
A sophisticated cyber threat actor known as EncryptHub has been identified in a series of zero-day attacks targeting a vulnerability within the Microsoft Management Console (MMC). This flaw, recently patched by Microsoft, allows attackers to bypass security features and execute malicious code on Windows systems.
Understanding the MMC Vulnerability
The vulnerability, designated as CVE-2025-26633 and referred to as 'MSC EvilTwin,' was discovered by Trend Micro researcher Aliakbar Zahravi. It exploits the way MSC files are processed on unpatched devices, enabling attackers to circumvent Windows file reputation protections.
Exploitation Tactics
Attackers can exploit this vulnerability in several ways. In email-based attacks, they send specially crafted MSC files to users and persuade them to open the files. In web-based scenarios, attackers host the malicious files on websites they control or on compromised sites in order to distribute them.
- Email Attacks: Users are tricked into opening malicious MSC files sent via email.
- Web-Based Attacks: Malicious files are hosted on websites, exploiting the vulnerability when accessed.
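As an added example (not part of the article and not code from Trend Micro or Microsoft), the following Python routine flags the delivery pattern described above: the Microsoft Management Console (mmc.exe) opening an .msc file from a download or mail-attachment location rather than from the Windows system directory. The event format, the sample events, and the trusted-directory and parent-process lists are constructed assumptions meant to be tuned per environment.

```python
import re
from pathlib import PureWindowsPath
from typing import Optional

# Constructed sample process-creation events (image, command line, parent process).
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\mmc.exe",
     "cmd": r'"C:\Windows\System32\mmc.exe" "C:\Windows\System32\eventvwr.msc"',
     "parent": r"C:\Windows\explorer.exe"},
    {"image": r"C:\Windows\System32\mmc.exe",
     "cmd": r'"C:\Windows\System32\mmc.exe" "C:\Users\alice\Downloads\invoice.msc"',
     "parent": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE"},
    {"image": r"C:\Windows\System32\mmc.exe",
     "cmd": r'"C:\Windows\System32\mmc.exe" "C:\Users\bob\AppData\Local\Temp\report.msc"',
     "parent": r"C:\Program Files\Google\Chrome\Application\chrome.exe"},
    {"image": r"C:\Windows\System32\notepad.exe",
     "cmd": r'"C:\Windows\System32\notepad.exe" C:\Users\bob\Downloads\notes.msc',
     "parent": r"C:\Windows\explorer.exe"},
]

# Where built-in consoles live; an .msc loaded from anywhere else is unusual (assumption).
TRUSTED_MSC_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")
# Parent processes that suggest the console file arrived by mail or web download (assumption).
DELIVERY_PARENTS = ("outlook.exe", "chrome.exe", "msedge.exe", "firefox.exe")

# Either a quoted path (may contain spaces) or a bare token ending in .msc.
MSC_ARG = re.compile(r'"([^"]+\.msc)"|(\S+\.msc)(?!\S)', re.IGNORECASE)


def msc_path_from_cmdline(cmd: str) -> Optional[str]:
    """Return the first .msc argument found in the command line, or None."""
    m = MSC_ARG.search(cmd)
    return (m.group(1) or m.group(2)) if m else None


def classify(event: dict) -> Optional[str]:
    """Return a reason string if the event is an mmc.exe load of an untrusted .msc, else None."""
    if PureWindowsPath(event["image"]).name.lower() != "mmc.exe":
        return None
    msc = msc_path_from_cmdline(event["cmd"])
    if msc is None:
        return None
    msc_dir = str(PureWindowsPath(msc).parent).lower()
    if msc_dir.startswith(TRUSTED_MSC_DIRS):
        return None  # a built-in console such as eventvwr.msc
    reasons = [f"msc outside trusted dirs: {msc}"]
    parent = PureWindowsPath(event["parent"]).name.lower()
    if parent in DELIVERY_PARENTS:
        reasons.append(f"launched from {parent}")
    return "; ".join(reasons)


def find_suspicious(events) -> list:
    """Return (command line, reason) pairs for every event that classify() flags."""
    return [(e["cmd"], r) for e in events if (r := classify(e))]
```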
EncryptHub's Malicious Campaign
Trend Micro researchers observed EncryptHub, also known as Water Gamayun or Larva-208, utilizing CVE-2025-26633 to execute harmful code and extract data from compromised systems. This campaign involved deploying various payloads linked to previous EncryptHub attacks.
Payloads and Techniques
The threat actor employed multiple malicious payloads, including the EncryptHub stealer, DarkWisp backdoor, SilentPrism backdoor, Stealc, Rhadamanthys stealer, and the PowerShell-based MSC EvilTwin trojan loader. These tools are used to maintain persistence and steal sensitive data.
- Payload Deployment: Various malware tools are used to execute attacks and exfiltrate data.
- Persistence and Data Theft: Techniques are designed to maintain access and steal sensitive information.
Ongoing Threat and Global Impact
This campaign is under active development, employing diverse delivery methods and custom payloads. EncryptHub has been linked to breaches of over 618 organizations worldwide, primarily through spear-phishing and social engineering attacks.
Ransomware Operations
EncryptHub is also involved in ransomware activities, deploying ransomware payloads to encrypt victims' files after data theft. They operate as affiliates of the RansomHub and BlackSuit ransomware groups.
Additional Vulnerabilities and Mitigation
In addition to CVE-2025-26633, Microsoft addressed another zero-day vulnerability (CVE-2025-24983) in the Windows Win32 Kernel Subsystem, exploited since March 2023. Organizations are urged to apply patches promptly to mitigate these threats.