Ethical Hacking News
EncryptHub linked to zero-day attacks targeting Windows systems: the threat actor exploits a vulnerability in how Microsoft Management Console files are handled to execute malicious code and steal sensitive data from compromised systems.
A malicious actor known as EncryptHub has been linked to zero-day attacks targeting Windows systems, specifically using a Microsoft Management Console (MSC) vulnerability. The vulnerability, dubbed "MSC EvilTwin" and tracked as CVE-2025-26633, allows attackers to evade file reputation protections and execute code on unpatched devices. EncryptHub has used this zero-day exploit to execute malicious code, exfiltrate data, and deploy various payloads, including the EncryptHub stealer and DarkWisp backdoor. The threat actor manipulates .msc files and the Multilingual User Interface Path (MUIPath) to download and execute malicious payloads, maintain persistence, and steal sensitive data. EncryptHub has been linked to breaches of at least 618 organizations worldwide through spear-phishing and social engineering attacks. The group also deploys ransomware payloads to encrypt victims' files after stealing sensitive data.
A malicious actor known as EncryptHub has been linked to zero-day attacks targeting Windows systems. According to Sergiu Gatlan, a news reporter who has covered cybersecurity and technology developments for over a decade, the attacks exploit a Microsoft Management Console vulnerability that Microsoft patched earlier in March.
The vulnerability, dubbed "MSC EvilTwin" and tracked as CVE-2025-26633, resides in how MSC files are handled on vulnerable devices. Because the user is not warned before an unexpected MSC file is loaded on an unpatched device, attackers can use it to evade Windows file reputation protections and execute code.
In an email attack scenario, an attacker could exploit the vulnerability by sending the specially crafted file to the user and convincing the user to open the file. In a web-based attack scenario, an attacker could host a website (or leverage a compromised website that accepts or hosts user-provided content) containing a specially crafted file designed to exploit the vulnerability.
Throughout this campaign, EncryptHub (also known as Water Gamayun or Larva-208) has used CVE-2025-26633 zero-day exploits to execute malicious code and exfiltrate data from compromised systems. This threat actor has also deployed multiple malicious payloads linked to previous EncryptHub attacks, including the EncryptHub stealer, DarkWisp backdoor, SilentPrism backdoor, Stealc, Rhadamanthys stealer, and the PowerShell-based MSC EvilTwin trojan loader.
As Trend Micro staff researcher Aliakbar Zahravi explained in a report published on Tuesday, "In this attack, the threat actor manipulates .msc files and the Multilingual User Interface Path (MUIPath) to download and execute malicious payload, maintain persistence and steal sensitive data from infected systems."
This campaign is under active development; it employs multiple delivery methods and custom payloads designed to maintain persistence and steal sensitive data, then exfiltrate it to the attackers' command-and-control (C&C) servers. While analyzing these attacks, Trend Micro has also found an early version of this technique used in an April 2024 incident.
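The delivery scenarios above (a mailed or web-hosted console file) and the MUIPath manipulation suggest a simple triage rule for defenders. The following is an added example, not code from the article or from Trend Micro: it checks constructed process-creation records (Sysmon Event ID 1 style field names Image, CommandLine and ParentImage are an assumption) for mmc.exe opening a .msc file from a user-writable directory, from a mail client or browser, or from a locale-named subfolder such as en-US (the assumed layout of a MUIPath abuse).

```python
# Added example (not from the article or Trend Micro): triage process-creation
# records for mmc.exe opening a console (.msc) file from a place a mailed or
# downloaded file would land. Record fields follow Sysmon Event ID 1 naming
# (Image, CommandLine, ParentImage); the sample records below are constructed.
import re
from pathlib import PureWindowsPath

USER_WRITABLE = {"downloads", "temp", "desktop", "onedrive"}
DELIVERY_PARENTS = {"outlook.exe", "chrome.exe", "msedge.exe", "firefox.exe"}
LOCALE_DIR = re.compile(r"^[a-z]{2}-[A-Z]{2}$")   # e.g. en-US (assumed MUIPath layout)
MSC_ARG = re.compile(r'"?([^"\s]+\.msc)"?', re.IGNORECASE)

def msc_argument(cmdline: str):
    """Return the .msc path passed to mmc.exe, or None if there is none."""
    m = MSC_ARG.search(cmdline)
    return m.group(1) if m else None

def triage(record: dict) -> list:
    """List the reasons a record looks like a phished or downloaded .msc launch."""
    if not record.get("Image", "").lower().endswith("\\mmc.exe"):
        return []
    path = msc_argument(record.get("CommandLine", ""))
    if path is None:
        return []
    wp = PureWindowsPath(path)
    reasons = []
    if USER_WRITABLE & {p.lower() for p in wp.parts}:
        reasons.append("msc-in-user-writable-dir")
    if LOCALE_DIR.match(wp.parent.name):
        reasons.append("msc-in-locale-subfolder")
    parent = PureWindowsPath(record.get("ParentImage", "")).name.lower()
    if parent in DELIVERY_PARENTS:
        reasons.append("launched-by-" + parent)
    return reasons

SAMPLE_RECORDS = [  # constructed, not real telemetry
    {"Image": r"C:\Windows\System32\mmc.exe",
     "CommandLine": r'"C:\Windows\System32\mmc.exe" "C:\Windows\System32\compmgmt.msc"',
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Windows\System32\mmc.exe",
     "CommandLine": r'"C:\Windows\System32\mmc.exe" "C:\Users\alice\Downloads\invoice\en-US\console.msc"',
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE"},
]

def scan(records=SAMPLE_RECORDS) -> dict:
    """Map each flagged .msc path to its triage reasons; benign launches are dropped."""
    return {msc_argument(r["CommandLine"]): triage(r) for r in records if triage(r)}
```

The first sample record (a console opened from System32 by Explorer) produces no reasons; the second is flagged on all three counts.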
Cyber threat intelligence company Prodaft has previously linked EncryptHub to breaches of at least 618 organizations worldwide following spear-phishing and social engineering attacks. EncryptHub also deploys ransomware payloads to encrypt victims' files after stealing sensitive files as an affiliate of the RansomHub and BlackSuit ransomware operations.
This month, Microsoft also patched a zero-day vulnerability (CVE-2025-24983) in the Windows Win32 Kernel Subsystem, which had been exploited in attacks since March 2023. The fact that multiple zero-day vulnerabilities have been linked to recent EncryptHub attacks highlights the increasing threat posed by this malicious actor.
A separate analysis of 14M malicious actions identified the top 10 MITRE ATT&CK techniques behind 93% of attacks, offering insight into how attackers operate and how organizations can defend against them. Microsoft has also issued several patches for zero-day vulnerabilities in its systems in recent months, underscoring the importance of keeping software up to date to prevent exploitation.
In light of this latest development, cybersecurity experts are emphasizing the need for users to exercise caution when interacting with suspicious emails or websites. The threat posed by EncryptHub serves as a reminder that even the most seemingly innocuous interactions can be exploited to launch devastating attacks.
Related Information:
https://www.ethicalhackingnews.com/articles/Zero-Day-Attacks-on-Windows-Systems-The-Lurking-Threat-of-EncryptHub-ehn.shtml
Published: Tue Mar 25 12:11:48 2025 by llama3.2 3B Q4_K_M