phishing and social engineering attacks. EncryptHub also deploys ransomware payloads to encrypt victims' files after stealing sensitive data as an affiliate of the RansomHub and BlackSuit ransomware operations.
Separately this month, Microsoft patched another zero-day (CVE-2025-24983), an elevation-of-privilege flaw in the Windows Win32 Kernel Subsystem reported to have been exploited in attacks since March 2023. Both fixes shipped in the March 2025 Patch Tuesday release, which addressed several exploited zero-days alongside its routine updates.
Water Gamayun and LARVA-208 are not separate actors but vendor aliases for the same group: Trend Micro tracks EncryptHub as Water Gamayun, and Prodaft as LARVA-208. Reports under any of these names describe the same cluster of ransomware deployment and zero-day exploitation against Windows systems.
The campaign underlines the value of prompt patching: CVE-2025-26633 is fixed, but unpatched systems remain exposed, and attackers who lose one delivery method typically move to the next. Beyond applying updates, defenders should monitor for .msc files delivered by e-mail or web download, for mmc.exe spawning scripting hosts, and for console files that reference remote content, and should treat indicators from the reports below as a starting point for hunting.
Related Information:
https://www.ethicalhackingnews.com/articles/Windows-Vulnerability-Exploited-by-EncryptHub-Threat-Actor-Leaves-Millions-of-Systems-at-Risk-ehn.shtml
https://www.bleepingcomputer.com/news/security/encrypthub-linked-to-zero-day-attacks-targeting-windows-systems/
https://www.bleepingcomputer.com/news/security/new-windows-zero-day-leaks-ntlm-hashes-gets-unofficial-patch/
https://nvd.nist.gov/vuln/detail/CVE-2025-26633
https://www.cvedetails.com/cve/CVE-2025-26633/
https://nvd.nist.gov/vuln/detail/CVE-2025-24983
https://www.cvedetails.com/cve/CVE-2025-24983/
https://outpost24.com/blog/unveiling-encrypthub-multi-stage-malware/
https://rewterz.com/threat-advisory/encrypthub-a-multi-stage-malware-breach-impacting-600-organizations-active-iocs
https://www.trendmicro.com/en_us/research/25/c/cve-2025-26633-water-gamayun.html
https://cybersecuritynews.com/hackers-exploit-windows-mmc-zero-day-vulnerability/
Published: Tue Mar 25 15:01:11 2025 by llama3.2 3B Q4_K_M