EncryptHub Exploits “MSC EvilTwin” Flaw in Stealth Cyber Campaigns

Introduction

Cybersecurity researchers have uncovered a sophisticated campaign by EncryptHub, a notorious threat actor targeting developers, enterprises, and even gaming platforms. This group has been actively exploiting a recently patched Windows vulnerability—CVE-2025-26633, nicknamed “MSC EvilTwin”—to deliver malware through malicious Microsoft Management Console (MMC) files. Beyond exploiting technical flaws, EncryptHub leans heavily on social engineering, fake IT messages, and even counterfeit video conferencing apps to lure victims and maintain persistence. The findings, reported by Trustwave SpiderLabs, show just how resourceful and adaptive this adversary has become in blending deception with advanced technical attacks.

The Original

EncryptHub, also known as LARVA-208/Water Gamayun, is exploiting CVE-2025-26633 (“MSC EvilTwin”), a flaw in Microsoft Management Console that enables attackers to bypass security measures and execute malicious .msc files.

The campaign begins with fake IT support messages on Microsoft Teams, tricking employees into providing remote access. Attackers then deploy a PowerShell loader that drops runner.ps1, which plants two .msc files designed to exploit the MSC EvilTwin vulnerability. This allows mmc.exe to load a malicious copy of a management console file, executing attacker code. The malware then connects to a command-and-control (C2) server, downloading build.ps1, which steals system data, ensures persistence, and runs encrypted commands—including the deployment of Fickle Stealer malware.
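As an added defender's example (not code from the Trustwave report or from this article), the following Python heuristic flags the part of that chain that is visible in process-creation telemetry: mmc.exe launched by a PowerShell parent, or opening a .msc console file from a user-writable location instead of a system directory. The event fields, the sample events, and the trusted-directory list are constructed assumptions, not indicators from the campaign.

```python
import re

# Assumption: legitimate console files live under these directories.
TRUSTED_MSC_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")
# Locations a non-admin loader could write a dropped .msc file to (assumption).
USER_WRITABLE_HINTS = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\downloads\\")
# Matches a quoted or unquoted path ending in .msc on the command line.
MSC_ARG = re.compile(r'"([^"]+\.msc)"|(\S+\.msc)', re.IGNORECASE)


def suspicious_mmc_event(event):
    """Return the reasons a process-creation event resembles the mmc.exe/.msc chain.

    An empty list means the event looks like ordinary MMC use.
    """
    reasons = []
    image = event.get("Image", "").lower()
    if not image.endswith("\\mmc.exe"):
        return reasons  # only mmc.exe launches are of interest here
    parent = event.get("ParentImage", "").lower()
    if parent.endswith(("\\powershell.exe", "\\pwsh.exe")):
        reasons.append("mmc.exe spawned by PowerShell")
    match = MSC_ARG.search(event.get("CommandLine", ""))
    if match:
        msc_path = (match.group(1) or match.group(2)).lower()
        if not msc_path.startswith(TRUSTED_MSC_DIRS):
            reasons.append("console file outside system directories: " + msc_path)
        if any(hint in msc_path for hint in USER_WRITABLE_HINTS):
            reasons.append("console file in a user-writable location")
    return reasons


def scan(events):
    """Return (ProcessId, reasons) for every event the heuristic flags."""
    return [(e["ProcessId"], r) for e in events if (r := suspicious_mmc_event(e))]


# Constructed Sysmon-style process-creation events, simplified to dicts.
SAMPLE_EVENTS = [
    {"ProcessId": 4101, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\mmc.exe",
     "CommandLine": r'"C:\Windows\System32\mmc.exe" "C:\Windows\System32\services.msc"'},
    {"ProcessId": 5230, "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "Image": r"C:\Windows\System32\mmc.exe",
     "CommandLine": r'"C:\Windows\System32\mmc.exe" "C:\Users\alice\AppData\Local\Temp\console.msc"'},
    {"ProcessId": 5231, "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c whoami"},
]

if __name__ == "__main__":
    for pid, reasons in scan(SAMPLE_EVENTS):
        print(pid, "->", "; ".join(reasons))
```

In a real pipeline the same function would be run over Sysmon Event ID 1 or EDR process-start records rather than the constructed dicts above.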

SpiderLabs also uncovered additional tools:

SilentCrystal: A Golang loader replacing earlier PowerShell scripts, capable of hosting payloads via Brave browser support pages and bypassing defenses by faking Windows directories.
Golang SOCKS5 Backdoor: Functions as both client and server, sending stolen data via Telegram, while establishing a resilient, TLS-protected C2 infrastructure.

In July 2025, EncryptHub escalated operations with RivaTalk, a fake video conferencing platform requiring an access code to limit exposure. The installer abused a Symantec binary to sideload a malicious DLL, launching a PowerShell script for further payload delivery. While showing fake installation screens, RivaTalk generated dummy web traffic to disguise communications with its C2 servers.

Researchers stress that EncryptHub’s tactics—ranging from fake IT chats and weaponized video apps to encrypted command channels—demonstrate the group’s evolution into a stealthy, well-funded cybercrime organization. The report concludes that layered defense, rapid incident response, and user awareness training are essential to defend against these campaigns, which are growing more targeted and difficult to detect.

What Undercode Says:

The case of EncryptHub represents a textbook example of how modern cybercrime no longer relies on just one technique but rather a hybrid ecosystem of tools, deception, and persistence strategies. What makes EncryptHub particularly dangerous is its synergy between social engineering and technical exploitation—something many organizations underestimate.

1. Social Engineering as the Entry Point

By starting with fake Microsoft Teams messages, EncryptHub bypasses traditional defenses. Most organizations focus on patching vulnerabilities but fail to recognize that the weakest link is often the human operator. When employees see what appears to be a legitimate IT request, the barrier to compromise is already lowered.

2. Weaponization of Legitimate Features

The exploitation of the MSC EvilTwin flaw shows how attackers can twist built-in Windows functionalities into powerful attack vectors. Microsoft Management Console was designed to give administrators powerful oversight—but in the wrong hands, it becomes a weapon.

3. Shift Toward Resilience and Stealth

The move from PowerShell scripts to Golang loaders (e.g., SilentCrystal) illustrates how EncryptHub is actively evading detection. PowerShell-based malware is more readily flagged by security tools, whereas compiled Golang binaries are harder to analyze and can maintain persistence with less scrutiny.

4. Use of Trusted Platforms

Hosting payloads on Brave Support, using Telegram for exfiltration, and abusing Symantec binaries reflects a broader cybercrime trend: attackers increasingly hide inside legitimate services and software ecosystems, making detection and attribution far more difficult.

5. The RivaTalk Strategy

Creating a fake video conferencing platform is genius-level social engineering. It mirrors the pandemic-era shift where Zoom and Teams became household names. By mimicking something people trust and use daily, EncryptHub not only tricked targets but also created an exclusive, invite-only layer of deception (access codes, fake installers). This exclusivity tactic increases victim compliance while limiting visibility to researchers.

6. Enterprise-Scale Risks

With reports of over 618 organizations compromised by February 2025, the scope of damage is staggering. Stolen intellectual property, compromised Web3 developer environments, and possible long-term persistence in corporate networks make EncryptHub not just a nuisance but a strategic cyber threat.

7. Lessons for Defense

Layered Security is Non-Negotiable: Endpoint detection, network monitoring, and anomaly-based detection must all work together.
User Training is Critical: Employees must be conditioned to recognize suspicious messages—even on trusted platforms like Teams.
Zero Trust Approaches: Organizations should limit internal lateral movement so one compromised account doesn’t collapse the entire network.
Threat Intelligence Sharing: The global community must collaborate to track evolving groups like EncryptHub, since they rapidly adapt once exposed.

EncryptHub’s story underlines the evolution of cybercriminal organizations into full-fledged, professionalized operations. They are no longer random hackers but structured groups with supply chains, development lifecycles, and even marketing strategies disguised as fake apps.

🔍 Fact Checker Results

✅ CVE-2025-26633 (“MSC EvilTwin”) is a real Windows flaw patched by Microsoft.

✅ Trustwave SpiderLabs confirmed EncryptHub’s exploitation campaigns.

❌ No evidence supports EncryptHub targeting general consumers—their primary focus remains developers, enterprises, and Web3-related environments.

📊 Prediction

Looking ahead, EncryptHub is unlikely to slow down. The shift from scripts to Golang binaries, coupled with exclusive fake platforms like RivaTalk, suggests a move toward targeted, high-value intrusions rather than mass campaigns. We can expect them to refine supply chain attacks and possibly pivot to mobile or cross-platform malware, since their current operations already show advanced adaptability. Organizations failing to adopt proactive threat hunting and zero-trust models will likely become the next victims of EncryptHub’s stealth warfare.


References:

Reported By: securityaffairs.com