Inside the Dual Life of EncryptHub: Hacker, Researcher, or Something in Between?

Introduction

In the blurred and often paradoxical world of cybersecurity, few figures exemplify the duality of hacker and protector like EncryptHub. Known for breaching over 600 organizations and dabbling in the creation of malware and phishing tools, this notorious threat actor shocked the cybersecurity world after being linked to the discovery and reporting of two zero-day vulnerabilities in Windows. The twist? The same individual who sought to undermine systems also helped secure them—at least on the surface.

This strange blend of altruism and anarchy presents a compelling case of modern cyber threats, where motivations aren’t black and white. Let’s explore how one of the most prolific cybercriminals of recent times may have unintentionally unmasked himself, and what it reveals about the evolving nature of digital threats.

Summary: The Curious Case of EncryptHub and SkorikARI

  • EncryptHub, a threat actor linked to at least 618 breaches, has been identified as the source behind two reported Windows zero-day vulnerabilities:

– CVE-2025-24061 (Mark of the Web bypass)

– CVE-2025-24071 (File Explorer spoofing)

  • These vulnerabilities were patched by Microsoft in March 2025 and credited to a mysterious identity: “SkorikARI.”
  • Researchers at Outpost24 traced this alias back to EncryptHub after the threat actor accidentally infected his own system, exposing credentials that linked both personas.
  • The leak connected accounts and online behaviors to both EncryptHub’s criminal activities and SkorikARI’s security research contributions.
  • Compromised credentials included access to GitHub, Gmail, freelance work platforms, and forums like xss.is—used by both identities.
  • A particularly telling discovery involved ChatGPT conversations, where the hacker asked the AI to evaluate his moral stance as a hacker.
  • ChatGPT’s response: 40% black hat, 30% grey hat, 20% white hat, 10% undecided—underscoring the individual’s conflicted identity.
  • The hacker had used ChatGPT to build malware, phishing sites, and even brainstorm large-scale “harmless” publicity stunts.
  • EncryptHub’s opsec failures left a trail that security analysts could follow forensically, undermining an otherwise skilled technical profile.
  • Outpost24 suggests EncryptHub is part of, or closely aligned with, RansomHub and BlackSuit, and has created tools like Fickle Stealer, a PowerShell-based infostealer.
  • EncryptHub’s campaigns often involve social engineering, fake websites, and malware-laced apps—such as the fabricated productivity platform GartoriSpace.
  • Fickle Stealer and AMOS (targeting macOS) were distributed via social platforms, tricking users into downloading malware under the guise of legitimate tools.
  • Despite some zero-day contributions, EncryptHub also attempted to sell vulnerabilities in underground forums, highlighting the profit-driven intent.
  • A prior vulnerability, CVE-2025-26633 (MMC flaw), exploited by EncryptHub, was incorrectly attributed to Trend Micro before further investigation.

What Undercode Says: A Deep Dive Analysis

EncryptHub’s story raises ten points worth drawing out:

1. The Rise of the Hybrid Hacker:

EncryptHub is a prime example of a modern cybercriminal who also plays the role of researcher. These hybrid actors are difficult to classify and even harder to predict. Their actions are not governed solely by ideology or profit—but often a blend of ego, experimentation, and personal conflict.

2. Zero-Days as Currency and Credibility:

By submitting two critical vulnerabilities to Microsoft, EncryptHub (under SkorikARI) demonstrated technical excellence. However, it’s unclear whether this was a move toward legitimacy or a calculated strategy to build reputation in both underground and professional circles.

3. Opsec: The Greatest Threat to Hackers:

Ironically, EncryptHub’s downfall came from poor operational security (opsec). Infecting his own system and failing to compartmentalize online personas led researchers directly to him. It highlights how even the best malware authors are vulnerable to basic security lapses.
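The pivot the summary and this section describe, from a self-infection credential dump to a link between two aliases, comes down to finding artifacts (the same account, the same infected host) that more than one persona shares. The script below is an added example written for this page; it is not code from the article, from Outpost24, or from the actor. The records, aliases, hosts and account strings are constructed sample data, and the host fingerprint field is an assumed stand-in for whatever machine identifier a stealer log carries.

```python
"""Persona linkage over leaked credential records.

Added example for this page (not from the original article or Outpost24):
models how an analyst pivots from credentials harvested off one infected
machine to link two aliases. All records are constructed sample data.
"""
from collections import defaultdict
from itertools import combinations
from typing import Dict, FrozenSet, List, Optional, Set, Tuple

# (alias, service, account, host_id). host_id is an assumed stand-in for a
# machine fingerprint (hostname + hardware id) logged with each credential.
Record = Tuple[str, str, str, str]
Artifact = Tuple[str, str]  # ("account" | "host", value)

# Constructed sample "stealer-log" records; every value here is invented.
SAMPLE_RECORDS: List[Record] = [
    ("EncryptHub", "xss.is", "eh_user", "HOST-A1"),
    ("EncryptHub", "github.com", "dev.shared@example.com", "HOST-A1"),
    ("SkorikARI", "github.com", "dev.shared@example.com", "HOST-A1"),
    ("SkorikARI", "gmail.com", "dev.shared@example.com", "HOST-A1"),
    ("SkorikARI", "freelance.example", "skorik_research", "HOST-B2"),
    ("Unrelated", "github.com", "someone.else@example.com", "HOST-C3"),
]


def build_artifact_index(records: List[Record]) -> Dict[Artifact, Set[str]]:
    """Map each shareable artifact to the set of aliases observed with it.

    Two artifact kinds are indexed: the account identity itself (an e-mail
    or username reused across personas) and the host the credential was
    harvested from (both personas' secrets sitting on one machine).
    """
    index: Dict[Artifact, Set[str]] = defaultdict(set)
    for alias, _service, account, host in records:
        index[("account", account)].add(alias)
        index[("host", host)].add(alias)
    return index


def link_personas(records: List[Record]) -> Dict[FrozenSet[str], List[Artifact]]:
    """Return, for every pair of aliases, the artifacts they share.

    Pairs that share nothing are absent from the result, so an alias that
    keeps its accounts and hosts compartmentalised never appears in a link.
    """
    links: Dict[FrozenSet[str], List[Artifact]] = defaultdict(list)
    for artifact, aliases in build_artifact_index(records).items():
        if len(aliases) < 2:
            continue  # artifact seen with one persona only: no pivot
        for a, b in combinations(sorted(aliases), 2):
            links[frozenset((a, b))].append(artifact)
    return {pair: sorted(evidence) for pair, evidence in links.items()}


def strongest_link(records: List[Record]) -> Optional[Tuple[Tuple[str, str], List[Artifact]]]:
    """Pick the alias pair backed by the most independent artifacts."""
    links = link_personas(records)
    if not links:
        return None
    pair, evidence = max(links.items(), key=lambda kv: len(kv[1]))
    return tuple(sorted(pair)), evidence


if __name__ == "__main__":
    for pair, evidence in link_personas(SAMPLE_RECORDS).items():
        print(" <-> ".join(sorted(pair)))
        for kind, value in evidence:
            print(f"    shared {kind}: {value}")
```

With the constructed records, the only pair that surfaces is EncryptHub and SkorikARI, linked by a reused account and a common host; the "Unrelated" alias shares nothing and is never paired. The same indexing works unchanged on larger dumps, and adding artifact kinds (browser profile ids, recovery phone numbers, SSH key fingerprints) is a one-line change to the index builder.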

4. ChatGPT as a Mirror and Tool:

EncryptHub’s use of ChatGPT is both fascinating and disturbing. Not only did he use it for malware development and planning, but he also sought moral validation. This reveals a psychological depth: a hacker seeking to understand his place in a world where ethical lines are increasingly blurred.

5. Malware as a Freelance Hustle:

The hacker’s dual life included legitimate freelance work. This “day job, night crime” reality raises questions about how many freelancers in tech may moonlight as malicious actors, hidden behind pseudonyms and encrypted forums.

6. Social Engineering on Steroids:

Creating fake SaaS companies and promoting them via social media to distribute malware like Fickle Stealer shows a level of marketing savvy rarely seen in traditional cybercrime. This sophistication makes threats harder to detect and prevent.

7. The Ethical Grey Zone:

EncryptHub represents a broader category of individuals who operate in ethical grey areas—simultaneously helping secure systems while actively undermining others. Cybersecurity as a field must contend with the existence of these dual-natured contributors.

8. Failure of Attribution Systems:

The CVE-2025-26633 case—initially attributed to Trend Micro—demonstrates how even formal vulnerability attribution can go wrong, sometimes allowing threat actors to operate under the radar or take credit where it’s not due.

9. The Ransomware Connection:

Ties to groups like RansomHub and BlackSuit suggest EncryptHub is more than a solo operator. This adds weight to the idea that sophisticated malware campaigns are increasingly collaborative and professionalized enterprises.

10. Ethical Implications for the Industry:

As more threat actors contribute to security through vulnerability disclosures, the line between researcher and criminal will continue to blur. The industry may need to redefine how it values, tracks, and rewards contributions.

Fact Checker Results

  • Microsoft did attribute CVE-2025-24061 and CVE-2025-24071 to “SkorikARI,” verifying the reporting identity used by EncryptHub.
  • Outpost24’s research matches multiple exposed credentials to both EncryptHub and SkorikARI, confirming the dual identity with high confidence.
  • Fickle Stealer and GartoriSpace campaigns were actively distributed through social platforms, with payloads verified by VirusTotal.


References:

Reported By: www.bleepingcomputer.com
Extra Source Hub:
https://www.digitaltrends.com
Wikipedia
Undercode AI
