Listen to this Post

Introduction: A Dangerous New Wave of Cyber Attacks
A highly advanced cybercrime operation, uncovered by Trustwave SpiderLabs, has brought a chilling reminder of how quickly cyber threats evolve. Known as EncryptHub, this campaign blends persuasive social engineering with the exploitation of a newly disclosed Microsoft Management Console vulnerability to infiltrate organizational networks. The group behind the attacks, also tracked as LARVA-208 and Water Gamayun, is refining its tactics to make detection harder and attacks more impactful. By abusing trusted platforms such as Brave Support, deploying sophisticated malware loaders, and exploiting the CVE-2025-26633 flaw, they have managed to compromise hundreds of organizations worldwide.
A New Breed of Cyber Threats
The EncryptHub campaign stands out because it doesn’t rely solely on technical exploits — it manipulates human trust as well. The operation kicks off with hackers posing as IT support staff, contacting employees via Microsoft Teams. Their goal is to trick the victim into granting remote access. Once inside, attackers run PowerShell commands that download and execute malicious payloads from their own compromised infrastructure.
Exploiting the MSC EvilTwin Flaw
Central to their attack is CVE-2025-26633, nicknamed “MSC EvilTwin,” a dangerous flaw in Microsoft Management Console. This vulnerability allows malicious .msc files to execute under the guise of legitimate ones. The attackers drop two files with the same name — one harmless and one harmful — placing the malicious one in the MUIPath directory. Due to how the flaw works, the system unknowingly runs the malicious version, granting the hackers complete control. While Microsoft officially disclosed this flaw in March 2025, evidence shows the attackers had already been exploiting it as early as February.
Advanced Malware and Infrastructure Abuse
EncryptHub’s toolkit is alarmingly sophisticated. They use SilentCrystal, a Golang-based loader that mimics PowerShell’s functions while cleverly hiding its activities through Brave Support’s infrastructure. They create deceptive Windows directories with trailing spaces to fool both users and security tools. The malware also installs a SOCKS5 proxy backdoor, enabling two-way communication with command servers and allowing the hackers to use infected devices as part of their network.
Covert Communication and Payload Delivery
The attackers maintain stealth by sending updates through Telegram, sharing details about the infected system’s hardware, network, and even geolocation. They’ve also built a fake video conferencing site — rivatalk.net — which uses access codes to limit who can download malicious software. These downloads abuse legitimate Symantec anti-malware tools for DLL sideloading, helping the payload slip past defenses.
A Global and Growing Threat
By February 2025, EncryptHub had compromised at least 618 organizations worldwide, targeting everything from Web3 developers to gaming platforms like Steam. This rapid evolution shows they are expanding their reach and refining their techniques. Cybersecurity experts warn that only layered defenses, real-time threat intelligence, and strong employee training can hope to stop such adaptive adversaries.
What Undercode Say:
EncryptHub represents a dangerous intersection of technical precision and psychological manipulation. This is not a group that simply finds vulnerabilities — they engineer full-scale operations that merge human deception with deep system compromise. The exploitation of the MSC EvilTwin flaw reveals how even minor design quirks in system architecture can lead to severe consequences when combined with clever file placement tactics.
The abuse of Brave Support for hosting payloads is particularly concerning. By piggybacking on a trusted brand, attackers bypass much of the skepticism that usually follows suspicious links. This is a common pattern in advanced campaigns: exploit trust first, then technology. The trailing-space folder trick demonstrates that the group understands not only how to evade antivirus detection but also how to exploit human assumptions about file paths.
The dual-mode SOCKS5 proxy capability shows they are building resilience into their infrastructure. If one communication method is blocked, the other can take over. This modular design mirrors the approach seen in nation-state level cyber campaigns, where flexibility and redundancy are key.
Their decision to use Telegram for status updates suggests they favor easily available, encrypted channels that are difficult to block without broader collateral damage. The fake conferencing site adds a social exclusivity element to the malware delivery, ensuring only high-value targets gain access — a tactic that protects the payload from being widely analyzed.
What’s most alarming is the speed at which EncryptHub evolves. Moving from Web3 to gaming platforms within months signals a highly adaptive, revenue-focused mindset. Their willingness to expand attack surfaces also implies they are testing for the most profitable industries to target.
From a defense standpoint, organizations must approach this threat holistically. Technical patching alone is not enough. The fact that they initiate attacks via Microsoft Teams messages shows that user awareness training is as critical as firewall rules. Every employee must understand that even trusted internal communication tools can be exploited.
It’s also worth noting that the MSC EvilTwin flaw was exploited before public disclosure. This reinforces the importance of proactive security research, as attackers often have months of head start before a vulnerability becomes widely known.
Finally, the 618 confirmed victims are likely only a fraction of the true total. Many organizations may be unaware they have been compromised, especially if attackers are maintaining low visibility for long-term espionage or resource hijacking. The mix of social engineering, zero-day exploitation, and infrastructure abuse makes EncryptHub one of the most dangerous actors active in 2025.
🔍 Fact Checker Results:
✅ CVE-2025-26633 (MSC EvilTwin) is a confirmed Microsoft Management Console vulnerability disclosed in March 2025.
✅ Trustwave SpiderLabs has attributed the EncryptHub campaign to LARVA-208/Water Gamayun.
✅ The figure of 618 compromised organizations is based on February 2025 threat intelligence data.
📊 Prediction:
Given EncryptHub’s speed of adaptation, it is likely that they will expand into supply chain attacks within the next 6–8 months. The combination of social engineering and infrastructure abuse could make them a key player in global ransomware operations. Expect them to increasingly target industries with weak internal verification processes, such as healthcare and education, while continuing to abuse trusted platforms for malware delivery.
🕵️📝✔️Let’s dive deep and fact‑check.
References:
Reported By: cyberpress.org
Extra Source Hub:
https://www.digitaltrends.com
Wikipedia
OpenAi & Undercode AI
Image Source:
Unsplash
Undercode AI DI v2
🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]
📢 Follow UndercodeNews & Stay Tuned:
𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky | 🐘Mastodon




