Ethical Hacking News
A recently disclosed zero-day exploit used by the EncryptHub threat actor has been used to push information stealers such as Rhadamanthys and StealC onto unpatched Windows systems. This article summarises the actor's tactics and what organisations can do to defend against similar attacks.
The EncryptHub threat actor exploited a zero-day vulnerability in Microsoft Windows to deploy malware families including backdoors and information stealers. The attack used an improper neutralization vulnerability in Microsoft Management Console (MMC) to download and execute malicious payloads on vulnerable systems. Victims were likely tricked into downloading digitally signed Microsoft Installer (MSI) files impersonating legitimate Chinese software. Multiple delivery methods were employed, including mock trusted directories used to bypass User Account Control (UAC) and drop malicious .msc files. The malware families delivered include Rhadamanthys and StealC, both known for stealing sensitive data from infected systems.
A threat actor tracked as EncryptHub has exploited a zero-day vulnerability in Microsoft Windows to deploy a range of malware families, including backdoors and information stealers such as Rhadamanthys and StealC. The campaign, which has been attributed to a Russian activity cluster, leverages an improper neutralization vulnerability in Microsoft Management Console (MMC) to download and execute malicious payloads on vulnerable systems.
According to Trend Micro researcher Aliakbar Zahravi, the attack chain likely begins with victims downloading digitally signed Microsoft Installer (MSI) files impersonating legitimate Chinese software. These MSI files are then used to fetch and execute the loader from a remote server. The threat actor has been experimenting with these techniques since April 2024 and has employed multiple delivery methods, including mock trusted directories such as "C:\Windows \System32" (note the trailing space after "Windows", which makes the path look like the real System32 folder) to bypass User Account Control (UAC) and drop malicious .msc files.
The vulnerability in question is CVE-2025-26633, described by Microsoft as an improper neutralization vulnerability in MMC that could allow an attacker to bypass a security feature locally. Microsoft addressed it in its March 2025 Patch Tuesday update. The exploit takes advantage of the way mmc.exe uses MUIPath (the lookup path for localized resources) to load and execute a malicious .msc file without the victim's knowledge.
EncryptHub has been observed using two other methods to run malicious payloads on infected systems via .msc files. Firstly, it uses the ExecuteShellCommand method of MMC to download and execute a next-stage payload on the victim's machine. Secondly, it uses mock trusted directories such as "C:\Windows \System32" to bypass UAC and drop a malicious .msc file named "WmiMgmt.msc". Together these tactics give the actor several ways to get mmc.exe to run attacker-controlled content while evading detection.
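The three .msc delivery tricks described above (the trailing-space mock trusted directory, ExecuteShellCommand embedded in a console file, and the MUIPath abuse) each leave a pattern a responder can check for. The following Python helpers are an added example, not code from Trend Micro, the article, or the actor. They flag a Windows path whose directory component carries trailing whitespace, scan a console file's XML for ExecuteShellCommand and generic stage-fetch strings, and pair a .msc with a same-named .msc placed in a locale-named subdirectory such as en-US, which is the layout the linked Trend Micro reporting describes for the MUIPath abuse (assumed here from that reporting, not stated on this page). The indicator list beyond ExecuteShellCommand, the sample .msc XML and the paths are constructed for the demo; the XML only mirrors the broad MMC_ConsoleFile/StringTable layout of a console file and is not a real sample.

```python
"""Triage helpers for suspicious .msc console files and their on-disk paths.

Added example (not the article's or Trend Micro's code). All sample paths and
XML below are constructed for the demo.
"""
import re
import xml.etree.ElementTree as ET
from pathlib import PureWindowsPath

# Strings whose presence in a console file warrants a closer look. The first is
# the MMC method the article says was abused; the rest are generic "fetch and
# run a second stage" tells and are an assumption of this example.
INDICATORS = ("ExecuteShellCommand", "http://", "https://", "mshta", "powershell")

# Locale-style directory names such as en-US or de-DE, used for the MUI check.
LOCALE_DIR = re.compile(r"^[a-z]{2}-[A-Z]{2}$")


def has_mock_trusted_dir(path: str) -> bool:
    """True if any directory component of a Windows path carries trailing
    whitespace, e.g. 'C:\\Windows \\System32' mimicking the real System32."""
    parts = PureWindowsPath(path).parts
    # parts[0] is the drive anchor and parts[-1] the file name; check dirs only.
    return any(p != p.rstrip() for p in parts[1:-1])


def msc_indicators(xml_text: str) -> list[str]:
    """Return the indicator strings found anywhere in a console file's XML
    (element text, tails and attribute values), case-insensitively. Falls back
    to a raw scan if the XML does not parse, since a damaged file is itself
    worth a look."""
    chunks: list[str] = []
    try:
        root = ET.fromstring(xml_text)
        for el in root.iter():
            chunks.extend(filter(None, [el.text, el.tail]))
            chunks.extend(el.attrib.values())
    except ET.ParseError:
        chunks.append(xml_text)
    blob = "\n".join(chunks).lower()
    return sorted(ind for ind in INDICATORS if ind.lower() in blob)


def mui_shadow_candidates(paths: list[str]) -> list[tuple[str, str]]:
    """Pair each .msc that sits in a locale-named subdirectory (e.g. en-US)
    with a same-named .msc in the parent folder: the clean/malicious twin
    layout assumed here for the MUIPath abuse. Returns (clean, shadow) pairs."""
    index = {
        (str(PureWindowsPath(p).parent).lower(), PureWindowsPath(p).name.lower()): p
        for p in paths
    }
    hits: list[tuple[str, str]] = []
    for p in paths:
        wp = PureWindowsPath(p)
        if wp.suffix.lower() != ".msc" or not LOCALE_DIR.match(wp.parent.name):
            continue
        clean = index.get((str(wp.parent.parent).lower(), wp.name.lower()))
        if clean:
            hits.append((clean, p))
    return hits


def triage(path: str, content: str) -> list[str]:
    """Combine the path and content checks for one collected console file."""
    findings: list[str] = []
    if has_mock_trusted_dir(path):
        findings.append("mock trusted directory: trailing whitespace in a path component")
    inds = msc_indicators(content)
    if inds:
        findings.append("console file references: " + ", ".join(inds))
    return findings


# Constructed samples: a benign-looking console file and one carrying the
# ExecuteShellCommand string plus a remote URL in its string table.
BENIGN_MSC = """<MMC_ConsoleFile ConsoleVersion="3.0">
  <StringTables><StringTable><Strings>
    <String ID="1">WMI Control</String>
  </Strings></StringTable></StringTables>
</MMC_ConsoleFile>"""

SUSPECT_MSC = """<MMC_ConsoleFile ConsoleVersion="3.0">
  <StringTables><StringTable><Strings>
    <String ID="1">ExecuteShellCommand</String>
    <String ID="2">http://example.invalid/stage2</String>
  </Strings></StringTable></StringTables>
</MMC_ConsoleFile>"""

SAMPLE_PATHS = [
    r"C:\Users\victim\Desktop\WmiMgmt.msc",
    r"C:\Users\victim\Desktop\en-US\WmiMgmt.msc",
    r"C:\Windows\System32\services.msc",
]

if __name__ == "__main__":
    print(triage(r"C:\Windows \System32\WmiMgmt.msc", SUSPECT_MSC))
    print(triage(r"C:\Windows\System32\services.msc", BENIGN_MSC))
    print(mui_shadow_candidates(SAMPLE_PATHS))
```

In a real investigation the inputs would come from a file-system sweep of user-writable locations and the MSI staging directories rather than the constructed lists above; the functions are pure so they drop into a larger collection script unchanged.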
The malware families delivered through this exploit include Rhadamanthys and StealC, both of which are known for stealing sensitive data from infected systems. The campaign is under active development, employing multiple delivery methods and custom payloads designed to maintain persistence and harvest sensitive data before exfiltrating it to the attackers' command-and-control (C&C) servers.
The campaign highlights the ongoing threat posed by zero-day exploits and the importance of applying security patches promptly. As Aliakbar Zahravi noted, "This campaign is under active development; it employs multiple delivery methods and custom payloads designed to maintain persistence and steal sensitive data." It is a reminder for organisations to prioritise their security posture and remain vigilant against evolving threats.
Related Information:
https://www.ethicalhackingnews.com/articles/Windows-Zero-Day-Exploit-EncryptHub-Unleashes-Rhadamanthys-and-StealC-Malware-on-Vulnerable-Systems-ehn.shtml
https://thehackernews.com/2025/03/encrypthub-exploits-windows-zero-day-to.html
https://cyber1defense.com/2025/03/26/encrypthub-exploits-windows-zero-day/
https://nvd.nist.gov/vuln/detail/CVE-2025-26633
https://www.cvedetails.com/cve/CVE-2025-26633/
https://any.run/malware-trends/rhadamanthys
https://research.checkpoint.com/2023/rhadamanthys-v0-5-0-a-deep-dive-into-the-stealers-components/
https://any.run/malware-trends/stealc
https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc
https://outpost24.com/blog/unveiling-encrypthub-multi-stage-malware/
https://rewterz.com/threat-advisory/encrypthub-a-multi-stage-malware-breach-impacting-600-organizations-active-iocs
https://hackread.com/encrypthub-opsec-failures-expose-malware-operation/
https://apt.etda.or.th/cgi-bin/listgroups.cgi?t=Stealc
https://thehackernews.com/2023/02/researchers-discover-dozens-samples-of.html
Published: Wed Mar 26 11:15:11 2025 by llama3.2 3B Q4_K_M